01-25-2024 12:13 AM
Hello,
In my lab I am trying to create a VPN. The setup is quite simple.
Sw1 -> hq-vpn01 router - isp01 router - loc01-vpn01 router <- sw2
I have attached the config files for the routers.
The VPN does not come up. I have tried to generate traffic, but it does not work.
Could anyone please try to help me identify the issue? Thank you!
01-25-2024 01:12 AM
The connection between the router and the ISP is in global, and you use a VRF-aware keyring.
That is wrong.
01-25-2024 04:35 AM
Hello,
better post the output of 'sh run' from both VPN endpoints, as the snippets you put together make it hard to see what is actually configured. At the very least, the access list defining the interesting traffic is wrong, it should not contain the 'permit any any', as that defeats the purpose of defining interesting traffic:
ip access-list extended acl-cust-a
permit ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255
--> permit ip any any REMOVE THIS LINE
01-25-2024 05:09 AM
Hello,
Thank you for your reply.
I will put the sh run from VPN endpoints.
Permit any any has an ! mark, so it is not active.
Best regards!
01-25-2024 09:02 AM
Hello,
I think your routing is wrong. The next hop is identical to your local WAN interface:
interface GigabitEthernet2
description to hq
ip address 40.0.1.2 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 40.0.1.2 name default-route-to-isp01
ip route vrf cust-a-loc01 172.16.0.0 255.255.255.0 40.0.1.2 global
01-25-2024 09:06 AM - edited 01-25-2024 09:58 AM
removing this route
ip route vrf cust-a-loc01 172.16.0.0 255.255.255.0 40.0.1.2 global
and updating things like this brought the VPN online
Global and VRF need to be able to communicate with each other.
ip route vrf cust-a-loc01 0.0.0.0 0.0.0.0 gig 1 40.0.1.1 global
ip route 172.16.1.0 255.255.255.0 gig1 172.16.1.1
ip nat inside source list 101 interface gig2 overload
access-list 101 deny ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
Things need to be updated on both routers.
01-25-2024 10:02 AM
Hello,
exactly. You have the same problem on the other side:
interface GigabitEthernet1
description to loc01
ip address 40.0.0.2 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
crypto map CMAP
ip route vrf cust-a-access 172.16.1.0 255.255.255.0 40.0.0.2 global
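The fault found in this thread (a static route whose next hop is the router's own WAN address, which can never be forwarded) is easy to catch with a small config check. The following is an added example, not code from the thread or from Cisco; the sample configuration is constructed from the loc01-vpn01 snippets above, and the 40.0.1.1 ISP next hop in the corrected route is taken from the solution post.

```python
import ipaddress
# Constructed sample modelled on the loc01-vpn01 snippets in this thread: the first two
# static routes point at the router's own WAN address, the third is the corrected form.
SAMPLE_CONFIG = """\
interface GigabitEthernet2
 ip address 40.0.1.2 255.255.255.0
 crypto map CMAP
!
ip route 0.0.0.0 0.0.0.0 40.0.1.2 name default-route-to-isp01
ip route vrf cust-a-loc01 172.16.0.0 255.255.255.0 40.0.1.2 global
ip route vrf cust-a-loc01 0.0.0.0 0.0.0.0 GigabitEthernet2 40.0.1.1 global
"""

def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def local_addresses(config):
    """Map interface name -> IPv4 address for every 'ip address' line in interface mode."""
    addrs, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"] and len(tok) > 1:
            current = tok[1]
        elif tok[:2] == ["ip", "address"] and len(tok) >= 3 and current and _is_ipv4(tok[2]):
            addrs[current] = tok[2]
        elif line and not line.startswith(" "):
            current = None  # any non-indented line leaves interface configuration mode
    return addrs

def parse_static_route(line):
    """Return (vrf, prefix, next_hop) for an 'ip route' line, or None if it is not one.
    Handles: ip route [vrf NAME] PREFIX MASK [INTERFACE] [NEXT_HOP] [global] [name X]."""
    tok = line.split()
    if tok[:2] != ["ip", "route"] or len(tok) < 5:
        return None
    vrf, i = None, 2
    if tok[2] == "vrf":
        vrf, i = tok[3], 4
    # the next hop is the first IPv4 literal after PREFIX MASK (an interface name is not one)
    next_hop = next((t for t in tok[i + 2:] if _is_ipv4(t)), None)
    return vrf, tok[i], next_hop

def self_pointing_routes(config):
    """Static routes whose next hop is one of this router's own interface addresses."""
    own = set(local_addresses(config).values())
    return [r for r in map(parse_static_route, config.splitlines()) if r and r[2] in own]
```

Run `self_pointing_routes` over the `sh run` of each VPN endpoint; both routes the thread identified are reported, while the corrected VRF default route via 40.0.1.1 is not.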