03-14-2017 05:07 AM
Please take a look at the network diagram attached. I am trying to create two VPN connections from roLAI01 and roDAI01 to roDLZ01. I attached all 3 configurations as well.
First, I configured the routers roDLZ01 and roDAI01. The VPN between them works fine and continues to work fine. But I cannot seem to get another VPN connection from roDLZ01 to roLAI01. It stays in MM_NO_STATE all the time:
roDLZ01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
55.55.55.55     44.44.44.44     QM_IDLE           1065    0 ACTIVE
66.66.66.66     44.44.44.44     MM_NO_STATE          0    0 ACTIVE (deleted)

roLAI01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA
The strange thing is, I can see something about this connection to 66.66.66.66 in phase 2 even though phase 1 is not up:
roDLZ01#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: VPN-DAI, local addr 44.44.44.44

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.30.0.0/255.255.255.0/0/0)
   current_peer 55.55.55.55 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 44.44.44.44, remote crypto endpt.: 55.55.55.55
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x2ACF525C(718230108)

     inbound esp sas:
      spi: 0x2966125C(694555228)
        transform: esp-aes 128 esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: FPGA:1, crypto map: VPN-DAI
        sa timing: remaining key lifetime (k/sec): (4525504/2609)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound esp sas:
      spi: 0x2ACF525C(718230108)
        transform: esp-aes 128 esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2009, flow_id: FPGA:1, crypto map: VPN-DAI
        sa timing: remaining key lifetime (k/sec): (4525504/2609)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     local crypto endpt.: 44.44.44.44, remote crypto endpt.: 66.66.66.66
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

   local ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.40.0.0/255.255.255.0/0/0)
   current_peer 66.66.66.66 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 44.44.44.44, remote crypto endpt.: 66.66.66.66
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     local crypto endpt.: 44.44.44.44, remote crypto endpt.: 66.66.66.66
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
Is this normal? And what am I missing, since the connection from roDLZ01 to roLAI01 is not coming up?
I have looked at other solutions with subinterfaces and different crypto maps, but I would need multiple public IPs to realize such a configuration.
Thanks and best regards,
Mario
03-14-2017 09:14 AM
I think I found the problem myself. I forgot to add crypto map VPN-DLZ to the outside interface on roLAI01. I changed so many parameters in the meantime that I don't know if the original configuration will hold up. I will try to streamline the config as far as possible and post a clean config afterwards.
03-14-2017 10:10 AM
Here is just the VPN-related configuration you need to put on a router to terminate multiple VPNs on one router with only 1 public IP:
Router roDLZ01 (in the main office; branch offices connect to this router)
!
! IKEv1 phase 1 policy, shared by both branch peers
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! One pre-shared key per peer address
crypto isakmp key MerBag4PreSiDent address 55.55.55.55
crypto isakmp key MerBag4PreSiDent address 66.66.66.66
!
! IPsec (phase 2) transform set used by both tunnels
crypto ipsec transform-set VPN esp-aes 128 esp-md5-hmac
!
! A single crypto map with one sequence number per branch. IOS allows only one
! crypto map per interface, so both tunnels have to share the map "VPN".
crypto map VPN 1 ipsec-isakmp
 description VPN DAI
 set peer 55.55.55.55
 set transform-set VPN
 match address VPN-DAI
!
crypto map VPN 2 ipsec-isakmp
 description VPN LAI
 set peer 66.66.66.66
 set transform-set VPN
 match address VPN-LAI
!
! Outside interface (the single public IP); the crypto map must be bound here
interface FastEthernet0/0
 ip address 44.44.44.44 255.255.255.0
 crypto map VPN
!
! Inside interface
interface FastEthernet0/1
 ip address 10.20.0.1 255.255.255.0
!
! Interesting traffic: one ACL per branch, mirrored on the branch router
ip access-list extended VPN-DAI
 permit ip 10.20.0.0 0.0.0.255 10.30.0.0 0.0.0.255
ip access-list extended VPN-LAI
 permit ip 10.20.0.0 0.0.0.255 10.40.0.0 0.0.0.255
!
Router roLAI01 (branch office 1)
!
! IKEv1 phase 1 policy, must match the policy on roDLZ01
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Pre-shared key for the main office router
crypto isakmp key MerBag4PreSiDent address 44.44.44.44
!
! IPsec (phase 2) transform set, must match the one on roDLZ01
crypto ipsec transform-set DLZ esp-aes 128 esp-md5-hmac
!
crypto map VPN-DLZ 1 ipsec-isakmp
 description VPN DLZ
 set peer 44.44.44.44
 set transform-set DLZ
 match address VPN-DLZ
!
! Outside interface; this "crypto map" line was the one missing in the first post
interface FastEthernet0/0
 ip address 66.66.66.66 255.255.255.0
 crypto map VPN-DLZ
!
! Inside interface
interface FastEthernet0/1
 ip address 10.40.0.1 255.255.255.0
!
! Interesting traffic: the mirror image of VPN-LAI on roDLZ01
ip access-list extended VPN-DLZ
 permit ip 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255
!
Router roDAI01 (branch office 2)
!
! IKEv1 phase 1 policy, must match the policy on roDLZ01
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Pre-shared key for the main office router
crypto isakmp key MerBag4PreSiDent address 44.44.44.44
!
! IPsec (phase 2) transform set, must match the one on roDLZ01
crypto ipsec transform-set DLZ esp-aes 128 esp-md5-hmac
!
crypto map VPN-DLZ 1 ipsec-isakmp
 description VPN DLZ
 set peer 44.44.44.44
 set transform-set DLZ
 match address VPN-DLZ
!
! Outside interface with the crypto map bound to it
interface FastEthernet0/0
 ip address 55.55.55.55 255.255.255.0
 crypto map VPN-DLZ
!
! Inside interface
interface FastEthernet0/1
 ip address 10.30.0.1 255.255.255.0
!
! Interesting traffic: the mirror image of VPN-DAI on roDLZ01
ip access-list extended VPN-DLZ
 permit ip 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255
!
Hope I can help someone else with this post...
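Added example, not part of the original posts or of any Cisco tool: a small Python checker that applies the lesson of this thread to a Cisco IOS config before it is pasted onto a router. It parses the config the way IOS prints it (subcommands indented by one space), then flags the exact mistake that left roDLZ01/roLAI01 stuck in MM_NO_STATE in the first post (a crypto map that is defined but never applied to an interface), plus dangling references (a "match address" ACL that does not exist, a "set peer" with no matching "crypto isakmp key") and the legacy algorithms in the posted configs (3DES, MD5, DH group 2), which current guidance treats as deprecated for IKEv1/IPsec. The roLAI01 config embedded below is constructed to reproduce the pre-fix state described in the second post; the "hardened" variant assumes the IOS keywords "encr aes 256", "hash sha256", "group 14" and "esp-sha256-hmac", which are available on recent IOS 15.x releases.

```python
"""Static checks for IOS site-to-site IPsec configs (added example, not from the thread).

Parses a config the way IOS prints it (one-space indented subcommands) and reports
a crypto map that is never bound to an interface, dangling ACL/peer references and
legacy algorithms (3DES/DES, MD5, DH groups 1/2/5).
"""
import re
from typing import List, Tuple

# Constructed sample: roLAI01 as it was BEFORE the fix in the second post, i.e. without
# "crypto map VPN-DLZ" under FastEthernet0/0. Everything else matches the posted config.
SPOKE_BROKEN = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key MerBag4PreSiDent address 44.44.44.44
crypto ipsec transform-set DLZ esp-aes 128 esp-md5-hmac
crypto map VPN-DLZ 1 ipsec-isakmp
 set peer 44.44.44.44
 set transform-set DLZ
 match address VPN-DLZ
interface FastEthernet0/0
 ip address 66.66.66.66 255.255.255.0
interface FastEthernet0/1
 ip address 10.40.0.1 255.255.255.0
ip access-list extended VPN-DLZ
 permit ip 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255
"""

# The same config after the poster's fix (crypto map bound to the outside interface).
SPOKE_FIXED = SPOKE_BROKEN.replace(
    " ip address 66.66.66.66 255.255.255.0\n",
    " ip address 66.66.66.66 255.255.255.0\n crypto map VPN-DLZ\n")

# Assumed hardened variant: legacy algorithms swapped for AES-256 / SHA-256 / DH group 14
# (IOS keywords assumed to exist on recent 15.x releases). The checker accepts it.
SPOKE_HARDENED = (SPOKE_FIXED.replace(" encr 3des", " encr aes 256\n hash sha256")
                  .replace(" group 2", " group 14")
                  .replace("esp-md5-hmac", "esp-sha256-hmac"))

# Algorithm keywords that should no longer appear in a new IKEv1/IPsec deployment.
WEAK_RE = re.compile(r"\b(des|3des|md5|group (?:1|2|5))\b")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Return (top-level command, [subcommands]) pairs; IOS indents subcommands by one space."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and "!" separators carry no configuration
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    maps_defined, maps_applied = set(), set()
    acls_defined, acls_used = set(), set()
    peers_keyed, peers_used = set(), set()
    findings: List[str] = []
    for header, subs in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp key ") and "address" in words:
            peers_keyed.add(words[words.index("address") + 1])
        elif header.startswith("crypto map ") and "ipsec-isakmp" in words:
            maps_defined.add(words[2])
            for s in subs:
                if s.startswith("set peer "):
                    peers_used.add(s.split()[2])
                elif s.startswith("match address "):
                    acls_used.add(s.split()[2])
        elif header.startswith("ip access-list "):
            acls_defined.add(words[-1])
        elif header.startswith("interface "):
            for s in subs:
                if s.startswith("crypto map "):
                    maps_applied.add(s.split()[2])
        for line in [header, *subs]:  # legacy-algorithm scan over every line
            for m in WEAK_RE.finditer(line):
                findings.append(f"WEAK: '{m.group(1)}' in '{line}'")
    for name in sorted(maps_defined - maps_applied):
        findings.append(f"crypto map {name} is not applied to any interface (IKE never starts)")
    for name in sorted(acls_used - acls_defined):
        findings.append(f"crypto map matches undefined ACL {name}")
    for peer in sorted(peers_used - peers_keyed):
        findings.append(f"no 'crypto isakmp key ... address {peer}' for peer {peer}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("broken", SPOKE_BROKEN), ("fixed", SPOKE_FIXED), ("hardened", SPOKE_HARDENED)]:
        print(f"== {label} ==")
        for f in audit(cfg) or ["OK"]:
            print("  " + f)
```

Running the script prints the findings for the three variants: the broken spoke reports the unbound crypto map VPN-DLZ together with the three legacy-algorithm lines, the fixed spoke only the three algorithm lines, and the hardened variant nothing. Feeding roDLZ01's config from the post to audit() (with the one-space indentation that IOS prints restored) reports only the three algorithm lines, since its crypto map VPN is bound to FastEthernet0/0.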