06-05-2012 09:52 AM - edited 03-04-2019 04:34 PM
Hi All,
Thanks for a forum like this that has continued to help individuals like me in my career as a network administrator.
I am presently configuring a VPN connection between two of our offices so that we can have data/voice/video connectivity between the two sites. We want users to be able to access the internet, while the VPN tunnel will be mainly for data/voice/video connectivity.
I am using Cisco 1812 for this configuration.
Attached is a 'show running configuration' from the local router. My questions are:
1. Will the configuration shown give me the desired VPN connection as well as give users access to the internet?
2. Is there a way to delegate bandwidth (say 2 Mbps) just for internet use, while the rest of the bandwidth will be for VPN data traffic?
The 'sho run' is pasted below:
Router#sho run
Building configuration...
Current configuration : 2179 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$UOub$z7fLtnBI.El8lsWrFr6v/0
enable password 7 130816011F091639
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip name-server 41.198.x.y
ip name-server 41.198.x.z
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key SeCRetKey address 41.200.t.y (PUBLIC IP ADDRESS OF REMOTE ROUTER FROM ISP)
!
!
crypto ipsec transform-set MY-VPN esp-aes 256 esp-md5-hmac
!
crypto map VPN-LG 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set MY-VPN
match address VPN-TRAFFIC
!
archive
log config
hidekeys
!
!
!
!
!
interface Loopback0
ip address 192.100.100.1 255.255.255.255
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 41.198.X.Y 255.255.255.248 (PUBLIC IP ADDRESS OF LOCAL ROUTER FROM ISP)
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-LG
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.198.T.K (DEFAULT GATEWAY OF ISP)
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet1 overload (NAT FOR INTERNET ACCESS)
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 100 remark EXCLUDED FROM NAT
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
!
!
!
!
!
!
control-plane
!
!
line con 0
password 7 00091215105E1915
login
line aux 0
line vty 0 4
password 7 082C4D5D1D1C1704
login
line vty 5 193
password 7 082C4D5D1D1C1704
login
!
end
Thanks for your help.
Tom
06-22-2012 08:30 AM
Hello Tom,
I'm happy that there has been good progress.
May I ask what changes you made to get the VPN to the UP-ACTIVE state?
It is not clear what made this progress. Did you change some parameter in the configuration?
This is for the sake of clarity. Don't be afraid to tell us if you made a change; we are all here to learn.
The VPN is up but most of the end systems show bad IP connectivity. This is the most difficult scenario.
>> But I discovered that a ping to the internet systems and servers times out (except one server which replies well); I couldn't access any system internally via the VPN.
If there were some PCs or servers with no connectivity, we could think of a wrong default gateway configured on them.
However, I see a clear pattern in the pings of hosts 192.168.0.45 and 192.168.0.80: one reply, one timeout, then a reply, a timeout, and so on.
I would check whether these servers have two default gateways configured and are load balancing over them, with one being the correct gateway and one being a device that is not able to route over the VPN.
On the other hand, your last configuration looks correct, and the fact that the VPN is UP and that you can ping internal to internal between routers indicates that the network devices are well configured.
Hope to help
Giuseppe
06-05-2012 10:16 AM
Hello Tom,
1) It is generally OK; the only error is that the peer address in the crypto map should be the remote site's public IP address, not the remote site's LAN private IP address.
2) You should use QoS for this.
Briefly, you can define a traffic class that includes all traffic between the local public IP address and the remote public IP address, and a default class that would be the internet.
access-list 121 permit ip host local-public host remote-public
!
class-map match-any VPN-TRAFFIC
 match access-group 121
!
policy-map SCHED
 class VPN-TRAFFIC
  bandwidth XX
 class class-default
  fair-queue
!
policy-map OUT-QOS
 class class-default
  shape average <pipe-speed-bps>
  service-policy SCHED
This is hierarchical QoS, with the outer policy map creating a pipe of the shaped speed on the WAN interface. To apply it:
interface fas1
 service-policy output OUT-QOS
However, note that you can control how much bandwidth you use only in the upstream direction, not downstream; that would require cooperation with the ISP.
Hope to help
Giuseppe
06-06-2012 12:21 AM
Thanks Giuseppe,
Your input was very helpful. I will now add the QoS configuration to my router config to see the effect. We will test the tunnel and I will get back to you with the report (I'll post the final config before the live test for your comment).
Thanks once more, you've been very helpful.
Tom
06-05-2012 06:31 PM
Keep in mind that type 7 encryption is not real encryption. When you post a config you should sanitize any line with a type 7 entry. After all, you don't want anyone to know your vty password is "masters".
Sent from Cisco Technical Support iPad App
06-06-2012 12:24 AM
Thanks Jeff.
Your input is well noted. I'll be more careful next time. Meanwhile, this is still a test config; most of the parameters will be changed when going live.
Thanks for pointing out that security blunder.
Tom
06-07-2012 03:06 AM
Hi Giuseppe,
I used the VPN configuration as posted above, but when I did "sho crypto session", I was getting:
Lagos#sho crypto session
Crypto session current status
Interface: FastEthernet1
Session status: DOWN-NEGOTIATING
Peer: XX.1.201.50 port 500
IKE SA: local XX.2.23.9/500 remote XX.198.201.50/500 Inactive
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
What do you think is the issue and how can I solve this?
Thanks and awaiting your response.
Tom
06-07-2012 09:18 AM
Hello Tom,
You should verify that the ISAKMP negotiation can take place.
Check whether you have ACLs applied on both routers; you need to permit UDP port 500 between them, using the public IP addresses, in order to have a successful negotiation.
Hope to help
Giuseppe
06-07-2012 10:01 AM
Hi Giuseppe,
How do I check if ISAKMP negotiation is taking place, aside from "sho crypto session"?
There is one more thing I added to the original config I posted; maybe it is worth pointing out. I added the IP route statements:
ip route 0.0.0.0 0.0.0.0 41.x.y.z
ip route 192.168.1.0 255.255.255.0 41.a.b.c
41.x.y.z is the default gateway given to me by the ISP, while 41.a.b.c is the public IP address of the remote router.
Should the static IP route statement point to the ISP gateway or to the remote router's public IP (external interface IP)?
(i.e. should the second route statement rather be "ip route 192.168.1.0 255.255.255.0 41.x.y.z"?)
Thanks
Tom
06-07-2012 10:14 AM
Hello Tom,
The static route should point to the local next hop 41.x.y.z, not to the remote public IP address; or it can simply point out the interface (use the interface as the next hop).
For troubleshooting ISAKMP negotiation I would suggest you to read the following document:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
You need to enable terminal monitor to see debug output on a telnet or SSH session (if you are on a vty).
Hope to help
Giuseppe
06-14-2012 07:25 AM
Hi Giuseppe,
Thanks for your help.
I have changed the IP route statement to "IP ROUTE 192.168.0.0 255.255.255.0 F1"
Sho crypto session is still giving:
Port#sho crypto session
Crypto session current status
Interface: FastEthernet1
Session status: DOWN-NEGOTIATING
Peer: 41.x.x.x port 500
IKE SA: local 41.x.x.x.50/500 remote 41.x.x.x/500 Inactive
IKE SA: local 41.x.x.x.50/500 remote 41.x.x.x/500 Inactive
IKE SA: local 41.x.x.50/500 remote 41.x.x.x/500 Inactive
IKE SA: local 41.x.x.x.50/500 remote 41.x.x.9/500 Inactive
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
But I can ping the interfaces (both external and internal) of the remote router and I can ping one of the servers in the remote LAN, but I cannot reach the APPLICATION server and I cannot reach any other system in the remote LAN.
Note: these pings were done from the router. If I ping from the system (Windows), I don't receive any reply from the servers, but I get a reply from the external interface of the remote router, not the internal interface.
Any idea what could be the cause?
Thanks
Tom
06-14-2012 08:48 AM
Hello Tom,
First of all, when you want to check IPsec VPN connectivity from the router you should use the extended ping command to specify a source IP address equal to an internal LAN IP address, as explained here:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#topic1
You can ping the remote router public IP address even if the VPN is down.
It is not clear how you can ping a specific server in the remote LAN if the VPN is down; you shouldn't be able to ping any address in the remote LAN, just the public IP address of the remote router should be reachable.
You can see that there are a few Internet Key Exchange security associations that are inactive and 0 IPsec SAs, so the VPN looks stuck in negotiation of IKE phase 1 or 2.
I think it is high time for you to check the configuration on the remote router to look for possible mismatching configuration.
The ACL that defines the traffic to be encrypted has to be mirrored on the remote end router.
So if you have on the local router, for example:
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
(you actually have a named ACL with name VPN-TRAFFIC for this, but the idea about mirroring is the same)
the remote router should have:
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
This is the mirrored version of the ACL to be used on the remote router.
Check also that there is no inbound ACL on the public interface of the remote router; if there is one, it has to allow ISAKMP traffic from the local router (UDP 500) and IPsec traffic (ESP or AH, depending on the transform set in use).
You also need a matching transform set and a matching key associated with the peer address.
If you can retrieve the configuration of the remote router, remove usernames/passwords and mask public IP addresses, you can attach it as a txt file.
Hope to help
Giuseppe
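As an added example (not from the thread or from Cisco), here is a small Python lint that mechanises the checks raised so far: the crypto map peer versus the ISAKMP key address from the first answer, NAT exemption of the VPN traffic, the mirrored crypto ACL from this answer, and the lines Jeff said to sanitize before posting. The two configs are constructed samples modelled on the posted one; their public addresses and type 7 strings are made up.

```python
import re
from ipaddress import IPv4Network

# Constructed sample configs modelled on the thread: LOCAL keeps the posted
# mistake (the LAN address as crypto map peer); REMOTE's crypto ACL is not a
# mirror of the local one. Public addresses and type 7 strings are made up.
LOCAL_CFG = """\
enable password 7 0123456789ABCDEF
crypto isakmp key SeCRetKey address 203.0.113.10
crypto map VPN-LG 10 ipsec-isakmp
 set peer 192.168.1.1
 match address VPN-TRAFFIC
ip nat inside source list 100 interface FastEthernet1 overload
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
"""
REMOTE_CFG = """\
crypto map VPN-RM 10 ipsec-isakmp
 match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 195.168.1.0 0.0.0.255
"""


def _addr(toks, i):
    """Parse one ACE address at toks[i]: 'any', 'host A', or 'A WILDCARD'."""
    if toks[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return IPv4Network(toks[i + 1] + "/32"), i + 2
    return IPv4Network((toks[i], toks[i + 1])), i + 2  # wildcard = hostmask


def acl_entries(cfg, name):
    """[(action, src, dst)] for the named extended ACL or numbered ACL `name`."""
    entries, in_named = [], False
    for raw in cfg.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if raw.startswith("ip access-list extended "):
            in_named = toks[-1] == name
            continue
        if not raw.startswith(" "):
            in_named = False  # any other top-level line ends the named ACL
        if in_named and toks[0] in ("permit", "deny") and toks[1] == "ip":
            action, i = toks[0], 2
        elif toks[:2] == ["access-list", name] and toks[2:4] in (["permit", "ip"], ["deny", "ip"]):
            action, i = toks[2], 4
        else:
            continue
        src, i = _addr(toks, i)
        dst, _ = _addr(toks, i)
        entries.append((action, src, dst))
    return entries


def crypto_acl_name(cfg):
    m = re.search(r"^\s*match address (\S+)", cfg, re.M)
    return m.group(1) if m else None


def check_peer(cfg):
    """Point 1 of the first answer: peer must be the remote PUBLIC address and have a key bound to it."""
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M))
    problems = []
    for peer in re.findall(r"^\s*set peer (\S+)", cfg, re.M):
        if IPv4Network(peer + "/32").is_private:
            problems.append(f"peer {peer} is a private (LAN) address")
        if peer not in keyed:
            problems.append(f"no 'crypto isakmp key ... address {peer}'")
    return problems


def check_nat_exemption(cfg):
    """VPN traffic must hit a 'deny' in the NAT ACL first, or it is translated and never encrypted."""
    m = re.search(r"^ip nat inside source list (\S+)", cfg, re.M)
    nat = acl_entries(cfg, m.group(1)) if m else []
    problems = []
    for _, src, dst in acl_entries(cfg, crypto_acl_name(cfg)):
        first = next((a for a, s, d in nat
                      if src.subnet_of(s) and dst.subnet_of(d)), "permit")
        if first != "deny":
            problems.append(f"{src} -> {dst} is NATed (first NAT ACL match: {first})")
    return problems


def check_mirror(local_cfg, remote_cfg):
    """The remote crypto ACL must be the exact mirror (src/dst swapped) of the local one."""
    def permits(cfg):
        return {(s, d) for a, s, d in acl_entries(cfg, crypto_acl_name(cfg))
                if a == "permit"}
    remote_mirrored = {(d, s) for s, d in permits(remote_cfg)}
    return [f"local {s} -> {d} has no mirror on remote"
            for s, d in permits(local_cfg) - remote_mirrored]


def lines_to_redact(cfg):
    """Jeff's point: type 7 strings are reversible; redact them and the pre-shared key before posting."""
    pat = re.compile(r"password 7 |enable secret|crypto isakmp key")
    return [l.strip() for l in cfg.splitlines() if pat.search(l)]
```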
06-18-2012 06:30 AM
Hi Giuseppe,
Thanks so much.
I have checked the config against the mirror; everything looks OK. There is no access list applied on the interfaces.
Below is the debug result from the router:
Crypto ISAKMP debugging is on
PortHar#
*Jun 18 12:11:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:11:08.247: ISAKMP (0:0): incrementing error counter on sa, attempt 3
of 5: retransmit phase 1
*Jun 18 12:11:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:11:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:11:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:11:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:11:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request
to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:11:08.247: ISAKMP: Error while processing SA request: Failed to initi
alize SA
*Jun 18 12:11:08.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:11:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:11:18.247: ISAKMP (0:0): incrementing error counter on sa, attempt 4
of 5: retransmit phase 1
*Jun 18 12:11:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:11:18.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:11:18.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:11:26.247: ISAKMP:(0):purging node -716168354
*Jun 18 12:11:26.247: ISAKMP:(0):purging node 429942114
*Jun 18 12:11:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:11:28.247: ISAKMP (0:0): incrementing error counter on sa, attempt 5
of 5: retransmit phase 1
*Jun 18 12:11:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:11:28.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:11:28.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:11:36.247: ISAKMP:(0):purging SA., sa=8459C878, delme=8459C878
*Jun 18 12:11:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:11:38.247: ISAKMP:(0):SA is still budding. Attached new ipsec request
to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:11:38.247: ISAKMP: Error while processing SA request: Failed to initi
alize SA
*Jun 18 12:11:38.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:11:38.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:11:38.247: ISAKMP:(0):peer does not do paranoid keepalives.
*Jun 18 12:11:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
state (I) MM_NO_STATE (peer 41.211.203.79)
*Jun 18 12:11:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:11:38.247: ISAKMP: Unlocking peer struct 0x841E0E9C for isadb_mark_sa
_deleted(), count 0
*Jun 18 12:11:38.247: ISAKMP: Deleting peer node by peer_reap for 41.21.20.79:
841E0E9C
*Jun 18 12:11:38.247: ISAKMP:(0):deleting node 1868246545 error FALSE reason "IK
E deleted"
*Jun 18 12:11:38.247: ISAKMP:(0):deleting node -1397591442 error FALSE reason "I
KE deleted"
*Jun 18 12:11:38.247: ISAKMP:(0):deleting node 1621370039 error FALSE reason "IK
E deleted"
*Jun 18 12:11:38.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 18 12:11:38.247: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Jun 18 12:12:08.247: ISAKMP:(0): SA request profile is (NULL)
*Jun 18 12:12:08.247: ISAKMP: Created a peer struct for 41.211.203.79, peer port
500
*Jun 18 12:12:08.247: ISAKMP: New peer created peer = 0x841E0E9C peer_handle = 0
x80000063
*Jun 18 12:12:08.247: ISAKMP: Locking peer struct 0x841E0E9C, refcount 1 for isa
kmp_initiator
*Jun 18 12:12:08.247: ISAKMP: local port 500, remote port 500
*Jun 18 12:12:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:12:08.247: ISAKMP: Find a dup sa in the avl tree during calling isadb
_insert sa = 84B624B4
*Jun 18 12:12:08.247: ISAKMP:(0):Can not start Aggressive mode, trying Main mode
.
*Jun 18 12:12:08.247: ISAKMP:(0):found peer pre-shared key matching 41.21.20.7
9
*Jun 18 12:12:08.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 18 12:12:08.247: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 18 12:12:08.247: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 18 12:12:08.247: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 18 12:12:08.247: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 18 12:12:08.247: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 18 12:12:08.247: ISAKMP:(0): beginning Main Mode exchange
*Jun 18 12:12:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:12:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:18.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:18.251: ISAKMP (0:0): incrementing error counter on sa, attempt 1
of 5: retransmit phase 1
*Jun 18 12:12:18.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:18.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:12:18.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:28.247: ISAKMP:(0):purging node 1868246545
*Jun 18 12:12:28.247: ISAKMP:(0):purging node -1397591442
*Jun 18 12:12:28.247: ISAKMP:(0):purging node 1621370039
*Jun 18 12:12:28.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:28.251: ISAKMP (0:0): incrementing error counter on sa, attempt 2
of 5: retransmit phase 1
*Jun 18 12:12:28.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:28.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:12:28.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:38.247: ISAKMP:(0):purging SA., sa=84B61D28, delme=84B61D28
*Jun 18 12:12:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:12:38.247: ISAKMP:(0):SA is still budding. Attached new ipsec request
to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:12:38.247: ISAKMP: Error while processing SA request: Failed to initi
alize SA
*Jun 18 12:12:38.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:12:38.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:38.251: ISAKMP (0:0): incrementing error counter on sa, attempt 3
of 5: retransmit phase 1
*Jun 18 12:12:38.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:38.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:12:38.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:48.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:48.251: ISAKMP (0:0): incrementing error counter on sa, attempt 4
of 5: retransmit phase 1
*Jun 18 12:12:48.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:48.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:12:48.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:58.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:58.251: ISAKMP (0:0): incrementing error counter on sa, attempt 5
of 5: retransmit phase 1
*Jun 18 12:12:58.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:58.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:12:58.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:13:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:13:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request
to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:13:08.247: ISAKMP: Error while processing SA request: Failed to initi
alize SA
*Jun 18 12:13:08.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:13:08.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:13:08.251: ISAKMP:(0):peer does not do paranoid keepalives.
*Jun 18 12:13:08.251: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:13:08.251: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:13:08.251: ISAKMP: Unlocking peer struct 0x841E0E9C for isadb_mark_sa
_deleted(), count 0
*Jun 18 12:13:08.251: ISAKMP: Deleting peer node by peer_reap for 41.211.203.79:
841E0E9C
*Jun 18 12:13:08.251: ISAKMP:(0):deleting node 118781290 error FALSE reason "IKE
deleted"
*Jun 18 12:13:08.251: ISAKMP:(0):deleting node 311310705 error FALSE reason "IKE
deleted"
*Jun 18 12:13:08.251: ISAKMP:(0):deleting node 1388080404 error FALSE reason "IK
E deleted"
*Jun 18 12:13:08.251: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 18 12:13:08.251: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Jun 18 12:13:38.247: ISAKMP:(0): SA request profile is (NULL)
*Jun 18 12:13:38.247: ISAKMP: Created a peer struct for 41.21.20.79, peer port
500
*Jun 18 12:13:38.247: ISAKMP: New peer created peer = 0x841E0E9C peer_handle = 0
x80000064
*Jun 18 12:13:38.247: ISAKMP: Locking peer struct 0x841E0E9C, refcount 1 for isa
kmp_initiator
*Jun 18 12:13:38.247: ISAKMP: local port 500, remote port 500
*Jun 18 12:13:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:13:38.247: ISAKMP: Find a dup sa in the avl tree during calling isadb
_insert sa = 8459C878
*Jun 18 12:13:38.247: ISAKMP:(0):Can not start Aggressive mode, trying Main mode
.
*Jun 18 12:13:38.247: ISAKMP:(0):found peer pre-shared key matching 41.21.20.7
9
*Jun 18 12:13:38.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 18 12:13:38.247: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 18 12:13:38.247: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 18 12:13:38.247: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 18 12:13:38.247: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 18 12:13:38.247: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 18 12:13:38.247: ISAKMP:(0): beginning Main Mode exchange
*Jun 18 12:13:38.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:13:38.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:13:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:13:48.247: ISAKMP (0:0): incrementing error counter on sa, attempt 1
of 5: retransmit phase 1
*Jun 18 12:13:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:13:48.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:13:48.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:13:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:13:58.247: ISAKMP (0:0): incrementing error counter on sa, attempt 2
of 5: retransmit phase 1
*Jun 18 12:13:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:13:58.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:13:58.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:13:58.251: ISAKMP:(0):purging node 118781290
*Jun 18 12:13:58.251: ISAKMP:(0):purging node 311310705
*Jun 18 12:13:58.251: ISAKMP:(0):purging node 1388080404
*Jun 18 12:14:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:08.247: ISAKMP (0:0): incrementing error counter on sa, attempt 3
of 5: retransmit phase 1
*Jun 18 12:14:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:14:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:14:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request
to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:14:08.247: ISAKMP: Error while processing SA request: Failed to initi
alize SA
*Jun 18 12:14:08.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:14:08.251: ISAKMP:(0):purging SA., sa=84B624B4, delme=84B624B4
*Jun 18 12:14:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:18.247: ISAKMP (0:0): incrementing error counter on sa, attempt 4
of 5: retransmit phase 1
*Jun 18 12:14:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:18.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:14:18.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:28.247: ISAKMP (0:0): incrementing error counter on sa, attempt 5
of 5: retransmit phase 1
*Jun 18 12:14:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:28.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:14:28.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:38.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:38.247: ISAKMP:(0):peer does not do paranoid keepalives.
*Jun 18 12:14:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:14:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:14:38.247: ISAKMP: Unlocking peer struct 0x841E0E9C for isadb_mark_sa
_deleted(), count 0
*Jun 18 12:14:38.247: ISAKMP: Deleting peer node by peer_reap for 41.21.20.79:
841E0E9C
*Jun 18 12:14:38.247: ISAKMP:(0):deleting node 669952754 error FALSE reason "IKE
deleted"
*Jun 18 12:14:38.247: ISAKMP:(0):deleting node 1327947477 error FALSE reason "IK
E deleted"
*Jun 18 12:14:38.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 18 12:14:38.247: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Jun 18 12:14:38.247: ISAKMP:(0): SA request profile is (NULL)
*Jun 18 12:14:38.247: ISAKMP: Created a peer struct for 41.211.203.79, peer port
500
*Jun 18 12:14:38.247: ISAKMP: New peer created peer = 0x841E0E9C peer_handle = 0
x80000065
*Jun 18 12:14:38.247: ISAKMP: Locking peer struct 0x841E0E9C, refcount 1 for isa
kmp_initiator
*Jun 18 12:14:38.247: ISAKMP: local port 500, remote port 500
*Jun 18 12:14:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:14:38.247: ISAKMP: Find a dup sa in the avl tree during calling isadb
_insert sa = 84B61D28
*Jun 18 12:14:38.247: ISAKMP:(0):Can not start Aggressive mode, trying Main mode
.
*Jun 18 12:14:38.247: ISAKMP:(0):found peer pre-shared key matching 41.21.20.7
9
*Jun 18 12:14:38.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 18 12:14:38.247: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 18 12:14:38.247: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 18 12:14:38.247: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 18 12:14:38.247: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 18 12:14:38.247: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 18 12:14:38.247: ISAKMP:(0): beginning Main Mode exchange
*Jun 18 12:14:38.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:14:38.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:48.247: ISAKMP (0:0): incrementing error counter on sa, attempt 1
of 5: retransmit phase 1
*Jun 18 12:14:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:48.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:14:48.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:58.247: ISAKMP (0:0): incrementing error counter on sa, attempt 2
of 5: retransmit phase 1
*Jun 18 12:14:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:58.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:14:58.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:08.247: ISAKMP (0:0): incrementing error counter on sa, attempt 3
of 5: retransmit phase 1
*Jun 18 12:15:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:15:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:15:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request
to it. (local 41.211.230.2, remote 41.21.20.79)
*Jun 18 12:15:08.247: ISAKMP: Error while processing SA request: Failed to initi
alize SA
*Jun 18 12:15:08.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:15:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:18.247: ISAKMP (0:0): incrementing error counter on sa, attempt 4
of 5: retransmit phase 1
*Jun 18 12:15:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:18.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:15:18.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:28.247: ISAKMP:(0):purging node 669952754
*Jun 18 12:15:28.247: ISAKMP:(0):purging node 1327947477
*Jun 18 12:15:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:28.247: ISAKMP (0:0): incrementing error counter on sa, attempt 5
of 5: retransmit phase 1
*Jun 18 12:15:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:28.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe
er_port 500 (I) MM_NO_STATE
*Jun 18 12:15:28.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:38.247: ISAKMP:(0):purging SA., sa=8459C878, delme=8459C878
*Jun 18 12:15:38.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:38.247: ISAKMP:(0):peer does not do paranoid keepalives.
*Jun 18 12:15:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:15:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:15:38.247: ISAKMP: Unlocking peer struct 0x841E0E9C for isadb_mark_sa
_deleted(), count 0
*Jun 18 12:15:38.247: ISAKMP: Deleting peer node by peer_reap for 41.211.203.79:
841E0E9C
*Jun 18 12:15:38.247: ISAKMP:(0):deleting node -461856763 error FALSE reason "IK
E deleted"
*Jun 18 12:15:38.247: ISAKMP:(0):deleting node -802791679 error FALSE reason "IK
E deleted"
*Jun 18 12:15:38.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 18 12:15:38.247: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Jun 18 12:15:38.247: ISAKMP:(0): SA request profile is (NULL)
*Jun 18 12:15:38.247: ISAKMP: Created a peer struct for 41.21.20.79, peer port 500
*Jun 18 12:15:38.247: ISAKMP: New peer created peer = 0x841E0E9C peer_handle = 0x80000066
*Jun 18 12:15:38.247: ISAKMP: Locking peer struct 0x841E0E9C, refcount 1 for isakmp_initiator
*Jun 18 12:15:38.247: ISAKMP: local port 500, remote port 500
*Jun 18 12:15:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:15:38.247: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8459C878
*Jun 18 12:15:38.247: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 18 12:15:38.247: ISAKMP:(0):found peer pre-shared key matching 41.21.20.79
*Jun 18 12:15:38.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 18 12:15:38.247: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 18 12:15:38.247: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 18 12:15:38.247: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 18 12:15:38.247: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 18 12:15:38.247: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jun 18 12:15:38.247: ISAKMP:(0): beginning Main Mode exchange
*Jun 18 12:15:38.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:38.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:48.247: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 18 12:15:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:48.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:48.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:58.247: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 18 12:15:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:58.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:58.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
PortHarcourt#
*Jun 18 12:16:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:16:08.247: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 18 12:16:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:16:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:16:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:16:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:16:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:16:08.247: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jun 18 12:16:08.247: ISAKMP: Error while processing KMI message 0, error 2.
PortHarcourt#undebug a
*Jun 18 12:16:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:16:18.247: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 18 12:16:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:16:18.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:16:18.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
Also the SDM test tunnel shows this:
1) Ensure that the peer device is configured properly. Generate the mirror configuration from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer configuration. 2) A firewall in the network or peer device may be blocking the VPN traffic. Contact the ISP or administrator to resolve this issue.
But there is no firewall configured.
Do I need to separately configure a tunnel IP address? I am not using GRE over IPsec but a site-to-site VPN configuration. Is there an alternate config I can try?
Can you please read the debug result and interpret it?
Thanks
Tom
06-18-2012 09:52 AM
Hello Tom,
if you are using IPSec and not GRE over IPSec on both sides you are fine.
I don't think that moving to GRE over IPSec can provide you better results.
About your debug output: we see that the local node sends and retransmits IKE messages to the other peer, but my understanding is that the remote peer is not answering. So over time the local node creates a new IKE SA, attempts to reach the remote peer, makes some (5) retransmission attempts and ends with deleting the current IKE SA.
And then everything repeats.
The most meaningful lines are those like:
*Jun 18 12:15:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
state (I) MM_NO_STATE (peer 41.21.20.79)
So the question may be: is the remote peer really configured for ISAKMP?
If yes, as you have checked the configuration on the remote side,
another possible question is whether the ISP allows ISAKMP (UDP 500) over its network.
The ISP may be located in a country that has imposed some security constraints on the internet service.
You should collect the same debug output at the remote router to see if the behaviour is the same.
If it is the same, and you see only the messages sent by the local node in the output, you may want to contact the ISP to have them provide you feedback on this.
Hope to help
Giuseppe
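An added example, not code from the thread or from Cisco: a small Python analyser that reads "debug crypto isakmp" lines like Tom's and summarises, per peer, what Giuseppe read by hand (packets sent, nothing received, retransmit attempts climbing, then "Death by retransmission P1"). The regexes follow the message formats visible in the thread; the "received packet from" pattern for a replying peer is assumed from typical IOS output, and the sample lines are constructed for the example.

```python
import re

# Constructed sample of IOS "debug crypto isakmp" output, modelled on the thread's debug
# for peer 41.21.20.79; these lines are made up for the example, not pasted from the post.
SAMPLE_DEBUG = """\
*Jun 18 12:15:38.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:48.247: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 18 12:15:48.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:58.247: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 18 12:16:28.247: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 18 12:16:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.21.20.79)
"""
SEND_RE = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \([IR]\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+)")   # assumed format of a reply from the peer
RETRANS_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
DEATH_RE = re.compile(r'deleting SA reason "Death by retransmission P1" state \(\w\) (\w+) \(peer (\S+)\)')

def analyse_isakmp_debug(text):
    """Per peer: packets sent/received, highest phase-1 retransmit attempt, last IKE state
    seen and whether the SA was deleted for death by retransmission."""
    peers, last_peer = {}, None
    def entry(ip):
        return peers.setdefault(ip, {"sent": 0, "received": 0, "retransmits": 0,
                                     "last_state": None, "dead": False})
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            last_peer = m.group(1)
            entry(last_peer)["sent"] += 1
            entry(last_peer)["last_state"] = m.group(2)
        elif m := RECV_RE.search(line):
            entry(m.group(1))["received"] += 1
        elif (m := RETRANS_RE.search(line)) and last_peer:
            # retransmit lines name no peer; attribute them to the peer last sent to
            e = entry(last_peer); e["retransmits"] = max(e["retransmits"], int(m.group(1)))
        elif m := DEATH_RE.search(line):
            entry(m.group(2)).update(dead=True, last_state=m.group(1))
    return peers

def diagnose(peers):
    """Turn the per-peer summary into the conclusion Giuseppe drew by hand from the debug."""
    verdicts = {}
    for ip, e in peers.items():
        if e["received"] == 0 and e["dead"] and e["last_state"] == "MM_NO_STATE":
            verdicts[ip] = "no IKE reply at all: verify peer ISAKMP config and that UDP/500 reaches it"
        elif e["received"] == 0 and e["retransmits"]:
            verdicts[ip] = "retransmitting phase 1, no reply yet"
        else:
            verdicts[ip] = "phase 1 progressing"
    return verdicts
```

Run the same analyser on the remote router's debug, as Giuseppe suggests: if both sides show only sent packets and zero received, the path between them (not the crypto config) is the first suspect.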
06-20-2012 02:53 AM
Hi Giuseppe,
You have really been very helpful and I believe I am almost there.
The VPN is up. When I did 'sho crypto session', I got:
Interface: FastEthernet1
Session status: UP-ACTIVE
Peer: 41.2.2.2 port 500
IKE SA: local 41.3.3.3/500 remote 41.2.2.2/500 Active
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
Also I can ping the LAN interfaces of the routers for both end.
But I discovered that a ping to the internet systems and servers times out (except one server which replies well), I couldn't access any system internally via the vpn.
What could be the cause and how should I tackle it? Could it be issues with MTU, or are there further fine-tuning configs to add for the tunnel to permit data access? The sho run is included below. Also included is a screenshot of a ping test (ping result from Windows, not from the router). 192.168.0.1 is the local router, 192.168.1.1 is the remote router, while 192.168.1.227 is a remote system. The second screenshot is taken from the remote end: the internal systems and servers are the ones timing out, but the routers are replying well and can be logged into from the remote site.
Router#sho run
Building configuration...
Current configuration : 4029 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3885639516
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3885639516
revocation-check none
rsakeypair TP-self-signed-3885639516
!
!
dot11 syslog
!
!
ip cef
!
!
ip name-server x.x.x.x
ip name-server x.x.x.x
!
multilink bundle-name authenticated
!
!
username jjjj privilege 15 password vvvvvv
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address x.x.x.x
!
!
crypto ipsec transform-set ME esp-aes esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer x.x.x.x
set transform-set ME
match address VPN-TRAFFIC
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
no ip address
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address t.t.t.t 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 t.t.t.t
ip route 192.168.1.0 255.255.255.0 FastEthernet1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map LAT interface FastEthernet1 overload
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 100 remark EXCLUDE NAT
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
!
!
!
route-map LAT permit 1
match ip address 100
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password kkkkkkkkkkk
login local
transport input telnet ssh
line vty 5 193
privilege level 15
password kkkkkkkkkk
login local
transport input telnet ssh
!
end
Thanks
Tom
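An added example, not Tom's or Giuseppe's code, that mechanises the one check this configuration most depends on: every flow the crypto ACL VPN-TRAFFIC selects must hit a deny in ACL 100 (the route-map LAT ACL) before any permit, otherwise it is translated to the outside address and never enters the tunnel. The config excerpt is constructed from the posted 'sho run'; ACL names are passed in rather than discovered, and only plain 'ip' ACEs are parsed.

```python
import ipaddress
# Constructed excerpt of the second "sho run" in the thread, trimmed to the ACLs
# that the check reads; ACL names are passed in rather than discovered.
SAMPLE_CONFIG = """\
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 remark EXCLUDE NAT
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
"""
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' as (address, wildcard)

def _addr(tok):
    """Pop one ACE address spec from tok: any | host A | A WILDCARD -> (addr, wildcard)."""
    t = tok.pop(0)
    if t == "any": return ANY
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse_acls(config):
    """Map ACL name/number -> ordered list of (action, src, dst) for 'ip' ACEs."""
    acls, current = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = tok[3]; acls.setdefault(current, []); continue
        if tok[:1] == ["access-list"] and len(tok) > 3 and tok[2] in ("permit", "deny"):
            name, tok = tok[1], tok[2:]        # numbered ACL: access-list 100 deny ip ...
        elif tok and tok[0] in ("permit", "deny") and current:
            name = current                      # ACE inside a named extended ACL
        else:
            continue                            # remarks and unrelated config lines
        if len(tok) > 1 and tok[1] == "ip":
            action, rest = tok[0], tok[2:]
            acls.setdefault(name, []).append((action, _addr(rest), _addr(rest)))
    return acls

def _covers(spec, net):
    """True when ACE spec (addr, wildcard) matches every address of net (addr, wildcard)."""
    a, w, n, nw = (int(ipaddress.IPv4Address(x)) for x in (*spec, *net))
    return (nw | w) == w and (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def nat_exemption_gaps(config, crypto_acl, nat_acl):
    """Crypto-ACL permit flows whose first match in the NAT ACL is a permit: such
    traffic is translated to the outside address and never enters the tunnel."""
    acls, gaps = parse_acls(config), []
    for action, src, dst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        first = next(((a, s, d) for a, s, d in acls.get(nat_acl, [])
                      if _covers(s, src) and _covers(d, dst)), None)
        if first is not None and first[0] == "permit":
            gaps.append((src, dst))
    return gaps
```

An empty result means the NAT exemption mirrors the crypto ACL, which is consistent with Giuseppe's reading that the routers themselves are configured correctly.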
06-22-2012 08:30 AM
Hello Tom,
I'm happy that there has been good progress.
May I ask you what changes you did to get the VPN UP-ACTIVE state?
Because it is not clear what made this progress. Did you change some parameter in the configuration?
This is for the sake of clarity. Don't be afraid to tell us if you made a change; we are all here to learn.
The VPN is up but most of the end systems show bad IP connectivity. This is the most difficult scenario.
>> But I discovered that a ping to the internet systems and servers times out (except one server which replies well), I couldn't access any system internally via the vpn.
If there were some PCs or servers with no connectivity we could think of a wrong default gateway configured on them.
However, I see a clear pattern in the pings of hosts 192.168.0.45 and 192.168.0.80: one reply, one timeout, then a reply, a timeout, and so on.
I would check if these servers have two default gateways configured and are load balancing over them, with one being the correct gateway and one being a device that is not able to route over the VPN.
On the other hand, your last configuration looks correct, and the fact that the VPN is UP and that you can ping internal to internal between routers means that the network devices are well configured.
Hope to help
Giuseppe