03-24-2020 04:24 PM - edited 03-24-2020 04:25 PM
There is NO ASA in this config.
I have a network with the HQ router being a 3925 on IOS 15.7, and it has a DMVPN configured and working to connect to my customers on an as-needed basis. I want to set up a remote worker for my company, and they have a 1921 running IOS 15.7. I am trying to use a site-to-site VPN for this. We will also be setting up site-to-site VPNs for some of our customers for their employees to work remotely, including VoIP phones.
First question, can a DMVPN and a site-to-site VPN exist on the same router?
Our customers will rarely be connected to our DMVPN as it is only for us to support their VoIP system. ALL routers will be Cisco 2900 or 3900 series. I would hate to make them drop any site-to-site connections to their employees while we needed to make a change to their CME config. WE WILL NOT have access to their networks or their remote users in any way and we don’t want any.
Below are my configs for both our HQ router and our HOME employee router and some test results.
We have the DMVPN working perfectly! Connection to a test customer is working.
We cannot get communication between the HQ and the HOME router.
It looks like the HQ router show crypto map does not show the 192.168.50.0 network but it is in the config.
Both HQ and Home routers can ping the internet 4.2.2.2
What am I missing to get this working?
Once it is working, is the site-to-site VPN encrypted? It does not look like it is, but the DMVPN does.
HQ ROUTER
crypto isakmp policy 100
encr aes 256
hash sha512
authentication pre-share
group 16
lifetime 3600
crypto isakmp key abc123def address 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto dynamic-map DYNAMIC_CORP_VPN 10
set security-association lifetime seconds 86400
set transform-set PSE_SUPPORT-TSET
match address ACL_VPN_CORP_TO_BRANCH
!
crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP 1 ipsec-isakmp dynamic DYNAMIC_CORP_VPN
!
crypto ipsec transform-set PSE_SUPPORT-TSET esp-aes esp-sha512-hmac
mode tunnel
!
crypto ipsec profile PSE_SUPPORT-IPSEC
set security-association lifetime seconds 86400
set transform-set PSE_SUPPORT-TSET
!
interface GigabitEthernet0/0.110
ip address 10.110.0.1 255.255.255.0
interface GigabitEthernet0/0.50
ip address 192.168.50.1 255.255.255.0
interface GigabitEthernet0/0.69
ip address 192.168.69.1 255.255.255.0
interface GigabitEthernet0/0.169
ip address 192.168.169.1 255.255.255.0
!
interface GigabitEthernet0/2
ip address 1.4.2.8 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP
!
ip nat inside source list 151 interface GigabitEthernet0/2 overload
!
ip route 0.0.0.0 0.0.0.0 1.4.2.7
!
ip access-list extended ACL_VPN_CORP_TO_BRANCH
permit ip 192.168.50.0 0.0.0.255 172.31.0.0 0.0.0.7
permit ip 192.168.69.0 0.0.0.255 172.31.0.0 0.0.0.7
permit ip 10.110.0.0 0.0.0.255 172.31.0.0 0.0.0.7
deny ip any any
!
access-list 151 permit ip 10.0.0.0 0.255.255.255 any
access-list 151 permit ip 172.16.0.0 0.15.255.255 any
access-list 151 permit ip 192.168.0.0 0.0.255.255 any
!
HOME ROUTER
!
ip dhcp excluded-address 172.31.0.1 172.31.0.4
!
ip dhcp pool Remote_Users
network 172.31.0.0 255.255.255.248
default-router 172.31.0.1
option 150 ip 10.110.0.1
dns-server 172.31.0.1
domain-name thedurhamcorporation.com
lease 0 12
!
crypto isakmp policy 100
encr aes 256
hash sha512
authentication pre-share
group 16
lifetime 3600
crypto isakmp key 6 abc123def address 1.4.2.8
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set PSE_SUPPORT-TSET esp-aes esp-sha512-hmac
mode tunnel
!
crypto map BRANCH_TO_CORP_VPN 10 ipsec-isakmp
set peer 1.4.2.8
set transform-set PSE_SUPPORT-TSET
match address ACL_VPN_BRANCH_TO_CORP
!
interface GigabitEthernet0/0
description Internet Access Port
ip address 2.1.1.3 255.255.255.224
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map BRANCH_TO_CORP_VPN
!
interface GigabitEthernet0/1
ip address 172.31.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat inside source list 151 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 2.1.1.1
!
ip access-list extended ACL_VPN_BRANCH_TO_CORP
permit ip 172.31.0.0 0.0.0.7 192.168.50.0 0.0.0.255
permit ip 172.31.0.0 0.0.0.7 192.168.69.0 0.0.0.255
permit ip 172.31.0.0 0.0.0.7 10.110.0.0 0.0.0.255
deny ip any any
!
access-list 151 remark Block NAT Service to VPN
access-list 151 deny ip 172.31.0.0 0.0.0.7 192.168.50.0 0.0.0.255
access-list 151 deny ip 172.31.0.0 0.0.0.7 192.168.69.0 0.0.0.255
access-list 151 deny ip 172.31.0.0 0.0.0.7 10.110.0.0 0.0.0.255
access-list 151 permit ip 172.31.0.0 0.0.0.7 any
!
HQ ROUTER
show crypto isakmp policy
Global IKE policy
Protection suite of priority 100
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard 2 (512 bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #16 (4096 bit)
lifetime: 3600 seconds, no volume limit
HOME ROUTER
show crypto isakmp policy
Global IKE policy
Protection suite of priority 100
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard 2 (512 bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #16 (4096 bit)
lifetime: 3600 seconds, no volume limit
HQ ROUTER
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set PSE_SUPPORT-TSET: { esp-aes esp-sha512-hmac }
will negotiate = { Tunnel, },
HOME ROUTER
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set PSE_SUPPORT-TSET: { esp-aes esp-sha512-hmac }
will negotiate = { Tunnel, },
HQ ROUTER * Network 192.168.50.0 is missing below
show crypto map
Crypto Map IPv4 "CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP" 1 ipsec-isakmp
Dynamic map template tag: DYNAMIC_CORP_VPN
Crypto Map IPv4 "CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP" 65536 ipsec-isakmp
Peer = 2.1.1.3
Extended IP access list
access-list permit ip 10.110.0.0 0.0.0.255 172.31.0.0 0.0.0.7
Current peer: 2.1.1.3
dynamic (created from dynamic map DYNAMIC_CORP_VPN/10)
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
PSE_SUPPORT-TSET: { esp-aes esp-sha512-hmac } ,
}
Crypto Map IPv4 "CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP" 65537 ipsec-isakmp
Peer = 2.1.1.3
Extended IP access list
access-list permit ip 192.168.69.0 0.0.0.255 172.31.0.0 0.0.0.7
Current peer: 2.1.1.3
dynamic (created from dynamic map DYNAMIC_CORP_VPN/10)
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
PSE_SUPPORT-TSET: { esp-aes esp-sha512-hmac } ,
}
Crypto Map IPv4 "CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP" 65538 ipsec-isakmp
Peer = 2.1.1.3
Extended IP access list
access-list permit ip 192.168.50.0 0.0.0.255 172.31.0.0 0.0.0.7
Current peer: 2.1.1.3
dynamic (created from dynamic map DYNAMIC_CORP_VPN/10)
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
PSE_SUPPORT-TSET: { esp-aes esp-sha512-hmac } ,
}
Interfaces using crypto map CONVERTED_DYNAMIC-MAP_TO_STATIC-MAP:
GigabitEthernet0/2
Interfaces using crypto map NiStTeSt1:
Crypto Map IPv4 "Tunnel0-head-0" 65536 ipsec-isakmp *DMVPN Tunnel
Profile name: PSE_SUPPORT-IPSEC
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
PSE_SUPPORT-TSET: { esp-aes esp-sha512-hmac } ,
}
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 192.168.69.252
Extended IP access list
access-list permit gre host 1.4.2.8 host 192.168.69.252
Current peer: 192.168.69.252
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
PSE_SUPPORT-TSET: { esp-aes esp-sha512-hmac } ,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
HOME ROUTER
show crypto map
Crypto Map IPv4 "BRANCH_TO_CORP_VPN" 10 ipsec-isakmp
Peer = 1.4.2.8
Extended IP access list ACL_VPN_BRANCH_TO_CORP
access-list ACL_VPN_BRANCH_TO_CORP permit ip 172.31.0.0 0.0.0.7 192.168.50.0 0.0.0.255
access-list ACL_VPN_BRANCH_TO_CORP permit ip 172.31.0.0 0.0.0.7 192.168.69.0 0.0.0.255
access-list ACL_VPN_BRANCH_TO_CORP permit ip 172.31.0.0 0.0.0.7 10.110.0.0 0.0.0.255
access-list ACL_VPN_BRANCH_TO_CORP deny ip any any
Current peer: 1.4.2.8
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
PSE_SUPPORT-TSET: { esp-aes esp-sha512-hmac } ,
}
Interfaces using crypto map BRANCH_TO_CORP_VPN:
GigabitEthernet0/0
HQ ROUTER
ping 172.31.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
U...U
HOME ROUTER
ping 192.168.69.1 source 172.31.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.69.1, timeout is 2 seconds:
Packet sent with a source address of 172.31.0.1
.....
Success rate is 0 percent (0/5)
ping 4.2.2.2 source 172.31.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms
HQ ROUTER
show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1139 IPsec AES+SHA512 0 143 143 12.4.2.8
1140 IPsec AES+SHA512 143 0 0 1.4.2.8
1161 IPsec AES+SHA512 0 102 102 1.4.2.8
1162 IPsec AES+SHA512 0 0 0 1.4.2.8
1163 IPsec AES+SHA512 0 4 4 1.4.2.8
1164 IPsec AES+SHA512 0 0 0 1.4.2.8
11086 IKE SHA512+AES256 0 0 0 1.4.2.8
11087 IKE SHA512+AES256 0 0 0 1.4.2.8
11088 IKE SHA512+AES256 0 0 0 1.4.2.8
HOME ROUTER
show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1042 IKE SHA512+AES256 0 0 0 2.1.1.3
2055 IPsec AES+SHA512 0 0 0 2.1.1.3
2056 IPsec AES+SHA512 91 0 0 2.1.1.3
2057 IPsec AES+SHA512 0 0 0 2.1.1.3
2058 IPsec AES+SHA512 4 0 0 2.1.1.3
HQ ROUTER
show crypto session detail
Crypto session current status
Interface: Tunnel0 * DMVPN VPN tunnel
Uptime: 3d05h
Session status: UP-ACTIVE
Peer: 192.168.69.252 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.69.252
Desc: (none)
Session ID: 0
IKEv1 SA: local 1.4.2.8/500 remote 192.168.69.252/500 Active
Capabilities:D connid:11086 lifetime:00:15:00
Session ID: 0
IKEv1 SA: local 1.4.2.8/500 remote 192.168.69.252/500 Active
Capabilities:D connid:11087 lifetime:00:15:00
IPSEC FLOW: permit 47 host 1.4.2.8 host 192.168.69.252
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 7758 drop 0 life (KB/Sec) 4323776/16 hours, 5 mins
Outbound: #pkts enc'ed 7759 drop 0 life (KB/Sec) 4323774/16 hours, 5 mins
Interface: GigabitEthernet0/2
Uptime: 00:06:42
Session status: UP-ACTIVE
Peer: 12.187.12.133 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 12.187.12.133
Desc: (none)
Session ID: 0
IKEv1 SA: local 1.4.2.8/500 remote 2.1.1.3/500 Active
Capabilities:D connid:11088 lifetime:00:53:16
IPSEC FLOW: permit ip 192.168.69.0/255.255.255.0 172.31.0.0/255.255.255.248
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4252213/3473
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4252214/3473
IPSEC FLOW: permit ip 10.110.0.0/255.255.255.0 172.31.0.0/255.255.255.248
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 65 drop 0 life (KB/Sec) 4371659/3197
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4371667/3197
HOME ROUTER
show crypto session detail
Crypto session current status
Interface: GigabitEthernet0/0
Uptime: 00:02:27
Session status: UP-ACTIVE
Peer: 12.45.217.58 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 1.4.2.8
Desc: (none)
Session ID: 0
IKEv1 SA: local 2.1.1.3/500 remote 1.4.2.8/500 Active
Capabilities:D connid:1042 lifetime:00:57:30
IPSEC FLOW: deny ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) NA/NA
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) NA/NA
IPSEC FLOW: permit ip 172.31.0.0/255.255.255.248 192.168.69.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 172.31.0.0/255.255.255.248 10.110.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4204120/3452
Outbound: #pkts enc'ed 28 drop 0 life (KB/Sec) 4204117/3452
IPSEC FLOW: permit ip 172.31.0.0/255.255.255.248 192.168.50.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
03-25-2020 06:41 AM
Hi,
Yes, DMVPN can co-exist with other VPN technologies configured on the same device. As far as I understand from your statements and by looking at the configs, the IKE and IPsec tunnels are up; it's just the data plane which does not seem to be working. It seems that the HQ router receives encrypted packets but fails to send them back, as you forgot to exclude VPN traffic from your NAT configuration on the HQ router, so packets get NAT'ed, no longer match the crypto ACL, and thus are never sent back through the tunnel. Fix it, and if it doesn't work, generate traffic for all 3 networks you want to be reachable from HQ, and paste the following outputs:
HQ NAT FIX:
ip access-list extended 151
1 deny ip 192.168.50.0 0.0.0.255 172.31.0.0 0.0.0.7
2 deny ip 192.168.69.0 0.0.0.255 172.31.0.0 0.0.0.7
3 deny ip 10.110.0.0 0.0.0.255 172.31.0.0 0.0.0.7
Collect outputs:
show crypto isakmp sa
show crypto IPsec sa peer x.y.z.w
show crypto session remote x.y.z.w detail
Regards,
Cristian Matei.
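The order-of-operations problem the answer describes can be checked on paper before touching the router. The following is an added example, not part of the thread and not Cisco code: a small Python model of the inside-to-outside path on IOS, where NAT inside-to-outside translation is applied before the packet is compared against the crypto map ACL. The ACL contents are transcribed from the HQ configuration posted above; the PAT behaviour (source rewritten to the outside interface address 1.4.2.8) and the function names are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str      # IOS wildcard mask for the source
    dst: str
    dst_wc: str      # IOS wildcard mask for the destination


ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(net)) & care == 0


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


# Crypto ACL transcribed from the HQ router: ACL_VPN_CORP_TO_BRANCH
CRYPTO_ACL = [
    AclEntry("permit", "192.168.50.0", "0.0.0.255", "172.31.0.0", "0.0.0.7"),
    AclEntry("permit", "192.168.69.0", "0.0.0.255", "172.31.0.0", "0.0.0.7"),
    AclEntry("permit", "10.110.0.0", "0.0.0.255", "172.31.0.0", "0.0.0.7"),
]

# NAT ACL 151 as originally posted for the HQ router
NAT_ORIGINAL = [
    AclEntry("permit", "10.0.0.0", "0.255.255.255", *ANY),
    AclEntry("permit", "172.16.0.0", "0.15.255.255", *ANY),
    AclEntry("permit", "192.168.0.0", "0.0.255.255", *ANY),
]

# NAT ACL 151 with the deny entries from the suggested HQ NAT fix placed first
NAT_FIXED = [
    AclEntry("deny", "192.168.50.0", "0.0.0.255", "172.31.0.0", "0.0.0.7"),
    AclEntry("deny", "192.168.69.0", "0.0.0.255", "172.31.0.0", "0.0.0.7"),
    AclEntry("deny", "10.110.0.0", "0.0.0.255", "172.31.0.0", "0.0.0.7"),
] + NAT_ORIGINAL


def hq_outbound(src: str, dst: str, nat_acl, outside_ip: str = "1.4.2.8"):
    """Model (assumed) of the HQ inside-to-outside path: NAT runs first, then the
    crypto map ACL is consulted on the possibly translated packet.
    Returns (source address as it leaves Gi0/2, whether it matched the crypto ACL)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = outside_ip  # 'interface ... overload' PATs the source to 1.4.2.8
    encrypted = acl_lookup(CRYPTO_ACL, src, dst) == "permit"
    return src, encrypted


if __name__ == "__main__":
    for label, acl in (("original", NAT_ORIGINAL), ("fixed", NAT_FIXED)):
        # reply from the 192.168.69.0/24 LAN toward the home router's LAN
        print(label, "LAN->VPN:", hq_outbound("192.168.69.1", "172.31.0.1", acl))
        # ordinary internet traffic must still be translated
        print(label, "LAN->Internet:", hq_outbound("192.168.69.1", "4.2.2.2", acl))
```

With the original ACL 151 the model rewrites the reply's source to 1.4.2.8, after which no line of ACL_VPN_CORP_TO_BRANCH matches, so nothing is encrypted in the HQ-to-home direction; that is consistent with the non-zero "#pkts dec'ed" and zero "#pkts enc'ed" counters in the HQ "show crypto session detail" output. With the three deny entries in front, VPN-bound traffic skips translation and matches the crypto ACL, while traffic to 4.2.2.2 is still translated.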