IPSEC tunnel not initiating

davidjknapp
Level 1

I have two geographically dispersed campuses attached via static routed MPLS.  With the limitation of the MPLS, I attempted to configure an IPSEC tunnel between the two sites using cable connections (gateway at 10.XXX.10.3) located at each of the two sites.  The traffic is unfortunately not being sent over the tunnel.  Below is applicable config.  As a note, I am using a route map on this device, but it was removed temporarily as a possible cause and it did not resolve the issue.  Debug showed no entries.  The two networks are (source - destination) 10.104.0.0/16 - 10.119.0.0/16.

crypto isakmp policy 10
 authentication pre-share
 encry AES
 group 5
crypto isakmp key THEKEY address xxx.xxx.xxx.xxx
!
! Authentication-only transform set (AH + ESP-SHA-HMAC, no ESP cipher):
! tunnelled traffic is integrity-protected but not encrypted
crypto ipsec transform-set High ah-sha-hmac esp-sha-hmac
!
crypto map IPSEC 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set High
 match address 128
!
ip route 0.0.0.0 0.0.0.0 10.104.10.3 name default-to-cable-router
ip route 10.0.0.0 255.0.0.0 multi1 name All-Internal-Networks
!
interface Ethernet0/0
 crypto map IPSEC
!
! Crypto ACL: traffic that should be tunnelled
access-list 128 permit ip 10.104.0.0 0.0.255.255 10.119.0.0 0.0.255.255
access-list 128 remark Crypto ACL

4 Replies

Peter Paluch
Cisco Employee

David,

Am I assuming correctly that Ethernet0/0 is your WAN interface? With the addressing removed, it is kind of hard to know if the crypto map is placed appropriately on your WAN interface. Also, the "multi1" is a PPP Multilink1 interface? What connectivity does it provide?

In any case, can you please post the following output after creating traffic that should be tunneled?

show crypto isakmp sa
show crypto ipsec sa
show crypto map

Best regards,

Peter

This device does not host a nat, or firewall or even a public ip address.  It simply terminates 3xT1's bundled into a multilink.  The G0/0 is the internal facing interface.  Unfortunately the router is production so I cannot re-add the config again and test until off-hours but as soon as I can I will.  Below are the interface configs:

interface Loopback5
 ip address 10.104.5.1 255.255.255.255
!
interface Loopback100
 description . Management IP Address
 ip address 199.X.X.X 255.255.255.255
!
interface Multilink1
 ip address 172.20.X.X 255.255.255.252
 ip flow ingress
 rate-limit output access-group 152 2352000 442368 884736 conform-action transmit exceed-action drop
 no peer neighbor-route
 ppp multilink
 ppp multilink group 1
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.104.10.1 255.255.255.0
 ip policy route-map LABS
 duplex auto
 speed auto

While I do understand wanting to hide information like public IP addresses, it does make it difficult to understand what the issue is here. I can not tell whether the peer address in the key and crypto map is a public address or a private address and that complicates understanding the issue here.

It does look to me to be clear that the remote subnet reached through the tunnel is 10.119.0.0/16 and is fairly clear that the static route

ip route 10.0.0.0 255.0.0.0 multi1 name All-Internal-Networks

will send the traffic via multilink. So the crypto map should probably be on the multilink. Or there needs to be a more specific static route that will send the traffic out Eth0/0.

The other question I would ask would be to verify that each of the routers does have IP connectivity to the peer address of the other router. (probably ping is a reasonable test of this).

HTH

Rick


I found the issue - in order to force a three-leg router to pass traffic over the VPN, you need to add a route to an IP on the OTHER side of the interface that the crypto map is on.  Example.  I want to configure an IPSEC tunnel to pass traffic destined for 10.100.100.0/24 and I have three interfaces that are active and I want all three interfaces to receive traffic for that tunnel.  The trick is adding the crypto map to an interface - example 10.50.50.1 255.255.255.0, and routing traffic to any IP in that subnet (i.e. ip route 10.100.100.0 255.255.255.0 10.50.50.100).  The crypto map will then see all the traffic bound for the 10.100.100.0/24 subnet and encapsulate.
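The fix described above, applied to this thread's topology as a complete configuration (an added example, not the original poster's config or anything from Cisco): a more specific route for the remote campus pointing at the cable gateway wins the longest-prefix match over 10.0.0.0/8, so the traffic leaves GigabitEthernet0/0 where the crypto map can match ACL 128. It assumes G0/0 (10.104.10.1/24) is the interface facing the cable gateway 10.104.10.3, uses PEER-PUBLIC-IP as a placeholder for the redacted peer, and swaps the authentication-only transform set for one that also encrypts.

```cisco
! Phase 1: as posted, except DH group raised from 5 to 14
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key THEKEY address PEER-PUBLIC-IP
!
! Phase 2: encrypt and authenticate; the posted set had no ESP cipher
crypto ipsec transform-set High esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map IPSEC 10 ipsec-isakmp
 set peer PEER-PUBLIC-IP
 set transform-set High
 match address 128
!
! Crypto ACL: only 10.104.0.0/16 <-> 10.119.0.0/16 is tunnelled
access-list 128 remark Crypto ACL
access-list 128 permit ip 10.104.0.0 0.0.255.255 10.119.0.0 0.0.255.255
!
! The crypto map is evaluated on the egress interface, so it must sit on
! the interface the remote-campus traffic actually leaves through
interface GigabitEthernet0/0
 ip address 10.104.10.1 255.255.255.0
 crypto map IPSEC
!
! Routing picks the egress interface before the crypto map is consulted.
! With only the 10.0.0.0/8 route, 10.119.0.0/16 exits Multilink1 and never
! reaches the map. The /16 route below is more specific, so it wins and
! sends that traffic to the cable gateway on G0/0, where it is encapsulated.
ip route 0.0.0.0 0.0.0.0 10.104.10.3 name default-to-cable-router
ip route 10.0.0.0 255.0.0.0 Multilink1 name All-Internal-Networks
ip route 10.119.0.0 255.255.0.0 10.104.10.3 name remote-campus-via-ipsec
!
! Verification after sending traffic from 10.104.x.x to 10.119.x.x:
!  show ip cef 10.119.0.1    -> next hop 10.104.10.3 via GigabitEthernet0/0
!  show crypto isakmp sa     -> peer listed in QM_IDLE state
!  show crypto ipsec sa      -> pkts encaps/decaps counters incrementing
```

The remote router needs the mirror image: an ACL permitting 10.119.0.0/16 to 10.104.0.0/16 and a route for 10.104.0.0/16 toward its own cable gateway.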
