07-22-2013 08:54 PM - edited 03-04-2019 08:31 PM
I have two geographically dispersed campuses attached via static routed MPLS. With the limitation of the MPLS, I attempted to configure an IPSEC tunnel between the two sites using cable connections (gateway at 10.XXX.10.3) located at each of the two sites. The traffic is unfortunately not being sent over the tunnel. Below is the applicable config. As a note, I am using a route map on this device, but it was removed temporarily as a possible cause and it did not resolve the issue. Debug showed no entries. The two networks are (source - destination) 10.104.0.0/16 - 10.119.0.0/16.
crypto isakmp policy 10
 authentication pre-share
 encr aes
 group 5
crypto isakmp key THEKEY address xxx.xxx.xxx.xxx
!
crypto ipsec transform-set High ah-sha-hmac esp-sha-hmac
!
crypto map IPSEC 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set High
 match address 128
!
ip route 0.0.0.0 0.0.0.0 10.104.10.3 name default-to-cable-router
ip route 10.0.0.0 255.0.0.0 multi1 name All-Internal-Networks
!
!
interface Ethernet0/0
 crypto map IPSEC
!
access-list 128 remark Crypto ACL
access-list 128 permit ip 10.104.0.0 0.0.255.255 10.119.0.0 0.0.255.255
07-22-2013 09:05 PM
David,
Am I assuming correctly that Ethernet0/0 is your WAN interface? With the addressing removed, it is kind of hard to know if the crypto map is placed appropriately on your WAN interface. Also, is "multi1" a PPP Multilink1 interface? What connectivity does it provide?
In any case, can you please post the following output after creating traffic that should be tunneled?
show crypto isakmp sa
show crypto ipsec sa
show crypto map
Best regards,
Peter
07-23-2013 06:39 AM
This device does not host a NAT, a firewall, or even a public IP address. It simply terminates 3xT1's bundled into a multilink. The G0/0 is the internal facing interface. Unfortunately the router is production, so I cannot re-add the config and test again until off-hours, but as soon as I can I will. Below are the interface configs:
interface Loopback5
 ip address 10.104.5.1 255.255.255.255
!
!
interface Loopback100
 description . Management IP Address
 ip address 199.X.X.X 255.255.255.255
!
!
interface Multilink1
 ip address 172.20.X.X 255.255.255.252
 ip flow ingress
 rate-limit output access-group 152 2352000 442368 884736 conform-action transmit exceed-action drop
 no peer neighbor-route
 ppp multilink
 ppp multilink group 1
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.104.10.1 255.255.255.0
 ip policy route-map LABS
 duplex auto
 speed auto
07-23-2013 08:10 AM
While I do understand wanting to hide information like public IP addresses, it does make it difficult to understand what the issue is here. I cannot tell whether the peer address in the key and crypto map is a public address or a private address, and that complicates understanding the issue here.
It does look to me to be clear that the remote subnet reached through the tunnel is 10.119.0.0/16, and it is fairly clear that the static route
ip route 10.0.0.0 255.0.0.0 multi1 name All-Internal-Networks
will send the traffic via the multilink. So the crypto map should probably be on the multilink. Or there needs to be a more specific static route that will send the traffic out Eth0/0.
The other question I would ask would be to verify that each of the routers does have IP connectivity to the peer address of the other router. (probably ping
HTH
Rick
09-18-2013 12:15 PM
I found the issue - in order to force a three-leg router to pass traffic over the VPN, you need to add a route to an IP on the OTHER side of the interface that the crypto map is on. Example: I want to configure an IPSEC tunnel to pass traffic destined for 10.100.100.0/24, and I have three interfaces that are active, and I want all three interfaces to receive traffic for that tunnel. The trick is adding the crypto map to an interface - example 10.50.50.1 255.255.255.0 - and routing traffic to any IP in that subnet (i.e. ip route 10.100.100.0 255.255.255.0 10.50.50.100). The crypto map will then see all the traffic bound for the 10.100.100.0/24 subnet and encapsulate it.
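The root cause in this thread (crypto ACL matches, but the routing table sends the traffic out an interface without the crypto map) can be checked offline. The script below is an added example, not from the thread or from Cisco: it models the router with a constructed routing table, does longest-prefix matching, resolves next hops to connected interfaces, and reports whether a flow would hit the crypto map. The Ethernet0/0 subnet 10.50.50.0/24 and next hop 10.50.50.100 are assumed from the last post's example.

```python
import ipaddress

# Constructed model of the thread's router; interface names are assumed from the posts.
CONNECTED = {                              # interface -> its connected subnet
    "GigabitEthernet0/0": "10.104.10.0/24",  # LAN, reaches the cable gateway 10.104.10.3
    "Multilink1": "172.20.0.0/30",           # MPLS T1 bundle
    "Ethernet0/0": "10.50.50.0/24",          # assumed: the interface carrying the crypto map
}
CRYPTO_MAP_IFACES = {"Ethernet0/0"}        # interfaces with "crypto map IPSEC"
CRYPTO_ACL = [("10.104.0.0/16", "10.119.0.0/16")]   # access-list 128

def egress_interface(dst, routes):
    """Longest-prefix match over (prefix, via) routes; 'via' is an interface or a next-hop IP."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None
    via = best[1]
    if via in CONNECTED:                   # route points straight at an interface
        return via
    for iface, subnet in CONNECTED.items():  # next-hop IP: find the interface that owns it
        if ipaddress.ip_address(via) in ipaddress.ip_network(subnet):
            return iface
    return None                            # unresolvable next hop

def matches_crypto_acl(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in CRYPTO_ACL)

def will_be_encrypted(src, dst, routes):
    """A crypto map only sees packets that leave through the interface it is applied to."""
    return matches_crypto_acl(src, dst) and egress_interface(dst, routes) in CRYPTO_MAP_IFACES

# Routing table as originally posted: default to the cable gateway, all of 10/8 over the MPLS.
BEFORE = [("0.0.0.0/0", "10.104.10.3"), ("10.0.0.0/8", "Multilink1")]
# The fix from the last post: a more specific route for the remote campus whose next hop
# lies inside the crypto-map interface's subnet (10.50.50.100 is the constructed next hop).
AFTER = BEFORE + [("10.119.0.0/16", "10.50.50.100")]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, egress_interface("10.119.1.1", table),
              will_be_encrypted("10.104.5.1", "10.119.1.1", table))
```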