08-06-2019 05:40 AM - edited 08-11-2019 06:22 AM
Hello Experts,
I am trying to establish a Site-to-Site IPSec VPN between Plant A and Plant B.
Plant A: is getting a private IP (192.168.1.2) from an LTE/Vodafone router
Plant B: is directly connected to the ISP and getting a public IP (88.xxx.21.xxx)
Is there any method to make this setup work? Please provide me a sample config.
Thanks in advance.
08-06-2019 07:01 AM
Hello ,
you need to use a dynamic crypto map on the side with a public IP address and let the other side start the VPN connection, because its public IP address can change at each session.
see
Hope to help
Giuseppe
08-06-2019 07:15 AM - edited 08-11-2019 06:18 AM
Thanks. Could you please provide me an example config?
Thanks
08-06-2019 11:08 PM
Could anyone help, please!!
08-06-2019 11:22 PM
Hello ,
If you just need to create a single LAN-to-LAN IPSec VPN you can use the dynamic crypto map.
However, with the following isakmp configuration:
pre-shared-key address 0.0.0.0 0.0.0.0 key TestLTE99zuHAS18
your hub router is able to accept any ISAKMP peer if it uses the correct pre-shared key.
So your proposed configuration should work, and the ACLs 101 are the mirror of each other.
Can you check with
show crypto isakmp sa
Then you can trigger IPSec by attempting to ping from the spoke LAN to the Hub LAN and check
show crypto ipsec sa
Hope to help
Giuseppe
08-06-2019 11:43 PM - edited 08-11-2019 06:18 AM
Still not working...
PlantA#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
!
PlantA#sh cryp ipsec sa
interface: GigabitEthernet0/0/2
Crypto map tag: DMVPN-MAP-LTE, local addr 192.168.1.2
protected vrf: ISP3
local ident (addr/mask/prot/port): (10.99.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.17.0.0/255.255.0.0/0/0)
current_peer 80.XXX.21.XXX port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: <ip>
plaintext mtu 1300, path mtu 1300, ip mtu 1300, ip mtu idb GigabitEthernet0/0/2
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
and I can't ping from the Spoke to the HUB router.
08-07-2019 12:30 AM - edited 08-07-2019 12:35 AM
Hello ,
it is not negotiating ISAKMP SA on UDP 500.
When NAT and firewalls are involved NAT-T may be used that uses UDP 4500 for both the ISAKMP and ESP protocols.
Can your spoke ping google 8.8.8.8 ?
I wonder if NAT is happening on the device.
Just a moment, if you have an LTE connection on the spoke you need to configure the crypto map on the dialer interface or the cellular interface or the LTE device is external to your router ?
Edit:
I have reviewed your network diagram in your initial post there is a Vodafone LTE router so it is correct to have the crypto map applied to the giga interface.
Edit2:
Can you provide info on the router models and SW version ?
I would like to search for using NAT-T but it would be handy to know what devices are involved.
Hope to help
Giuseppe
08-07-2019 01:09 AM
Thanks for quick help.
I can ping 8.8.8.8 from spoke router:
PlantA#ping vrf ISP3 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/53/143 ms
The spoke is using a Lucom (Vodafone) router, model 3200.
Thanks in advance
08-07-2019 01:50 AM - edited 08-07-2019 01:58 AM
Hello, OK,
you have internet access on vrf ISP3.
I would like to know what type of routers PlantA and PlantB are; what the Vodafone router is, is less interesting, as it should only do NAT and I suppose you cannot configure it.
Edit:
You are using IPSec in a VRF; I think you need an ISAKMP profile specifying the vrf ISP3 also on the spoke.
See the following document on VRF-aware IPSec
Hope to help
Giuseppe
08-07-2019 01:53 AM - edited 08-07-2019 02:09 AM
The spoke has a LUCOM (Vodafone) router; behind it, from where I am trying to have the connection, is a Cisco 4331 router.
The HUB has a Cisco 3945 router.
Thanks
08-07-2019 02:26 AM - edited 08-11-2019 06:19 AM
UPDATE:
I changed ACL 101 to permit any any
and see this result:
PlantA#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
<ip> 192.168.1.2 QM_IDLE 1017 ACTIVE
IPv6 Crypto ISAKMP SA
But still I can't ping the HUB router from the spoke!! What could be the reason?
08-07-2019 02:58 AM - edited 08-07-2019 03:04 AM
Hello,
changing the ACL to permit any any is not the correct way to address this issue.
Cisco strongly advises against using an ACL like this to define the traffic to be encrypted.
As I have explained in my previous post, you need a symmetrical configuration using an ISAKMP profile that refers to vrf ISP3 also on the Spoke router.
By the way, ACL 101 has no effect on what you see now, as it is intended to say what traffic should be encrypted and not to decide who can be your ISAKMP peer.
Edit:
You need this also on the Spoke, IMHO:
crypto isakmp profile DMVPN-PRO-LTE
vrf ISP3
keyring ISP3
match identity address 80.152.21.187 ISP3
Hope to help
Giuseppe
08-07-2019 03:16 AM - edited 08-11-2019 06:20 AM
Yes, I have already done it...
Now I restarted the spoke router and the crypto is not coming up again.
Thanks
08-07-2019 09:28 AM
I would suggest that it is less important to look at show crypto isakmp sa and more important to look at show crypto ipsec sa. In a previous response you had this output
PlantA#sh cryp ipsec sa
interface: GigabitEthernet0/0/2
Crypto map tag: DMVPN-MAP-LTE, local addr 192.168.1.2
protected vrf: ISP3
local ident (addr/mask/prot/port): (10.99.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.18.0.0/255.255.0.0/0/0)
current_peer 80.152.21.187 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
The first important thing is that the ipsec sa was successfully negotiated (which tells us that the isakmp was also successful).
The second important thing is that encaps and decaps are both zero. So the vpn is up but is not passing any traffic.
I think that some changes have been made since this output. So could you give us a fresh output of show crypto ipsec sa?
HTH
Rick
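As an added example (not code from any post in this thread), a short Python script that applies the checks Giuseppe and Rick walk through: it parses constructed samples modelled on the "show crypto isakmp sa" and "show crypto ipsec sa" excerpts above and classifies the tunnel state. The hub address 203.0.113.10 is a documentation-range placeholder, and the state names are my own.

```python
import re

# Constructed sample outputs modelled on the excerpts in this thread.
# 203.0.113.10 is a placeholder for the hub's public address.
ISAKMP_EMPTY = "IPv4 Crypto ISAKMP SA\ndst src state conn-id status\nIPv6 Crypto ISAKMP SA\n"
ISAKMP_UP = ("IPv4 Crypto ISAKMP SA\ndst src state conn-id status\n"
             "203.0.113.10 192.168.1.2 QM_IDLE 1017 ACTIVE\nIPv6 Crypto ISAKMP SA\n")
IPSEC_IDLE = """interface: GigabitEthernet0/0/2
Crypto map tag: DMVPN-MAP-LTE, local addr 192.168.1.2
protected vrf: ISP3
current_peer 203.0.113.10 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
"""
# Same output after an SA was built and five packets left but none returned.
IPSEC_ONEWAY = (IPSEC_IDLE.replace("encaps: 0", "encaps: 5")
                .replace("spi: 0x0(0)", "spi: 0x1A2B3C4D(439041101)"))

def isakmp_active(isakmp_sa):
    """Phase 1 is complete when an SA row reaches QM_IDLE with status ACTIVE."""
    return any(re.search(r"\bQM_IDLE\b.*\bACTIVE\b", ln) for ln in isakmp_sa.splitlines())

def parse_ipsec(ipsec_sa):
    """Pull peer, UDP port, packet counters and outbound SPI out of 'show crypto ipsec sa'."""
    peer = re.search(r"current_peer (\S+) port (\d+)", ipsec_sa)
    encaps = re.search(r"#pkts encaps: (\d+)", ipsec_sa)
    decaps = re.search(r"#pkts decaps: (\d+)", ipsec_sa)
    spi = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", ipsec_sa)
    return {"peer": peer.group(1), "port": int(peer.group(2)),
            "encaps": int(encaps.group(1)), "decaps": int(decaps.group(1)),
            "spi": int(spi.group(1), 16)}

def nat_t_negotiated(ipsec_sa):
    """NAT-T moves the peer to UDP 4500; port 500 behind a NAT box means it was not negotiated."""
    return parse_ipsec(ipsec_sa)["port"] == 4500

def diagnose(isakmp_sa, ipsec_sa):
    """Classify the tunnel the way the thread does: phase 1, phase 2, then traffic counters."""
    s = parse_ipsec(ipsec_sa)
    if not isakmp_active(isakmp_sa):
        return "phase1_down"        # no ISAKMP SA: UDP 500/4500, PSK, identity, VRF/interface
    if s["spi"] == 0:
        return "phase2_down"        # ISAKMP up but no IPsec SA: ACL or transform-set mismatch
    if s["encaps"] == 0 and s["decaps"] == 0:
        return "phase2_no_traffic"  # SA built, nothing matches the crypto ACL (routing)
    if s["decaps"] == 0:
        return "one_way"            # we encrypt, nothing comes back: remote route or NAT
    return "passing"
```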
08-07-2019 09:54 AM - edited 08-11-2019 06:21 AM
Thanks..
At the moment my problem is that traffic is not traversing this link.
Thanks