IPSec VPN with Public IP on end and other side Private WAN Address

ittechk4u1
Level 4

Hello Experts,

I am trying to establish a Site-to-Site IPSec VPN between Plant A and Plant B.

Plant A: is getting a private IP (192.168.1.2) from the LTE/Vodafone router.

Plant B: is directly connected to the ISP and getting a public IP (88.xxx.21.xxx).

Is there any method to make this setup work? Please provide me a sample config.

Thanks in advance.



Giuseppe Larosa
Hall of Fame

Hello,

you need to use a dynamic crypto map on the side with the public IP address and let the other side start the VPN connection, because its public IP address can change at each session.

See

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html?dtid=osscdc000283#wp3721963508

Hope to help

Giuseppe

Thanks. Could you please provide me an example config....

Thanks

Could anyone help, please!!

Hello,

If you just need to create a single LAN-to-LAN IPSec VPN you can use the dynamic crypto.

However, with the following isakmp configuration:

pre-shared-key address 0.0.0.0 0.0.0.0 key TestLTE99zuHAS18

your hub router is able to accept any ISAKMP peer if it uses the correct pre-shared key.

So your proposed configuration should work, and the ACLs 101 are the mirror of each other.

Can you check with

show crypto isakmp sa

Then you can trigger IPSec by attempting to ping from the spoke LAN to the hub LAN and check

show crypto ipsec sa

Hope to help

Giuseppe

 

Still not working...

PlantA#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

!
PlantA#sh cryp ipsec sa

interface: GigabitEthernet0/0/2
Crypto map tag: DMVPN-MAP-LTE, local addr 192.168.1.2

protected vrf: ISP3
local ident (addr/mask/prot/port): (10.99.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.17.0.0/255.255.0.0/0/0)
current_peer 80.XXX.21.XXX port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.2, remote crypto endpt.: <ip>
plaintext mtu 1300, path mtu 1300, ip mtu 1300, ip mtu idb GigabitEthernet0/0/2
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

And I can't ping from the spoke to the hub router.

Hello,

it is not negotiating the ISAKMP SA on UDP 500.

When NAT and firewalls are involved, NAT-T may be used, which uses UDP 4500 for both the ISAKMP and ESP protocols.

Can your spoke ping Google 8.8.8.8?

I wonder if NAT is happening on the device.

Just a moment: if you have an LTE connection on the spoke, you need to configure the crypto map on the dialer interface or the cellular interface. Or is the LTE device external to your router?

Edit:

I have reviewed your network diagram in your initial post: there is a Vodafone LTE router, so it is correct to have the crypto map applied to the giga interface.

Edit2:

Can you provide info on the router models and SW version?

I would like to search for using NAT-T, but it would be handy to know what devices are involved.

Hope to help

Giuseppe

Thanks for the quick help.

I can ping 8.8.8.8 from the spoke router:

PlantA#ping vrf ISP3 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/53/143 ms

The spoke is using a Lucom (Vodafone) router, model 3200.

Thanks in advance

Hello, OK,

you have internet access on vrf ISP3.

I would like to know what type of routers PlantA and PlantB are; what the Vodafone router is is less interesting, as it should only do NAT and I suppose you cannot configure it.

Edit:

You are using IPSec in a VRF; I think you need an ISAKMP profile specifying the vrf ISP3 also on the spoke.

See the following document on VRF-aware IPSec:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16-11/sec-ike-for-ipsec-vpns-xe-16-11-book/sec-vrf-aware-ipsec.html?dtid=osscdc000283#GUID-2396F435-5D6B-45D3-8CD0-93AAF6653FF5

Hope to help

Giuseppe

The spoke has a LUCOM (Vodafone) router; behind it, the device from which I am trying to establish the connection is a Cisco 4331 router.

The HUB has a Cisco 3945 router.

Thanks

UPDATE:

I changed ACL 101 to permit any any

and see this result:

PlantA#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
<ip> 192.168.1.2 QM_IDLE 1017 ACTIVE

IPv6 Crypto ISAKMP SA

But still I can't ping the HUB router from the spoke!! What could be the reason?

Hello,

changing the ACL to permit any any is not the correct way to address this issue.

Cisco strongly advises against using an ACL like this to define the traffic to be encrypted.

As I have explained in my previous post, you need a symmetrical configuration using an ISAKMP profile that refers to vrf ISP3 also on the spoke router.

By the way, ACL 101 has no effect on what you see now, as it is intended to say what traffic should be encrypted, not to decide who can be your ISAKMP peer.

Edit:

you need this also on the Spoke IMHO:

crypto isakmp profile DMVPN-PRO-LTE
 vrf ISP3
 keyring ISP3
 match identity address 80.152.21.187 ISP3

Hope to help

Giuseppe
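Pulling Giuseppe's replies together (a dynamic crypto map on the public side, NAT-T through the LTE router's NAT, and an ISAKMP profile bound to VRF ISP3), here is a hub-side (Plant B) configuration of that pattern, added as an illustration; it is not the thread's own configuration and not taken from Cisco documentation. It assumes both the hub WAN and LAN sit in VRF ISP3 to mirror the spoke profile above, uses RFC 5737 documentation addresses and a placeholder key, and takes the LAN networks from the spoke's show crypto ipsec sa output; algorithms, interface and object names are assumptions.

```cisco
! Hub (Plant B, public IP) -- assumed example config, not the thread's own.
! WAN and LAN are both placed in VRF ISP3 (assumption) to mirror the spoke.
ip vrf ISP3
!
! Wildcard PSK: the spoke arrives from a private, NAT-ed LTE address that can
! change, so the hub cannot name its peer. REPLACE_WITH_SHARED_KEY is a placeholder.
crypto keyring KR-ISP3 vrf ISP3
 pre-shared-key address 0.0.0.0 0.0.0.0 key REPLACE_WITH_SHARED_KEY
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! NAT-T (UDP 4500 for IKE and ESP) is on by default in IOS; keepalives stop the
! LTE router from ageing out its NAT entry while the tunnel is idle.
crypto isakmp nat keepalive 20
!
! Profile bound to VRF ISP3 on both the front (fvrf) and inside (ivrf) side.
crypto isakmp profile HUB-PRO-LTE
 vrf ISP3
 keyring KR-ISP3
 match identity address 0.0.0.0 0.0.0.0 ISP3
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Dynamic map: the hub only answers; the spoke must initiate (e.g. a ping from
! 10.99.0.0/16 to 10.17.0.0/16). ACL 101 mirrors the spoke's crypto ACL.
access-list 101 permit ip 10.17.0.0 0.0.255.255 10.99.0.0 0.0.255.255
crypto dynamic-map DYN-LTE 10
 set transform-set TS-AES256
 set isakmp-profile HUB-PRO-LTE
 match address 101
!
crypto map HUB-MAP-LTE 10 ipsec-isakmp dynamic DYN-LTE
!
! Public-facing interface (RFC 5737 documentation address as placeholder).
interface GigabitEthernet0/0
 ip vrf forwarding ISP3
 ip address 203.0.113.2 255.255.255.252
 crypto map HUB-MAP-LTE
!
ip route vrf ISP3 0.0.0.0 0.0.0.0 203.0.113.1
```

With this in place the hub shows nothing in show crypto isakmp sa until the spoke sends interesting traffic; a QM_IDLE entry with zero encaps/decaps in show crypto ipsec sa then points at routing or the crypto ACLs rather than at IKE.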

 

Yes, I have already done it...

Now I restarted the spoke router and crypto is not coming up again.

Thanks

I would suggest that it is less important to look at show crypto isakmp sa and more important to look at show crypto ipsec sa. In a previous response you had this output:

PlantA#sh cryp ipsec sa

interface: GigabitEthernet0/0/2
Crypto map tag: DMVPN-MAP-LTE, local addr 192.168.1.2

protected vrf: ISP3
local ident (addr/mask/prot/port): (10.99.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.18.0.0/255.255.0.0/0/0)
current_peer 80.152.21.187 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

The first important thing is that the ipsec sa was successfully negotiated (which tells us that the isakmp was also successful).

The second important thing is that encaps and decaps are both zero. So the VPN is up but is not passing any traffic.

I think that some changes have been made since this output. So could you give us a fresh output of show crypto ipsec sa?

HTH

Rick

Thanks..

At the moment my problem is that traffic is not traversing this link.

Thanks