ISR 931 IPSEC Tunnel issue

SargenYung06306
Level 1

I bought a Cisco ISR 931 router recently and struggled to set up 2 IPSEC tunnels. The router is deployed as an edge router that directly faces the internet with one fixed IP and connects to 2 remote sites with 2 fixed IPs for the 2 IPSEC tunnels.

 

To begin with, I created 2 VLANs with VLAN interfaces as below.

interface Vlan1
ip address 10.249.102.193 255.255.255.192
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 172.28.207.177 255.255.255.240
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in

 

Then, the Gigabit WAN interface facing internet with fixed IP (x.x.x.x).

interface GigabitEthernet4
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

 

Then, NAT the 2 VLANs to access the internet:

access-list 10 permit 10.249.102.192 0.0.0.63
access-list 20 permit 172.28.207.176 0.0.0.15
!
ip nat pool INTERNET x.x.x.x x.x.x.x netmask 255.255.255.252
ip nat inside source list 10 pool INTERNET overload
ip nat inside source list 20 pool INTERNET overload

 

Then, define 2 crypto isakmp policies.

crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share

 

Then, define the pre-shared keys.

crypto isakmp key SECRET_KEY address y.y.y.y
crypto isakmp key SECRET_KEY address z.z.z.z

 

Then, define the IPsec transform sets.

crypto ipsec transform-set setvpn esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
mode tunnel

 

Then, define the access lists for the IPSEC tunnels.

access-list 100 permit ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 172.19.215.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.3.14.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.3.27.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 172.19.7.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.22.6.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.22.61.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255

 

Then, define the crypto map with 2 indices.

crypto map CRYTOMAP 1 ipsec-isakmp
set peer y.y.y.y
set transform-set setvpn
match address 110
crypto map CRYTOMAP 2 ipsec-isakmp
set peer z.z.z.z
set transform-set cmevpn
match address 100

 

Then, apply it to the WAN interface.

interface GigabitEthernet4
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CRYTOMAP

 

After it is applied, phase 1 of the 1st IPSEC tunnel is not initiated and the 2nd IPSEC tunnel is UP-IDLE. With debug crypto ipsec on, I can see the following error:

*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: IPSEC: Expand action denied, notify RP
*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: IPSEC: Expand action denied, notify RP
*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: IPSEC: Expand action denied, discard or forward packet.
*Jan 10 14:40:57.347: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

 

Would someone help give me some hints on what might be going on and how to fix it? What does "Expand action denied, discard or forward packet" mean? Thank you!


Hello,

 

in your NAT access lists, you need to deny the traffic that is flowing through the VPNs. Change the access lists as below:

 

ip nat pool INTERNET x.x.x.x x.x.x.x netmask 255.255.255.252
ip nat inside source list 101 pool INTERNET overload
ip nat inside source list 102 pool INTERNET overload

!

access-list 101 deny ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 101 permit ip 10.249.102.192 0.0.0.63 any
!
access-list 102 deny ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 102 deny ip 172.28.207.176 0.0.0.15 172.19.215.0 0.0.0.255
access-list 102 deny ip 172.28.207.176 0.0.0.15 10.3.14.0 0.0.0.255
access-list 102 deny ip 172.28.207.176 0.0.0.15 10.3.27.0 0.0.0.255
access-list 102 deny ip 172.28.207.176 0.0.0.15 172.19.7.0 0.0.0.255
access-list 102 deny ip 172.28.207.176 0.0.0.15 10.22.6.0 0.0.0.255
access-list 102 deny ip 172.28.207.176 0.0.0.15 10.22.61.0 0.0.0.255
access-list 102 deny ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 102 permit ip 172.28.207.176 0.0.0.15 any

@Georg Pauwen Thank you for your suggestion. I just changed it accordingly; the issue is still there with the same error messages as before. Do you have other suggestions? Thank you very much!

Hello,

 

post the full running configuration (sh run) including the changes you made...

@Georg Pauwen Please find the complete config below. Thanks a lot!

 

version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
ip dhcp excluded-address 172.28.207.177 172.28.207.179
!
ip dhcp pool pool1
network 10.249.102.192 255.255.255.192
dns-server 203.80.96.33
default-router 10.249.102.193
!
ip dhcp pool pool2
network 172.28.207.176 255.255.255.240
default-router 172.28.207.177
dns-server 203.80.96.33
!
ip dhcp pool YASSVR
host 172.28.207.179 255.255.255.240
hardware-address 44a8.4234.0510
default-router 172.28.207.177
dns-server 203.80.96.33
!
ip dhcp pool iDRAC
host 172.28.207.178 255.255.255.240
client-identifier 0144.a842.3405.12
default-router 172.28.207.177
dns-server 203.80.96.33
!
!
!
ip name-server 203.80.96.33
ip multicast-routing
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid C931-4P sn PSZ23091D50
license boot module c900 technology-package securityk9
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key SEC_KEY address y.y.y.y
crypto isakmp key SEC_KEY address z.z.z.z
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set setvpn esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CRYTOMAP 1 ipsec-isakmp
set peer y.y.y.y
set transform-set setvpn
match address 110
crypto map CRYTOMAP 2 ipsec-isakmp
set peer z.z.z.z
set transform-set cmevpn
match address 100
!
!
!
!
!
interface GigabitEthernet0
no ip address
no mop enabled
!
interface GigabitEthernet1
switchport access vlan 2
switchport trunk native vlan 2
no ip address
!
interface GigabitEthernet2
switchport access vlan 2
switchport trunk native vlan 2
no ip address
!
interface GigabitEthernet3
switchport access vlan 2
switchport trunk native vlan 2
no ip address
!
interface GigabitEthernet4
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CRYTOMAP
!
interface GigabitEthernet5
ip address dhcp
duplex auto
speed auto
!
interface Vlan1
ip address 10.249.102.193 255.255.255.192
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 172.28.207.177 255.255.255.240
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool INTERNET x.x.x.x x.x.x.x netmask 255.255.255.252
ip nat inside source list 101 pool INTERNET overload
ip nat inside source list 111 pool INTERNET overload
ip route 0.0.0.0 0.0.0.0 b.b.b.b
!
!
!
access-list 10 permit 10.249.102.192 0.0.0.63
access-list 20 permit 172.28.207.176 0.0.0.15
access-list 100 permit ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 101 deny ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 101 permit ip 10.249.102.192 0.0.0.63 any
access-list 110 permit ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 172.19.215.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.3.14.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.3.27.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 172.19.7.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.22.6.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.22.61.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 172.19.215.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.3.14.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.3.27.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 172.19.7.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.22.6.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.22.61.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 111 permit ip 172.28.207.176 0.0.0.15 any
!
control-plane
!
!
line con 0
password 7 052B1217294A4A1D4B5546475B5B
login
line vty 0 4
password 7 03244F130E0925581C5948504745
login
transport input none
!
scheduler allocate 20000 1000
!
end

 

Hello,

 

I have made some changes (marked in bold). Try to apply those and check if you have connectivity. If not, shut/unshut interface GigabitEthernet4, turn on 'debug crypto ipsec' and post the output:

 

version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
ip dhcp excluded-address 10.249.102.193
ip dhcp excluded-address 172.28.207.177 172.28.207.179
!
ip dhcp pool pool1
network 10.249.102.192 255.255.255.192
dns-server 203.80.96.33
default-router 10.249.102.193
!
ip dhcp pool pool2
network 172.28.207.176 255.255.255.240
default-router 172.28.207.177
dns-server 203.80.96.33
!
ip dhcp pool YASSVR
host 172.28.207.179 255.255.255.240
hardware-address 44a8.4234.0510
default-router 172.28.207.177
dns-server 203.80.96.33
!
ip dhcp pool iDRAC
host 172.28.207.178 255.255.255.240
client-identifier 0144.a842.3405.12
default-router 172.28.207.177
dns-server 203.80.96.33
!
ip name-server 203.80.96.33
ip multicast-routing
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C931-4P sn PSZ23091D50
license boot module c900 technology-package securityk9
!
redundancy
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key SEC_KEY address y.y.y.y
crypto isakmp key SEC_KEY address z.z.z.z
crypto isakmp keepalive 60 5
!
crypto ipsec transform-set setvpn esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
mode tunnel
!
crypto map CRYTOMAP 1 ipsec-isakmp
set peer y.y.y.y
set transform-set setvpn
match address 110
crypto map CRYTOMAP 2 ipsec-isakmp
set peer z.z.z.z
set transform-set cmevpn
match address 100
!
interface GigabitEthernet0
no ip address
no mop enabled
!
interface GigabitEthernet1
switchport access vlan 2
spanning-tree portfast
!
interface GigabitEthernet2
switchport access vlan 2
spanning-tree portfast
!
interface GigabitEthernet3
switchport access vlan 2
spanning-tree portfast
!
interface GigabitEthernet4
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CRYTOMAP
!
interface GigabitEthernet5
ip address dhcp
duplex auto
speed auto
!
interface Vlan1
ip address 10.249.102.193 255.255.255.192
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 172.28.207.177 255.255.255.240
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet4 overload
ip nat inside source list 111 interface GigabitEthernet4 overload
!
ip route 0.0.0.0 0.0.0.0 b.b.b.b
!
access-list 100 permit ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 101 deny ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 101 permit ip 10.249.102.192 0.0.0.63 any

access-list 110 permit ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 172.19.215.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.3.14.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.3.27.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 172.19.7.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.22.6.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.22.61.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255

access-list 111 deny ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 172.19.215.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.3.14.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.3.27.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 172.19.7.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.22.6.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.22.61.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 111 permit ip 172.28.207.176 0.0.0.15 any
!
control-plane
!
line con 0
password 7 052B1217294A4A1D4B5546475B5B
login
line vty 0 4
password 7 03244F130E0925581C5948504745
login
transport input none
!
scheduler allocate 20000 1000
!
end

Also, I am not sure if the Vlans are automatically created when you assign them to the switchports, so you might have to do it manually:

 

ISR931#conf t

ISR931(config)#vlan 2

@Georg Pauwen VLAN 2 was automatically created when I created the VLAN 2 interface by issuing interface vlan 2.

@Georg Pauwen I have applied the suggestion in bold and tried it again. Unfortunately, the issue persists. Please find the new debug messages below.

 

*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: IPSEC: Expand action denied, notify RP
*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: IPSEC: Expand action denied, notify RP
*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: IPSEC: Expand action denied, discard or forward packet.
*Jan 11 14:09:26.819: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Jan 11 14:09:35.575: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 11 14:09:35.801: IPSEC(validate_proposal_request): proposal part #1
*Jan 11 14:09:35.801: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x:0, remote= z.z.z.z:0,
local_proxy= 10.249.1.60/255.255.255.255/47/0,
remote_proxy= 10.249.254.1/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 11 14:09:35.801: IPSEC(validate_proposal_request): proposal part #1
*Jan 11 14:09:35.801: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x:0, remote= z.z.z.z:0,
local_proxy= 10.249.1.60/255.255.255.255/47/0,
remote_proxy= 10.249.254.1/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Hello,

 

do you have access to the other site, and can you post the config of that site ?

The other site is not controlled by me, but we used to use a Linksys router for the IPsec tunnel and it worked fine. Therefore, I don't think there is anything wrong on the other site. FYI, this is the modified config (output from show running).

 

version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER_SARYA_00
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$FIbi$LVDQgE7QuEPWnyEAorskK1
enable password 7 1239110F1A0D0810787B757D6362
!
no aaa new-model
!
ip dhcp excluded-address 172.28.207.177 172.28.207.179
ip dhcp excluded-address 10.249.102.193
!
ip dhcp pool pool1
network 10.249.102.192 255.255.255.192
dns-server 203.80.96.33
default-router 10.249.102.193
!
ip dhcp pool pool2
network 172.28.207.176 255.255.255.240
default-router 172.28.207.177
dns-server 203.80.96.33
!
ip dhcp pool YASSVR
host 172.28.207.179 255.255.255.240
hardware-address 44a8.4234.0510
default-router 172.28.207.177
dns-server 203.80.96.33
!
ip dhcp pool iDRAC
host 172.28.207.178 255.255.255.240
client-identifier 0144.a842.3405.12
default-router 172.28.207.177
dns-server 203.80.96.33
!
!
ip multicast-routing
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid C931-4P sn PSZ23091D50
license boot module c900 technology-package securityk9
!
redundancy
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key C@fbrk1F address y.y.y.y
crypto isakmp key S@RYAf1ns0ft20191203 address z.z.z.z
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set setvpn esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CRYTOMAP 1 ipsec-isakmp
set peer
set transform-set setvpn
match address 110
crypto map CRYTOMAP 2 ipsec-isakmp
set peer z.z.z.z
set transform-set cmevpn
match address 100
!
interface GigabitEthernet0
no ip address
no mop enabled
!
interface GigabitEthernet1
switchport access vlan 2
switchport trunk native vlan 2
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
switchport access vlan 2
switchport trunk native vlan 2
no ip address
spanning-tree portfast
!
interface GigabitEthernet3
switchport access vlan 2
switchport trunk native vlan 2
no ip address
spanning-tree portfast
!
interface GigabitEthernet4
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CRYTOMAP
!
interface GigabitEthernet5
ip address dhcp
duplex auto
speed auto
!
interface Vlan1
ip address 10.249.102.193 255.255.255.192
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 172.28.207.177 255.255.255.240
ip pim sparse-mode
ip nat inside
ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet4 overload
ip nat inside source list 111 interface GigabitEthernet4 overload
ip nat inside source static tcp 172.28.207.179 22 x.x.x.x 22 extendable
ip nat inside source static tcp 172.28.207.179 443 x.x.x.x 443 extendable
ip nat inside source static tcp 172.28.207.178 777 x.x.x.x 777 extendable
ip nat inside source static tcp 172.28.207.178 888 x.x.x.x 888 extendable
ip route 0.0.0.0 0.0.0.0 b.b.b.b
!
!
!
access-list 100 permit ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 101 deny ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 101 permit ip 10.249.102.192 0.0.0.63 any
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 172.19.215.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.3.14.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.3.27.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 172.19.7.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.22.6.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.22.61.0 0.0.0.255
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 111 permit ip 172.28.207.176 0.0.0.15 any
access-list 112 deny ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 112 permit ip 172.28.207.176 0.0.0.15 any
!
control-plane
!
!
line con 0
password 7 052B1217294A4A1D4B5546475B5B
login
line vty 0 4
password 7 03244F130E0925581C5948504745
login
transport input none
!
scheduler allocate 20000 1000
!
end

@Georg Pauwen Also, this is the show crypto session output. Thank you very much for your help!

 

Crypto session current status

Interface: GigabitEthernet4
Session status: DOWN
Peer: y.y.y.y port 500
IPSEC FLOW: permit ip 172.28.207.176/255.255.255.240 10.232.6.0/255.255.255.0
Active SAs: 0, origin: crypto map

 

Interface: GigabitEthernet4
Session status: UP-IDLE
Peer: z.z.z.z port 500
Session ID: 0
IKEv1 SA: local x.x.x.x/500 remote z.z.z.z/500 Active
IPSEC FLOW: permit ip 10.249.102.192/255.255.255.192 69.50.112.0/255.255.255.0
Active SAs: 0, origin: crypto map

Hello,

 

is it possible that the other side uses something different from the default group 1? Try the different group options you have. The lifetime might also need to be configured...

 

crypto isakmp policy 2
encr 3des
hash md5

group ?
authentication pre-share

lifetime 86400
crypto isakmp key C@fbrk1F address y.y.y.y
crypto isakmp key S@RYAf1ns0ft20191203 address z.z.z.z
crypto isakmp keepalive 60 5

 

 

@Georg Pauwen The group is 2, and by default Cisco uses group 2 if I remember correctly. Do you know what the error message means? BTW, CRYTOMAP 2 is working while CRYTOMAP 1 is not.

crypto isakmp policy 1
encr 3des
authentication pre-share

crypto map CRYTOMAP 1 ipsec-isakmp
set peer y.y.y.y
set transform-set setvpn
match address 110

Hello,

 

I am getting a bit confused about the access lists. I think the problem is in that part of your configuration, especially since you say instance 2 of the crypto map is working and instance 1 is not. Below are the parts that belong together. Make sure the access lists match as highlighted:

 

crypto map CRYTOMAP 1 ipsec-isakmp
set peer
set transform-set setvpn
match address 110

 

ip nat inside source list 112 interface GigabitEthernet4 overload

 

access-list 110 permit ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255

 

access-list 112 deny ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 112 permit ip 172.28.207.176 0.0.0.15 any


crypto map CRYTOMAP 2 ipsec-isakmp
set peer z.z.z.z
set transform-set cmevpn
match address 100

 

ip nat inside source list 101 interface GigabitEthernet4 overload

 

access-list 100 permit ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255


access-list 101 deny ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 101 permit ip 10.249.102.192 0.0.0.63 any
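As an added example (not code from the thread or from Cisco), here is a small Python checker for the rule the replies above keep returning to: every flow that a crypto map's 'match address' ACL permits must be denied by the NAT source ACL before its permit-any, otherwise the packet is translated to the WAN address before the crypto map sees it and no SA is ever built. The config snippets are constructed, modelled on the original NAT lists (10/20) and the corrected ones (101/111) posted in the thread; the x/y/z placeholders are kept as the poster wrote them.

```python
import re

# Constructed samples modelled on the thread: the original NAT setup (standard
# ACLs 10/20 permit everything) and the fix (ACLs 101/111 deny the VPN flows).
BEFORE = """
crypto map CRYTOMAP 1 ipsec-isakmp
 match address 110
crypto map CRYTOMAP 2 ipsec-isakmp
 match address 100
ip nat inside source list 10 pool INTERNET overload
ip nat inside source list 20 pool INTERNET overload
access-list 10 permit 10.249.102.192 0.0.0.63
access-list 20 permit 172.28.207.176 0.0.0.15
access-list 100 permit ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 110 permit ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
"""
AFTER = BEFORE.replace("list 10 pool", "list 101 pool").replace("list 20 pool", "list 111 pool") + """
access-list 101 deny ip 10.249.102.192 0.0.0.63 69.50.112.0 0.0.0.255
access-list 101 permit ip 10.249.102.192 0.0.0.63 any
access-list 111 deny ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 111 permit ip 172.28.207.176 0.0.0.15 any
"""

EXT_ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)$")
STD_ACE = re.compile(r"^access-list (\d+) (permit|deny) (\S+ \S+|any)$")
CMAP = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
NAT = re.compile(r"^ip nat inside source list (\d+) ")

def parse_config(text):
    """Collect ACL entries (in order), crypto-map ACLs and NAT source lists."""
    acls = {}           # acl number -> [(action, src, dst), ...]
    crypto_acls = {}    # (map name, seq) -> ACL named by 'match address'
    nat_lists = []      # ACLs referenced by 'ip nat inside source list'
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := EXT_ACE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := STD_ACE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], "any"))  # source only
        elif m := CMAP.match(line):
            current = (m[1], int(m[2]))
        elif current and line.startswith("match address "):
            crypto_acls[current] = line.split()[-1]
        elif m := NAT.match(line):
            nat_lists.append(m[1])
    return acls, crypto_acls, nat_lists

def nat_action(acls, nat_lists, src, dst):
    """First-match lookup of a flow in the NAT ACLs (None = not translated).
    Prefixes are compared textually; a supernet NAT entry is not recognised."""
    for acl in nat_lists:
        for action, s, d in acls.get(acl, []):
            if s in (src, "any") and d in (dst, "any"):
                return action
    return None

def unexempted_flows(text):
    """Crypto-ACL permit flows a NAT ACL would still translate: such traffic is
    NATed to the WAN address before the crypto map sees it, so no SA is built."""
    acls, crypto_acls, nat_lists = parse_config(text)
    bad = []
    for (name, seq), acl in sorted(crypto_acls.items()):
        for action, src, dst in acls.get(acl, []):
            if action == "permit" and nat_action(acls, nat_lists, src, dst) == "permit":
                bad.append((name, seq, acl, src, dst))
    return bad

if __name__ == "__main__":
    print(unexempted_flows(BEFORE), unexempted_flows(AFTER))
```

Run against a real 'show run' the same way; an empty list means every crypto-map flow is exempted from translation, which is the precondition the thread's NAT-exemption advice establishes.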