Multiple VPN site to site tunnels

bobby-long
Level 1

I have an established site-to-site IPsec tunnel from location A to B. I need to establish a tunnel to a remote site C from site A at the same time. The equipment is two 2811 routers. Can I create two tunnels on one serial interface? I have created one crypto map and two policies for that crypto map. Both sessions show up, but only the original session is active. I have used SDM to test the second tunnel, and it passes, but it still does not function. Any help would be appreciated.

Thanks,

Bobby

15 Replies

iqbalkhan
Level 1

Hi,

You can do it by creating two subinterfaces on the serial interface and binding one tunnel to each subinterface.

Thanks

Biplob

Hi,

Here is an example of one site with VPN tunnels to two other sites.

The central site is dc and the two remote sites are ho and fex.

This example uses interface FastEthernet1/0 on dc; if you have a serial interface, create subinterfaces on it in the same way.

---------------------------------------------
crypto isakmp policy 110
 encr 3des
 hash md5
 group 2
!
crypto ipsec transform-set dc-all ah-md5-hmac esp-3des esp-md5-hmac
!
crypto map dc-ho 10 ipsec-isakmp
 set peer 192.168.5.2
 set transform-set dc-all
 match address 100
!
crypto map dc-fex 10 ipsec-isakmp
 set peer 192.168.5.22
 set transform-set dc-all
 match address 105
!
interface FastEthernet1/0.1
 encapsulation dot1Q 100
 ip address 192.168.5.1 255.255.255.252
 crypto map dc-ho
!
interface FastEthernet1/0.6
 encapsulation dot1Q 105
 ip address 192.168.5.21 255.255.255.252
 crypto map dc-fex
!
access-list 100 permit ip host 192.168.5.1 host 192.168.5.2
access-list 105 permit ip host 192.168.5.21 host 192.168.5.22
--------------------- for remote branch example ======
crypto isakmp policy 110
 encr 3des
 hash md5
 group 2
!
crypto ipsec transform-set dbbl_ho ah-md5-hmac esp-3des esp-md5-hmac
!
crypto map ho-dc 10 ipsec-isakmp
 set peer 192.168.5.1
 set transform-set dbbl_ho
 match address 100
!
interface Loopback0
 ip address 10.90.255.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.65.50.1 255.255.255.0
 half-duplex
!
interface FastEthernet0/0
 no ip address
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 100
 ip address 192.168.5.2 255.255.255.252
 crypto map ho-dc
!
-------------------------------

I think this example will help you.

Thanks

Biplob

My subinterface is Serial0/0/0.1, which is my ISP endpoint on a frame relay connection. Can I make another subinterface with an IP address that is not global (private) and have it work, or do I have to contact my ISP and get a second endpoint with a global address? The config makes sense, but I only have one public IP for the interface.

Thanks again for your help,

Bobby

attrgautam
Level 5

Of course it is possible. My guess is that you are using the same access-lists for both locations. It will be helpful if you can show the relevant configuration.

It seemed logical to me, but since I can't get it to work... I had some questions. Maybe about myself ;) Here is the config:

crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
!
crypto isakmp key ??????? address 109.155.1.150 255.255.255.252
crypto isakmp key ??????? address 109.207.9.114 255.255.255.252
!
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map myset 10 ipsec-isakmp
 description site A to Site B Tunnel
 set peer 109.155.1.150
 set transform-set strong
 match address 101
crypto map myset 20 ipsec-isakmp
 set peer 109.207.9.114
 set transform-set strong
 match address 103
!
interface Loopback0
 ip address 192.168.71.4 255.255.255.0
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 171.66.104.193 255.255.255.192
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.20.92.6 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 description USLEC frame circuit
 no ip address
 ip virtual-reassembly
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 description frame
 ip address 45.46.60.218 255.255.255.252
 ip access-group 135 in
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 284
 crypto map myset
!
access-list 101 permit ip 172.20.92.0 0.0.0.255 172.20.93.0 0.0.0.255
access-list 101 permit ip 192.168.71.0 0.0.0.255 172.20.93.0 0.0.0.255
access-list 101 permit ip host 172.31.92.2 172.20.93.0 0.0.0.255
access-list 101 permit ip host 71.16.104.205 172.20.93.0 0.0.0.255
access-list 101 permit ip host 172.31.91.156 172.20.93.0 0.0.0.255
access-list 101 permit ip host 172.31.92.2 host 172.20.93.14
access-list 103 permit ip 192.168.71.0 0.0.0.255 172.20.94.0 0.0.0.255
access-list 103 permit ip 172.20.92.0 0.0.0.255 172.20.94.0 0.0.0.255

OK, I will also need information about the NAT ACL, if there is one. If there is, explicitly deny the IPsec traffic in the NAT ACL. What exactly do sh crypto isakmp sa and sh crypto ipsec sa give you?

There is no NAT ACL on this particular router. Both sh crypto isakmp sa and sh crypto ipsec sa show the original tunnel but make no mention of the second tunnel that I am trying to build. What I do find strange is that if I do a sh crypto map, the second tunnel lists the peer on the remote end (at the top of the results), but under "current peer" the address is blank.

Thanks for your help on this,

Bobby
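The two things attrgautam asks about above (the same access-list used by two crypto map entries, and NAT translating traffic before it reaches the crypto map) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses IOS lines in the form posted here and reports inconsistencies between crypto map entries, their match ACLs, the pre-shared keys and any NAT source ACL. The two sample configs are constructed: the spoke one is trimmed from the remote config in this thread (assuming the masked peer 45.x.x.218 is the hub's serial address 45.46.60.218), and the hub one is a deliberately broken variant of Bobby's config; the key strings and NAT list 150 are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed spoke sample, trimmed from the remote config in this thread; the NAT route-map's
# ACL denies tunnel traffic before its catch-all permit. Assumes 45.x.x.218 is 45.46.60.218.
SPOKE_CONFIG = """\
crypto isakmp key SECRET3 address 45.46.60.218
crypto map wpoaub 40 ipsec-isakmp
 set peer 45.46.60.218
 match address 104
ip nat inside source route-map Internet pool Test overload
access-list 101 deny ip 172.20.94.0 0.0.0.255 172.20.92.0 0.0.0.255
access-list 101 permit ip 172.20.94.0 0.0.0.255 any
access-list 104 permit ip 172.20.94.0 0.0.0.255 172.20.92.0 0.0.0.255
route-map Internet permit 40
 match ip address 101
"""

# Constructed hub sample with the faults the replies ask about: entry 20 reuses ACL 101,
# its peer has no pre-shared key, and a hypothetical NAT list 150 translates tunnel traffic.
HUB_BROKEN = """\
crypto isakmp key SECRET1 address 109.155.1.150 255.255.255.252
crypto map myset 10 ipsec-isakmp
 set peer 109.155.1.150
 match address 101
crypto map myset 20 ipsec-isakmp
 set peer 109.207.9.114
 match address 101
ip nat inside source list 150 interface Serial0/0/0.1 overload
access-list 101 permit ip 172.20.92.0 0.0.0.255 172.20.93.0 0.0.0.255
access-list 150 permit ip 172.20.92.0 0.0.0.255 any
"""

def _operand(t):
    """Decode one ACL operand ('host A', 'any', 'A WILDCARD'); returns (network, rest)."""
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    ones = bin(int(ipaddress.IPv4Address(t[1]))).count("1")  # contiguous wildcard assumed
    return ipaddress.ip_network(f"{t[0]}/{32 - ones}", strict=False), t[2:]

def parse(text):
    """Collect crypto map entries, extended ACLs, ISAKMP keys and NAT source ACLs."""
    c = {"maps": {}, "acls": defaultdict(list), "keys": [], "nat_acls": set()}
    rmaps, nat_rmaps, ctx = defaultdict(list), set(), None  # ctx: ("map", key) | ("rmap", name)
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        line = " ".join(t)
        if line.startswith("crypto map ") and t[-1] == "ipsec-isakmp":
            ctx = ("map", (t[2], int(t[3])))
            c["maps"][ctx[1]] = {"peer": None, "acl": None}
        elif t[0] in ("interface", "route-map"):
            ctx = ("rmap", t[1]) if t[0] == "route-map" else None
        elif line.startswith("crypto isakmp key "):
            m = re.search(r" address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?", line)
            c["keys"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2) or 32}", strict=False))
        elif t[0] == "access-list" and t[3] == "ip":
            src, rest = _operand(t[4:])
            c["acls"][int(t[1])].append((t[2], src, _operand(rest)[0]))
        elif line.startswith("ip nat inside source list "):
            c["nat_acls"].add(int(t[5]))
        elif line.startswith("ip nat inside source route-map "):
            nat_rmaps.add(t[5])
        elif ctx and ctx[0] == "map" and t[:2] == ["set", "peer"]:
            c["maps"][ctx[1]]["peer"] = ipaddress.IPv4Address(t[2])
        elif ctx and ctx[0] == "map" and t[:2] == ["match", "address"]:
            c["maps"][ctx[1]]["acl"] = int(t[2])
        elif ctx and ctx[0] == "rmap" and t[:3] == ["match", "ip", "address"]:
            rmaps[ctx[1]].append(int(t[3]))
    for rm in nat_rmaps:  # NAT driven by a route-map uses that route-map's ACLs
        c["nat_acls"].update(rmaps[rm])
    return c

def check(text):
    """Return findings as strings; an empty list means the crypto/NAT config is consistent."""
    c, out, per_map = parse(text), [], defaultdict(list)
    for (name, seq), e in sorted(c["maps"].items()):
        tag = f"crypto map {name} {seq}"
        if not any(e["peer"] in k for k in c["keys"]):
            out.append(f"{tag}: no 'crypto isakmp key' covers peer {e['peer']}")
        flows = [(s, d) for act, s, d in c["acls"][e["acl"]] if act == "permit"]
        per_map[name].append((seq, e["acl"], flows))
        # First NAT ACE overlapping a tunnel flow decides; a permit means the packet is
        # translated first and then no longer matches the crypto ACL.
        for s, d in flows:
            for n in sorted(c["nat_acls"]):
                hit = next((a for a, ns, nd in c["acls"][n] if ns.overlaps(s) and nd.overlaps(d)), None)
                if hit == "permit":
                    out.append(f"{tag}: NAT access-list {n} translates {s}->{d} before encryption")
    # Entries of one map are tried in sequence order, so two entries with the same ACL
    # means the higher-numbered peer never gets any traffic.
    for name, entries in per_map.items():
        for i, (s1, a1, _) in enumerate(entries):
            for s2, a2, _ in entries[i + 1:]:
                if a1 == a2:
                    out.append(f"crypto map {name}: entries {s1} and {s2} share access-list {a1}")
    return out
```

Running check() on a router's running-config text gives an empty list for the spoke sample and four findings for the broken hub sample: the NAT permit for each entry, the missing key for the second peer, and the shared access-list. The wildcard-to-prefix conversion assumes contiguous wildcard masks, which is all the configs in this thread use.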

Do the configs at either end match? Any chance of a peek at the remote end config? At least ISAKMP should come up. What exactly is happening in the NAT?

Here is the relevant config from the remote end of the second tunnel:

!
crypto isakmp policy 40
 hash md5
 authentication pre-share
crypto isakmp key ???????? address 45.x.x.218
!
crypto ipsec transform-set strong esp-des esp-md5-hmac
!
crypto map wpoaub 40 ipsec-isakmp
 set peer 45.x.x.218
 set transform-set strong
 match address 104
!
call rsvp-sync
!
interface Ethernet0/0
 ip address 172.x.x.x.255.255.0
 ip nat inside
 full-duplex
 no cdp enable
!
interface Serial0/0
 ip address 109.207.x.x.x.255.252
 ip nat outside
 fair-queue
 crypto map wpoaub
!
interface Ethernet0/1
 no ip address
 ip nat inside
 half-duplex
 no cdp enable
!
ip nat pool Tests 1.1.1.1 1.1.1.1 netmask 255.255.255.248
ip nat inside source route-map Internet pool Test overload
ip classless
ip route 0.0.0.0 0.x.x.x.207.9.113
ip route 172.20.92.0 255.255.255.0 Serial0/0
ip route 192.168.61.0 255.255.255.0 Serial0/0
no ip http server
ip http authentication local
!
logging history alerts
logging facility syslog
logging source-interface Serial0/0
access-list 2 permit 172.20.94.0 0.0.0.255
access-list 101 deny ip 172.20.94.0 0.0.0.255 172.20.92.0 0.0.0.255
access-list 101 deny ip 172.20.94.0 0.0.0.255 192.168.71.0 0.0.0.255
access-list 101 permit ip 172.20.94.0 0.0.0.255 any
access-list 104 permit ip 172.20.94.0 0.0.0.255 192.168.71.0 0.0.0.255
access-list 104 permit ip 172.20.94.0 0.0.0.255 172.20.92.0 0.0.0.255
route-map Internet permit 40
 match ip address 101
!
linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps syslog
!
ntp clock-period 17208671
ntp peer 208.x.x.241
ntp server 192.5.41.209
end

I can see traffic travelling through the 103 access-list on the local end, so I know it is at least directed toward the tunnel. I do not see hits on the access-list at the remote end, though.

Best regards,

Bobby

Hi,

Please try with just ACL 103 in the crypto map and confirm whether you are able to create ISAKMP and IPsec SAs for this particular peer.

And although it is a bit of a silly question, did you try to initiate any traffic permitted by ACL 103? The ISAKMP negotiation only happens after traffic matches the ACL.

Thank you,

Regards...

-Ashok.


No SA shows up for either ISAKMP or IPsec. Question: do you have to "reapply" a crypto map to an interface after you modify it?

Respectfully,

Bobby

Any chance of a debug at the remote end, just to see if there is any ISAKMP negotiation happening at all? I was wondering if there is a firewall on the path which totally blocks out all communication. There is an access-list 135 on the hub. Does it have the necessary permissions for the remote peer? I think it is a good idea to remove the crypto map and apply it again at the hub.

The access-list 135 is not applied at this point because there is nothing attached by a laptop. I figured I would get this working and then lock it down. I will reapply the map and see what happens.

Thanks!

Bobby

Here is the debug from the central router for an attempted connection to the remote:

Apr 18 13:51:24.488: ISAKMP: received ke message (1/1)
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Apr 18 13:51:24.488: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
Apr 18 13:51:24.488: ISAKMP: Locking peer struct 0x43E75690, IKE refcount 1 for isakmp_initiator
Apr 18 13:51:24.488: ISAKMP: local port 500, remote port 500
Apr 18 13:51:24.488: ISAKMP: set new node 0 to QM_IDLE
Apr 18 13:51:24.488: insert sa successfully sa = 43EB0EE0
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Apr 18 13:51:24.488: ISAKMP: Looking for a matching key for 2.2.2.2 in default : success
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 2.2.2.2
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 18 13:52:09.487: ISAKMP: quick mode timer expired.
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):src 1.1.1.1 dst 2.2.2.2, SA is not authenticated
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 2.2.2.2)
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 2.2.2.2)
Apr 18 13:52:09.487: ISAKMP: Unlocking IKE struct 0x43E75690 for isadb_mark_sa_deleted(), count 0
Apr 18 13:52:09.487: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 43E75690
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting node 1524471441 error FALSE reason "IKE deleted"
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting node -714872047 error FALSE reason "IKE deleted"
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
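The debug above shows the hub sending its first Main Mode packet (MM1, state MM_NO_STATE) and then deleting the SA when the QM timer expires, with no packet ever received from 2.2.2.2: the remote never answered, which matches the earlier suspicion of a path or firewall problem or a peer that does not recognise this hub. The script below is an added example, not code from this thread or from Cisco; it reads debug crypto isakmp output in the format posted here, tallies packets sent and received and the state transitions per peer, and turns them into a verdict with the check a defender would make next. The first sample is a trimmed, constructed excerpt of the debug above (the 1.1.1.1 / 2.2.2.2 addresses are the poster's own masking); the second is a constructed contrast case in the same IOS line format where the peer answers and phase 1 completes.

```python
import re

# Constructed excerpt of the hub's 'debug crypto isakmp' output as posted in the thread.
HUB_DEBUG = """\
Apr 18 13:51:24.488: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 2.2.2.2
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 18 13:52:09.487: ISAKMP: quick mode timer expired.
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):src 1.1.1.1 dst 2.2.2.2, SA is not authenticated
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 2.2.2.2)
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

# Constructed contrast case in the same IOS format: the peer answers and Main Mode completes.
GOOD_DEBUG = """\
Apr 18 14:02:01.100: ISAKMP:(0:0:N/A:0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 18 14:02:01.120: ISAKMP (0:0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_NO_STATE
Apr 18 14:02:01.120: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Apr 18 14:02:01.400: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
"""

# Lines that name the peer an event belongs to; state lines carry no address, so they
# are attributed to the most recently named peer (fine for a single-peer debug capture).
PEER_RE = re.compile(r"(?:peer struct for|sending packet to|received packet from|\(peer) (\d+(?:\.\d+){3})")
SENT_RE = re.compile(r"sending packet to \S+ .*\((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from \S+ .*\((I|R)\) (\S+)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')

ADVICE = {
    "phase1_complete": "Main Mode finished; if the tunnel still fails, compare the phase 2 "
                       "transform set and check that the crypto ACLs mirror each other.",
    "no_response": "MM1 was sent but nothing came back: confirm UDP/500 (and ESP) reach the peer, "
                   "that the peer's crypto map has this address as 'set peer', and that it has a key for it.",
    "failed_after_reply": "The peer answered but phase 1 never completed: compare ISAKMP policies "
                          "and pre-shared keys on both ends.",
    "no_activity": "No ISAKMP packets at all: no interesting traffic hit the crypto ACL, or the "
                   "crypto map is not applied to the outgoing interface.",
}

def summarize(debug_text):
    """Per peer: packets sent/received, state transitions, delete reason, verdict and advice."""
    peers, cur = {}, None
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            cur = m.group(1)
            peers.setdefault(cur, {"sent": 0, "received": 0, "states": [], "delete_reason": None})
        if cur is None:
            continue  # cannot attribute this line to a peer yet
        p = peers[cur]
        if SENT_RE.search(line):
            p["sent"] += 1
        elif RECV_RE.search(line):
            p["received"] += 1
        elif (m := STATE_RE.search(line)):
            p["states"].append(m.group(2))
        elif (m := DELETE_RE.search(line)):
            p["delete_reason"] = m.group(1)
    for p in peers.values():
        if "IKE_P1_COMPLETE" in p["states"]:
            p["verdict"] = "phase1_complete"
        elif p["sent"] and not p["received"]:
            p["verdict"] = "no_response"
        elif p["received"]:
            p["verdict"] = "failed_after_reply"
        else:
            p["verdict"] = "no_activity"
        p["advice"] = ADVICE[p["verdict"]]
    return peers

if __name__ == "__main__":
    for name, text in (("hub debug", HUB_DEBUG), ("contrast", GOOD_DEBUG)):
        for peer, p in summarize(text).items():
            print(f"{name}: peer {peer} sent={p['sent']} received={p['received']} "
                  f"states={p['states']} -> {p['verdict']}: {p['advice']}")
```

For the posted debug the verdict is no_response: one packet out, none in, the only state transitions being IKE_I_MM1 and then IKE_DEST_SA after the QM timer deletes the SA. That is the signature of a peer that never replies, not of a policy or key mismatch, which would only show up once packets start coming back.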