Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1579
Views
0
Helpful
3
Replies

Site to Site VPN on Sub-interface using HSRP issue CRYPTO MAP ON INSIDE INTERFACE???

Wan_Whisperer
Level 1
Level 1

‎05-23-2019 02:44 AM - edited ‎05-23-2019 03:48 AM

This is my setup. 

I have a sub-interface with private IPs that also uses HSRP.   

I also have "ip nat inside" on the sub interface but have excluded networks going through the VPN. 

I have the VPN source 192.168.100.1 one-to-one NAT to a public IP 1.1.1.1. (not really 1.1.1.1) on my Edge router

The second HSRP router is off to eliminate any extra issues, so Core1 is active (see "show standby brief below)"

The VPN looks up.

 

It looks like the Crpto map is not catching the Private IPs

 

If I trace from a computer with the IP of 192.168.100.25 It hits 192.168.100.2 then to the Edge device.  It should not do this, it should go through the VPN

 

I also made sure that  192.168.100.25 is not being natted on Core1

 

----------------------------------------------------------------

Configs on Core1


crypto isakmp key TESTKEY address 1.1.1.1
!
!

crypto ipsec transform-set MYSET esp-aes 256 esp-md5-hmac
mode tunnel
!
!
!
crypto map BWI 1 ipsec-isakmp
description To-Remote
set peer 1.1.1.1
set transform-set MYSET
match address To-Remote-VPN


interface GigabitEthernet0/0/0.100
description Private
encapsulation dot1Q 100
ip address 192.168.100.2 255.255.255.0
no ip redirects
ip nat inside
standby 100 ip 192.168.100.1
standby 100 name Vlan100
standby 100 track 1 decrement 60
cdp enable
crypto map BWI redundancy Vlan100


ip access-list extended To-Remote-VPN
permit ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255 log

 

ip access-list extended NAT-SOURCE
deny ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255
deny ip host 192.168.100.2 any     //////////////// I do not think I need this but I added just to be safe/////////////
deny ip host 192.168.100.1 any     //////////////// I do not think I need this but I added just to be safe/////////////
permit ip 192.168.100.0 0.0.0.255 any

 

 

-----------------------------------------------------

Show commands below.

 

Core1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.100.1 1.1.1.1 QM_IDLE 1003 ACTIVE

 

 

 

Core1#sho crypto ipse sa

interface: GigabitEthernet0/0/0.100
Crypto map tag: BWI, local addr 192.168.100.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.100.1, remote crypto endpt.: 1.1.1.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0.100
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

 

/////////////////////////////////////////////as you can see the VPN is up///////////////////////////////////

 


SCore11#sho stan b
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Gi0/0/0.10 100 150 P Active local unknown 192.168.100.1

 

 

-----------------------------------------------------------------------

 

To recap:

The VPN is up but it seems like the IPs 192.168.100.0/24 are not hitting the crypto map entering or exiting.  I feel like this is a simple fix.  I feel like I am just overlooking something.  I have setup VPNs hundreds of time but not like this...

 

If I send packets for the remote side and issue the command "sho crypto ipse sa"  I can see packets getting encrypted and if I issue the same command on Core1 I do not see any packets being decrypted.

 

 

Thanks for your input :) 

0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎05-23-2019 03:03 AM - edited ‎05-23-2019 03:16 AM

 

To be honest I am surprised the VPN is up as I have always applied the crypto map on the outbound interface not the inbound interface as you have. 

 

I suspect because from inside to outside the packet is first routed so the crypto map on the inside interface is never checked. 

 

Jon

0 Helpful

Wan_Whisperer
Level 1
Level 1
In response to Jon Marshall

‎05-23-2019 03:40 AM

Jon,

 

I agree with putting the VPN on the outside.  In my case I don't know how it can be done with my topology and need for redundant VPN.  My two (Core1 and Core2) inside interfaces are redundant Via HSRP but my outsides are not (I do not want to buy a 10g Switch to make this possible) (maybe there is a way I don't know of)  So I am trying to engineer a way to have redundant VPN and with out my outside  being redundant I am trying to place it on my inside.

 

any suggestions or thoughts?

 

:)  

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Wan_Whisperer

‎05-23-2019 03:52 AM - edited ‎05-23-2019 04:03 AM

 

Depends what you mean by redundant.

 

You could use HSRP tracking to switch between routers if a WAN link fails but obviously that would mean the VPN tunnel would need to be setup again. 

 

At the remote end you could configure multiple peer IPs ie. the WAN interface IPs. 

 

However not sure what would happen if you switched to the other router and then tried to bring up the tunnel again to the same remote peer as it already has a tunnel up as far as it is concerned. 

 

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card