Terminate 2 VPN Connections to one Router

mario.jost
Level 3

Please take a look at the network diagram attached. I try to create two VPN connections from roLAI01 and roDAI01 to roDLZ01. I attached all 3 configurations as well.

First, I configured the routers roDLZ01 and roDAI01. The VPN between them works fine and continues to work fine. But I cannot seem to get another VPN connection from roDLZ01 to roLAI01. It stays in the MM_NO_STATE all the time:

roDLZ01#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

55.55.55.55 44.44.44.44 QM_IDLE 1065 0 ACTIVE

66.66.66.66 44.44.44.44 MM_NO_STATE 0 0 ACTIVE (deleted)

roLAI01#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

Strange thing is, I can see something about this connection to 66.66.66.66 in phase 2 even if phase 1 is not up:

roDLZ01#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: VPN-DAI, local addr 44.44.44.44

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
   remote  ident (addr/mask/prot/port): (10.30.0.0/255.255.255.0/0/0)
   current_peer 55.55.55.55 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 0
   #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

     local crypto endpt.: 44.44.44.44, remote crypto endpt.:55.55.55.55
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x2ACF525C(718230108)

     inbound esp sas:
      spi: 0x2966125C(694555228)
        transform: esp-aes 128 esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: FPGA:1, crypto map: VPN-DAI
        sa timing: remaining key lifetime (k/sec): (4525504/2609)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound esp sas:
      spi: 0x2ACF525C(718230108)
        transform: esp-aes 128 esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2009, flow_id: FPGA:1, crypto map: VPN-DAI
        sa timing: remaining key lifetime (k/sec): (4525504/2609)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     local crypto endpt.: 44.44.44.44, remote crypto endpt.:66.66.66.66
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)


   local  ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
   remote  ident (addr/mask/prot/port): (10.40.0.0/255.255.255.0/0/0)
   current_peer 66.66.66.66 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

     local crypto endpt.: 44.44.44.44, remote crypto endpt.:66.66.66.66
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)


     local crypto endpt.: 44.44.44.44, remote crypto endpt.:66.66.66.66
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

Is this normal? And what am I missing that the connection is not coming up from roDLZ01 to roLAI01?

I have looked at other solutions with subinterfaces and different crypto maps, but I would need multiple public IPs to realize such a configuration.

Thanks and best regards,

Mario

2 Replies

mario.jost
Level 3

I think I found the problem myself. I forgot to add crypto map VPN-DLZ to the outside interface on roLAI01. I changed so many parameters in the meantime that I don't know if the original configuration will hold up. I will try to streamline the config as far as possible and post a clean config afterwards.

Here is just the VPN-related configuration you need to put on a router to terminate multiple VPNs on one router with only 1 public IP:

Router roDLZ01 (in the main office, branch offices connect to this router)

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key MerBag4PreSiDent address 55.55.55.55
crypto isakmp key MerBag4PreSiDent address 66.66.66.66
!
crypto ipsec transform-set VPN esp-aes 128 esp-md5-hmac
!
crypto map VPN 1 ipsec-isakmp
 description VPN DAI
 set peer 55.55.55.55
 set transform-set VPN
 match address VPN-DAI
!
crypto map VPN 2 ipsec-isakmp
 description VPN LAI
 set peer 66.66.66.66
 set transform-set VPN
 match address VPN-LAI
!
interface FastEthernet0/0
 ip address 44.44.44.44 255.255.255.0
 crypto map VPN
!
interface FastEthernet0/1
 ip address 10.20.0.1 255.255.255.0
!
ip access-list extended VPN-DAI
 permit ip 10.20.0.0 0.0.0.255 10.30.0.0 0.0.0.255
ip access-list extended VPN-LAI
 permit ip 10.20.0.0 0.0.0.255 10.40.0.0 0.0.0.255
!

Router roLAI01 (branch office 1)

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key MerBag4PreSiDent address 44.44.44.44
!
crypto ipsec transform-set DLZ esp-aes 128 esp-md5-hmac
!
crypto map VPN-DLZ 1 ipsec-isakmp
 description VPN DLZ
 set peer 44.44.44.44
 set transform-set DLZ
 match address VPN-DLZ
!
interface FastEthernet0/0
 ip address 66.66.66.66 255.255.255.0
 crypto map VPN-DLZ
!
interface FastEthernet0/1
 ip address 10.40.0.1 255.255.255.0

ip access-list extended VPN-DLZ
 permit ip 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255

Router roDAI01 (branch office 2)

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key MerBag4PreSiDent address 44.44.44.44
!
crypto ipsec transform-set DLZ esp-aes 128 esp-md5-hmac
!
crypto map VPN-DLZ 1 ipsec-isakmp
 description VPN DLZ
 set peer 44.44.44.44
 set transform-set DLZ
 match address VPN-DLZ
!
interface FastEthernet0/0
 ip address 55.55.55.55 255.255.255.0
 crypto map VPN-DLZ
!
interface FastEthernet0/1
 ip address 10.30.0.1 255.255.255.0
!
ip access-list extended VPN-DLZ
 permit ip 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255

Hope I can help someone else with this post...
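Added example, not from the thread or from Cisco: a small Python audit that parses a crypto-map configuration of the shape posted above and flags the mistakes that stop a tunnel from ever negotiating, including the poster's own one (a crypto map defined but never applied to an interface), plus map entries whose peer has no pre-shared key, or whose transform-set or ACL is undefined. The sample config is constructed to reproduce roLAI01 without the `crypto map VPN-DLZ` line under FastEthernet0/0; `parse_blocks` and `audit_crypto_maps` are hypothetical names, and the peer check assumes pre-shared keys configured by address, as in the posted configs.

```python
import re
# Constructed sample (hypothetical, not the poster's file): roLAI01 with the defect the thread
# describes, the crypto map never applied under interface FastEthernet0/0.
SAMPLE_CONFIG = """\
crypto isakmp key MerBag4PreSiDent address 44.44.44.44
crypto ipsec transform-set DLZ esp-aes 128 esp-md5-hmac
crypto map VPN-DLZ 1 ipsec-isakmp
 set peer 44.44.44.44
 set transform-set DLZ
 match address VPN-DLZ
interface FastEthernet0/0
 ip address 66.66.66.66 255.255.255.0
ip access-list extended VPN-DLZ
 permit ip 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255
"""

def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:  # indented: child of the last top-level line
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def audit_crypto_maps(config):
    """Return findings for crypto map entries that cannot negotiate a tunnel as written."""
    blocks = parse_blocks(config)
    keyed_peers = {h.split()[-1] for h, _ in blocks if h.startswith("crypto isakmp key ")}
    tsets = {h.split()[3] for h, _ in blocks if h.startswith("crypto ipsec transform-set ")}
    acls = {h.split()[-1] for h, _ in blocks if h.startswith("ip access-list ")}
    applied = {c.split()[2] for h, kids in blocks if h.startswith("interface ")
               for c in kids if c.startswith("crypto map ")}
    findings = []
    for header, kids in blocks:
        if not (m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", header)):
            continue
        name, seq = m.groups()
        # each entry needs a keyed peer (pre-shared key by address), a transform-set and an ACL
        want = {"set peer": keyed_peers, "set transform-set": tsets, "match address": acls}
        for cmd, known in want.items():
            vals = [c.split()[-1] for c in kids if c.startswith(cmd + " ")]
            if not vals:
                findings.append(f"{name} {seq}: missing '{cmd}'")
            elif vals[0] not in known:
                findings.append(f"{name} {seq}: '{cmd} {vals[0]}' has no matching definition")
        if name not in applied:  # the poster's actual mistake: map never bound to an interface
            findings.append(f"{name}: crypto map not applied to any interface")
    return findings
```

Run `audit_crypto_maps` over each router's running config before troubleshooting ISAKMP state: an entry that is never bound to an interface produces no SA on that side at all, which matches the empty `show crypto isakmp sa` on roLAI01 above.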