01-17-2014 04:15 AM - edited 03-07-2019 05:37 PM
Hi,
I have configured one IPSec VPN (dgcx 1 : ip 94.200.168.198) on a c1900 router, and it is successfully working.
I also configured a second IPSec VPN (dgcx 2 : ip 120.63.208.231) instance on the same router, with the remote side having a SonicWall firewall. But the VPN connection is not able to be established.
At the remote side, packets are showing as transmitted but not received from the IPSec peer IP address. Also, we have checked debug on our Cisco router, but there is no traffic for the remote IP.
We have bound the crypto map to the external interface, but I don't know why traffic is not showing for dgcx 2 : ip 120.63.208.231. Traffic is only showing for dgcx 1 : ip 94.200.168.198.
Please find the config and debug below.
Config:
****************************************************************************************************************************
!
ip multicast-routing
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ***** address 94.200.168.198
crypto isakmp key ***** address 203.199.49.123
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set dgcxset esp-3des esp-sha-hmac
!
!
!
crypto map dgcx 1 ipsec-isakmp
set peer 94.200.168.198
set transform-set dgcxset
set pfs group2
match address 110
crypto map dgcx 2 ipsec-isakmp
set peer 203.199.49.123
set transform-set dgcxset
match address 120
!
!
!
!
!
interface Tunnel66
description To DGCX
ip unnumbered GigabitEthernet0/0
ip pim sparse-mode
ip igmp join-group 239.140.255.255
tunnel source 203.199.49.123
tunnel destination 94.200.168.198
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description 10.30.30.126 7250
ip address 203.199.49.123 255.255.255.128
ip pim sparse-mode
ip igmp join-group 239.140.255.255
duplex auto
speed auto
crypto map dgcx
!
interface GigabitEthernet0/1
no ip address
ip pim sparse-mode
ip igmp join-group 239.140.255.255
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description "DGCX"
encapsulation dot1Q 165
ip address 10.228.66.1 255.255.255.224
ip pim sparse-mode
ip igmp join-group 239.140.255.255
ip igmp join-group 239.130.255.255
ip igmp join-group 239.120.255.255
ip igmp join-group 239.110.255.255
!
interface GigabitEthernet0/1.2
description "MGMT"
encapsulation dot1Q 71
ip address 10.228.1.48 255.255.255.192
!
interface GigabitEthernet0/1.3
description USE-VPN
encapsulation dot1Q 515
ip address 192.168.255.121 255.255.255.248
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
!
ip pim rp-address 10.30.30.1
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 203.199.49.1
ip route 10.30.30.0 255.255.255.0 Tunnel66
ip route 10.228.1.0 255.255.255.0 10.228.1.1
!
access-list 110 permit ip host 203.199.49.123 host 94.200.168.198
access-list 120 permit ip host 203.199.49.123 host 120.63.208.231
access-list 120 permit ip any host 120.63.208.231
access-list 120 permit ip 10.228.0.0 0.0.255.255 192.168.11.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
!
scheduler allocate 20000 1000
end
*****************************************************************************************************************
Debug:
*****************************************************************************************************************
DGCX#debug crypto isakmp
Crypto ISAKMP debugging is on
DGCX#debug crypto ips
Jan 17 17:37:01: ISAKMP (1625): received packet from 94.200.168.198 dport 500 sport 500 Global (R) QM_IDLE
Jan 17 17:37:01: ISAKMP: set new node 1220246999 to QM_IDLE
Jan 17 17:37:01: ISAKMP:(1625): processing HASH payload. message ID = 1220246999
Jan 17 17:37:01: ISAKMP:(1625): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1220246999, sa = 0x27EE81C4
Jan 17 17:37:01: ISAKMP:(1625):deleting node 1220246999 error FALSE reason "Informational (in) state 1"
Jan 17 17:37:01: ISAKMP:(1625):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 17 17:37:01: ISAKMP:(1625):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 17 17:37:01: ISAKMP:(1625):DPD/R_U_THERE received from peer 94.200.168.198, sequence 0x1E7953
Jan 17 17:37:01: ISAKMP: set new node 2086090381 to QM_IDLE
Jan 17 17:37:01: ISAKMP:(1625):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 693907840, message ID = 2086090381
Jan 17 17:37:01: ISAKMP:(1625): seq. no 0x1E7953
Jan 17 17:37:01: ISAKMP:(1625): sending packet to 94.200.168.198 my_port 500 peer_port 500 (R) QM_IDLE
Jan 17 17:37:01: ISAKMP:(1625):Sending an IKE IPv4 Packet.
Jan 17 17:37:01: ISAKMP:(1625):purging node 2086090381
Jan 17 17:37:01: ISAKMP:(1625):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Jan 17 17:37:01: ISAKMP:(1625):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Crypto IPSEC debugging is on
DGCX#
Jan 17 17:37:06: ISAKMP (1625): received packet from 94.200.168.198 dport 500 sport 500 Global (R) QM_IDLE
Jan 17 17:37:06: ISAKMP: set new node -1021258304 to QM_IDLE
Jan 17 17:37:06: ISAKMP:(1625): processing HASH payload. message ID = 3273708992
Jan 17 17:37:06: ISAKMP:(1625): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 3273708992, sa = 0x27EE81C4
Jan 17 17:37:06: ISAKMP:(1625):deleting node -1021258304 error FALSE reason "Informational (in) state 1"
Jan 17 17:37:06: ISAKMP:(1625):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 17 17:37:06: ISAKMP:(1625):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 17 17:37:06: ISAKMP:(1625):DPD/R_U_THERE received from peer 94.200.168.198, sequence 0x1E7954
Jan 17 17:37:06: ISAKMP: set new node -609773696 to QM_IDLE
Jan 17 17:37:06: ISAKMP:(1625):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 693907840, message ID = 3685193600
Jan 17 17:37:06: ISAKMP:(1625): seq. no 0x1E7954
Jan 17 17:37:06: ISAKMP:(1625): sending packet to 94.200.168.198 my_port 500 peer_port 500 (R) QM_IDLE
Jan 17 17:37:06: ISAKMP:(1625):Sending an IKE IPv4 Packet.
Jan 17 17:37:06: ISAKMP:(1625):purging node -609773696
Jan 17 17:37:06: ISAKMP:(1625):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Jan 17 17:37:06: ISAKMP:(1625):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 17 17:37:07: ISAKMP:(1625):purging node -163359897
Jan 17 17:37:12: ISAKMP:(1625):purging node -513894353
DGCX#u all
**************************************************************************************************************************************
Thanks.
01-20-2014 07:33 AM
Based on what you have posted here, there is an inconsistency in the configuration that is probably the source of your problem. It shows that the second peer is 203.199.49.123. But this address is the address of the Gig0/0 interface of the router. How can the router peer with itself?
HTH
Rick
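As an added illustration of the point in the reply above (not code from the thread or from Cisco), here is a small Python audit that parses a crypto-map configuration in the same style as the posted one and flags a set peer that equals one of the router's own interface addresses, a peer with no crypto isakmp key, and crypto ACL hosts that are neither the peer nor a local address. The config excerpt is constructed from the lines posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the config posted above (not the full config).
CONFIG = """
crypto isakmp key SECRET address 94.200.168.198
crypto isakmp key SECRET address 203.199.49.123
crypto map dgcx 1 ipsec-isakmp
 set peer 94.200.168.198
 match address 110
crypto map dgcx 2 ipsec-isakmp
 set peer 203.199.49.123
 match address 120
interface GigabitEthernet0/0
 ip address 203.199.49.123 255.255.255.128
access-list 110 permit ip host 203.199.49.123 host 94.200.168.198
access-list 120 permit ip host 203.199.49.123 host 120.63.208.231
"""

def parse(cfg):
    """Collect local interface IPs, keyed ISAKMP peers, crypto map entries and ACL entries."""
    local, keyed, maps, acls, cur = set(), set(), {}, defaultdict(list), None
    for s in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"ip address (\S+) \S+$", s):
            local.add(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            keyed.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", s):
            cur = maps.setdefault((m.group(1), int(m.group(2))), {})
        elif m := re.match(r"access-list (\d+) permit ip (.*)", s):
            acls[m.group(1)].append(m.group(2))
        elif cur is not None and (m := re.match(r"(set peer|match address) (\S+)", s)):
            cur[m.group(1)] = m.group(2)
    return local, keyed, maps, acls

def audit(cfg):
    """Flag a peer that is our own address, a peer without an ISAKMP key, and
    crypto ACL hosts that are neither the peer nor a local address."""
    local, keyed, maps, acls = parse(cfg)
    out = []
    for (name, seq), e in sorted(maps.items()):
        tag, peer, acl = f"crypto map {name} {seq}", e.get("set peer"), e.get("match address")
        if peer in local:
            out.append(f"{tag}: peer {peer} is this router's own interface address")
        elif peer not in keyed:
            out.append(f"{tag}: no crypto isakmp key configured for peer {peer}")
        for h in (h for ace in acls.get(acl, []) for h in re.findall(r"host (\S+)", ace)):
            if h != peer and h not in local:
                out.append(f"{tag}: ACL {acl} names host {h}, which is not the peer")
    return out
```

Running audit(CONFIG) reports both the self-peer on dgcx 2 and that ACL 120 names 120.63.208.231 while the map peers with 203.199.49.123; the ACL-host finding is a hint only, since a crypto ACL may legitimately match hosts behind the peer.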