Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1632
Views
20
Helpful
8
Replies

Site to site VPN

Go to solution
Star Sulaiman
Level 1
Level 1

‎06-08-2020 03:51 PM

Hello All,

 

I have set up site to site vpn on my home lab.

 

I have ospf running between the wan. local and remote site, everything working fin. 

However, when I apply the Crypto map to the interfaces,  I lose routing between the Local LAN, Wan  and Remote sites. 

when I take the crypto map of the interfaces the ospf adjacency is forming and the connectivity comes back but the tunnel goes down, see below 

 

1 00:50:18.575: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /224.0.0.5, src_addr= 1.1.1.2, prot= 89

 

Thank you for your help.

 

Regards,

 

Star
 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP
In response to Star Sulaiman

‎06-10-2020 02:38 PM

Hello,

 

with (S)VTIs, you do not need any access lists anymore. So in your case, access list 100 is not needed anymore.

 

On both your tunnels, you might need to add:

 

ip ospf network broadcast

ip ospf mtu-ignore

View solution in original post

8 Replies 8

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni

‎06-08-2020 10:29 PM

Hi,
Share the VPN Configuration. I think this may a ACL issue.
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Go to solution
Star Sulaiman
Level 1
Level 1
In response to Deepak Kumar

‎06-10-2020 11:21 AM

Hello Thank you of the info, please see below as requested.

 

 i tried to do access-list per host and network still didn't work.

access-list 100 permit ip host 10.10.10.1 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

 

as soon as i apply the access-list to the interface i lose ospf connectivity,.

 

Thank you

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎06-09-2020 12:00 AM

Hello,

 

try an (S)VTI instead of the crypto map.

 

SVTI looks something like below:

 

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key cisco123 address 10.1.1.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_P
set transform-set TS
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
ip ospf 1 area 0
tunnel source 192.168.1.1
tunnel mode ipsec ipv4
tunnel destination 10.1.1.1
tunnel protection ipsec profile IPSEC_P

Go to solution
Star Sulaiman
Level 1
Level 1
In response to Georg Pauwen

‎06-10-2020 11:19 AM

Hello,

 

Thank you for the info, the tunnel is up and active but when i apply the access-list to the tunnel the ospf connectivity goes down again.

please below, i tried to do access-list per host and network still didn't work.

access-list 100 permit ip host 10.10.10.1 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to Star Sulaiman

‎06-10-2020 01:21 PM

Hello,

 

post the current running configurations of both your routers...

Go to solution
Star Sulaiman
Level 1
Level 1
In response to Georg Pauwen

‎06-10-2020 02:21 PM

Hello Georg,

 

please see below and i have attached lab diagram pic for more clarifications. many thank you 

 

R3#sh running-config
Building configuration...

Current configuration : 2054 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef

no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated

!
ip tcp synwait-time 5

!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_P
set transform-set TS

!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
ip ospf 1 area 0
tunnel source 2.2.2.1
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile IPSEC_P
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex full
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
ip address 2.2.2.1 255.255.255.0
ip ospf 1 area 0
speed auto
duplex auto
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.1 QM_IDLE 1002 ACTIVE
2.2.2.1 1.1.1.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA
!
!
R3#sh crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 2.2.2.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

+++++++++++++++++++++++++++++++++++++++++++++

R1 output


R1#sh running-config
Building configuration...

Current configuration : 1991 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
ip tcp synwait-time 5
!

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 2.2.2.1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_P
set transform-set TS
!

interface Tunnel1
ip address 172.16.1.2 255.255.255.0
ip ospf 1 area 0
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 2.2.2.1
tunnel protection ipsec profile IPSEC_P
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex full
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
ip address 1.1.1.1 255.255.255.0
ip ospf 1 area 0
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.1 QM_IDLE 1002 ACTIVE
2.2.2.1 1.1.1.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh cry
R1#sh crypto ip
R1#sh crypto ipsec sa
R1#sh crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

 

Preview file
47 KB
0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to Star Sulaiman

‎06-10-2020 02:38 PM

Hello,

 

with (S)VTIs, you do not need any access lists anymore. So in your case, access list 100 is not needed anymore.

 

On both your tunnels, you might need to add:

 

ip ospf network broadcast

ip ospf mtu-ignore

Go to solution
Star Sulaiman
Level 1
Level 1
In response to Georg Pauwen

‎06-12-2020 02:39 AM

Hello Geeorg,

 

Thank you for the info it worked, i removed the access-lists and added the commands to the tunnel interface the ospf went down and come back up but unfortunately I am still unable to ping the remote LAN addresses. 

 

Thank you

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card