Site to site VPN

SS2020
Level 1

Hello All,

I have set up a site-to-site VPN in my home lab.

I have OSPF running between the WAN, local and remote sites; everything is working fine.

However, when I apply the crypto map to the interfaces, I lose routing between the local LAN, WAN and remote sites.

When I take the crypto map off the interfaces, the OSPF adjacency forms and the connectivity comes back, but the tunnel goes down; see below:

1 00:50:18.575: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /224.0.0.5, src_addr= 1.1.1.2, prot= 89

Thank you for your help.

Regards,

Star



Deepak Kumar
VIP Alumni
Hi,
Share the VPN configuration. I think this may be an ACL issue.
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello, thank you for the info; please see below as requested.

I tried the access list per host and per network; it still didn't work.

access-list 100 permit ip host 10.10.10.1 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

As soon as I apply the access list to the interface, I lose OSPF connectivity.

Thank you

Hello,

Try an (S)VTI instead of the crypto map.

An SVTI looks something like below:


crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key cisco123 address 10.1.1.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_P
set transform-set TS
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
ip ospf 1 area 0
tunnel source 192.168.1.1
tunnel mode ipsec ipv4
tunnel destination 10.1.1.1
tunnel protection ipsec profile IPSEC_P

Hello,

Thank you for the info. The tunnel is up and active, but when I apply the access list to the tunnel, the OSPF connectivity goes down again.

Please see below; I tried the access list per host and per network and it still didn't work.


access-list 100 permit ip host 10.10.10.1 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

Hello,

Post the current running configurations of both your routers...

Hello Georg,

Please see below; I have attached a lab diagram picture for more clarification. Many thanks.


R3#sh running-config
Building configuration...

Current configuration : 2054 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef

no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated

!
ip tcp synwait-time 5

!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_P
set transform-set TS

!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
ip ospf 1 area 0
tunnel source 2.2.2.1
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile IPSEC_P
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex full
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
ip address 2.2.2.1 255.255.255.0
ip ospf 1 area 0
speed auto
duplex auto
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.1 QM_IDLE 1002 ACTIVE
2.2.2.1 1.1.1.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA
!
!
R3#sh crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 2.2.2.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

+++++++++++++++++++++++++++++++++++++++++++++

R1 output


R1#sh running-config
Building configuration...

Current configuration : 1991 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
ip tcp synwait-time 5
!

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 2.2.2.1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_P
set transform-set TS
!

interface Tunnel1
ip address 172.16.1.2 255.255.255.0
ip ospf 1 area 0
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 2.2.2.1
tunnel protection ipsec profile IPSEC_P
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex full
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
ip address 1.1.1.1 255.255.255.0
ip ospf 1 area 0
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.1 QM_IDLE 1002 ACTIVE
2.2.2.1 1.1.1.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh cry
R1#sh crypto ip
R1#sh crypto ipsec sa
R1#sh crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

 

Hello,

With (S)VTIs, you do not need any access lists anymore. So in your case, access list 100 is not needed anymore.

On both your tunnels, you might need to add:

ip ospf network broadcast
ip ospf mtu-ignore

Hello Georg,

Thank you for the info, it worked. I removed the access lists and added the commands to the tunnel interface; OSPF went down and came back up, but unfortunately I am still unable to ping the remote LAN addresses.

Thank you
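A config checker for the two running configs posted in this thread (an added example; not written by the thread's participants or by Cisco): it groups an IOS config into stanzas, lists addressed interfaces that OSPF will not advertise (no `ip ospf` on the interface and no `network` statement under `router ospf`), and lists numbered ACLs that no `match address` line references. The embedded excerpts are constructed from R3's and R1's configs above; on them it flags FastEthernet0/0 on both routers (the LAN interfaces the last reply still cannot reach across the tunnel) and the leftover access-list 100 that the accepted answer says is no longer needed.

```python
# Constructed excerpts of the R3 and R1 running configs posted above (IOS indentation restored, unrelated stanzas dropped).
R3 = """interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source 2.2.2.1
 tunnel destination 1.1.1.1
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
router ospf 1
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
R1 = """interface Tunnel1
 ip address 172.16.1.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.1
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
router ospf 1
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

def stanzas(config):
    """Group an IOS config into {top-level line: [its indented sub-lines]}."""
    out, cur = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            cur = line.strip()
            out[cur] = []
        elif line.strip() and cur is not None:
            out[cur].append(line.strip())
    return out

def unadvertised_interfaces(config):
    """Addressed, non-shutdown interfaces with no 'ip ospf' line while 'router ospf' has no 'network' statements."""
    st = stanzas(config)
    if any(l.startswith("network ") for h, ls in st.items()
           if h.startswith("router ospf") for l in ls):
        return []  # prefix-based network statements need a different check
    return sorted(h.split()[1] for h, ls in st.items()
                  if h.startswith("interface ") and "shutdown" not in ls
                  and any(l.startswith("ip address ") for l in ls)
                  and not any(l.startswith("ip ospf ") for l in ls))

def orphan_acls(config):
    """Numbered ACLs defined but never referenced by a crypto-map 'match address' line."""
    st = stanzas(config)
    defined = {h.split()[1] for h in st if h.startswith("access-list ")}
    used = {l.split()[-1] for ls in st.values() for l in ls if l.startswith("match address ")}
    return sorted(defined - used)
```

Run on a full `show running-config` capture, the checker only needs the IOS indentation kept; an interface it reports as unadvertised needs either an `ip ospf <pid> area <n>` line or a covering `network` statement before its LAN can be reached through the tunnel.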

 
