Having issue with multiple site to site VPN

jtolbert23
Level 1

We have multiple site-to-site VPNs. I have a need that involves adding a 2nd VPN between 2 of them. The basics of this is that our corporate office is site A and then 2 of our remote locations will be sites B and C.

Site A has a VPN set up and working to both sites B and C. Our company now wants a VPN set up directly from B to C for that traffic while obviously keeping the current VPNs in place.

Site B has a Cisco UC520 and site C has a Cisco 1841. I have followed everything I can find as far as the config examples out there, but I am getting nothing. It is not even failing; there is just no traffic going between them.

Here is the config for Site B

crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key abcd hostname corporateoffice no-xauth
crypto isakmp key 12345 hostname siteC no-xauth
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
crypto isakmp peer address 10.10.10.1
!
crypto isakmp peer address 10.10.30.1
crypto isakmp profile SiteB
   keyring default
   self-identity fqdn
   match identity host corporateoffice
   match identity host siteC
   initiate mode aggressive
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set siteB esp-aes esp-sha-hmac
crypto ipsec transform-set siteB-C esp-aes esp-sha-hmac
!
crypto map VPN-siteB isakmp-profile Caleta
crypto map VPN-siteB 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set siteB
 match address VPN-list
 reverse-route
crypto map VPN-siteB 20 ipsec-isakmp
 set peer 10.10.30.1
 set transform-set siteB-C
 match address VPN-siteC
 reverse-route
!
interface FastEthernet0/0
 ip address 10.10.20.1 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN-siteB

Now the config for Site C

crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key abcdefg hostname corporateoffice no-xauth
crypto isakmp key 12345 hostname siteB no-xauth
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
crypto isakmp peer address 10.10.10.1
!
crypto isakmp peer address 10.10.20.1
crypto isakmp profile siteC
   keyring default
   self-identity fqdn
   match identity host corporateoffice
   match identity host siteB
   initiate mode aggressive
!
!
crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set siteC esp-aes esp-sha-hmac
crypto ipsec transform-set siteC-B esp-aes esp-sha-hmac
!
crypto map VPN-siteC isakmp-profile siteC
crypto map VPN-siteC 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set siteC
 match address VPN-list
 reverse-route
crypto map VPN-siteC 20 ipsec-isakmp
 set peer 10.10.20.1
 set transform-set siteC-B
 match address VPN-siteB
 reverse-route
!
interface FastEthernet0/1
 ip address 10.10.30.1 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN-siteC

Again, there is nothing coming through, so it is not failing; they are just not communicating at all.

I would appreciate any help you guys could give.

7 Replies

mvsheik123
Level 7

Hi,

Have you removed the B<-->C traffic subnets from the B-->A and C-->A tunnel lists (VPN-list) and included them only in the B (VPN-siteC) and C (VPN-siteB) lists?

Also, I am not quite sure if having 2 identical transform-set options under two different names (I never tried that) makes any difference here.

Thx

MS

Here are the 2 access lists for site B

ip access-list extended VPN-siteC
 permit ip 10.10.30.0 0.0.0.255 any
 permit ip 10.11.30.0 0.0.0.255 any
 permit ip 10.12.30.0 0.0.0.255 any
 permit ip 10.13.30.0 0.0.0.255 any
ip access-list extended VPN-list
 permit ip 10.10.20.0 0.0.0.255 any
 permit ip 10.11.20.0 0.0.0.255 any
 permit ip 10.12.20.0 0.0.0.255 any
 permit ip 10.13.20.0 0.0.0.255 any
 deny   ip 10.10.30.0 0.0.0.255 any
 deny   ip 10.11.30.0 0.0.0.255 any
 deny   ip 10.12.30.0 0.0.0.255 any
 deny   ip 10.13.30.0 0.0.0.255 any

This is site C

ip access-list extended VPN-siteB
 permit ip 10.10.20.0 0.0.0.255 any
 permit ip 10.11.20.0 0.0.0.255 any
 permit ip 10.12.20.0 0.0.0.255 any
 permit ip 10.13.20.0 0.0.0.255 any
ip access-list extended VPN-list
 permit ip 10.10.30.0 0.0.0.255 any
 permit ip 10.11.30.0 0.0.0.255 any
 permit ip 10.12.30.0 0.0.0.255 any
 deny   ip 10.10.20.0 0.0.0.255 any
 deny   ip 10.11.20.0 0.0.0.255 any
 deny   ip 10.12.20.0 0.0.0.255 any
 deny   ip 10.13.20.0 0.0.0.255 any

But the thing is, the 2 remote sites are not even communicating at their WAN interfaces. If I do a debug at the remote sites for crypto isakmp, there is no IKE traffic between the 2 sites. So it's not that I cannot get traffic for the LAN; it's that I am not even seeing the tunnel trying to get built.

Hi,

Can both sites' WAN interfaces see each other directly (ping), or does the traffic trace go via site A?

Also, with permit 'any' in the ACLs, I believe the interesting traffic always tries to go via the first allowed ACL.

Thx

MS
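The two suggestions above (take the B<-->C subnets out of VPN-list, and note that a flow is claimed by the first crypto map entry whose ACL permits it) can be checked by walking site B's crypto map the way IOS does. The following is an added illustration, not code from the thread or from Cisco: it models IOS wildcard-mask matching and first-permit crypto map selection, feeds in site B's posted ACL entries, and compares them with an assumed corrected pair of ACLs. Host addresses 10.10.20.5 and 10.10.30.5 are constructed for the example.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": every wildcard bit set

def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def select_entry(crypto_map, acls, src, dst):
    """Walk crypto map entries in sequence order. The first entry whose ACL
    permits the flow protects it (and is the peer IKE is started with).
    A deny or no match only means 'not this entry': evaluation continues,
    and a flow no entry permits leaves the interface in the clear (None)."""
    for seq, peer, acl_name in crypto_map:
        for action, (s_net, s_wc), (d_net, d_wc) in acls[acl_name]:
            if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
                if action == "permit":
                    return seq, peer
                break  # explicit deny in this ACL: fall through to next entry
    return None

# Site B crypto map order as posted: seq 10 -> corporate (A), seq 20 -> site C.
SITE_B_MAP = [(10, "10.10.10.1", "VPN-list"), (20, "10.10.30.1", "VPN-siteC")]

# Site B ACLs as posted (first ACE of each; 10.11-10.13 follow the same pattern).
POSTED = {
    "VPN-list":  [("permit", ("10.10.20.0", "0.0.0.255"), ANY),
                  ("deny",   ("10.10.30.0", "0.0.0.255"), ANY)],
    "VPN-siteC": [("permit", ("10.10.30.0", "0.0.0.255"), ANY)],
}

# Assumed corrected ACLs (illustration, not from the thread): the B->C flow is
# excluded from VPN-list and is the only thing VPN-siteC lists.
FIXED = {
    "VPN-list":  [("deny",   ("10.10.20.0", "0.0.0.255"), ("10.10.30.0", "0.0.0.255")),
                  ("permit", ("10.10.20.0", "0.0.0.255"), ANY)],
    "VPN-siteC": [("permit", ("10.10.20.0", "0.0.0.255"), ("10.10.30.0", "0.0.0.255"))],
}

def peer_for_b_to_c(acls):
    """Which peer site B would start IKE with for a LAN-B -> LAN-C packet."""
    return select_entry(SITE_B_MAP, acls, "10.10.20.5", "10.10.30.5")

if __name__ == "__main__":
    print("posted ACLs:", peer_for_b_to_c(POSTED))  # (10, '10.10.10.1'): sent toward A
    print("fixed ACLs: ", peer_for_b_to_c(FIXED))   # (20, '10.10.30.1'): B-C tunnel triggers
```

With the posted ACLs the LAN-B to LAN-C packet is claimed by seq 10 and goes to the corporate peer, which is why no IKE toward site C is ever seen; the `deny` in the corrected VPN-list makes it fall through to seq 20.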

The WAN interfaces for the remote sites (sites B and C) can ping each other directly without coming to the corporate office (site A).

I will try messing with the ACLs, but with the tunnel not even trying to be created, could that really be the issue?

As far as I know, the tunnel tries to initiate when the interesting traffic triggers it.

Also, I never set up on a UC520, so I was checking the data sheet, and all the datasheet tells about is EasyVPN/Remote access connections. Nothing about LAN-to-LAN unless I missed something. I know you already have a connection to site A.

Can you check on SiteA router config?

Thx

MS

Site A is actually an Adtran router, so none of it is using EasyVPN. I noticed that too for the UC520. I am working on the ACLs now to get them how I want them, to see if this works.

Ok.. Not that you don't know, but you can issue 'sh ver' on the UC520 (if the CLI is supported) and check the supported features.