06-13-2017 01:12 AM - edited 02-21-2020 09:19 PM
Hi everyone,
I need help creating multiple VPN tunnels on my router. I am using a Cisco router but the other end is a non-Cisco device. Anyway, one of the IPsec peerings is up; then I added two more IPsec peerings to routers B and C. One is stuck in UP-IDLE status and the other one is down. Please help me check what is wrong with my configuration:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key password1 address 1.1.1.1
crypto isakmp key password2 address 2.2.2.2
crypto isakmp key password3 address 3.3.3.3
crypto ipsec transform-set eq-ipsec esp-3des
crypto map eq-ipsec 1 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime seconds 86400
set transform-set eq-ipsec
match address eq-ipsec
reverse-route static
crypto map eq-ipsec 2 ipsec-isakmp
set peer 2.2.2.2
set security-association lifetime seconds 86400
set transform-set eq-ipsec
match address eq-ipsec-2
reverse-route static
crypto map eq-ipsec 3 ipsec-isakmp
set peer 3.3.3.3
set security-association lifetime seconds 86400
set transform-set eq-ipsec
match address eq-ipsec-3
reverse-route static
interface GigabitEthernet0/1
description internet
ip address 4.4.4.4 255.255.255.255
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
duplex full
speed 100
media-type rj45
negotiation auto
crypto map eq-ipsec
ip access-list extended eq-ipsec
permit ip 10.65.0.0 0.0.63.255 10.1.0.0 0.0.255.255
permit ip 10.65.33.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip 10.152.10.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip 10.65.20.0 0.0.0.255 10.1.0.0 0.0.255.255
ip access-list extended eq-ipsec-2
permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255
ip access-list extended eq-ipsec-3
permit ip 10.65.0.0 0.0.63.255 10.10.128.0 0.0.7.255
permit ip 10.65.0.0 0.0.63.255 10.10.120.0 0.0.7.255
Appreciate your help!
Cheers,
Jen
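Before chasing the phase 2 negotiation with the non-Cisco peers, the usual first pass is to confirm the crypto map itself is consistent: every set peer has a pre-shared key, every match address ACL exists, and no lower-sequence entry's selectors overlap a higher entry's (the map is evaluated lowest sequence first, so overlapping selectors would divert that traffic to the earlier peer). The script below is an added example, not code from the post; it runs those checks over a constructed excerpt of the configuration above, and the names wc_net, parse and check are my own.

```python
import ipaddress, itertools
# Constructed excerpt of the posted crypto map, keys and crypto ACLs (copied from the post, other lines dropped).
CONFIG = """\
crypto isakmp key password1 address 1.1.1.1
crypto isakmp key password2 address 2.2.2.2
crypto isakmp key password3 address 3.3.3.3
crypto map eq-ipsec 1 ipsec-isakmp
set peer 1.1.1.1
match address eq-ipsec
crypto map eq-ipsec 2 ipsec-isakmp
set peer 2.2.2.2
match address eq-ipsec-2
crypto map eq-ipsec 3 ipsec-isakmp
set peer 3.3.3.3
match address eq-ipsec-3
ip access-list extended eq-ipsec
permit ip 10.65.0.0 0.0.63.255 10.1.0.0 0.0.255.255
ip access-list extended eq-ipsec-2
permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
ip access-list extended eq-ipsec-3
permit ip 10.65.0.0 0.0.63.255 10.10.128.0 0.0.7.255
"""

def wc_net(addr, wildcard):  # IOS address + wildcard -> network (assumes a contiguous wildcard)
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse(cfg):
    """Return pre-shared-key peers, crypto map entries in sequence order, and crypto ACL selectors."""
    keys, entries, acls, cur = set(), [], {}, None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[:3] == ["crypto", "isakmp", "key"] and "address" in w: keys.add(w[w.index("address") + 1])
        elif w[:2] == ["crypto", "map"] and len(w) > 3: cur = {"seq": int(w[3])}; entries.append(cur)
        elif w[0] in ("set", "match") and isinstance(cur, dict): cur[w[1]] = w[2]
        elif w[:3] == ["ip", "access-list", "extended"]: cur = acls.setdefault(w[3], [])
        elif w[:2] == ["permit", "ip"] and isinstance(cur, list): cur.append((wc_net(w[2], w[3]), wc_net(w[4], w[5])))
    return keys, entries, acls

def check(cfg):
    """Findings: peers without a key, undefined crypto ACLs, and selectors shadowed by a lower-sequence entry."""
    (keys, entries, acls), out = parse(cfg), []
    for e in entries:
        if e.get("peer") not in keys: out.append(f"seq {e['seq']}: no isakmp key for peer {e.get('peer')}")
        if e.get("address") not in acls: out.append(f"seq {e['seq']}: crypto ACL {e.get('address')} undefined")
    # Entries are tried lowest sequence first, so an earlier overlapping selector takes the traffic.
    for lo, hi in itertools.combinations(entries, 2):
        for (s1, d1), (s2, d2) in itertools.product(acls.get(lo.get("address"), []), acls.get(hi.get("address"), [])):
            if s1.overlaps(s2) and d1.overlaps(d2):
                out.append(f"seq {lo['seq']} {s1}->{d1} shadows seq {hi['seq']} {s2}->{d2}")
    return out
```

For the posted excerpt check(CONFIG) returns no findings, which is itself useful: the map, keys and ACLs are consistent, so the UP-IDLE state is not caused by a missing key, a missing ACL or selector shadowing.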
06-13-2017 01:13 AM
Please note that the peering to 1.1.1.1 is up but not working to 2.2.2.2 and 3.3.3.3. Hope it makes sense.
06-13-2017 02:32 AM
Hi Jen,
Please share the logs from the device.
You may need to capture the debugs so that we understand what the exact issue is.
debug crypto condition peer ipv4 <>
debug crypto
debug crypto
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-13-2017 03:54 AM
Hi Aditya,
Thank you for your reply.
The first debug "debug crypto condition peer ipv4 <>" did not give any result.
For debug crypto isakmp:
Jun 13 10:35:02.585: ISAKMP: set new node 1964164746 to QM_IDLE
Jun 13 10:35:02.585: ISAKMP:(1459):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 109183832, message ID = 1964164746
Jun 13 10:35:02.585: ISAKMP:(1459): seq. no 0x4D3306A3
Jun 13 10:35:02.585: ISAKMP:(1459): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 13 10:35:02.585: ISAKMP:(1459):purging node 1964164746
Jun 13 10:35:02.585: ISAKMP:(1459):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Jun 13 10:35:02.585: ISAKMP:(1459):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 13 10:35:02.829: ISAKMP (0:1459): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 13 10:35:02.829: ISAKMP: set new node 1141568911 to QM_IDLE
Jun 13 10:35:02.829: ISAKMP:(1459): processing HASH payload. message ID = 1141568911
Jun 13 10:35:02.829: ISAKMP:(1459): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 1141568911, sa = 7889E80
Jun 13 10:35:02.829: ISAKMP:(1459): DPD/R_U_THERE_ACK received from peer 2.2.2.2, sequence 0x4D3306A3
Jun 13 10:35:02.829: ISAKMP:(1459):deleting node 1141568911 error FALSE reason "Informational (in) state 1"
Jun 13 10:35:02.829: ISAKMP:(1459):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 13 10:35:02.829: ISAKMP:(1459):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 13 10:35:52.832: ISAKMP:(1459):purging node 1141568911
Jun 13 10:38:54.381: ISAKMP: set new node 1822817362 to QM_IDLE
Jun 13 10:38:54.381: ISAKMP:(1459):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 109183832, message ID = 1822817362
Jun 13 10:38:54.381: ISAKMP:(1459): seq. no 0x4D3306A4
Jun 13 10:38:54.381: ISAKMP:(1459): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 13 10:38:54.381: ISAKMP:(1459):purging node 1822817362
Jun 13 10:38:54.381: ISAKMP:(1459):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Jun 13 10:38:54.381: ISAKMP:(1459):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 13 10:38:54.629: ISAKMP (0:1459): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 13 10:38:54.629: ISAKMP: set new node -1636250267 to QM_IDLE
Jun 13 10:38:54.629: ISAKMP:(1459): processing HASH payload. message ID = -1636250267
Jun 13 10:38:54.629: ISAKMP:(1459): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = -1636250267, sa = 7889E80
Jun 13 10:38:54.629: ISAKMP:(1459): DPD/R_U_THERE_ACK received from peer 2.2.2.2, sequence 0x4D3306A4
Jun 13 10:38:54.629: ISAKMP:(1459):deleting node -1636250267 error FALSE reason "Informational (in) state 1"
Jun 13 10:38:54.629: ISAKMP:(1459):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 13 10:38:54.629: ISAKMP:(1459):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
For debug crypto ipsec:
Jun 13 10:44:16.439: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:44:16.439: IPSEC(key_engine_enable_outbound): enable SA with spi 3964532654/50
Jun 13 10:47:25.243: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:47:25.243: IPSEC(key_engine_enable_outbound): enable SA with spi 1194695309/50
Jun 13 10:48:01.857: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:48:01.857: IPSEC(key_engine_enable_outbound): enable SA with spi 2847595008/50
Jun 13 10:51:44.888: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:51:44.888: IPSEC(key_engine_enable_outbound): enable SA with spi 4015930798/50
Thank you.
06-27-2017 06:04 AM
Do I need to create a crypto isakmp policy for each tunnel?