IPSEC Multiple VPN Tunnel

Hi everyone,

I need help creating multiple VPN tunnels to my router. I am using a Cisco router but the other end is a non-Cisco device. Anyway, one of the IPsec peerings is up; then I added two more IPsec tunnels to routers B and C. One is stuck in UP-IDLE status and the other one is down. Please help me check what is wrong with my configuration:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5

crypto isakmp policy 4
 encr 3des
 authentication pre-share
 group 2

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key password1 address 1.1.1.1

crypto isakmp key password2 address 2.2.2.2
crypto isakmp key password3 address 3.3.3.3

crypto ipsec transform-set eq-ipsec esp-3des

crypto map eq-ipsec 1 ipsec-isakmp
 set peer 1.1.1.1
 set security-association lifetime seconds 86400
 set transform-set eq-ipsec
 match address eq-ipsec
 reverse-route static

crypto map eq-ipsec 2 ipsec-isakmp
 set peer 2.2.2.2
 set security-association lifetime seconds 86400
 set transform-set eq-ipsec
 match address eq-ipsec-2
 reverse-route static

crypto map eq-ipsec 3 ipsec-isakmp
 set peer 3.3.3.3
 set security-association lifetime seconds 86400
 set transform-set eq-ipsec
 match address eq-ipsec-3
 reverse-route static

interface GigabitEthernet0/1
 description internet
 ip address 4.4.4.4 255.255.255.255
 ip access-group firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 duplex full
 speed 100
 media-type rj45
 negotiation auto
 crypto map eq-ipsec

ip access-list extended eq-ipsec
 permit ip 10.65.0.0 0.0.63.255 10.1.0.0 0.0.255.255
 permit ip 10.65.33.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 10.152.10.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 10.65.20.0 0.0.0.255 10.1.0.0 0.0.255.255
ip access-list extended eq-ipsec-2
 permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
 permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255
ip access-list extended eq-ipsec-3
 permit ip 10.65.0.0 0.0.63.255 10.10.128.0 0.0.7.255
 permit ip 10.65.0.0 0.0.63.255 10.10.120.0 0.0.7.255

Appreciate your help!

Cheers,

Jen

4 Replies

Please note that the peering to 1.1.1.1 is up but it is not working to 2.2.2.2 and 3.3.3.3. Hope it makes sense.

Hi Jen,

Please share the logs from the device.

You may need to capture the debugs so that we understand what the exact issue is.

debug crypto condition peer ipv4 <>

debug crypto isakmp

debug crypto ipsec

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

Thank you for your reply.

The first debug "debug crypto condition peer ipv4 <>" did not give any result.

For debug crypto isakmp:

Jun 13 10:35:02.585: ISAKMP: set new node 1964164746 to QM_IDLE      
Jun 13 10:35:02.585: ISAKMP:(1459):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 109183832, message ID = 1964164746
Jun 13 10:35:02.585: ISAKMP:(1459): seq. no 0x4D3306A3
Jun 13 10:35:02.585: ISAKMP:(1459): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE      
Jun 13 10:35:02.585: ISAKMP:(1459):purging node 1964164746
Jun 13 10:35:02.585: ISAKMP:(1459):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Jun 13 10:35:02.585: ISAKMP:(1459):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jun 13 10:35:02.829: ISAKMP (0:1459): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE      
Jun 13 10:35:02.829: ISAKMP: set new node 1141568911 to QM_IDLE      
Jun 13 10:35:02.829: ISAKMP:(1459): processing HASH payload. message ID = 1141568911
Jun 13 10:35:02.829: ISAKMP:(1459): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 1141568911, sa = 7889E80
Jun 13 10:35:02.829: ISAKMP:(1459): DPD/R_U_THERE_ACK received from peer 2.2.2.2, sequence 0x4D3306A3
Jun 13 10:35:02.829: ISAKMP:(1459):deleting node 1141568911 error FALSE reason "Informational (in) state 1"
Jun 13 10:35:02.829: ISAKMP:(1459):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 13 10:35:02.829: ISAKMP:(1459):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jun 13 10:35:52.832: ISAKMP:(1459):purging node 1141568911

Jun 13 10:38:54.381: ISAKMP: set new node 1822817362 to QM_IDLE      
Jun 13 10:38:54.381: ISAKMP:(1459):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 109183832, message ID = 1822817362
Jun 13 10:38:54.381: ISAKMP:(1459): seq. no 0x4D3306A4
Jun 13 10:38:54.381: ISAKMP:(1459): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE      
Jun 13 10:38:54.381: ISAKMP:(1459):purging node 1822817362
Jun 13 10:38:54.381: ISAKMP:(1459):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Jun 13 10:38:54.381: ISAKMP:(1459):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jun 13 10:38:54.629: ISAKMP (0:1459): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE      
Jun 13 10:38:54.629: ISAKMP: set new node -1636250267 to QM_IDLE      
Jun 13 10:38:54.629: ISAKMP:(1459): processing HASH payload. message ID = -1636250267
Jun 13 10:38:54.629: ISAKMP:(1459): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = -1636250267, sa = 7889E80
Jun 13 10:38:54.629: ISAKMP:(1459): DPD/R_U_THERE_ACK received from peer 2.2.2.2, sequence 0x4D3306A4
Jun 13 10:38:54.629: ISAKMP:(1459):deleting node -1636250267 error FALSE reason "Informational (in) state 1"
Jun 13 10:38:54.629: ISAKMP:(1459):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 13 10:38:54.629: ISAKMP:(1459):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

For debug crypto ipsec:

Jun 13 10:44:16.439: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:44:16.439: IPSEC(key_engine_enable_outbound): enable SA with spi 3964532654/50
Jun 13 10:47:25.243: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:47:25.243: IPSEC(key_engine_enable_outbound): enable SA with spi 1194695309/50
Jun 13 10:48:01.857: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:48:01.857: IPSEC(key_engine_enable_outbound): enable SA with spi 2847595008/50
Jun 13 10:51:44.888: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:51:44.888: IPSEC(key_engine_enable_outbound): enable SA with spi 4015930798/50

Thank you.
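To read a capture like the one above systematically rather than by eye, here is an added Python script (not from this thread or from Cisco) that groups "debug crypto isakmp" lines by ISAKMP SA id, pairs each DPD R_U_THERE probe with its ACK, and records whether any Quick Mode (phase 2) state transition ever appears; the sample lines are constructed in the format shown above, and the verdict strings are my own labels, with "UP-IDLE" meaning phase 1 complete but no IPsec SA.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "debug crypto isakmp" lines above; the second DPD probe deliberately has no ACK.
SAMPLE_LOG = """\
Jun 13 10:35:02.585: ISAKMP:(1459):Sending NOTIFY DPD/R_U_THERE protocol 1
Jun 13 10:35:02.585: ISAKMP:(1459): seq. no 0x4D3306A3
Jun 13 10:35:02.585: ISAKMP:(1459): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 13 10:35:02.829: ISAKMP:(1459): DPD/R_U_THERE_ACK received from peer 2.2.2.2, sequence 0x4D3306A3
Jun 13 10:35:02.829: ISAKMP:(1459):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Jun 13 10:38:54.381: ISAKMP:(1459): seq. no 0x4D3306A4
Jun 13 10:38:54.381: ISAKMP:(1459): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
"""

SA_RE = re.compile(r"ISAKMP:?\s*\((?:0:)?(\d+)\)")  # "ISAKMP:(1459)" and "ISAKMP (0:1459)"
SEQ_RE = re.compile(r"seq\. no (0x[0-9A-Fa-f]+)")   # follows "Sending NOTIFY DPD/R_U_THERE"
PEER_RE = re.compile(r"sending packet to (\d+(?:\.\d+){3})")
ACK_RE = re.compile(r"R_U_THERE_ACK received from peer (\d+(?:\.\d+){3}), sequence (0x[0-9A-Fa-f]+)")
STATE_RE = re.compile(r"New State = (\S+)")

def analyze(log):
    """Group debug lines by ISAKMP SA id; return {peer: info} with DPD and state summary."""
    sas = defaultdict(lambda: {"peer": None, "dpd_sent": [], "dpd_acked": [], "last_state": None, "qm_seen": False})
    for line in log.splitlines():
        if not (m := SA_RE.search(line)):
            continue  # e.g. "ISAKMP: set new node ..." carries no SA id
        sa = sas[m.group(1)]
        if m := SEQ_RE.search(line):
            sa["dpd_sent"].append(m.group(1))
        elif m := PEER_RE.search(line):
            sa["peer"] = m.group(1)
        elif m := ACK_RE.search(line):
            sa["peer"] = m.group(1)
            sa["dpd_acked"].append(m.group(2))
        elif m := STATE_RE.search(line):
            sa["last_state"] = m.group(1)
            sa["qm_seen"] |= m.group(1).startswith("IKE_QM_")  # Quick Mode = phase 2 activity
    for sa in sas.values():  # probes the peer never answered
        sa["unanswered"] = [s for s in sa["dpd_sent"] if s not in sa["dpd_acked"]]
    return {v["peer"]: v for v in sas.values() if v["peer"]}

def verdict(info):
    """What the debug alone says about the tunnel to this peer (labels are my own)."""
    if info["last_state"] != "IKE_P1_COMPLETE":
        return "phase 1 not complete"
    if info["dpd_sent"] and not info["dpd_acked"]:
        return "phase 1 complete but peer answers no DPD"
    if not info["qm_seen"]:
        return "phase 1 up and DPD alive but no Quick Mode: expect UP-IDLE (no IPsec SA)"
    return "phase 1 and phase 2 negotiated"
```

Run it over the full capture with `analyze(open("debug.txt").read())` and check `unanswered` per peer; a peer that is phase 1 complete with DPD answered but no IKE_QM_ transition is where a phase 2 mismatch (transform set or proxy ACL) should be looked for.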

Do I need to create crypto isakmp policy on each tunnel?
