ipsec sequence numbers not working for multi VPNs

Chris Izatt
Level 1

One site-to-site VPN works no problem, but when I add the second peer in the hub router it does not connect. There is no routing in place; all routers are connected to the same switch, and with no crypto map they can both ping 192.168.2.1. With the crypto map only 192.168.2.2 can ping 192.168.2.1. I am at a loss as to what I am doing wrong; this seems simple, I just add the entry to Test with a different number, but it will not work.

Please ask any other question you can think of. I followed the same commands on both spoke routers, so it seems like it would be in the hub router, but it has me beat as to why.

Thanks for the help.

Hub router:

----------------------------------------------------------------------------------------------------------------------------------------------

r1#sh crypto map
Crypto Map Test 1 ipsec-isakmp
        Peer = 192.168.2.2
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map Test:
                FastEthernet0/0
Crypto Map Test 2 ipsec-isakmp
        Peer = 192.168.2.3
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.3
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map Test:
                FastEthernet0/0

---------------------------------------------------------------------------------------------------------------------------------------------

r2#sh crypto map
Crypto Map Test 1 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map Test:
                FastEthernet0/0

----------------------------------------------------------------------------------------------------------------------------------------------

r3#sh crypto map
Crypto Map Test 1 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map Test:
                FastEthernet0/0


8 Replies

Your crypto ACLs are wrong. As a rule of thumb: "never use 'any' in a crypto ACL unless you really know what you do ..."

What do you need:

1) On R1 (your hub) you need two crypto ACLs: one for the connection to R2, one for the connection to R3. In these ACLs you permit the IP traffic from your local LAN to the remote network.

2) On R2 and R3 you use an ACL that is the exact mirror of the ACL on R1.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
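A worked hub-and-spoke configuration following the two points above, added here as an example and not taken from the thread. The thread only shows the 192.168.2.0/24 transit segment, so the LAN subnets (10.1.0.0/24 behind R1, 10.2.0.0/24 behind R2, 10.3.0.0/24 behind R3), the named ACLs and the static routes are assumptions. It also goes beyond the posted configs in one respect: policy 9 in the thread sets only "authentication pre-share", so encryption, hash and DH group fall back to the IOS defaults (DES, SHA-1, group 1); the example pins AES and group 14 instead.

```cisco
! ===== Hub R1: Fa0/0 192.168.2.1 (transit), Fa0/1 10.1.0.1/24 (assumed LAN) =====
crypto isakmp policy 9
 encr aes
 hash sha
 authentication pre-share
 group 14
!
! One key per peer, bound to the address that peer sends IKE from.
crypto isakmp key Test1234 address 192.168.2.2
crypto isakmp key Test1234 address 192.168.2.3
!
crypto ipsec transform-set Test esp-aes esp-sha-hmac
!
! One crypto ACL per spoke: hub LAN to that spoke's LAN, nothing broader.
! Crypto map entries are evaluated in sequence order and the first match
! wins, so an "any any" in sequence 1 would claim the R3 traffic as well.
ip access-list extended VPN-TO-R2
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended VPN-TO-R3
 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set Test
 match address VPN-TO-R2
crypto map Test 2 ipsec-isakmp
 set peer 192.168.2.3
 set transform-set Test
 match address VPN-TO-R3
!
interface FastEthernet0/1
 description assumed hub LAN
 ip address 10.1.0.1 255.255.255.0
 no shutdown
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 crypto map Test
!
! The crypto map only sees packets already routed out Fa0/0, so the remote
! LANs need routes toward the peers (assumed static routes).
ip route 10.2.0.0 255.255.255.0 192.168.2.2
ip route 10.3.0.0 255.255.255.0 192.168.2.3
!
! ===== Spoke R2: Fa0/0 192.168.2.2 (transit), Fa0/1 10.2.0.1/24 (assumed LAN) =====
crypto isakmp policy 9
 encr aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key Test1234 address 192.168.2.1
crypto ipsec transform-set Test esp-aes esp-sha-hmac
!
! Exact mirror of the hub's VPN-TO-R2: source and destination swapped.
ip access-list extended VPN-TO-R1
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set Test
 match address VPN-TO-R1
!
interface FastEthernet0/1
 description assumed R2 LAN
 ip address 10.2.0.1 255.255.255.0
 no shutdown
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 crypto map Test
ip route 10.1.0.0 255.255.255.0 192.168.2.1
!
! ===== Spoke R3: same as R2 except for its own addresses =====
! Fa0/0 192.168.2.3, Fa0/1 10.3.0.1/24 (assumed); key and peer are both
! the hub's transit address 192.168.2.1 (policy, transform set as on R2).
crypto isakmp key Test1234 address 192.168.2.1
ip access-list extended VPN-TO-R1
 permit ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set Test
 match address VPN-TO-R1
ip route 10.1.0.0 255.255.255.0 192.168.2.1
```

Because each spoke's ACL is the exact mirror of one hub entry, a Phase 2 proposal from R3 (10.3.0.0/24 to 10.1.0.0/24) can only be accepted by sequence 2 on the hub, which is what the original "any any" on sequence 1 prevented. If the lab stays router-to-router only, as in the thread, the host-to-host ACLs given later in this thread are the equivalent minimal pair. The thread's esp-3des/esp-sha-hmac transform set still negotiates on most images, but 3DES is deprecated; AES with group 14 is the floor for a new deployment, and IKEv2 where the image supports it.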

I thought for sure I could use any any; does the router get confused? The whole reason I used any any was to eliminate any access-list problems, to make sure the VPN config worked.

So I need to have these on the hub? They are in the same subnet:

access-list 101 permit ip 192.168.2.1 0.0.0.1 192.168.2.2 0.0.0.1
access-list 101 permit ip 192.168.2.1 0.0.0.1 192.168.2.3 0.0.0.1

Then on the remote router? That seems very strange:
access-list 101 permit ip 192.168.2.2 0.0.0.1 192.168.2.1 0.0.0.1



I thought for sure I could use any any; does the router get confused? The whole reason I used any any was to eliminate any access-list problems, to make sure the VPN config worked.

One reason the router is confused is that with the first "ip any any" all traffic has to be processed by that first VPN. Then there is no more traffic for the second VPN.

You need *two* ACLs on the hub (the IP and mask wouldn't work):

access-list 101 permit ip host 192.168.2.1 host 192.168.2.2
access-list 102 permit ip host 192.168.2.1 host 192.168.2.3

The ACL for R2 is correct if you change the mask. Traffic from its IP to the hub IP should be encrypted.

BTW: normally the crypto definition is your local LAN to the remote LAN. With your definition you only encrypt the router-to-router communication.


Ok I cannot ping anything now. Can you see any other obvious problems? Seems like I should be close and must be missing something simple.

Thanks for the help by the way.

hostname r1
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.2
crypto isakmp key Test1234 address 192.168.2.3
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
crypto map Test 2 ipsec-isakmp
 set peer 192.168.2.3
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 111
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 111 permit ip host 192.168.2.1 host 192.168.2.3
access-list 110 permit ip host 192.168.2.1 host 192.168.2.2
!
line con 0
line vty 0 4
 login
!
end

-------------------------------------------------------------------------------------------------------------

hostname r2
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 110 permit ip host 192.168.2.2 host 192.168.2.1
!
line con 0
line vty 0 4
 login
!
end

-------------------------------------------------------------------------------------------------------------

hostname r2
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 110 permit ip host 192.168.2.2 host 192.168.2.1
!
line con 0
line vty 0 4
 login
!
end

You pasted the R2 config two times.

How did you test it? For ping tests, enable "debug ip icmp" on all devices to see whether you have a problem in sending or in receiving.

After pinging, do the counters in "show crypto ipsec sa" increment?

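The test sequence asked for above, written out as an added example (not from the thread), together with the Phase 1 checks that expose an isakmp key bound to the wrong peer address. The 10.x addresses are assumed LAN addresses behind R1 and R3 and do not appear in the posted configs; everything else uses the thread's own peers.

```cisco
! --- 0. Confirm each crypto map sequence references its own ACL and peer ---
show crypto map
!
! --- 1. Generate traffic that actually matches the crypto ACL ---
! With the host-to-host ACLs used in this thread a plain "ping 192.168.2.3"
! from R1 matches.  With LAN-to-LAN ACLs it does not: the ping is sourced
! from Fa0/0 (192.168.2.1) and leaves in the clear.  Source it from the
! LAN side instead (10.1.0.1 and 10.3.0.1 are assumed LAN addresses).
ping 10.3.0.1 source 10.1.0.1 repeat 5
!
! --- 2. Phase 1 (IKE): one line per peer, state QM_IDLE once it is up ---
show crypto isakmp sa
!
! --- 3. Phase 2 (IPsec): encaps/decaps counters must grow with each ping ---
show crypto ipsec sa peer 192.168.2.3 | include pkts
!
! --- 4. Phase 1 never comes up? Check which address each key is bound to ---
! The key must be bound to the address the peer sends IKE from; a key for
! 192.168.3.1 is never consulted for a peer arriving from 192.168.2.1.
show crypto isakmp key
!
! --- 5. Watch the negotiation on the initiator, then switch it off again ---
debug crypto isakmp
undebug all
!
! --- 6. After fixing a key or a crypto ACL, drop stale SAs before retesting ---
clear crypto isakmp
clear crypto sa
```

Steps 2 and 3 separate the two failure classes: if "show crypto isakmp sa" never reaches QM_IDLE the problem is IKE (key, address binding, policy mismatch), whereas QM_IDLE with counters that stay at zero points at the crypto ACL or at routing, i.e. traffic that never enters the map. Step 6 matters because an SA negotiated under the old configuration keeps being used until it expires or is cleared, which can make a correct fix look like it did nothing.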

Sorry about that. Yeah, I was doing ping tests between them. Thanks for the help; I will try what you posted.

hostname r3
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.3 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 110 permit ip host 192.168.2.3 host 192.168.2.1
!
line con 0
line vty 0 4
 login
!
end

There is a typo in the IP address for the PSK on R3.


Ahhh geez, man, I cannot believe I did that; always something simple getting me. Thank you for your help.
