09-09-2015 12:34 AM - edited 02-21-2020 08:27 PM
Hi all,
I would like to ask your opinion about the following:
We have a VPN configured with one of our service providers.
The goal is to allow them to access devices connected behind our DMVPN Spokes (devices in 10.80.0.0/12). Their networks are 192.168.3.0/24, 192.168.104.0/24, 192.168.6.0/24.
To avoid IP conflicts, I implemented NAT from their 192.168.X.X networks to 10.242.0.0.
See configuration below.
The problem is that, in a random way, when the tunnel establishes, it generates a wrong crypto map with strange IPs and subnets (see below).
For example, if I just clear this session (clear crypto session remote 82.193.8.72) manually, the crypto map will look correct (see below in red). Then if I clear it again, the crypto map is completely wrong (see below in red).
This problem creates a lot of other small issues (router not reachable, spokes offline…).
Best regards,
Configuration:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ******** address 82.193.8.72 no-xauth
crypto map VPN 10 ipsec-isakmp
 description Open-Sky
 set peer 82.193.8.72
 set transform-set trans3
 match address Open_Sky_VPN
interface GigabitEthernet0/0/0
 ….
 crypto map VPN
….
ip nat pool Open_Sky_NAT1 10.242.0.1 10.242.0.254 netmask 255.255.255.0 type match-host
ip nat outside source list Open_Sky_NAT1 pool Open_Sky_NAT1
ip access-list extended Open_Sky_NAT1
 permit ip 192.168.3.0 0.0.0.255 10.80.0.0 0.15.255.255
 permit ip 192.168.104.0 0.0.0.255 10.80.0.0 0.15.255.255
 permit ip 192.168.6.0 0.0.0.255 10.80.0.0 0.15.255.255
ip access-list extended Open_Sky_VPN
 permit ip 10.80.0.0 0.15.255.255 192.168.3.0 0.0.0.255
 permit ip 10.80.0.0 0.15.255.255 192.168.104.0 0.0.0.255
 permit ip 10.80.0.0 0.15.255.255 192.168.6.0 0.0.0.255
Correct Crypto Map (randomly after a clear crypto sess remote 82.193.8.72):
sh crypto map interface gigabitEthernet 0/0/0
Crypto Map IPv4 "VPN" 10 ipsec-isakmp
Description: Open-Sky
Peer = 82.193.8.72
Extended IP access list Open_Sky_VPN
access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.3.0 0.0.0.255
access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.104.0 0.0.0.255
access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.6.0 0.0.0.255
Current peer: 82.193.8.72
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
trans3: { esp-256-aes esp-sha-hmac } ,
}
Incorrect Crypto Map (randomly after a clear crypto sess remote 82.193.8.72):
sh crypto map interface gigabitEthernet 0/0/0
Crypto Map IPv4 "VPN" 65536 ipsec-isakmp
Peer = 82.193.8.72
Extended IP access list
access-list permit ip 10.80.0.0 245.160.0.0 host 192.168.6.100
Current peer: 82.193.8.72
dynamic (created from dynamic map VPNCLIENT/100)
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
CLIENT_SET: { esp-256-aes esp-sha-hmac } ,
}
Crypto Map IPv4 "VPN" 65537 ipsec-isakmp
Peer = 82.193.8.72
Extended IP access list
access-list permit ip 10.80.0.0 245.160.0.0 192.168.104.0 63.87.151.0
Current peer: 82.193.8.72
dynamic (created from dynamic map VPNCLIENT/100)
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
CLIENT_SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map VPN:
GigabitEthernet0/0/0
09-09-2015 07:40 AM
It looks like you have not only a static crypto map, but also a dynamic crypto map:
Current peer: 82.193.8.72
dynamic (created from dynamic map VPNCLIENT/100)
Could you please check if a dynamic crypto map is configured? Is it possible to delete the dynamic crypto map from the configuration (if it is really in place)?
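The two `show crypto map` dumps in the original post and the reply's suggestion to look for a dynamic crypto map can both be checked mechanically. The script below is an added example, not part of this thread or of any Cisco tool: it parses `show crypto map` text, flags entries instantiated from a dynamic map, entries whose ACEs do not belong to the expected static ACL, and ACEs whose wildcard masks are not contiguous (a Cisco wildcard must be a run of zero bits followed by a run of one bits, so masks like 245.160.0.0 or 63.87.151.0 cannot come from a hand-written ACL). The sample output embedded in the script is constructed from the text quoted in the thread; the function and variable names are this example's own.

```python
"""Audit `show crypto map` output for anomalous IPsec crypto-map entries.

Added example; not Cisco code. The sample outputs below are constructed
from the two states quoted in the forum thread.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the "correct" state from the thread.
GOOD_OUTPUT = """Crypto Map IPv4 "VPN" 10 ipsec-isakmp
Description: Open-Sky
Peer = 82.193.8.72
Extended IP access list Open_Sky_VPN
access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.3.0 0.0.0.255
access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.104.0 0.0.0.255
access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.6.0 0.0.0.255
Current peer: 82.193.8.72
"""

# Constructed sample: the "incorrect" state from the thread.
BAD_OUTPUT = """Crypto Map IPv4 "VPN" 65536 ipsec-isakmp
Peer = 82.193.8.72
Extended IP access list
access-list permit ip 10.80.0.0 245.160.0.0 host 192.168.6.100
Current peer: 82.193.8.72
dynamic (created from dynamic map VPNCLIENT/100)
Crypto Map IPv4 "VPN" 65537 ipsec-isakmp
Peer = 82.193.8.72
Extended IP access list
access-list permit ip 10.80.0.0 245.160.0.0 192.168.104.0 63.87.151.0
Current peer: 82.193.8.72
dynamic (created from dynamic map VPNCLIENT/100)
"""

ENTRY_RE = re.compile(r'^Crypto Map IPv4 "(?P<map>[^"]+)" (?P<seq>\d+) ipsec-isakmp')
# ACL name is optional: the broken entries print "access-list permit ip ..." with no name.
ACE_RE = re.compile(
    r"^access-list(?:\s+(?P<acl>(?!permit\b)\S+))?\s+permit ip\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)\s*$"
)


def parse_address(field: str) -> Tuple[str, str]:
    """Normalise an ACE address field to (address, wildcard)."""
    if field == "any":
        return "0.0.0.0", "255.255.255.255"
    if field.startswith("host "):
        return field.split()[1], "0.0.0.0"
    addr, wild = field.split()
    return addr, wild


def wildcard_is_contiguous(wild: str) -> bool:
    """True if the wildcard is 0...01...1 in binary (the only form IOS ACLs use)."""
    w = int(ipaddress.IPv4Address(wild))
    return (w & (w + 1)) == 0


def audit_crypto_map(output: str, expected_acl: str) -> List[Dict]:
    """Return the crypto-map entries that look wrong, with a reason per finding."""
    findings: List[Dict] = []
    entry = None
    for raw in output.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entry = {"map": m.group("map"), "seq": int(m.group("seq")), "issues": []}
            findings.append(entry)
            continue
        if entry is None:
            continue
        if line.startswith("dynamic (created from dynamic map"):
            entry["issues"].append("instantiated from a dynamic crypto map: " + line)
            continue
        a = ACE_RE.match(line)
        if not a:
            continue
        acl_name = a.group("acl") or "<unnamed>"
        if acl_name != expected_acl:
            entry["issues"].append(f"ACE belongs to {acl_name}, expected {expected_acl}")
        for label, field in (("source", "src"), ("destination", "dst")):
            _, wild = parse_address(a.group(field))
            if not wildcard_is_contiguous(wild):
                entry["issues"].append(f"non-contiguous {label} wildcard {wild} in: {line}")
    return [f for f in findings if f["issues"]]


if __name__ == "__main__":
    for name, text in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        for finding in audit_crypto_map(text, "Open_Sky_VPN"):
            print(f"[{name}] seq {finding['seq']}:")
            for issue in finding["issues"]:
                print("   -", issue)
```

Run against the "correct" dump the script reports nothing; against the "incorrect" dump it flags both sequence 65536 and 65537 for the missing ACL name, the impossible wildcard masks, and the `dynamic (created from dynamic map VPNCLIENT/100)` line, which is the evidence the reply above asks about. The same check can be run on live output fed through a pipe, since it only needs the text.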