Issue with NAT and DMVPN

Jozef Staruch
Level 1

Hi all,

I would like to ask your opinion about the following:

We have a VPN configured with one of our service providers.

The goal is to allow them to access devices connected behind our DMVPN Spokes (devices in 10.80.0.0/12). Their networks are 192.168.3.0/24, 192.168.104.0/24, 192.168.6.0/24.

To avoid IP conflicts, I implemented NAT from their 192.168.X.X network to 10.242.0.0.

See configuration below.

The problem is that, in a random way, when the tunnel establishes, it generates a wrong crypto map with strange IPs and subnets (see below).

For example, if I just clear this session manually (clear crypto session remote 82.193.8.72), the crypto map looks correct (see below in red). Then if I clear it again, the crypto map is completely wrong (see below in red).

This problem causes a lot of other small issues (router not reachable, spokes offline, ...).

Best regards,

Configuration:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key ******** address 82.193.8.72 no-xauth

crypto map VPN 10 ipsec-isakmp
 description Open-Sky
 set peer 82.193.8.72
 set transform-set trans3
 match address Open_Sky_VPN

interface GigabitEthernet0/0/0
 ….
 crypto map VPN
 ….

ip nat pool Open_Sky_NAT1 10.242.0.1 10.242.0.254 netmask 255.255.255.0 type match-host
ip nat outside source list Open_Sky_NAT1 pool Open_Sky_NAT1

ip access-list extended Open_Sky_NAT1
 permit ip 192.168.3.0 0.0.0.255 10.80.0.0 0.15.255.255
 permit ip 192.168.104.0 0.0.0.255 10.80.0.0 0.15.255.255
 permit ip 192.168.6.0 0.0.0.255 10.80.0.0 0.15.255.255

ip access-list extended Open_Sky_VPN
 permit ip 10.80.0.0 0.15.255.255 192.168.3.0 0.0.0.255
 permit ip 10.80.0.0 0.15.255.255 192.168.104.0 0.0.0.255
 permit ip 10.80.0.0 0.15.255.255 192.168.6.0 0.0.0.255

Correct crypto map (randomly after a clear crypto sess remote 82.193.8.72):

sh crypto map interface gigabitEthernet 0/0/0

Crypto Map IPv4 "VPN" 10 ipsec-isakmp
        Description: Open-Sky
        Peer = 82.193.8.72
        Extended IP access list Open_Sky_VPN
            access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.3.0 0.0.0.255
            access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.104.0 0.0.0.255
            access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.6.0 0.0.0.255
        Current peer: 82.193.8.72
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                trans3:  { esp-256-aes esp-sha-hmac  } ,
        }

Incorrect crypto map (randomly after a clear crypto sess remote 82.193.8.72):

sh crypto map interface gigabitEthernet 0/0/0

Crypto Map IPv4 "VPN" 65536 ipsec-isakmp
        Peer = 82.193.8.72
        Extended IP access list
            access-list  permit ip 10.80.0.0 245.160.0.0 host 192.168.6.100
        Current peer: 82.193.8.72
            dynamic (created from dynamic map VPNCLIENT/100)
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                CLIENT_SET:  { esp-256-aes esp-sha-hmac  } ,
        }

Crypto Map IPv4 "VPN" 65537 ipsec-isakmp
        Peer = 82.193.8.72
        Extended IP access list
            access-list  permit ip 10.80.0.0 245.160.0.0 192.168.104.0 63.87.151.0
        Current peer: 82.193.8.72
            dynamic (created from dynamic map VPNCLIENT/100)
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                CLIENT_SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map VPN:
                GigabitEthernet0/0/0


Boris Uskov
Level 4

It looks like you have not only a static crypto map, but also a dynamic crypto map:

Current peer: 82.193.8.72

            dynamic (created from dynamic map VPNCLIENT/100)

Could you please check whether a dynamic crypto map is configured? Is it possible to delete the dynamic crypto map from the configuration (if it really is in place)?
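As an added check (my own script, not from the post or from Cisco), this Python parses "show crypto map" output in the format quoted above and flags two things: entries instantiated from a dynamic map, which is what the reply asks to verify, and proxy ACL lines whose wildcard mask is not a contiguous run of low bits (like 245.160.0.0 or 63.87.151.0), which no configured access list could have produced. The sample text is abridged from the incorrect map in the post; the output layout is assumed to match what the router printed there.

```python
import re
from ipaddress import IPv4Address

# Abridged "show crypto map" output, copied from the incorrect map quoted in the post.
SAMPLE = """\
Crypto Map IPv4 "VPN" 10 ipsec-isakmp
            access-list Open_Sky_VPN permit ip 10.80.0.0 0.15.255.255 192.168.3.0 0.0.0.255
Crypto Map IPv4 "VPN" 65536 ipsec-isakmp
            access-list  permit ip 10.80.0.0 245.160.0.0 host 192.168.6.100
            dynamic (created from dynamic map VPNCLIENT/100)
Crypto Map IPv4 "VPN" 65537 ipsec-isakmp
            access-list  permit ip 10.80.0.0 245.160.0.0 192.168.104.0 63.87.151.0
            dynamic (created from dynamic map VPNCLIENT/100)
"""

HEADER = re.compile(r'^Crypto Map IPv4 "(\S+)" (\d+) ipsec-isakmp')
DYNAMIC = re.compile(r'dynamic \(created from dynamic map (\S+)\)')

def contiguous_wildcard(wc):
    """True if wc is a well-formed IOS wildcard: a run of 1-bits at the low end (0.15.255.255)."""
    v = int(IPv4Address(wc))
    return (v + 1) & v == 0

def parse_permit(line):
    """Return [(src, src_wc), (dst, dst_wc)]; 'host X' means X with wildcard 0.0.0.0."""
    toks = line.split()
    pairs, toks = [], toks[toks.index("permit") + 2:]   # keep only the part after 'permit ip'
    while len(pairs) < 2:
        if toks[0] == "host":
            pairs.append((toks[1], "0.0.0.0"))
        else:
            pairs.append((toks[0], toks[1]))
        toks = toks[2:]
    return pairs

def audit_crypto_map(text):
    """Return (map_name, seq, problem) for dynamically instantiated entries or bad wildcards."""
    findings, name, seq = [], None, None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            name, seq = m.group(1), int(m.group(2))
            continue
        d = DYNAMIC.search(line)
        if d:
            findings.append((name, seq, f"instantiated from dynamic map {d.group(1)}"))
        elif line.startswith("access-list") and " permit ip " in line:
            for net, wc in parse_permit(line):
                if not contiguous_wildcard(wc):
                    findings.append((name, seq, f"non-contiguous wildcard {wc} on {net}"))
    return findings
```

Running audit_crypto_map(SAMPLE) reports nothing for static entry 10 and five findings for entries 65536 and 65537, which is a quick way to confirm that only the dynamic-map instances carry the garbage masks.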