08-10-2011 07:49 AM - edited 02-21-2020 05:30 PM
Good day all.
I have trouble with multiple tunnels.
I have the following application:
My topology is hub and spoke. On the hub router I configured RA-VPN, L2TP and a GRE tunnel with IPsec.
My remote peer is behind NAT. I cannot make it work. It connects to the hub router, but after some time connectivity disappears. sh isakmp sa shows that the remote peer exists and the connection should be active. I do not understand why it works that way. Please help.
Hub router.
crypto keyring TestKeyR
pre-shared-key address 0.0.0.0 0.0.0.0 key ckey1
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
group 2
!
crypto isakmp policy 12
encr aes 256
authentication pre-share
group 2
crypto isakmp key ckey2 address EXT_STATIC_PEER_IP no-xauth
crypto isakmp keepalive 90 3
!
crypto isakmp client configuration group VPN
key RaccKey
pool pl_vpn
acl acl_VPNSel
pfs
netmask 255.255.255.240
!
crypto isakmp peer address EXT_STATIC_PEER_IP
description ATA_VOICE_RTR
crypto isakmp profile cp_RemVPN
match identity group VPN
client authentication list vpn_xauth
isakmp authorization list vpn_grp
client configuration address initiate
client configuration address respond
client configuration group VPN
crypto isakmp profile l2prof
keyring TestKeyR
match identity address 0.0.0.0
keepalive 90 retry 3
!
!
crypto ipsec transform-set ts_vpn esp-aes esp-md5-hmac
crypto ipsec transform-set ts_VOIP esp-des esp-md5-hmac
crypto ipsec transform-set ts_YVOIP esp-3des
mode transport
crypto ipsec transform-set ts_BVOIP esp-3des esp-md5-hmac
!
crypto ipsec profile cpVOICE
set transform-set ts_BVOIP
!
!
crypto dynamic-map dm_AccVPN 10
set transform-set ts_YVOIP
set isakmp-profile l2prof
match address 114
crypto dynamic-map dm_AccVPN 1000
set transform-set ts_vpn
set isakmp-profile cp_RemVPN
!
!
crypto map cm_vpns 10 ipsec-isakmp
set peer EXT_STATIC_PEER_IP
set security-association lifetime seconds 86400
set transform-set ts_VOIP
match address acl_ATA_VOIP
crypto map cm_vpns 1000 ipsec-isakmp dynamic dm_AccVPN
!
!
crypto key pubkey-chain rsa
addressed-key EXT_STATIC_PEER_IP
address EXT_STATIC_PEER_IP
key-string
307C300D
quit
!
!
!
interface Tunnel2
ip address 192.168.252.1 255.255.255.252
tunnel source EXT_IP
tunnel destination EXT_STATIC_PEER_IP
tunnel mode ipsec ipv4
tunnel protection ipsec profile cpVOICE
!
interface FastEthernet0/0
description to_Telecom
no ip address
no ip redirects
no ip proxy-arp
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/0.34
encapsulation dot1Q 34
ip address 172.16.34.1 255.255.255.252
no ip redirects
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1
description to_local_25
no ip address
no ip redirects
no ip proxy-arp
duplex auto
speed auto
auto qos voip
no cdp enable
no mop enabled
!
interface FastEthernet0/1.7
description tunnel_to_3745
encapsulation dot1Q 7
ip address EXT_IP 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no cdp enable
crypto map cm_vpns
!
interface FastEthernet0/1.8
encapsulation dot1Q 8
ip address 192.168.8.4 255.255.255.128
no ip redirects
no ip proxy-arp
no cdp enable
!
ip local pool lp_DialIN 172.16.12.0 172.16.12.31
ip local pool pl_vpn 192.168.7.2 192.168.7.6
!
ip nat inside source route-map rm_nonat interface FastEthernet0/1.7 overload
!
ip access-list extended acl_VPNSel
permit ip 172.16.31.0 0.0.0.63 192.168.7.0 0.0.0.15
permit ip 172.16.32.0 0.0.0.63 192.168.7.0 0.0.0.15
permit ip 172.16.34.12 0.0.0.3 192.168.7.0 0.0.0.15
!
access-list 105 deny ip 172.16.31.0 0.0.0.63 192.168.7.0 0.0.0.15
access-list 105 deny ip 172.16.31.0 0.0.0.63 192.168.253.0 0.0.0.255
access-list 105 deny ip 172.16.31.0 0.0.0.63 192.168.251.0 0.0.0.255
access-list 105 permit ip 172.16.31.0 0.0.0.63 any
access-list 106 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
access-list 106 deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
access-list 106 deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
access-list 106 deny ip 95.59.136.208 0.0.0.7 192.168.7.0 0.0.0.255
access-list 106 permit ip 172.16.31.0 0.0.0.63 any
access-list 112 permit ip host 192.168.252.1 host 192.168.252.2
access-list 112 permit ip 192.168.253.8 0.0.0.7 host 192.168.252.2
access-list 112 permit ip 192.168.253.8 0.0.0.7 192.168.253.0 0.0.0.7
access-list 112 permit ip host 192.168.168.69 host 192.168.252.2
access-list 114 permit ip 172.16.31.0 0.0.0.255 172.16.34.12 0.0.0.3
access-list 114 permit ip 192.168.7.0 0.0.0.7 172.16.34.12 0.0.0.3
access-list 114 permit ip 192.168.8.0 0.0.0.255 172.16.34.12 0.0.0.3
access-list 114 permit ip 192.168.251.0 0.0.0.255 172.16.34.12 0.0.0.3
!
!
!
route-map rm_nonat permit 10
match ip address 106
!
!
end
Spoke router config:
service timestamps debug datetime msec
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
!
aaa session-id common
clock timezone AST 6
network-clock-participate slot 1
no network-clock-participate wic 0
network-clock-select 1 E1 1/0
voice-card 1
!
ip cef
!
!
!
!
no ip bootp server
ip domain name ytel.kz
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.251.3 source-ipaddr 172.16.34.13
timeout 100
frequency 300
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 192.168.8.4 source-interface FastEthernet0/1
timeout 1000
threshold 10
frequency 300
ip sla monitor schedule 2 life forever start-time now
!
!
!
ip ssh source-interface FastEthernet0/1
ip ssh version 2
!
translation-rule 1
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key y6x8dte5ny1f address HUB_EXT_IP
crypto isakmp keepalive 90 3 periodic
crypto isakmp nat keepalive 90
!
!
crypto ipsec transform-set ts_YVOIP esp-3des
mode transport
crypto ipsec transform-set ts_test esp-3des esp-sha-hmac
mode transport
!
crypto map cm_Ytel 10 ipsec-isakmp
set peer HUB_EXT_IP
set transform-set ts_YVOIP
match address 114
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.7 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map cm_Ytel
!
interface FastEthernet0/1
ip address 172.16.34.13 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 10
full-duplex
no cdp enable
no mop enabled
h323-gateway voip interface
h323-gateway voip bind srcaddr 172.16.34.13
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 172.16.34.14 23 172.16.34.13 3344 extendable
!
access-list 114 permit ip 172.16.34.12 0.0.0.3 172.16.31.0 0.0.0.255
access-list 114 permit ip 172.16.34.12 0.0.0.3 192.168.7.0 0.0.0.7
access-list 114 permit ip 172.16.34.12 0.0.0.3 192.168.8.0 0.0.0.255
access-list 114 permit ip 172.16.34.12 0.0.0.3 192.168.251.0 0.0.0.255
08-14-2011 09:54 PM
Currently the two peers cannot authenticate each other. I cannot find out where the problem is. Here is the debug:
Aug 15 04:49:02.299: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug 15 04:49:02.299: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 15 04:49:02.299: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
Aug 15 04:49:02.443: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 15 04:49:02.447: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 15 04:49:02.447: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Aug 15 04:49:02.447: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
Aug 15 04:49:03.052: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
Aug 15 04:49:03.052: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 92.46.125.222
Aug 15 04:49:03.056: ISAKMP:(0:1:SW:1):SKEYID state generated
Aug 15 04:49:03.056: ISAKMP:(0:1:SW:1): processing vendor id payload
Aug 15 04:49:03.056: ISAKMP:(0:1:SW:1): vendor ID is Unity
Aug 15 04:49:03.060: ISAKMP:(0:1:SW:1): processing vendor id payload
Aug 15 04:49:03.060: ISAKMP:(0:1:SW:1): vendor ID is DPD
Aug 15 04:49:03.060: ISAKMP:(0:1:SW:1): processing vendor id payload
Aug 15 04:49:03.060: ISAKMP:(0:1:SW:1): speaking to another IOS box!
Aug 15 04:49:03.060: ISAKMP (0:134217729): NAT found, the node inside NAT
Aug 15 04:49:03.064: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 15 04:49:03.064: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
Aug 15 04:49:03.068: ISAKMP:(0:1:SW:1):Send initial contact
Aug 15 04:49:03.068: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 15 04:49:03.068: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 192.168.1.7
protocol : 17
port : 0
length : 12
Aug 15 04:49:03.068: ISAKMP:(0:1:SW:1):Total payload length: 12
Aug 15 04:49:03.072: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:49:03.076: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 15 04:49:03.076: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
Aug 15 04:49:12.444: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:12.444: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:12.444: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:12.944: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:12.944: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 15 04:49:12.944: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:12.944: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:49:13.590: ISAKMP: received ke message (1/1)
Aug 15 04:49:13.590: ISAKMP: set new node 0 to QM_IDLE
Aug 15 04:49:13.594: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote 92.46.125.222)....
Aug 15 04:49:22.440: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:22.444: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:22.444: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:22.945: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:22.945: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 15 04:49:22.945: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:22.945: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH.
Aug 15 04:49:31.696: ISAKMP: received ke message (1/1)
Aug 15 04:49:31.696: ISAKMP: set new node 0 to QM_IDLE
Aug 15 04:49:31.696: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote 92.46.125.222)
Aug 15 04:49:32.441: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:32.441: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:32.445: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:32.946: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:32.946: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 15 04:49:32.946: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:32.946: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:49:42.441: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:42.441: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:42.441: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:42.942: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:42.942: ISAKMP (0:134217729): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 15 04:49:42.942: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:42.942: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:49:43.591: ISAKMP: received ke message (1/1)
Aug 15 04:49:43.591: ISAKMP: set new node 0 to QM_IDLE
Aug 15 04:49:43.591: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote 92.46.125.222)
Aug 15 04:49:52.438: ISAKMP (0:134217729): received packet from 92.46.125.222 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 15 04:49:52.442: ISAKMP:(0:1:SW:1): phase 1 packet is a duplicate of a previous packet.
Aug 15 04:49:52.442: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase 1
Aug 15 04:49:52.943: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Aug 15 04:49:52.943: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 15 04:49:52.943: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Aug 15 04:49:52.943: ISAKMP:(0:1:SW:1): sending packet to 92.46.125.222 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Aug 15 04:50:01.697: ISAKMP: received ke message (3/1)
Aug 15 04:50:01.697: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
Aug 15 04:50:01.697: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 92.46.125.222)
Aug 15 04:50:01.701: ISAKMP:(0:1:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 92.46.125.222)
Aug 15 04:50:01.701: ISAKMP: Unlocking IKE struct 0x850CE18C for isadb_mark_sa_deleted(), count 0
Aug 15 04:50:01.701: ISAKMP: Deleting peer node by peer_reap for 92.46.125.222: 850CE18C
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):deleting node -1020871609 error FALSE reason "IKE deleted"
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):deleting node 1916440234 error FALSE reason "IKE deleted"
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):deleting node -161909214 error FALSE reason "IKE deleted"
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):deleting node -125886963 error FALSE reason "IKE deleted"
Aug 15 04:50:01.705: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL