08-27-2013 02:24 PM
I'm trying to set up a site to site vpn connection between several sites. One site has a static IP and the rest are dynamic. I'm using 881 routers.
I've been trying to follow this guide: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/936-cisco-router-vpn-dynamic-endpoint.html
I'm having a problem applying the crypto map on the external interface of the main site. When I try to apply it, I get "cannot apply empty map to interface". This is after I've created the crypto map exactly as instructed in that guide.
If I issue a sh run, I see that the crypto map isn't in the config, but I DEFINITELY created it. If I issue the command to create the crypto map again, it will show in the config, but when I apply it to the interface, I don't see the "ISAKMP is ON" message.
I'm not sure if I'm doing something wrong, if the guide is wrong, or if there's a bug in the IOS I'm using. I'm running IOS 15.0(1)M8.
Any help would be appreciated.
08-27-2013 03:14 PM
Hello,
I believe you configured the crypto map first and then the dynamic map. Ideally, you should configure the dynamic map first and then bind that to the crypto map. Now, when we apply the dynamic map to the crypto map (when there is no dynamic map configured yet), we should see the following error message:
router(config)#crypto map VPN 1 ipsec-isakmp dynamic hq-vpn
Aug 27 21:35:40.536: Invalid dynamic map tag specified
And, now when we try to apply this crypto map on the physical interface, we see the error:
router(config-if)#crypto map VPN
Cannot apply empty map to interface
Thus, you may configure the dynamic map first, then bind that to the crypto map and then apply the crypto map on the interface.
Also, you may refer to the following document for configuring a site to site VPN on Cisco routers with one end having a static address while the other has a dynamically assigned address:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
Also, with regards to not seeing: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON, ensure that the logging level is set to informational or higher. This can be seen by running the command: show logging
Regards,
Nitin.
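The ordering Nitin describes, written out as an added example; this is not the original poster's configuration or the linked guide's, and the key, ACL name, transform set and ISAKMP policy values are assumptions for illustration (the map names VPN and hq-vpn and the subnets come from the thread):

```cisco
! Added example, not from the original posts: hub (static IP) side.
! Key, ACL name, transform set and policy values are assumptions;
! 10.5.0.0/24 and 10.0.16.32/28 are the subnets from "sh cry session".
!
! 1. Phase 1 policy and a wildcard pre-shared key: the spoke's source
!    address is dynamic, so it cannot be matched on a fixed peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 0.0.0.0 0.0.0.0
!
! 2. Phase 2 transform set.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! 3. Interesting traffic, the mirror image of the spoke's ACL
!    (defined before anything references it).
ip access-list extended VPN-TRAFFIC
 permit ip 10.5.0.0 0.0.0.255 10.0.16.32 0.0.0.15
!
! 4. The dynamic map must exist BEFORE the static map references it.
!    Creating the "crypto map VPN 1 ipsec-isakmp dynamic hq-vpn" entry
!    first is rejected ("Invalid dynamic map tag specified"), which
!    leaves VPN empty and produces "Cannot apply empty map to interface".
!    No "set peer" here: the peer is learned when the spoke initiates.
crypto dynamic-map hq-vpn 10
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
! 5. Only now bind the dynamic map into the static crypto map ...
crypto map VPN 1 ipsec-isakmp dynamic hq-vpn
!
! 6. ... and apply the now non-empty map to the outside interface.
!    With logging at informational, this is where
!    "%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON" appears.
interface FastEthernet4
 crypto map VPN
!
! If NAT overload is also configured on FastEthernet4, deny the same
! 10.5.0.0/24 -> 10.0.16.32/28 traffic in the NAT ACL so it reaches the
! crypto map untranslated.
```

After entering this in order, "show running-config | section crypto map" should list the VPN entry rather than leaving it absent as described in the first post.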
08-28-2013 07:46 AM
Thanks for your reply.
You were correct about the logging level. I was able to get the tunnel up, but now I have a different issue. I'm unable to ping hosts through the tunnel.
When I try to ping a host, it times out. I see that the access lists are matching traffic, but something else is still wrong here.
Router 1 (HQ) has a LAN subnet of 10.5.0.0/24.
Router 2 (R2) has a LAN subnet of 10.0.16.0/29.
I'm using 192.168.202.0/24 as the WAN subnet (this is just a test to get everything working)
If I issue "sh cry session" on HQ, I get the following:
Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: 192.168.202.103 port 500
IKE SA: local 192.168.202.115/500 remote 192.168.202.103/500 Active
IPSEC FLOW: permit ip 10.5.0.0/255.255.255.0 10.0.16.32/255.255.255.240
Active SAs: 2, origin: dynamic crypto map
If I issue "sh cry session" on R2, I get:
Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: 192.168.202.115 port 500
IKE SA: local 192.168.202.103/500 remote 192.168.202.115/500 Active
IPSEC FLOW: permit ip 10.0.16.32/255.255.255.240 10.5.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
I've attached both configs (slightly sanitized). If you could give me any other pointers, I'd be very grateful.
08-28-2013 08:11 AM
Hello,
Are you able to ping the vlan1 of Router2 (10.0.16.44) from vlan1 of HQ (10.5.0.1)? Try running "ping 10.0.16.44 source vlan1" on the HQ router.
Request you to share the output of "show crypto ipsec sa".
Also, when we try to access the hosts through the tunnel, please run the command "show crypto ipsec sa | i ident|encaps|decaps" multiple times to check if we see corresponding encaps on the local router and corresponding decaps on the remote router.
Also, ensure that the hosts have a route for the remote subnet pointing to the router.
Regards,
Nitin.
08-30-2013 01:57 PM
I wiped and reconfigured everything to try again from scratch.
I am able to ping from vlan1 of Router2 (10.0.16.44) to vlan1 of HQ (10.5.0.1), which brings up the tunnel. After doing so, I am also able to ping from vlan1 of HQ (10.5.0.1) to vlan1 of Router2 (10.0.16.44). The output of "show crypto ipsec sa | i ident|encaps|decaps" shows the same number of packets on both routers when conducting these pings.
I am unable to ping a host on the LAN side of HQ (10.5.0.0/24) from Router2.
I am unable to ping a host on the LAN side of Router2 (10.0.16.0/28) from HQ.
If I try to ping 10.5.0.5 from Router2 (with a source of vlan1), I see encaps and encrypts increment upwards on Router2, but I do not see the decaps and decrypts increment on the HQ router.
If I try to ping 10.0.16.38 from HQ (with a source of vlan1), I see only the encaps and encrypts increase on the HQ router, but both encaps, encrypts as well as decaps, decrypts increase on Router2.
As for the routes, I'm not sure what I need to create. Since Router2 has a dynamic IP, I don't really know what I need to set.
Thanks again for your input.
09-12-2013 08:29 AM
Does anyone have any suggestions for me?