Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
319
Views
0
Helpful
2
Replies

Cisco 1811 site-to-site Troubleshoot

Florin Barhala
Level 6
Level 6

‎02-02-2009 03:51 AM

Hy,

I have this 1811 model, with two physical interface FA0 and FA1, both connected to ISP. From these two BGP is running and we re using our own IP network.

There are three VPNs site to site with three equipments:

- Juniper

- PIX

- Cisco router

All these three are connecting here to one of my own BGP network. In order to assing connectivity I defined Vlan interface

interface Vlan100

ip address 86.107.A.* 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

All these three VPN access the same resource, an internal server;

So for all three there are three access lists, like this:

access-list 100 permit ip Internal_CLASS VPN1_Remote

access-list 100 permit ip Internal_CLASS VPN2_Remote

access-list 100 permit ip Internal_CLASS VPN3_Remote

All three were on one crypto map:

crypto map NAME 10 ipsec-isakmp

!

!

crypto map NAME 20 ipsec-isakmp

!

!

crypto map NAME 30 ipsec-isakmp

!

!

applied on Fa1. Since Friday it stopped working;

So without any idead I moved VPN 1 crypto map on Fa0 which was free, and it's working fine.

But I am to assign another crypto map on Fa1: the tunnel goes up, but I have only Decapsulated Packets, and no Encapsulation Packets !!

What can I do in this case? Don't understand what went wrong !

Thanks in advance,

Florin.

Labels:
0 Helpful
2 Replies 2

celiocarreto
Level 1
Level 1

‎02-02-2009 10:45 AM

Hi,

use a loopback for terminating IPSec.

I applied the crypto map on loopback0 and both physical interfaces and use

crypto map MYMAP local-address loopback0

It works even one interface is down.

Regards, Celio

0 Helpful

Florin Barhala
Level 6
Level 6
In response to celiocarreto

‎02-03-2009 03:22 AM

Last evening the ISP on FastEthernet1, where all the crypto maps were originally applied admit that he had serious problems since Friday 'till yesterday afternoon!!

Now I have all three VPN kept into one crypto map on FastEthernet0:

crypto map Fa0_map local-address Vlan100

crypto map Fa0_map 20 ipsec-isakmp

crypto map Fa0_map 30 ipsec-isakmp

crypto map Fa0_map 40 ipsec-isakmp

If I am to create an identical crypto map: Fa1_map and apply it on Fa1 which of the two interfaces will be used for VPN ?

0 Helpful
Customers Also Viewed These Support Documents