Crypto IPSEC do NOT START

AlexBar76
Level 1

Good morning,

I'm trying to set up a dynamic VPN between two Cisco routers.

The main router is connected to a static Internet IP address, and the remote router uses an IP SLA monitor and track to choose the alternate path via VPN, using a crypto IPsec VPN via a 4G gateway.

But it seems that nothing happens: if I type show crypto isakmp sa or enable debug, nothing happens.

This is the configuration of the main router:

!
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map hq-vpn 10
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address VPN
!
!
crypto map VPN 1 ipsec-isakmp dynamic hq-vpn
!
!
!
interface GigabitEthernet0/0/0
description OUTSIDE
ip address 2.2.2.2 255.255.255.248
ip nat outside
negotiation auto
crypto map VPN
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description INSIDE
ip address 1.1.1.1 255.255.255.0
ip nat inside
negotiation auto
ip virtual-reassembly
!

ip http server
ip http authentication local
no ip http secure-server
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0/0/1
ip nat inside source list WEB interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip ssh version 2
!
!
!
ip access-list extended WEB
10 deny ip 1.1.1.0 0.0.0.255 a.a.a.0 0.0.0.255
20 deny ip 1.1.1.0 0.0.0.255 a.a.b.0 0.0.0.255
30 deny ip 1.1.1.0 0.0.0.255 a.a.c.0 0.0.0.255
40 deny ip 1.1.1.0 0.0.0.255 a.a.d.0 0.0.0.255
50 deny ip 1.1.1.0 0.0.0.255 a.a.e.0 0.0.0.255
1000 permit ip 1.1.1.0 0.0.0.255 any
ip access-list extended VPN
10 permit ip 1.1.1.0 0.0.0.255 a.a.a.0 0.0.0.255
!
!
!
!

And this is the config of the other side:

!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
crypto isakmp key yyyyyyyyyy address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set TS
match address VPNHQ
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
negotiation auto

!
interface GigabitEthernet0/1/0
switchport access vlan 102
switchport mode access
!

!
interface Vlan102
description PLC-IOT
ip address 10.2.2.2 255.255.255.0
ip nat outside
crypto map vpn-to-hq
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip forward-protocol nd
ip nat inside source list WEB interface Vlan102 overload
ip route 1.1.1.0 255.255.255.0 10.1.1.254 track 1
ip route 8.8.8.8 255.255.255.255 10.0.173.102   ( this is just for testing the web reachability )
ip route 1.1.1.0 255.255.255.0 10.2.2.102 100
ip ssh version 2
!
ip access-list extended WEB
10 deny ip 10.1.1.0 0.0.0.255 1.1.10 0.0.0.255
1000 permit ip 10.1.1.0 0.0.0.255 any

ip access-list extended VPNHQ
10 permit ip 10.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255
!
ip sla 1
icmp-echo 10.1.1.254 source-interface GigabitEthernet0/0/0
threshold 2
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
!
!
!
control-plane

Any idea why it doesn't work?

Thanks in advance!

8 Replies

balaji.bandi
Hall of Fame

Before reviewing the config: does the main VPN work, and when it fails is the fallback not working? Or is nothing working?

BB


Nothing works!

@AlexBar76

You've defined the peer IP address as 2.2.2.2 (obviously false) but you don't appear to have a route to that IP address. Have you just incorrectly hidden this information or do you not actually have a route to the peer?


crypto map vpn-to-hq 10 ipsec-isakmp
set peer 2.2.2.2
!
ip route 1.1.1.0 255.255.255.0 10.1.1.254 track 1
ip route 8.8.8.8 255.255.255.255 10.0.173.102 ( this is just for testing the web reachability )
ip route 1.1.1.0 255.255.255.0 10.2.2.102 100

If you have made a mistake in hiding this information, please re-provide more accurate information.

Can you ping the peer IP address?

Have you generated interesting traffic to bring up the tunnel?

Turn on IKE debugging and provide the output for review.

Hi, I have the route for the traffic: 0.0.0.0 0.0.0.0 10.2.2.102

I can ping the peer 2.2.2.2.

I have turned on the IKE debug and tried to generate some traffic to bring up the VPN, but nothing happened.

The logging console and term mon are right and I see some other info, but nothing from IKE on both sides.

Thanks

Your routers have a crypto license?

You are sourcing the traffic from the correct network, as per the crypto ACL?

You are generating the traffic on the spoke router right?

Yes, the routers have the crypto license.

The source is correct and I try to generate the traffic from the spoke (remote site).

The main site is ready to receive from a dynamic address.

So what route is 1.1.1.0 or whatever the real destination network is actually taking? Via vlan102?

EDIT: Change the ACL used in your NAT rule, it is case sensitive - you are using "web" but the access-list is called "WEB".

ip access-list extended WEB
10 deny ip 10.1.1.0 0.0.0.255 1.1.10 0.0.0.255


no ip nat inside source list web interface Vlan102 overload
ip nat inside source list WEB interface Vlan102 overload
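Two of the checks raised in the replies above, whether the spoke's traffic actually matches the crypto ACL (interesting traffic) and what the NAT rule does to it first, can be scripted. The following is an added example, not code from the thread or from Cisco: it parses the spoke's posted ACLs, checks that the two crypto ACLs are mirror images of each other, and reports crypto-ACL traffic that the NAT ACL would translate before the crypto map is evaluated. The hub-side peer network, shown as a.a.a.0 in the post, is assumed here to be 10.1.1.0.

```python
import ipaddress

def _net(tok):
    """One IOS address spec ('any' or 'ADDR WILDCARD') -> (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    prefix = 32 - int(ipaddress.ip_address(tok[1])).bit_length()  # contiguous wildcard only
    return ipaddress.ip_network(f"{tok[0]}/{prefix}", strict=False), tok[2:]

def parse_acl(text):
    """'permit|deny ip SRC DST' lines -> ([(action, src, dst)], [unparseable lines])."""
    entries, bad = [], []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():  # drop the sequence number
            tok = tok[1:]
        try:
            src, rest = _net(tok[2:])
            dst, _ = _net(rest)
            entries.append((tok[0], src, dst))
        except (ValueError, IndexError):  # typo or x.x.x placeholder: report, don't drop
            bad.append(line.strip())
    return entries, bad

def mirror_mismatches(local, remote):
    """Local crypto permits with no src/dst-swapped twin on the peer (proxy-ID mismatch)."""
    remote_pairs = {(s, d) for a, s, d in remote if a == "permit"}
    return [(s, d) for a, s, d in local if a == "permit" and (d, s) not in remote_pairs]

def nat_before_crypto(nat, crypto):
    """Crypto pairs rewritten by inside->outside NAT before the crypto map sees them."""
    hits = []
    for a, s, d in crypto:
        for act, ns, nd in nat:  # first NAT entry containing the whole pair decides
            if a == "permit" and s.subnet_of(ns) and d.subnet_of(nd):
                if act == "permit":
                    hits.append((s, d))
                break
    return hits

# Constructed sample: spoke ACLs as posted; the hub's a.a.a.0 is ASSUMED to be 10.1.1.0.
SPOKE_CRYPTO = "10 permit ip 10.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255"
SPOKE_NAT = "10 deny ip 10.1.1.0 0.0.0.255 1.1.10 0.0.0.255\n1000 permit ip 10.1.1.0 0.0.0.255 any"
HUB_CRYPTO = "10 permit ip 1.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255"

def check_spoke():
    crypto, _ = parse_acl(SPOKE_CRYPTO)
    hub, _ = parse_acl(HUB_CRYPTO)
    nat, bad = parse_acl(SPOKE_NAT)
    return mirror_mismatches(crypto, hub), bad, nat_before_crypto(nat, crypto)
```

On the posted spoke config the NAT deny line does not parse, so the crypto traffic falls through to the permit-any NAT entry and is reported as translated before encryption; once the deny line parses and matches, the report is empty.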

Thanks, it is an error here in the topic. The ACL name was written in the same way in both lines.
