04-23-2018 07:45 AM - edited 03-12-2019 05:13 AM
Hello,
I am trying to configure IPSEC vpn between Sonicwall firewall(108.60.x.x) and Cisco IOS router(74.62.x.x) that is also DMVPN HUB. Sonicwall is behind Velocloud SD-WAN (don't have much information besides public ip address). Sonicwall support suggested using aggressive mode since firewall is behind NAT.
Interesting traffic:
Sonicwall side 10.120.1.0/24; 10.120.2.0/24
Cisco IOS side: 10.100.1.132 (test host that is responding to icmp); 172.23.22.23(static route on the router)
I am getting phase 1 up:
BHP-11011-SM-RTR01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
74.62.x.x 108.60.x.x QM_IDLE 7081 ACTIVE Fiber-ISAKMP
But phase 2 has decaps but not encaps:
RTR01#sh crypto ipsec sa peer 108.60.x.x
interface: Port-channel10.199
Crypto map tag: VPN1, local addr 74.62.x.x
protected vrf: A-Side-DMVPN
local ident (addr/mask/prot/port): (10.100.1.132/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.120.1.0/255.255.255.0/0/0)
current_peer 108.60.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 74.62.x.x, remote crypto endpt.: 108.60.x.x
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Port-channel10.199
current outbound spi: 0x42802CE5(1115696357)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x75B7D6DC(1974982364)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3771, flow_id: Onboard VPN:1771, sibling_flags 80000040, crypto map: VPN1
sa timing: remaining key lifetime (k/sec): (4177953/3158)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x42802CE5(1115696357)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3772, flow_id: Onboard VPN:1772, sibling_flags 80000040, crypto map: VPN1
sa timing: remaining key lifetime (k/sec): (4177953/3158)
IV size: 8 bytes
replay detection support: Y
Here are debugs from debug crypto ipsec
530741: Apr 19 16:14:41.074 PDT: ISAKMP (7077): received packet from 108.60.x.x dport 500 sport 500 A-Side-DMVPN (R) QM_IDLE
530742: Apr 19 16:14:41.074 PDT: ISAKMP: set new node 1655629518 to QM_IDLE
530743: Apr 19 16:14:41.074 PDT: ISAKMP:(7077): processing HASH payload. message ID = 1655629518
530744: Apr 19 16:14:41.074 PDT: ISAKMP:(7077): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1655629518, sa = 0x24A115C8
530745: Apr 19 16:14:41.074 PDT: ISAKMP:(7077):deleting node 1655629518 error FALSE reason "Informational (in) state 1"
530746: Apr 19 16:14:41.074 PDT: ISAKMP:(7077):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
530747: Apr 19 16:14:41.074 PDT: ISAKMP:(7077):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
530748: Apr 19 16:14:41.078 PDT: ISAKMP (7077): received packet from 108.60.x.x dport 500 sport 500 A-Side-DMVPN (R) QM_IDLE
530749: Apr 19 16:14:41.078 PDT: ISAKMP: set new node -1339841267 to QM_IDLE
530750: Apr 19 16:14:41.078 PDT: ISAKMP:(7077): processing HASH payload. message ID = 2955126029
530751: Apr 19 16:14:41.078 PDT: ISAKMP:(7077): processing SA payload. message ID = 2955126029
530752: Apr 19 16:14:41.078 PDT: ISAKMP:(7077):Checking IPSec proposal 1
530753: Apr 19 16:14:41.078 PDT: ISAKMP: transform 1, ESP_3DES
530754: Apr 19 16:14:41.078 PDT: ISAKMP: attributes in transform:
530755: Apr 19 16:14:41.078 PDT: ISAKMP: SA life type in seconds
530756: Apr 19 16:14:41.078 PDT: ISAKMP: SA life duration (basic) of 28800
530757: Apr 19 16:14:41.078 PDT: ISAKMP: encaps is 1 (Tunnel)
530758: Apr 19 16:14:41.078 PDT: ISAKMP: authenticator is HMAC-MD5
530759: Apr 19 16:14:41.078 PDT: ISAKMP:(7077):atts are acceptable.
530760: Apr 19 16:14:41.078 PDT: IPSEC(validate_proposal_request): proposal part #1
530761: Apr 19 16:14:41.078 PDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 74.62.x.x:0, remote= 108.60.x.x:0,
local_proxy= 10.100.1.132/255.255.255.255/256/0,
remote_proxy= 10.120.2.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
530762: Apr 19 16:14:41.078 PDT: map_db_find_best did not find matching map
530763: Apr 19 16:14:41.078 PDT: Crypto mapdb : proxy_match
src addr : 10.100.1.132
dst addr : 10.120.2.0
protocol : 0
src port : 0
dst port : 0
530764: Apr 19 16:14:41.078 PDT: map_db_check_isakmp_profile profile did not match,
ike passed profile : Fiber-ISAKMP,
map_ike_profile: VPN1-RA,
head_ike_profile: NULL
530765: Apr 19 16:14:41.078 PDT: map_db_check_isakmp_profile profile did not match,
ike passed profile : Fiber-ISAKMP,
map_ike_profile: VPN1-RA,
head_ike_profile: NULL
530766: Apr 19 16:14:41.078 PDT: map_db_find_best did not find matching map
530767: Apr 19 16:14:41.078 PDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
530768: Apr 19 16:14:41.078 PDT: ISAKMP:(7077): IPSec policy invalidated proposal with error 256
530769: Apr 19 16:14:41.078 PDT: ISAKMP:(7077): phase 2 SA policy not acceptable! (local 74.62.x.x remote 108.60.x.x)
530770: Apr 19 16:14:41.078 PDT: ISAKMP: set new node -2147111992 to QM_IDLE
530771: Apr 19 16:14:41.078 PDT: ISAKMP:(7077):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 576000832, message ID = 2147855304
530772: Apr 19 16:14:41.078 PDT: ISAKMP:(7077): sending packet to 108.60.x.x my_port 500 peer_port 500 (R) QM_IDLE
530773: Apr 19 16:14:41.078 PDT: ISAKMP:(7077):Sending an IKE IPv4 Packet.
530774: Apr 19 16:14:41.078 PDT: ISAKMP:(7077):purging node -2147111992
530775: Apr 19 16:14:41.078 PDT: ISAKMP:(7077):deleting node -1339841267 error TRUE reason "QM rejected"
530776: Apr 19 16:14:41.082 PDT: ISAKMP:(7077):Node 2955126029, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
530777: Apr 19 16:14:41.082 PDT: ISAKMP:(7077):Old State = IKE_QM_READY New State = IKE_QM_READY
530778: Apr 19 16:14:41.082 PDT: ISAKMP:(7077):DPD/R_U_THERE received from peer 108.60.x.x, sequence 0x6D61FF19
530779: Apr 19 16:14:41.082 PDT: ISAKMP: set new node 387959618 to QM_IDLE
530780: Apr 19 16:14:41.082 PDT: ISAKMP:(7077):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 576001888, message ID = 387959618
530781: Apr 19 16:14:41.082 PDT: ISAKMP:(7077): seq. no 0x6D61FF19
530782: Apr 19 16:14:41.082 PDT: ISAKMP:(7077): sending packet to 108.60.x.x my_port 500 peer_port 500 (R) QM_IDLE
530783: Apr 19 16:14:41.082 PDT: ISAKMP:(7077):Sending an IKE IPv4 Packet.
530784: Apr 19 16:14:41.082 PDT: ISAKMP:(7077):purging node 387959618
530785: Apr 19 16:14:41.082 PDT: ISAKMP:(7077):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
530786: Apr 19 16:14:41.082 PDT: ISAKMP:(7077):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
530787: Apr 19 16:15:31.074 PDT: ISAKMP:(7077):purging node 1655629518
530788: Apr 19 16:15:31.078 PDT: ISAKMP:(7077):purging node -1339841267
530789: Apr 19 16:15:46.074 PDT: ISAKMP (7077): received packet from 108.60.x.x dport 500 sport 500 A-Side-DMVPN (R) QM_IDLE
530790: Apr 19 16:15:46.074 PDT: ISAKMP: set new node 894828764 to QM_IDLE
530791: Apr 19 16:15:46.074 PDT: ISAKMP:(7077): processing HASH payload. message ID = 894828764
530792: Apr 19 16:15:46.074 PDT: ISAKMP:(7077): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 894828764, sa = 0x24A115C8
530793: Apr 19 16:15:46.074 PDT: ISAKMP:(7077):deleting node 894828764 error FALSE reason "Informational (in) state 1"
530794: Apr 19 16:15:46.074 PDT: ISAKMP:(7077):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
530795: Apr 19 16:15:46.074 PDT: ISAKMP:(7077):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
530796: Apr 19 16:15:46.074 PDT: ISAKMP (7077): received packet from 108.60.x.x dport 500 sport 500 A-Side-DMVPN (R) QM_IDLE
530797: Apr 19 16:15:46.074 PDT: ISAKMP: set new node 856835205 to QM_IDLE
530798: Apr 19 16:15:46.074 PDT: ISAKMP:(7077): processing HASH payload. message ID = 856835205
530799: Apr 19 16:15:46.074 PDT: ISAKMP:(7077): processing SA payload. message ID = 856835205
530800: Apr 19 16:15:46.074 PDT: ISAKMP:(7077):Checking IPSec proposal 1
530801: Apr 19 16:15:46.074 PDT: ISAKMP: transform 1, ESP_3DES
530802: Apr 19 16:15:46.074 PDT: ISAKMP: attributes in transform:
530803: Apr 19 16:15:46.074 PDT: ISAKMP: SA life type in seconds
530804: Apr 19 16:15:46.074 PDT: ISAKMP: SA life duration (basic) of 28800
530805: Apr 19 16:15:46.074 PDT: ISAKMP: encaps is 1 (Tunnel)
530806: Apr 19 16:15:46.074 PDT: ISAKMP: authenticator is HMAC-MD5
530807: Apr 19 16:15:46.074 PDT: ISAKMP:(7077):atts are acceptable.
530808: Apr 19 16:15:46.074 PDT: IPSEC(validate_proposal_request): proposal part #1
530809: Apr 19 16:15:46.074 PDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 74.62.x.x:0, remote= 108.60.x.x:0,
local_proxy= 10.100.1.132/255.255.255.255/256/0,
remote_proxy= 10.120.2.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
530810: Apr 19 16:15:46.074 PDT: map_db_find_best did not find matching map
530811: Apr 19 16:15:46.074 PDT: Crypto mapdb : proxy_match
src addr : 10.100.1.132
dst addr : 10.120.2.0
protocol : 0
src port : 0
dst port : 0
530812: Apr 19 16:15:46.074 PDT: map_db_check_isakmp_profile profile did not match,
ike passed profile : Fiber-ISAKMP,
map_ike_profile: VPN1-RA,
head_ike_profile: NULL
530813: Apr 19 16:15:46.074 PDT: map_db_check_isakmp_profile profile did not match,
ike passed profile : Fiber-ISAKMP,
map_ike_profile: VPN1-RA,
head_ike_profile: NULL
530814: Apr 19 16:15:46.074 PDT: map_db_find_best did not find matching map
530815: Apr 19 16:15:46.074 PDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
530816: Apr 19 16:15:46.074 PDT: ISAKMP:(7077): IPSec policy invalidated proposal with error 256
530817: Apr 19 16:15:46.078 PDT: ISAKMP:(7077): phase 2 SA policy not acceptable! (local 74.62.x.x remote 108.60.x.x)
530818: Apr 19 16:15:46.078 PDT: ISAKMP: set new node 89639739 to QM_IDLE
530819: Apr 19 16:15:46.078 PDT: ISAKMP:(7077):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 576000832, message ID = 89639739
530820: Apr 19 16:15:46.078 PDT: ISAKMP:(7077): sending packet to 108.60.x.x my_port 500 peer_port 500 (R) QM_IDLE
530821: Apr 19 16:15:46.078 PDT: ISAKMP:(7077):Sending an IKE IPv4 Packet.
530822: Apr 19 16:15:46.078 PDT: ISAKMP:(7077):purging node 89639739
--More-- 530823: Apr 19 16:15:46.078 PDT: ISAKMP:(7077):deleting node 856835205 error TRUE reason "QM rejected"
530824: Apr 19 16:15:46.078 PDT: ISAKMP:(7077):Node 856835205, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
530825: Apr 19 16:15:46.078 PDT: ISAKMP:(7077):Old State = IKE_QM_READY New State = IKE_QM_READY
530826: Apr 19 16:15:46.078 PDT: ISAKMP:(7077):DPD/R_U_THERE received from peer 108.60.x.x, sequence 0x6D61FF1A
530827: Apr 19 16:15:46.078 PDT: ISAKMP: set new node -1258502155 to QM_IDLE
530828: Apr 19 16:15:46.082 PDT: ISAKMP:(7077):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 576001888, message ID = 3036465141
530829: Apr 19 16:15:46.082 PDT: ISAKMP:(7077): seq. no 0x6D61FF1A
530830: Apr 19 16:15:46.082 PDT: ISAKMP:(7077): sending packet to 108.60.x.x my_port 500 peer_port 500 (R) QM_IDLE
530831: Apr 19 16:15:46.082 PDT: ISAKMP:(7077):Sending an IKE IPv4 Packet.
530832: Apr 19 16:15:46.082 PDT: ISAKMP:(7077):purging node -1258502155
530833: Apr 19 16:15:46.082 PDT: ISAKMP:(7077):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
530834: Apr 19 16:15:46.082 PDT: ISAKMP:(7077):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Relevant config:
!
vrf definition 11011-Inside
rd 65000:102
route-target export 65000:102
route-target import 65000:102
!
address-family ipv4
route-replicate from vrf A-Side-DMVPN unicast connected
route-replicate from vrf B-Side-DMVPN unicast connected
exit-address-family
!
vrf definition A-Side-DMVPN
rd 65000:100
route-target export 65000:100
route-target import 65000:100
!
address-family ipv4
route-replicate from vrf 11011-Inside unicast connected
exit-address-family
!
vrf definition B-Side-DMVPN
rd 65000:101
route-target export 65000:101
route-target import 65000:101
!
address-family ipv4
route-replicate from vrf 11011-Inside unicast connected
exit-address-family
!
aaa authorization network VPN1-RA-LIST local
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!!
ip multicast-routing vrf 11011-Inside
ip inspect WAAS flush-timeout 10
ip ips config location flash: retries 1
ip cef
!
!
track 10 ip sla 10 reachability
!
track 20 ip sla 20 reachability
!
crypto keyring B-Side-Keyring vrf B-Side-DMVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key 6 Fc_SXcREXJXTUX`GLCeITEYV`JPgcMKbN
crypto keyring A-Side-Keyring vrf A-Side-DMVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key 6 SRfJ``DMK[BVaHcHbdMBPF[EP]OLhAFBC
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.0.02052-k9.pkg sequence 1
no crypto isakmp default policy
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
hash md5
authentication pre-share
lifetime 3600
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 _bBK^cQL`bhRbZB]ANBdJN^CTLUZI`YfJZgcJ_Z address 108.60.x.x no-xauth
crypto isakmp key 6 Uh\SDWVZ[TLPAH[^Hd_PdJWhR[fKUIVA\ address 0.0.0.0 no-xauth
crypto isakmp keepalive 300
!
crypto isakmp client configuration group VPN1-RA-GROUP
key 6 N\cPLYLX]chY[hZAeGeW]UfGOA]eBfAAB
pool VPN1-RA
!
crypto isakmp peer address 108.60.x.x
set aggressive-mode password 6 WZANYYaX[DGb^OgZVcFHKOCRWVVNM\cOTgIGVGf
set aggressive-mode client-endpoint ipv4-address 108.60.x.x
crypto isakmp profile Fiber-ISAKMP
vrf A-Side-DMVPN
keyring A-Side-Keyring
match identity address 0.0.0.0 A-Side-DMVPN
keepalive 30 retry 3
local-address Port-channel10.199
crypto isakmp profile Cable-ISAKMP
vrf B-Side-DMVPN
keyring B-Side-Keyring
match identity address 0.0.0.0 B-Side-DMVPN
keepalive 30 retry 3
local-address Port-channel10.198
crypto isakmp profile VPN1-RA
vrf A-Side-DMVPN
match identity group VPN1-RA-GROUP
client authentication list Default
isakmp authorization list VPN1-RA-LIST
client configuration address initiate
client configuration address respond
!
!
crypto ipsec transform-set BHP11011 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set VPN1-RA esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set SONICWALL esp-3des esp-sha-hmac
mode tunnel
crypto ipsec fragmentation after-encryption
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile BHP-DMVPN
set security-association lifetime seconds 86400
set transform-set BHP11011
set pfs group14
set isakmp-profile Fiber-ISAKMP
!
crypto ipsec profile BHP-DMVPN2
set security-association lifetime seconds 86400
set transform-set BHP11011
set pfs group14
set isakmp-profile Cable-ISAKMP
!
!
!
crypto dynamic-map VPN1-RA 65535
set transform-set VPN1-RA
set isakmp-profile VPN1-RA
reverse-route
!
!
crypto map VPN1 10 ipsec-isakmp
set peer 108.60.x.x
set security-association lifetime seconds 28800
set transform-set SONICWALL
match address VPN-SONICWALL
crypto map VPN1 65535 ipsec-isakmp dynamic VPN1-RA
!
!
!
!
!
interface Tunnel0
description Fiber Handoff DMVPN
bandwidth 50000
vrf forwarding 11011-Inside
ip address 10.255.255.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 AUTH-EIGRP
ip hello-interval eigrp 100 1
ip hold-time eigrp 100 5
no ip split-horizon eigrp 100
ip pim sparse-dense-mode
ip nhrp authentication XXXXX
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp server-only
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
qos pre-classify
cdp enable
tunnel source Port-channel10.199
tunnel mode gre multipoint
tunnel key 100
tunnel vrf A-Side-DMVPN
tunnel protection ipsec profile BHP-DMVPN shared
!
interface Tunnel1
description Cable Handoff DMVPN
bandwidth 10000
vrf forwarding 11011-Inside
ip address 10.255.254.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 AUTH-EIGRP
ip hello-interval eigrp 100 1
ip hold-time eigrp 100 5
no ip split-horizon eigrp 100
ip pim sparse-dense-mode
ip nhrp authentication XXXX
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 60
ip nhrp server-only
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
qos pre-classify
cdp enable
tunnel source Port-channel10.198
tunnel mode gre multipoint
tunnel key 100
tunnel vrf B-Side-DMVPN
tunnel protection ipsec profile BHP-DMVPN2
!
interface Null0
no ip unreachables
!
interface Port-channel10
no ip address
hold-queue 150 in
!
interface Port-channel10.101
description sub-port to data vlan 101
encapsulation dot1Q 101
vrf forwarding 11011-Inside
ip address 10.100.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Port-channel10.102
description to voice vlan 102
encapsulation dot1Q 102
vrf forwarding 11011-Inside
ip address 10.100.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip verify unicast source reachable-via rx
!
interface Port-channel10.103
description to video vlan 103
encapsulation dot1Q 103
vrf forwarding 11011-Inside
ip address 10.100.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Port-channel10.198
description Cable Transit Interface
bandwidth 10000
encapsulation dot1Q 198
vrf forwarding B-Side-DMVPN
ip address 24.43.x.x 255.255.255.248
ip access-group Generic-Ingress-Policy in
ip nat outside
ip virtual-reassembly in max-fragments 64
service-policy output Cable-Shape
!
interface Port-channel10.199
description Fiber Transit Interface
bandwidth 50000
encapsulation dot1Q 199
vrf forwarding A-Side-DMVPN
ip address 74.62.x.x 255.255.255.248
ip access-group Generic-Ingress-Policy in
ip nat outside
ip virtual-reassembly in max-fragments 64
crypto map VPN1
service-policy output Fiber-Shape
!
!
interface Virtual-Template1
vrf forwarding 11011-Inside
ip unnumbered Port-channel10.101
!
!
ip nat inside source list temp-nat interface Port-channel10.101 vrf 11011-Inside overload
ip nat inside source static tcp 10.100.3.10 50333 interface Port-channel10.199 50333
ip nat inside source route-map Fiber-PAT interface Port-channel10.199 vrf 11011-Inside overload
ip route vrf 11011-Inside 0.0.0.0 0.0.0.0 74.62.x.x track 10
ip route vrf 11011-Inside 0.0.0.0 0.0.0.0 24.43.x.x 20 track 20
ip route vrf 11011-Inside 172.23.22.23 255.255.255.255 10.100.1.25 name Advent-BHP
ip route vrf A-Side-DMVPN 0.0.0.0 0.0.0.0 74.62.x.x name Fiber-Default
ip route vrf B-Side-DMVPN 0.0.0.0 0.0.0.0 24.43.x.x name Cable-Default
ip access-list extended NAT-11011
deny ip host 10.100.1.132 10.120.1.0 0.0.0.255
permit ip 10.100.1.0 0.0.0.255 any
permit ip 10.100.3.0 0.0.0.255 any
permit ip 10.100.2.0 0.0.0.255 any
ip access-list extended VPN-SONICWALL
permit ip host 172.23.22.23 10.120.1.0 0.0.0.255
permit ip host 172.23.22.23 10.120.2.0 0.0.0.255
permit ip host 10.100.1.132 10.120.1.0 0.0.0.255
ip access-list extended temp-nat
deny ip 10.120.1.0 0.0.0.255 172.23.22.0 0.0.0.255
deny ip 10.120.2.0 0.0.0.255 172.23.22.0 0.0.0.255
permit ip any 172.23.22.0 0.0.0.255
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Port-channel10.199
vrf A-Side-DMVPN
threshold 100
timeout 200
frequency 1
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 8.8.8.8 source-interface Port-channel10.198
vrf B-Side-DMVPN
threshold 100
timeout 200
frequency 1
ip sla schedule 20 life forever start-time now
route-map Fiber-PAT permit 10
match ip address NAT-11011
match interface Port-channel10.199
!
!
From what I saw router is complaining that phase 2 doesn't match on both sides. I have exact phase 2 settings on Sonicwall.
Appreciate any help! Thank you!
04-23-2018 10:29 AM
Phase1 and Phase2 are ok.
Looks like you are missing NAT statements to exempt VPN traffic from NAT.
04-23-2018 10:39 AM
This is what I have. Not sure if I posted the most recent config:
ip access-list extended NAT-11011
deny ip host 10.100.1.132 10.120.1.0 0.0.0.255
permit ip 10.100.1.0 0.0.0.255 any
permit ip 10.100.3.0 0.0.0.255 any
permit ip 10.100.2.0 0.0.0.255 any
172.23.22.23 is not part of nat so I did not add it here. I added it here. Not even sure what this NAT is for:
ip access-list extended temp-nat
deny ip 10.120.1.0 0.0.0.255 172.23.22.0 0.0.0.255
deny ip 10.120.2.0 0.0.0.255 172.23.22.0 0.0.0.255
permit ip any 172.23.22.0 0.0.0.255
Where do you think I am missing NAT statements to exempt VPN traffic?
ip nat inside source list temp-nat interface Port-channel10.101 vrf 11011-Inside overload
ip nat inside source route-map Fiber-PAT interface Port-channel10.199 vrf 11011-Inside overload
!
route-map Fiber-PAT permit 10
match ip address NAT-11011
match interface Port-channel10.199
Thanks
04-23-2018 11:11 AM
I Think it is your match statement in the route-map that is not being hit. Is there a reason you have both ACL and interface match in the statement? Would you be able to remove the interface match for testing?
04-23-2018 11:33 AM
Someone else configured that part. Not sure why they did it that way. Why would my access list not been hit?
Don't have the access to the router at the moment but I am pretty sure that I saw hits on the access list. Can post output later or tomorrow.
ip access-list extended NAT-11011
deny ip host 10.100.1.132 10.120.1.0 0.0.0.255
172.23.22.23 is host that is not part of internal subnets. It is a server behind another router/firewall. We just route to it from the router I want to setup ipsec vpn. So that is why it is not part of regular nat/pat.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide