11-22-2015 12:02 PM - edited 02-21-2020 08:34 PM
Hello All,
I'm in need of some assistance as I'm going around in circles and, to be honest, I can't work it out.
I have a client who for the past 4 years has had 2 sites with bog standard ADSL+ at each location and an IPsec GRE tunnel between the 2. The client has upgraded both locations to VDSL and as such we've swapped the routers to 867s. We have internet access and the same config, but the VPN tunnel will not come up with IPsec applied. If I remove the IPsec profile from the tunnel interface I can ping etc. between the sites with no problem. When I apply the IPsec profile the crypto session fails. I know it's got to be something to do with the VDSL and I suspect it's MTU, but for the life of me I cannot work it out. The config has not changed, i.e. the same config applied to a dialer.
Has anyone had this issue? Am I on the right track with the MTU?
My configs. Note: using an open 0.0.0.0 source address for the encryption, and no ACLs applied to the dialer at the moment as I'm just trying to get the tunnel up.
Router A - Tunnel config
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset
!
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.255.14 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination 81.A.A.A
tunnel path-mtu-discovery
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe-client dial-pool-number 1
!
interface Vlan1
description Home
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
description Phones
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan3
description Media
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1340
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxx@cccc.dddd
ppp chap password 0 ABCD
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.34.0 255.255.255.0 Tunnel0
Router B
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface Tunnel0
description vpn link to Main House
ip address 192.168.255.13 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination 81.B.B.B
tunnel path-mtu-discovery
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1340
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxx@cccc.dddd
ppp chap password 0 ABCD
ip route 0.0.0.0 0.0.0.0 dialer0
ip route 192.168.0.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 Tunnel0
!
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
Any ideas would be appreciated.
Thanks
David
11-24-2015 04:22 PM
Hi David,
Fragmentation issues are more common when we use certificates for the authentication.
It would be a good idea to take a look at the debugs first:
* Debug crypto ipsec
* Debug crypto isakmp
Hope it helps
-Randy-
11-24-2015 05:04 PM
I think I have spotted it. On Router A, change:
crypto isakmp key xxxxxx address 0.0.0.0
To:
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
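As an added check that is not part of the thread, the script below lints the posted Router A config for the two things discussed: the `crypto isakmp key ... address 0.0.0.0` line missing its wildcard mask, and the tunnel MTU/MSS budget. The ESP overhead figures (AES-CBC, HMAC-SHA1-96, tunnel mode) and the PPPoE link MTU of 1492 are assumptions, not values taken from the thread.

```python
import re

# Constructed excerpt of the Router A config posted above (key redacted as in the post).
ROUTER_A = """\
crypto isakmp key xxxxxx address 0.0.0.0
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
interface Dialer0
 ip tcp adjust-mss 1340
"""

KEY_RE = re.compile(r"^\s*crypto isakmp key \S+ address (\S+)(?: (\S+))?")
IFACE_RE = re.compile(r"^\s*interface (\S+)")
MTU_RE = re.compile(r"^\s*ip mtu (\d+)")
MSS_RE = re.compile(r"^\s*ip tcp adjust-mss (\d+)")

def esp_tunnel_size(inner_len, gre=24, ip=20, esp_hdr=8, iv=16, block=16, icv=12):
    """Assumed on-wire size of one GRE-over-IPsec packet: GRE (outer IP + 4-byte GRE)
    wraps the inner packet, then ESP tunnel mode (AES-CBC IV, HMAC-SHA1-96 ICV) wraps that."""
    payload = inner_len + gre
    pad = (-(payload + 2)) % block  # ESP pads so payload + pad + 2 trailer bytes fill a block
    return ip + esp_hdr + iv + payload + pad + 2 + icv

def lint_config(text, link_mtu=1492):
    """Return a list of findings for an IOS config; link_mtu defaults to the PPPoE value."""
    findings, iface, mtu, mss = [], None, {}, {}
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            addr, mask = m.group(1), m.group(2)
            if addr == "0.0.0.0" and mask is None:
                findings.append("isakmp-key: 'address 0.0.0.0' without a mask is a host entry, not a wildcard; use 'address 0.0.0.0 0.0.0.0'")
            elif mask == "0.0.0.0":
                findings.append("isakmp-key: wildcard PSK answers any peer that knows the key; pin it to the remote address once the tunnel is up")
        elif m := IFACE_RE.match(line):
            iface = m.group(1)
        elif (m := MTU_RE.match(line)) and iface:
            mtu[iface] = int(m.group(1))
        elif (m := MSS_RE.match(line)) and iface:
            mss[iface] = int(m.group(1))
    for name, value in mss.items():  # MSS must leave room for the IP and TCP headers
        if name in mtu and value > mtu[name] - 40:
            findings.append(f"{name}: adjust-mss {value} leaves less than 40 bytes for IP+TCP under ip mtu {mtu[name]}")
    for name, value in mtu.items():  # does a full-size tunnel packet still fit the link after encryption?
        if name.startswith("Tunnel") and (wire := esp_tunnel_size(value)) > link_mtu:
            findings.append(f"{name}: ip mtu {value} encrypts to ~{wire} bytes, above link MTU {link_mtu}; post-encryption fragmentation expected")
    return findings
```

Run `lint_config(ROUTER_A)` to see both findings; the MTU one only says that a 1400-byte tunnel packet lands slightly over 1492 after tunnel-mode ESP under the assumed overheads, which is worth verifying with `show crypto ipsec sa` counters rather than treating as a fault.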