Encrypt IPsec VPN tunnel - Cisco 867s over VDSL

davidfield (Level 3)

Hello All,

I'm in need of some assistance as I'm going around in circles and, to be honest, I can't work it out.

I have a client who for the past 4 years has had two sites with bog-standard ADSL2+ at each location and an IPsec/GRE tunnel between the two. The client has upgraded both locations to VDSL and as such we've swapped the routers to 867s. We have internet access and the same config, but the VPN tunnel will not come up with IPsec applied. If I remove the IPsec profile from the tunnel interface I can ping etc. no problem between the sites. I apply the IPsec profile and the crypto session fails. I know it's got to be something to do with the VDSL and I suspect it's MTU, but for the life of me I cannot work it out. The config has not changed, i.e. the same config applied to a dialer.

Has anyone had this issue? Am I on the right track with the MTU?  

My configs. Note I'm using an open 0.0.0.0 source address for the encryption and no ACLs applied to the dialer at the moment, as I'm just trying to get the tunnel up.

Router A - Tunnel config

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset
!
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.255.14 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination 81.A.A.A
tunnel path-mtu-discovery
tunnel protection ipsec profile encrypt-tunnel
!

interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe-client dial-pool-number 1
!

interface Vlan1
description Home
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
description Phones
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan3
description Media
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1340
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxx@cccc.dddd
ppp chap password 0 ABCD
!
!ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.34.0 255.255.255.0 Tunnel0

Router B

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface Tunnel0
description vpn link to Main House
ip address 192.168.255.13 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination 81.B.B.B
tunnel path-mtu-discovery
tunnel protection ipsec profile encrypt-tunnel
!

interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1340
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxx@cccc.dddd
ppp chap password 0 ABCD
!
ip route 0.0.0.0 0.0.0.0 dialer0
ip route 192.168.0.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 Tunnel0
!
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload

Any ideas would be appreciated.

Thanks

David
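
The arithmetic behind the MTU suspicion, as an added example that is not part of the original post. It takes the thread's own numbers (PPPoE on the Dialer, so a 1492-byte link MTU; `esp-aes esp-sha-hmac`, i.e. AES-CBC with a 16-byte IV and HMAC-SHA1-96 with a 12-byte ICV; a bare 4-byte GRE header, since no GRE key or sequencing is configured; `ip mtu 1400` on the tunnel) and works out how big the encrypted packet is on the wire in IPsec tunnel mode versus transport mode. Header sizes are the ones in the ESP, GRE and PPPoE RFCs. One assumption: NAT-T (an extra 8-byte UDP header) is off, because both routers hold their public address directly on the Dialer; if an ISP put CGNAT in front of one side, pass `nat_t=True`.

```python
# Added example (not from the original post): encapsulation arithmetic for a
# GRE tunnel with "tunnel protection" (ESP) carried over PPPoE on VDSL.
# Fixed sizes come from RFC 4303 (ESP), RFC 2784 (GRE) and RFC 2516 (PPPoE);
# the link type, transform set and tunnel settings are the ones in the thread.

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8                 # 6-byte PPPoE header + 2-byte PPP protocol field
PPPOE_LINK_MTU = ETHERNET_MTU - PPPOE_OVERHEAD   # 1492: the IP MTU of Dialer0
IP_HDR = 20                        # IPv4 header without options
TCP_HDR = 20
UDP_HDR = 8                        # only present with NAT-T (UDP/4500) encapsulation
GRE_HDR = 4                        # bare GRE: no key, sequence or checksum configured
ESP_HDR = 8                        # SPI + sequence number
ESP_TRAILER = 2                    # pad length + next header

# transform-set vpnset esp-aes esp-sha-hmac:
# AES-CBC (16-byte block, 16-byte IV) and HMAC-SHA1-96 (12-byte ICV)
AES_BLOCK, AES_IV, SHA1_ICV = 16, 16, 12


def esp_len(plain_len, block=AES_BLOCK, iv=AES_IV, icv=SHA1_ICV):
    """Bytes of ESP (header, IV, padded payload, trailer, ICV) protecting plain_len bytes."""
    body = plain_len + ESP_TRAILER
    pad = (-body) % block          # CBC needs a whole number of cipher blocks
    return ESP_HDR + iv + body + pad + icv


def wire_len(inner_ip_len, mode="tunnel", nat_t=False):
    """Outer IPv4 packet size for one passenger packet sent through GRE + IPsec.

    tunnel mode:    outer IP | ESP( GRE-delivery IP | GRE | passenger )
    transport mode: GRE-delivery IP | ESP( GRE | passenger )   (delivery header reused)
    """
    gre = GRE_HDR + inner_ip_len
    extra = UDP_HDR if nat_t else 0
    if mode == "tunnel":
        return IP_HDR + extra + esp_len(IP_HDR + gre)
    if mode == "transport":
        return IP_HDR + extra + esp_len(gre)
    raise ValueError(f"unknown IPsec mode {mode!r}")


def fits(inner_ip_len, link_mtu=PPPOE_LINK_MTU, mode="tunnel", nat_t=False):
    """True if a passenger packet of this size leaves without post-encryption fragmentation."""
    return wire_len(inner_ip_len, mode, nat_t) <= link_mtu


def max_tunnel_ip_mtu(link_mtu=PPPOE_LINK_MTU, mode="tunnel", nat_t=False):
    """Largest 'ip mtu' for the tunnel interface at which every packet fits the link."""
    # wire_len never shrinks as the passenger grows, so the first hit from the top is the max
    for inner in range(link_mtu, 0, -1):
        if fits(inner, link_mtu, mode, nat_t):
            return inner
    raise ValueError("link MTU too small for any payload")


def mss_for(ip_mtu):
    """'ip tcp adjust-mss' value that keeps a TCP segment inside the given IP MTU."""
    return ip_mtu - IP_HDR - TCP_HDR


def report(ip_mtu=1400, link_mtu=PPPOE_LINK_MTU):
    """Summarise the thread's settings for both IPsec modes."""
    rows = {}
    for mode in ("tunnel", "transport"):
        rows[mode] = {
            "wire_bytes_at_ip_mtu": wire_len(ip_mtu, mode),
            "fits_link": fits(ip_mtu, link_mtu, mode),
            "max_ip_mtu": max_tunnel_ip_mtu(link_mtu, mode),
        }
    rows["mss_for_ip_mtu"] = mss_for(ip_mtu)
    return rows


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

What it shows: in tunnel mode a full 1400-byte tunnel packet comes out at 1496 bytes, four over the 1492-byte PPPoE link MTU, so the largest packets are fragmented after encryption (or dropped when the DF bit is carried to the outer header); 1398 is the largest tunnel `ip mtu` that never fragments on this link, and `mode transport` on the transform set carries 1400 with room to spare because it drops the second IP header. Note what this does and does not explain: an MTU problem breaks large pings and file transfers through a tunnel that is otherwise up; it does not stop the IKE exchange, whose packets are small with pre-shared keys, so on its own it cannot account for the crypto session failing to come up at all.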

3 Replies

Philip D'Ath (VIP Alumni)

You are missing access-list 1, to control the NAT; however, that alone will not break it.

I suspect you might have an IOS with bugs.  Try changing to a "gold star" release on both routers, and make sure both routers are running the same version.

I would also enable keepalives just in case you have managed to get the SPIs out of sync during testing, and there is in fact nothing wrong.

crypto isakmp keepalive 60
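
One way to turn that reply's checklist (NAT ACL actually present, keepalives on, both ends agreeing on the crypto parameters) into a repeatable check, as an added example that is not part of the thread and not a Cisco tool. It parses the two configs, constructed here from the abridged ones in the post (indentation restored, tunnel addressing left out because it plays no part in the checks, placeholder values kept as posted), and reports phase 1 and phase 2 mismatches, a `tunnel protection` profile with no usable transform-set, a NAT statement whose ACL is absent, missing DPD, and the any-peer wildcard key the poster is using while testing. The IOS defaults it fills in for lines that are not shown (`encr des`, `hash sha`, `authentication rsa-sig`, `group 1`, `lifetime 86400` for an ISAKMP policy; tunnel mode for a transform set) are the documented ones. It cannot see the pre-shared key values or the addresses the Dialers negotiate; `show crypto isakmp sa` on the box is needed for those.

```python
import re

# Constructed from the abridged configs posted in the thread (not a live capture):
# indentation restored, tunnel addressing omitted, placeholder values kept as posted.
ROUTER_A = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 0.0.0.0
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile encrypt-tunnel
 set transform-set vpnset
interface Tunnel0
 tunnel protection ipsec profile encrypt-tunnel
ip nat inside source list 1 interface Dialer0 overload
"""

ROUTER_B = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto ipsec profile encrypt-tunnel
 set transform-set vpnset
interface Tunnel0
 tunnel protection ipsec profile encrypt-tunnel
ip nat inside source list 1 interface Dialer0 overload
"""

# What IOS applies for a policy line that is not shown; transform-sets default to tunnel mode.
ISAKMP_DEFAULTS = {"encr": "encr des", "hash": "hash sha", "authentication": "authentication rsa-sig",
                   "group": "group 1", "lifetime": "lifetime 86400"}


def parse(text):
    """IOS config text -> {top-level line: [its indented child lines]} in file order."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                         # blank line or '!' separator
        if raw[0].isspace():
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def keyed(lines, defaults):
    """{first word: full line}, so an omitted line compares equal to its IOS default."""
    merged = dict(defaults)
    merged.update({line.split()[0]: line for line in lines})
    return merged


def isakmp_policy(blocks):
    for top, lines in blocks.items():
        if top.startswith("crypto isakmp policy "):
            return keyed(lines, ISAKMP_DEFAULTS)
    return None


def profile_transform(blocks, profile):
    """(sorted ESP transforms, mode) of the transform-set an ipsec profile points at, or None."""
    for line in blocks.get(f"crypto ipsec profile {profile}", []):
        if line.startswith("set transform-set "):
            name = line.split()[2]
            for top, lines in blocks.items():
                if top.startswith(f"crypto ipsec transform-set {name} "):
                    return tuple(sorted(top.split()[4:])), keyed(lines, {"mode": "mode tunnel"})["mode"]
    return None


def tunnel_profiles(blocks):
    """Profile names applied with 'tunnel protection' on any Tunnel interface."""
    return [line.split()[-1] for top, lines in blocks.items() if top.startswith("interface Tunnel")
            for line in lines if line.startswith("tunnel protection ipsec profile ")]


def check_router(label, blocks):
    """Single-router findings: dangling profile, NAT ACL that does not exist, no DPD, any-peer PSK."""
    out = []
    acls = {top.split()[1] for top in blocks if top.startswith("access-list ")}
    if not any(top.startswith("crypto isakmp keepalive") for top in blocks):
        out.append(f"{label}: no 'crypto isakmp keepalive' (DPD); a stale SA is never torn down")
    for profile in tunnel_profiles(blocks):
        if profile_transform(blocks, profile) is None:
            out.append(f"{label}: tunnel protection profile {profile} has no usable transform-set")
    for top in blocks:
        m = re.match(r"ip nat inside source list (\S+) ", top)
        if m and m.group(1) not in acls:
            out.append(f"{label}: NAT references access-list {m.group(1)}, which is not in the config")
        if top.startswith("crypto isakmp key ") and re.search(r"address 0\.0\.0\.0( 0\.0\.0\.0)?$", top):
            out.append(f"{label}: wildcard pre-shared key; any host that knows it can negotiate")
    return out


def check_pair(a_text, b_text):
    """Per-router findings plus whether phase 1 and phase 2 parameters agree across the pair."""
    a, b = parse(a_text), parse(b_text)
    out = check_router("A", a) + check_router("B", b)
    if isakmp_policy(a) != isakmp_policy(b):
        out.append(f"phase 1 mismatch: {isakmp_policy(a)} vs {isakmp_policy(b)}")
    ta = [profile_transform(a, p) for p in tunnel_profiles(a)]
    tb = [profile_transform(b, p) for p in tunnel_profiles(b)]
    if ta != tb:
        out.append(f"phase 2 mismatch: {ta} vs {tb}")
    return out
```

Run `check_pair(ROUTER_A, ROUTER_B)` and it reports no phase 1 or phase 2 mismatch for the thread's configs (Router A's explicit `mode tunnel` equals Router B's default), plus, per router, the NAT ACL not present in the abridged text, no DPD keepalive, and the wildcard key. That is consistent with the reply: the two sides agree on paper, so the next things to look at are IOS version and SA state rather than the encryption settings. The wildcard key should be replaced with per-peer `address` entries once the tunnel is up, since as posted either router will negotiate with any host that knows the key.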

Hi P.dath

Thanks for the response. I abridged the config in the post and ACL 1 is present. All works fine except I can't encrypt the traffic. Unencrypted I can ping etc. no problem. I'll look into the IOS but I don't think that is the issue, as I've tried a few firmwares now.

Noted the keepalive.

I still think it is something to do with the VDSL, as it was working fine on ADSL2+.

Cheers for taking the time.

If you say it works when the crypto is removed, and breaks when you add it back in, I don't think it is likely to be the VDSL - a layer 2 technology.
