11-22-2015 12:02 PM - edited 02-21-2020 08:34 PM
Hello All,
I'm in need of some assistance as I'm going around in circles and, to be honest, I can't work it out.
I have a client who for the past 4 yrs has had 2 sites with bog-standard ADSL+ at each location and an IPsec GRE tunnel between the 2. The client has upgraded both locations to VDSL and as such we've swapped the routers to 867s. We have internet access and the same config, but the VPN tunnel will not come up with IPsec applied. If I remove the IPsec profile from the tunnel interface I can ping etc. no problem between the sites. I apply the IPsec profile and the crypto session fails. I know it's got to be something to do with the VDSL and I suspect it's MTU, but for the life of me I cannot work it out. The config has not changed, i.e. same config applied to a dialer.
Has anyone had this issue? Am I on the right track with the MTU?
My configs. Note: using an open 0.0.0.0 source address for the encryption and no ACLs applied to the dialer at the moment, as I'm just trying to get the tunnel up.
Router A - Tunnel config
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset
!
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.255.14 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination 81.A.A.A
tunnel path-mtu-discovery
tunnel protection ipsec profile encrypt-tunnel
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe-client dial-pool-number 1
!
interface Vlan1
description Home
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
description Phones
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan3
description Media
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1340
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxx@cccc.dddd
ppp chap password 0 ABCD
!ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.34.0 255.255.255.0 Tunnel0
Router B
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface Tunnel0
description vpn link to Main House
ip address 192.168.255.13 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination 81.B.B.B
tunnel path-mtu-discovery
tunnel protection ipsec profile encrypt-tunnel
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1340
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxx@cccc.dddd
ppp chap password 0 ABCD
ip route 0.0.0.0 0.0.0.0 dialer0
ip route 192.168.0.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 Tunnel0
!
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
Any ideas would be appreciated.
Thanks
David
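A worked MTU budget for this setup, as an added example (not from the thread or from either router's output): it assumes a 1492-byte PPPoE outer MTU, plain GRE with no key or sequence option, and ESP tunnel mode with AES-CBC and HMAC-SHA1-96 as in the posted esp-aes esp-sha-hmac transform set, with no NAT-T in the path.

```python
# Added example: MTU budget for GRE over IPsec (ESP tunnel mode) on a PPPoE link,
# using the values from the posted configs (ip mtu 1400, adjust-mss 1360).
# Assumptions: PPPoE over Ethernet leaves a 1492-byte outer MTU; plain GRE
# (4-byte header); ESP with AES-CBC (16-byte block and IV) and HMAC-SHA1-96
# (12-byte ICV), matching "esp-aes esp-sha-hmac"; no NAT-T UDP header.

PPPOE_MTU = 1492          # 1500 Ethernet MTU minus 6 PPPoE + 2 PPP bytes
IP_HDR = 20
GRE_HDR = 4               # no key, sequence or checksum option
ESP_HDR = 8               # SPI + sequence number
AES_BLOCK = 16            # CBC block size; the IV is one block
ESP_TRAILER = 2           # pad length + next header
SHA1_ICV = 12             # HMAC-SHA1-96


def esp_padding(payload_len: int) -> int:
    """Bytes of padding so payload + pad + trailer fills whole AES blocks."""
    return (-(payload_len + ESP_TRAILER)) % AES_BLOCK


def gre_ipsec_tunnel_size(inner_len: int) -> int:
    """Wire size (excluding PPPoE/Ethernet) of an inner IP packet after GRE
    encapsulation and ESP tunnel-mode protection of the whole GRE packet."""
    gre_pkt = IP_HDR + GRE_HDR + inner_len          # GRE packet is the ESP payload
    return (IP_HDR + ESP_HDR + AES_BLOCK + gre_pkt
            + esp_padding(gre_pkt) + ESP_TRAILER + SHA1_ICV)


def max_inner_mtu(outer_mtu: int = PPPOE_MTU) -> int:
    """Largest 'ip mtu' for the tunnel interface whose encrypted packets
    never exceed the outer link MTU (so nothing has to be fragmented)."""
    return max(n for n in range(576, outer_mtu)
               if gre_ipsec_tunnel_size(n) <= outer_mtu)


def mss_for_mtu(ip_mtu: int) -> int:
    """'ip tcp adjust-mss' value matching an interface MTU (20 IP + 20 TCP)."""
    return ip_mtu - 40


if __name__ == "__main__":
    for inner in (1400, 1398):
        print(f"inner {inner} -> {gre_ipsec_tunnel_size(inner)} bytes on the wire "
              f"(outer MTU {PPPOE_MTU})")
    best = max_inner_mtu()
    print("largest fragmentation-free tunnel ip mtu:", best)
    print("matching adjust-mss:", mss_for_mtu(best))
```

Under these assumptions a full 1400-byte inner packet comes out at 1496 bytes, 4 over the 1492 PPPoE MTU, so the router has to fragment it, while 1398 is the largest tunnel ip mtu that stays within 1492; fragmentation alone would not stop the crypto session from forming, but it is worth knowing the budget is this tight on a PPPoE link.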
11-22-2015 01:14 PM
You are missing access-list 1 to control the NAT; however, that alone will not break it.
I suspect you might have an IOS with bugs. Try changing to a "gold star" release on both routers, and make sure both routers are running the same version.
I would also enable keepalives, just in case you have managed to get the SPIs out of sync during testing and there is in fact nothing wrong.
crypto isakmp keepalive 60
11-22-2015 01:21 PM
Hi P.dath
Thanks for the response. I abridged the config in the post and ACL 1 is present. All works fine except I can't encrypt the traffic. Unencrypted I can ping etc. no problem. I'll look into the IOS but I don't think that is the issue, as I've tried a few firmwares now.
Noted the keepalive.
I still think it is something to do with the VDSL, as it was working fine on ADSL2+.
Cheers for taking the time.
11-22-2015 02:58 PM
If you say it works when the crypto is removed, and breaks when you add it back in, I don't think it is likely to be the VDSL - a layer 2 technology.