08-11-2011 12:43 PM
We have multiple site-to-site VPNs. I have a need that involves adding a 2nd VPN between 2 of them. The basics of this is our corporate office is site A and then 2 of our remote locations will be site B and C.
Site A has a VPN set up and working to both site B and C. Our company wants to have a VPN set up now directly from B to C for that traffic while obviously keeping the current VPNs in place.
Site B has a Cisco UC520 and site C has a Cisco 1841. I have followed everything I can find as far as the config examples out there, but I am getting nothing. It is not even failing; there is just no traffic going between.
Here is the config for Site B
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key abcd hostname corporateoffice no-xauth
crypto isakmp key 12345 hostname siteC no-xauth
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
crypto isakmp peer address 10.10.10.1
!
crypto isakmp peer address 10.10.30.1
crypto isakmp profile SiteB
keyring default
self-identity fqdn
match identity host corporateoffice
match identity host siteC
initiate mode aggressive
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set siteB esp-aes esp-sha-hmac
crypto ipsec transform-set siteB-C esp-aes esp-sha-hmac
!
crypto map VPN-siteB isakmp-profile Caleta
crypto map VPN-siteB 10 ipsec-isakmp
set peer 10.10.10.1
set transform-set siteB
match address VPN-list
reverse-route
crypto map VPN-siteB 20 ipsec-isakmp
set peer 10.10.30.1
set transform-set siteB-C
match address VPN-siteC
reverse-route
interface FastEthernet0/0
ip address 10.10.20.1 255.255.255.0
duplex auto
speed auto
crypto map VPN-siteB
Now the config for Site C
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key abcdefg hostname corporateoffice no-xauth
crypto isakmp key 12345 hostname siteB no-xauth
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
crypto isakmp peer address 10.10.10.1
!
crypto isakmp peer address 10.10.20.1
crypto isakmp profile siteC
keyring default
self-identity fqdn
match identity host corporateoffice
match identity host siteB
initiate mode aggressive
!
!
crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set siteC esp-aes esp-sha-hmac
crypto ipsec transform-set siteC-B esp-aes esp-sha-hmac
!
crypto map VPN-siteC isakmp-profile siteC
crypto map VPN-siteC 10 ipsec-isakmp
set peer 10.10.10.1
set transform-set siteC
match address VPN-list
reverse-route
crypto map VPN-siteC 20 ipsec-isakmp
set peer 10.10.20.1
set transform-set siteC-B
match address VPN-siteB
reverse-route
interface FastEthernet0/1
ip address 10.10.30.1 255.255.255.0
duplex auto
speed auto
crypto map VPN-siteC
Again, there is nothing coming through, so it is not failing; they are just not communicating at all.
I would appreciate any help you guys could give.
08-11-2011 01:13 PM
Hi,
Have you removed the B<-->C traffic subnets from the B-->A and C-->A tunnel list (VPN-list) and included them only in the B (VPN-siteC) and C (VPN-siteB) lists?
Also, I am not quite sure if having 2 identical transform set options under two different names (I never tried that) makes any difference here.
Thx
MS
08-11-2011 01:51 PM
Here are the 2 access lists for site B
ip access-list extended VPN-siteC
permit ip 10.10.30.0 0.0.0.255 any
permit ip 10.11.30.0 0.0.0.255 any
permit ip 10.12.30.0 0.0.0.255 any
permit ip 10.13.30.0 0.0.0.255 any
ip access-list extended VPN-list
permit ip 10.10.20.0 0.0.0.255 any
permit ip 10.11.20.0 0.0.0.255 any
permit ip 10.12.20.0 0.0.0.255 any
permit ip 10.13.20.0 0.0.0.255 any
deny ip 10.10.30.0 0.0.0.255 any
deny ip 10.11.30.0 0.0.0.255 any
deny ip 10.12.30.0 0.0.0.255 any
deny ip 10.13.30.0 0.0.0.255 any
This is site C
ip access-list extended VPN-siteB
permit ip 10.10.20.0 0.0.0.255 any
permit ip 10.11.20.0 0.0.0.255 any
permit ip 10.12.20.0 0.0.0.255 any
permit ip 10.13.20.0 0.0.0.255 any
ip access-list extended VPN-list
permit ip 10.10.30.0 0.0.0.255 any
permit ip 10.11.30.0 0.0.0.255 any
permit ip 10.12.30.0 0.0.0.255 any
deny ip 10.10.20.0 0.0.0.255 any
deny ip 10.11.20.0 0.0.0.255 any
deny ip 10.12.20.0 0.0.0.255 any
deny ip 10.13.20.0 0.0.0.255 any
But the thing is the 2 remote sites are not even communicating at their WAN interfaces. If I do a debug at the remote sites for crypto isakmp, there is no IKE traffic between the 2 sites. So it's not that I cannot get traffic for the LAN; it's that I am not even seeing the tunnel trying to get built.
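An added example (not from the thread) that walks site B's crypto map the way IOS does: entries in sequence order, first crypto ACL that permits the packet wins, a deny meaning "not interesting for this entry, try the next one". It uses only the 10.10.20.0/24 and 10.10.30.0/24 lines of the ACLs posted above, and the "fixed" ACL set is an assumed correction for comparison, not something the thread confirms.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def net(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network (wildcard = inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

B_LAN = net("10.10.20.0", "0.0.0.255")   # site B LAN (local at site B)
C_LAN = net("10.10.30.0", "0.0.0.255")   # site C LAN (remote at site B)

# Site B crypto map as posted: (sequence, peer, crypto ACL). IOS walks the entries
# in sequence order and uses the first one whose ACL permits the packet.
CRYPTO_MAP_B = [(10, "10.10.10.1", "VPN-list"), (20, "10.10.30.1", "VPN-siteC")]

# Site B ACLs as posted, reduced to their 10.10.x.0/24 lines: (action, src, dst).
ACLS_POSTED = {
    "VPN-list":  [("permit", B_LAN, ANY), ("deny", C_LAN, ANY)],
    "VPN-siteC": [("permit", C_LAN, ANY)],
}
# Assumed correction (not from the thread): the B-to-C pair is carved out of
# VPN-list first, and VPN-siteC matches local source -> remote destination.
ACLS_FIXED = {
    "VPN-list":  [("deny", B_LAN, C_LAN), ("permit", B_LAN, ANY)],
    "VPN-siteC": [("permit", B_LAN, C_LAN)],
}

def acl_permits(entries, src, dst):
    """First matching line decides; a deny (or no match) means 'not interesting here'."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False

def select_entry(acls, src, dst):
    """Return (sequence, peer) of the crypto map entry that would carry src->dst, or None."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, peer, acl in CRYPTO_MAP_B:
        if acl_permits(acls[acl], src, dst):
            return seq, peer
    return None

if __name__ == "__main__":
    for label, acls in (("posted", ACLS_POSTED), ("fixed", ACLS_FIXED)):
        print(label, "B->C:", select_entry(acls, "10.10.20.5", "10.10.30.5"),
              "B->A:", select_entry(acls, "10.10.20.5", "10.10.10.50"))
```

With the posted ACLs, a packet from the site B LAN to the site C LAN is claimed by sequence 10 (peer 10.10.10.1) before sequence 20 is ever consulted, so no IKE exchange toward 10.10.30.1 is triggered; the posted VPN-siteC only matches packets sourced from site C's subnets, which site B never originates.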
08-12-2011 07:48 AM
Hi,
Can both sites' WAN interfaces see each other directly (ping), or does the traffic trace go via site A?
Also, with permit 'any' in the ACLs, I believe the interesting traffic always tries to go via the first allowed ACL.
Thx
MS
08-12-2011 07:54 AM
The WAN interfaces for the remote sites (sites B and C) can ping each other directly without coming to the corporate office (site A).
I will try messing with the ACLs, but with the tunnel not even trying to be created, could that really be the issue?
08-12-2011 08:20 AM
As far as I know, the tunnel tries to initiate when the interesting traffic triggers it.
Also, I never set up a UC520, so I was checking the data sheet, and all the datasheet tells about is EasyVPN/Remote access connections. Nothing about LAN-to-LAN unless I missed something. I know you already have a connection to site A.
Can you check the Site A router config?
Thx
MS
08-12-2011 08:25 AM
Site A is actually an Adtran router, so none of it is using EasyVPN. I noticed that too for the UC520. I am working on the ACLs now to get them how I want them to see if this works.
08-12-2011 08:32 AM
Ok... Not that you don't know, but you can issue 'sh ver' on the UC520 (if the CLI is supported) and check the supported features.