06-13-2017 01:12 AM - edited 02-21-2020 09:19 PM
Hi everyone,
I need help in creating multiple VPN tunnels to my router. I am using a Cisco router but the other end is a non-Cisco device. Anyway, one of the IPsec peerings is up; then I added two more IPsec peerings to routers B and C. One is stuck in UP-IDLE status and the other one is Down. Please help to check what is wrong with my configuration:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key password1 address 1.1.1.1
crypto isakmp key password2 address 2.2.2.2
crypto isakmp key password3 address 3.3.3.3
crypto ipsec transform-set eq-ipsec esp-3des
crypto map eq-ipsec 1 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime seconds 86400
set transform-set eq-ipsec
match address eq-ipsec
reverse-route static
crypto map eq-ipsec 2 ipsec-isakmp
set peer 2.2.2.2
set security-association lifetime seconds 86400
set transform-set eq-ipsec
match address eq-ipsec-2
reverse-route static
crypto map eq-ipsec 3 ipsec-isakmp
set peer 3.3.3.3
set security-association lifetime seconds 86400
set transform-set eq-ipsec
match address eq-ipsec-3
reverse-route static
interface GigabitEthernet0/1
description internet
ip address 4.4.4.4 255.255.255.255
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
duplex full
speed 100
media-type rj45
negotiation auto
crypto map eq-ipsec
ip access-list extended eq-ipsec
permit ip 10.65.0.0 0.0.63.255 10.1.0.0 0.0.255.255
permit ip 10.65.33.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip 10.152.10.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip 10.65.20.0 0.0.0.255 10.1.0.0 0.0.255.255
ip access-list extended eq-ipsec-2
permit ip 10.65.0.0 0.0.63.255 10.0.0.0 0.0.15.255
permit ip 10.65.0.0 0.0.63.255 10.0.1.0 0.0.0.255
ip access-list extended eq-ipsec-3
permit ip 10.65.0.0 0.0.63.255 10.10.128.0 0.0.7.255
permit ip 10.65.0.0 0.0.63.255 10.10.120.0 0.0.7.255
Appreciate your help!
Cheers,
Jen
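Added here as an example (not from the thread): a small Python linter for a crypto-map configuration like the one above. It checks that every crypto map entry resolves to a pre-shared key for its peer, an existing ACL and a defined transform-set, and flags legacy choices such as 3DES, DH group 2 and an ESP transform with no integrity algorithm (the posted transform-set is esp-3des with no HMAC). The embedded sample is a constructed, cut-down copy of the posted config with the key for 3.3.3.3 and the ACL eq-ipsec-3 left out on purpose so the checker has something to report.

```python
import re
WEAK = {"des", "3des", "md5", "group 1", "group 2", "group 5"}  # legacy IKE/IPsec choices
# Constructed sample derived from the posted config; key for 3.3.3.3 and ACL eq-ipsec-3 omitted on purpose.
SAMPLE = """\
crypto isakmp policy 4
 encr 3des
 group 2
crypto isakmp key password1 address 1.1.1.1
crypto ipsec transform-set eq-ipsec esp-3des
crypto map eq-ipsec 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set eq-ipsec
 match address eq-ipsec
crypto map eq-ipsec 3 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set eq-ipsec
 match address eq-ipsec-3
ip access-list extended eq-ipsec
 permit ip 10.65.0.0 0.0.63.255 10.1.0.0 0.0.255.255
"""

def lint_crypto(config):
    """Return (severity, message) findings for an IOS IKEv1 crypto-map config."""
    keys, acls, tsets, maps, out, section = set(), set(), {}, [], [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            keys.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = m[2]
        elif m := re.match(r"ip access-list extended (\S+)", line):
            acls.add(m[1])
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            section = f"isakmp policy {m[1]}"
        elif m := re.match(r"crypto map (\S+ \d+) ipsec-isakmp", line):
            maps.append({"id": m[1]}); section = "map"
        elif section == "map" and (m := re.match(r"(set peer|set transform-set|match address) (\S+)", line)):
            maps[-1][m[1]] = m[2]
        elif line and section and section != "map" and (line in WEAK or line.split()[-1] in WEAK):
            out.append(("weak", f"{section}: {line}"))
    for mp in maps:  # each entry must resolve to a key for its peer, an ACL and a transform-set
        for field, pool, what in (("set peer", keys, "pre-shared key for peer"),
                                  ("match address", acls, "ACL"), ("set transform-set", tsets, "transform-set")):
            if mp.get(field) not in pool:
                out.append(("error", f"crypto map {mp['id']}: missing {what} {mp.get(field)}"))
    for name, prop in tsets.items():  # legacy cipher, or ESP with no integrity transform
        if any(t in WEAK for t in prop.replace("esp-", "").split()):
            out.append(("weak", f"transform-set {name}: {prop}"))
        if "hmac" not in prop and "gcm" not in prop:
            out.append(("weak", f"transform-set {name}: no integrity (HMAC/GCM) transform"))
    return out
```

Run `lint_crypto(SAMPLE)` (or paste in the full running config) to get the list of errors and weak-crypto findings; the posted config itself has no unresolved references, which is consistent with the tunnels reaching phase 1.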
06-13-2017 01:13 AM
Please note that peering to 1.1.1.1 is up but not working to 2.2.2.2 and 3.3.3.3. Hope it makes sense.
06-13-2017 02:32 AM
Hi Jen,
Please share the logs from the device.
You may need to capture the debugs so that we understand what the exact issue is.
debug crypto condition peer ipv4 <>
debug crypto
debug crypto
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-13-2017 03:54 AM
Hi Aditya,
Thank you for your reply.
The first debug "debug crypto condition peer ipv4 <>" did not give any result.
For debug crypto isakmp:
Jun 13 10:35:02.585: ISAKMP: set new node 1964164746 to QM_IDLE
Jun 13 10:35:02.585: ISAKMP:(1459):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 109183832, message ID = 1964164746
Jun 13 10:35:02.585: ISAKMP:(1459): seq. no 0x4D3306A3
Jun 13 10:35:02.585: ISAKMP:(1459): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 13 10:35:02.585: ISAKMP:(1459):purging node 1964164746
Jun 13 10:35:02.585: ISAKMP:(1459):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Jun 13 10:35:02.585: ISAKMP:(1459):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 13 10:35:02.829: ISAKMP (0:1459): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 13 10:35:02.829: ISAKMP: set new node 1141568911 to QM_IDLE
Jun 13 10:35:02.829: ISAKMP:(1459): processing HASH payload. message ID = 1141568911
Jun 13 10:35:02.829: ISAKMP:(1459): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 1141568911, sa = 7889E80
Jun 13 10:35:02.829: ISAKMP:(1459): DPD/R_U_THERE_ACK received from peer 2.2.2.2, sequence 0x4D3306A3
Jun 13 10:35:02.829: ISAKMP:(1459):deleting node 1141568911 error FALSE reason "Informational (in) state 1"
Jun 13 10:35:02.829: ISAKMP:(1459):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 13 10:35:02.829: ISAKMP:(1459):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 13 10:35:52.832: ISAKMP:(1459):purging node 1141568911
Jun 13 10:38:54.381: ISAKMP: set new node 1822817362 to QM_IDLE
Jun 13 10:38:54.381: ISAKMP:(1459):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 109183832, message ID = 1822817362
Jun 13 10:38:54.381: ISAKMP:(1459): seq. no 0x4D3306A4
Jun 13 10:38:54.381: ISAKMP:(1459): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 13 10:38:54.381: ISAKMP:(1459):purging node 1822817362
Jun 13 10:38:54.381: ISAKMP:(1459):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Jun 13 10:38:54.381: ISAKMP:(1459):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 13 10:38:54.629: ISAKMP (0:1459): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 13 10:38:54.629: ISAKMP: set new node -1636250267 to QM_IDLE
Jun 13 10:38:54.629: ISAKMP:(1459): processing HASH payload. message ID = -1636250267
Jun 13 10:38:54.629: ISAKMP:(1459): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = -1636250267, sa = 7889E80
Jun 13 10:38:54.629: ISAKMP:(1459): DPD/R_U_THERE_ACK received from peer 2.2.2.2, sequence 0x4D3306A4
Jun 13 10:38:54.629: ISAKMP:(1459):deleting node -1636250267 error FALSE reason "Informational (in) state 1"
Jun 13 10:38:54.629: ISAKMP:(1459):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 13 10:38:54.629: ISAKMP:(1459):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
For debug crypto ipsec:
Jun 13 10:44:16.439: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:44:16.439: IPSEC(key_engine_enable_outbound): enable SA with spi 3964532654/50
Jun 13 10:47:25.243: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:47:25.243: IPSEC(key_engine_enable_outbound): enable SA with spi 1194695309/50
Jun 13 10:48:01.857: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:48:01.857: IPSEC(key_engine_enable_outbound): enable SA with spi 2847595008/50
Jun 13 10:51:44.888: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 13 10:51:44.888: IPSEC(key_engine_enable_outbound): enable SA with spi 4015930798/50
Thank you.
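Added here as an example, not part of the thread: a Python summariser for "debug crypto isakmp" output in the format shown above. It groups lines by IKE SA id, tracks the peer, the last state and the DPD sequence numbers sent and acknowledged, and reports per SA whether phase 1 is complete and the peer answers DPD. The sample log is constructed: the SA 1459 lines are taken from the post (reflowed to one line each), and the SA 1460 trace towards 3.3.3.3 is an invented main-mode attempt added for contrast.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the debug output above: SA 1459 to 2.2.2.2 is taken from the
# post (one DPD round trip); SA 1460 to 3.3.3.3 is an invented trace of a main-mode attempt.
LOG = """\
Jun 13 10:35:02.585: ISAKMP:(1459):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 109183832, message ID = 1964164746
Jun 13 10:35:02.585: ISAKMP:(1459): seq. no 0x4D3306A3
Jun 13 10:35:02.585: ISAKMP:(1459): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 13 10:35:02.585: ISAKMP:(1459):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 13 10:35:02.829: ISAKMP (0:1459): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 13 10:35:02.829: ISAKMP:(1459): DPD/R_U_THERE_ACK received from peer 2.2.2.2, sequence 0x4D3306A3
Jun 13 10:36:10.101: ISAKMP:(1460): sending packet to 3.3.3.3 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 13 10:36:10.101: ISAKMP:(1460):Old State = IKE_READY New State = IKE_I_MM1
"""
SA_RE = re.compile(r"ISAKMP[: ]\(?(?:0:)?(\d+)\)")  # "ISAKMP:(1459)" and "ISAKMP (0:1459)" both carry the SA id

def parse_debug(log):
    """Group ISAKMP debug lines by IKE SA id: peer, last state, DPD sequence numbers sent and acked."""
    sas = defaultdict(lambda: {"peer": None, "state": None, "dpd_sent": [], "dpd_acked": []})
    pending = set()  # SA ids whose "Sending NOTIFY DPD/R_U_THERE" line awaits its "seq. no" line
    for line in log.splitlines():
        if not (sa_m := SA_RE.search(line)):
            continue
        sa_id, sa = sa_m[1], sas[sa_m[1]]
        if m := re.search(r"(?:sending packet to|received packet from|received from peer) (\d+\.\d+\.\d+\.\d+)", line):
            sa["peer"] = m[1]
        if "Sending NOTIFY DPD/R_U_THERE protocol" in line:
            pending.add(sa_id)
        elif sa_id in pending and (m := re.search(r"seq\. no (0x[0-9A-Fa-f]+)", line)):
            sa["dpd_sent"].append(m[1]); pending.discard(sa_id)
        if m := re.search(r"R_U_THERE_ACK received from peer \S+, sequence (0x[0-9A-Fa-f]+)", line):
            sa["dpd_acked"].append(m[1])
        if m := re.search(r"New State = (\S+)", line):
            sa["state"] = m[1]
    return dict(sas)

def assess(log):
    """One diagnostic line per IKE SA: is phase 1 up, and is the peer answering DPD?"""
    notes = []
    for sa_id, sa in parse_debug(log).items():
        unanswered = sorted(set(sa["dpd_sent"]) - set(sa["dpd_acked"]))
        if sa["state"] != "IKE_P1_COMPLETE":
            notes.append(f"SA {sa_id} to {sa['peer']}: phase 1 not complete (last state {sa['state']})")
        elif unanswered:
            notes.append(f"SA {sa_id} to {sa['peer']}: phase 1 complete but DPD {unanswered} unanswered")
        else:
            dpd = " and DPD acknowledged" if sa["dpd_sent"] else ""
            notes.append(f"SA {sa_id} to {sa['peer']}: phase 1 complete{dpd}; IKE is healthy, "
                         "so look at phase 2 (show crypto ipsec sa, ACL / proxy-ID match)")
    return notes
```

Applied to the posted lines, this reports the SA to 2.2.2.2 as phase 1 complete with DPD acknowledged, so that debug alone does not explain the UP-IDLE state; the next thing to compare is phase 2 (show crypto ipsec sa and whether the match-address ACL agrees with the peer's proxy IDs).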
06-27-2017 06:04 AM
Do I need to create crypto isakmp policy on each tunnel?