IPSEC Only starting from one side (Spoke side)

alanwright1
Level 1

Hi,

I have a hub and spoke setup with IPSEC.

If interesting traffic comes from the spoke, the IPsec SA starts and works perfectly. However, once the link idles out and there is no more traffic, the hub shows this with the sh crypto isa sa command:

196.47.133.38   185.20.242.61   QM_IDLE           1017 ACTIVE

sh cryp ips sa peer 196.47.133.38 shows nothing at all.

I have checked my routing and NAT denies to make sure that is not the issue.

I then checked the crypto ACLs when I send traffic; I see the crypto ACLs are incrementing correctly, but still the SA won't activate. If I look at the IPsec debug I also see nothing.

I am using a dynamic map with each spoke end on its own ACL, as follows:

crypto dynamic-map dynmap 5
 set peer 111.116.206.92
 set transform-set des-transform
 match address 171
crypto dynamic-map dynmap 10
 set peer 111.47.132.38
 set transform-set des-transform
 match address 172
crypto dynamic-map dynmap 15
 set peer 111.174.150.47
 set transform-set des-transform
 match address 173
crypto dynamic-map dynmap 20
 set peer 111.166.108.250
 set transform-set des-transform
 match address 174
crypto dynamic-map dynmap 100
 set transform-set des-transform
 match address 170

c2800nm-adventerprisek9_ivs_li-mz.151-4.m6.bin on a 2811

Any ideas?

Thanks
Alan

Accepted Solution

sachinga.hcl
Level 4

Hi Alan,

1. Please always remember that when you use dynamic crypto maps they are most of the time used for site-to-client, or say remote access VPN, but they can also be used in site-to-site VPN when you want to restrict that only one party can initiate the tunnel and the other party, with the dynamic map, can never initiate a tunnel. In those conditions your gateway never knows the IP of the other side client and hence will never initiate a connection to home or Internet users so as to build a tunnel. Only the home user has to initiate a connection for establishing a tunnel as and when needed, as their IP could be dynamic and your HUB never knows which IP they will come from, as the IP could change based on the location or vendor Internet you connect from.

2. Once you configure a dynamic crypto map on your ASA, you mean to say you don't know the other side peer IP, as told above, and only the other side peer (in this case the client) will initiate a tunnel; hence set peer IP has no meaning within a dynamic crypto map.

3. Once you define a dynamic crypto map, you always have to associate it to a static crypto map, as you cannot associate a dynamic crypto map directly to a device's outside interface.

Example

Step 1

Define the dynamic crypto map as follows:

crypto dynamic-map mymap 1 set transform-set myset
crypto dynamic-map mymap 1 set reverse-route

(In line 2 you are instructing your ASA or HUB device that the other client, after establishing a client-to-site tunnel with this machine, can insert a static route dynamically at the top of the routing table, so that the traffic for the client can use the static route instead of the default route and save time; otherwise it has to traverse all the routers to reach the default route every time communication happens between the new IP of the client machine on home Internet and the office firewall/ASA.)


Step 2

Now call the above dynamic map named mymap into a static crypto map (named dyn-map) as follows:

crypto map dyn-map 10 ipsec-isakmp dynamic mymap

Step 3

Assign this static crypto map to an interface so as to actually apply the dynamic crypto map, which, as told before, can't be applied directly:

crypto map dyn-map interface outside

Please share the configuration of HUB and spoke in separate files and state who is HUB and who are spoke 1, spoke 2, spoke 3 and so on.

I hope I can offer you clearer help after that.

Best regards

sachin garg
sachin.koenig@gmail.com

4 Replies

alanwright1
Level 1

Thanks Sachin,

I suspected this was the case with dynamic maps, but your help has guided me to a better approach.

I have now gone for a bunch of static map entries for my known endpoints and a dynamic one at the bottom for the unknown endpoints.

Now I just need to find out why my spoke-to-spoke isn't very robust; lots of packet loss. I am suspecting the 2811 though.

Config really looks fine

Hi Alan,

Please share the configuration of the 2811 router so that I can offer you more details in detecting why there is packet loss, and whether it is reaching the limit of traffic that it can handle.

Best Regards

Sachin Garg

Here you go Sachin

Edge routers are 1801s.

Hub is a 2811.

Edge ACLs are a mirror of what is in the ACLs associated to each map line.

As far as I can see the default route is correct, and all the crypto traffic should not be NAT'd or go elsewhere but hit Po1.100 on the way out.

Symptoms are that a person pinging from, say, 10.192.112.5 (spoke) to the destination 10.192.40.10 (hub) will work perfectly, but the same user 10.192.112.5 won't be able to ping 10.192.73.10 (spoke) or 10.192.113.5 (spoke).

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c2811-test
!
boot-start-marker
boot system flash:/c2800nm-adventerprisek9_ivs_li-mz.151-4.m6.bin
boot-end-marker
!
!
no logging console
!
aaa session-id common
!
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1226746475
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1226746475
 revocation-check none
 rsakeypair TP-self-signed-1226746475
!
!
crypto pki certificate chain TP-self-signed-1226746475
 certificate self-signed 01
        quit
!
!
license udi pid CISCO2811 sn FCZ1047729M
archive
 log config
  hidekeys
!
redundancy
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key address 196.47.132.38
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 360
!
!
crypto ipsec transform-set des-transform esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 100
 set transform-set des-transform
 match address 170
!
!
crypto map dyntrans 10 ipsec-isakmp
 set peer 81.174.150.47
 set transform-set des-transform
 match address 173
crypto map dyntrans 20 ipsec-isakmp
 set peer 196.47.132.38
 set transform-set des-transform
 set reverse-route tag 1
 match address 172
crypto map dyntrans 30 ipsec-isakmp
 set peer 62.116.206.92
 set transform-set des-transform
 match address 171
crypto map dyntrans 40 ipsec-isakmp
 set peer 95.166.108.250
 set transform-set des-transform
 match address 174
crypto map dyntrans 50 ipsec-isakmp
 set peer 78.193.137.76
 set transform-set des-transform
 match address 175
crypto map dyntrans 100 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
interface Port-channel1
 no ip address
 hold-queue 150 in
!
interface Port-channel1.8
 encapsulation dot1Q 8
 ip address 10.192.8.1 255.255.255.0
!
interface Port-channel1.16
 encapsulation dot1Q 16
 ip address 10.192.16.1 255.255.255.0
 ip information-reply
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.32
 encapsulation dot1Q 32
 ip address 10.192.32.1 255.255.255.0
 ip information-reply
!
interface Port-channel1.40
 encapsulation dot1Q 40
 ip address 10.192.40.1 255.255.255.0
 ip information-reply
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.100
 encapsulation dot1Q 100
 ip address 185.20.242.61 255.255.255.248
 ip access-group WORLD-IN in
 ip nat outside
 ip virtual-reassembly in
 crypto map dyntrans
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 channel-group 1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 115 interface Loopback2 overload
ip nat inside source list 116 interface Loopback0 overload
ip nat inside source list 161 interface Port-channel1.100 overload
ip nat inside source static tcp 10.192.16.11 25 185.20.242.50 25 extendable
ip nat inside source static tcp 10.192.16.11 143 185.20.242.50 143 extendable
ip nat inside source static tcp 10.192.16.11 993 185.20.242.50 993 extendable
ip nat inside source static tcp 10.192.16.11 25 185.20.242.50 1025 extendable
ip nat inside source static tcp 10.192.16.11 80 185.20.242.51 80 extendable
ip nat inside source static tcp 10.192.16.11 443 185.20.242.51 443 extendable
ip nat inside source static udp 10.192.16.2 5060 185.20.242.52 5060 extendable
ip nat inside source static tcp 10.192.16.32 80 185.20.242.53 80 extendable
ip nat inside source static tcp 10.192.16.31 8081 185.20.242.54 8081 extendable
ip route 0.0.0.0 0.0.0.0 185.20.242.57
ip route 185.20.242.32 255.255.255.240 185.20.242.58
!
ip access-list standard OAM-IN
 permit 10.209.2.0 0.0.0.255 log
 permit 10.29.32.0 0.0.3.255
 permit 10.192.0.0 0.0.255.255 log
!
ip access-list extended WORLD-IN
 remark General Stuff
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark Drop SMB/Netbios noise
 deny   tcp any any eq 445
 deny   tcp any any eq 137
 permit tcp any any established
 remark Nianet/TDC NTP servers
 permit udp host 83.136.89.6 any eq ntp
 permit udp host 83.136.89.4 any eq ntp
 permit udp host 193.162.159.194 any eq ntp
 remark Nianet DNS
 permit udp host 83.136.89.6 eq domain any
 permit udp host 83.136.89.4 eq domain any
 remark Any DNS to infon
 permit udp any eq domain host 185.20.242.61
 remark Services
 permit tcp any host 185.20.242.50 eq smtp
 permit tcp any host 185.20.242.50 eq 143
 permit tcp any host 185.20.242.50 eq 993
 permit tcp any host 185.20.242.51 eq www
 permit tcp any host 185.20.242.51 eq 443
 permit tcp any host 185.20.242.54 eq 8081
 permit esp host 62.116.206.92 host 185.20.242.61
 permit ip host 62.116.206.92 host 185.20.242.61
 permit esp host 81.174.150.47 host 185.20.242.61
 permit ip host 81.174.150.47 host 185.20.242.61
 permit ip host 92.26.172.37 host 185.20.242.61
 permit esp host 92.26.172.37 host 185.20.242.61
 permit ip 78.147.0.0 0.0.255.255 host 185.20.242.61
 permit ip host 78.193.137.76 host 185.20.242.61
 permit esp 78.147.0.0 0.0.255.255 host 185.20.242.61
 permit ip host 95.166.108.250 host 185.20.242.61
 permit esp host 95.166.108.250 host 185.20.242.61
 permit ip host 78.147.99.41 host 185.20.242.61
 permit tcp any host 185.20.242.61 eq 443
 permit udp any host 185.20.242.61 eq netbios-ns
 permit ip host 79.170.187.234 host 185.20.242.55
 permit tcp any host 185.20.242.61 eq 1723
 permit gre any host 185.20.242.61
 permit udp host 194.247.61.32 host 185.20.242.52
 permit udp host 194.247.61.31 host 185.20.242.52
 permit udp 62.41.83.0 0.0.0.255 host 185.20.242.52
 permit udp 77.72.168.0 0.0.0.255 host 185.20.242.52
 permit udp 77.192.32.0 0.0.0.255 host 185.20.242.52
 permit udp 80.239.235.0 0.0.0.255 host 185.20.242.52
 permit udp 194.120.0.0 0.0.0.255 host 185.20.242.52
 permit udp 195.219.64.0 0.0.0.255 host 185.20.242.52
 permit udp 203.192.180.224 0.0.0.15 host 185.20.242.52
 permit udp 208.176.230.112 0.0.0.15 host 185.20.242.52
 permit tcp any host 185.20.242.50 eq 1025
 permit tcp any host 185.20.242.53 eq www
 permit udp any eq non500-isakmp host 185.20.242.61 eq non500-isakmp
 permit udp any eq isakmp host 185.20.242.61 eq isakmp
 permit esp any host 185.20.242.61
 deny   ip any any log
!
access-list 1 permit 196.47.132.38
access-list 15 permit 10.192.16.2
access-list 80 permit 10.192.69.0 0.0.0.255
access-list 115 deny   ip host 10.192.16.2 10.192.0.0 0.0.255.255
access-list 115 permit ip host 10.192.16.2 any
access-list 116 permit tcp 10.192.0.0 0.0.255.255 any eq smtp
access-list 161 deny   ip any 10.0.0.0 0.255.255.255
access-list 161 permit ip 10.192.40.0 0.0.0.255 any
access-list 161 permit ip 10.192.16.0 0.0.0.255 any
access-list 170 permit ip 10.209.0.0 0.0.255.255 10.192.72.0 0.0.3.255
access-list 170 permit ip 10.209.0.0 0.0.255.255 10.192.112.0 0.0.15.255
access-list 170 permit ip 10.192.0.0 0.0.63.255 10.192.72.0 0.0.3.255
access-list 170 permit ip 10.192.0.0 0.0.63.255 10.192.112.0 0.0.15.255
access-list 170 permit ip 10.192.72.0 0.0.7.255 10.192.112.0 0.0.15.255
access-list 170 permit ip 10.192.112.0 0.0.15.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.209.0.0 0.0.255.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.192.0.0 0.0.63.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.192.64.0 0.0.31.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.192.112.0 0.0.15.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.192.128.0 0.0.15.255 10.192.72.0 0.0.3.255
access-list 172 permit ip 10.192.0.0 0.0.63.255 10.192.128.0 0.0.0.63
access-list 172 permit ip 10.192.112.0 0.0.15.255 10.192.128.0 0.0.0.63
access-list 172 permit ip 10.192.72.0 0.0.7.255 10.192.128.0 0.0.0.63
access-list 172 permit ip 10.209.2.0 0.0.0.255 10.192.128.0 0.0.0.63
access-list 173 permit ip 10.192.0.0 0.0.63.255 10.192.112.64 0.0.0.63
access-list 173 permit ip 10.192.64.0 0.0.31.255 10.192.112.64 0.0.0.63
access-list 173 permit ip 10.192.112.0 0.0.15.255 10.192.112.64 0.0.0.63
access-list 173 permit ip 10.192.128.0 0.0.15.255 10.192.112.64 0.0.0.63
access-list 173 permit ip 10.209.0.0 0.0.255.255 10.192.112.64 0.0.0.63
access-list 174 permit ip 10.192.0.0 0.0.63.255 10.192.112.0 0.0.0.63
access-list 174 permit ip 10.192.64.0 0.0.31.255 10.192.112.0 0.0.0.63
access-list 174 permit ip 10.192.112.0 0.0.15.255 10.192.112.0 0.0.0.63
access-list 174 permit ip 10.192.128.0 0.0.15.255 10.192.112.0 0.0.0.63
access-list 174 permit ip 10.209.0.0 0.0.255.255 10.192.112.0 0.0.0.63
access-list 175 permit ip 10.192.0.0 0.0.63.255 10.192.113.64 0.0.0.63
access-list 175 permit ip 10.192.64.0 0.0.31.255 10.192.113.64 0.0.0.63
access-list 175 permit ip 10.192.112.0 0.0.15.255 10.192.113.64 0.0.0.63
access-list 175 permit ip 10.192.128.0 0.0.15.255 10.192.113.64 0.0.0.63
access-list 175 permit ip 10.209.0.0 0.0.255.255 10.192.113.64 0.0.0.63
access-list 185 permit udp any any eq 1813
access-list 185 permit udp any any eq 1646
nls resp-timeout 1
cpd cr-id 1
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
!
line con 0
line aux 0
line vty 0 4
 access-class OAM-IN in
 password hasldfhohdsah
 transport input all
!
scheduler allocate 20000 1000
ntp master
ntp server 193.162.159.194
!
c2811-test#
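As an added example (not part of the thread), the following Python walks the hub's crypto map exactly as IOS selects an outbound entry: the first sequence whose crypto ACL permits src->dst decides the peer, so for a spoke-to-spoke flow that the hub decrypts and re-encrypts, both directions need a hit and each should point at the spoke that owns the destination. The map and ACLs are transcribed from the 2811 config posted above (wildcard masks rewritten as prefix lengths), and the flows checked are the ones Alan names.

```python
"""Walk the hub's crypto map the way IOS selects an outbound entry: the first
sequence whose crypto ACL permits src->dst decides the peer the packet is
encrypted to; no match means the packet leaves the interface in the clear."""
import ipaddress
# Hub data transcribed from the 2811 config posted above; crypto ACL wildcard
# masks rewritten as prefix lengths (e.g. 0.0.3.255 -> /22, 0.0.0.63 -> /26).
CRYPTO_MAP = [  # (sequence, peer, crypto ACL); peer None = dynamic entry
    (10, "81.174.150.47", 173),
    (20, "196.47.132.38", 172),
    (30, "62.116.206.92", 171),
    (40, "95.166.108.250", 174),
    (50, "78.193.137.76", 175),
    (100, None, 170),  # crypto map dyntrans 100 ipsec-isakmp dynamic dynmap
]
ACLS = {  # each ACE written as source>destination
    170: "10.209.0.0/16>10.192.72.0/22 10.209.0.0/16>10.192.112.0/20 10.192.0.0/18>10.192.72.0/22 "
         "10.192.0.0/18>10.192.112.0/20 10.192.72.0/21>10.192.112.0/20 10.192.112.0/20>10.192.72.0/22",
    171: "10.209.0.0/16>10.192.72.0/22 10.192.0.0/18>10.192.72.0/22 10.192.64.0/19>10.192.72.0/22 "
         "10.192.112.0/20>10.192.72.0/22 10.192.128.0/20>10.192.72.0/22",
    172: "10.192.0.0/18>10.192.128.0/26 10.192.112.0/20>10.192.128.0/26 "
         "10.192.72.0/21>10.192.128.0/26 10.209.2.0/24>10.192.128.0/26",
    173: "10.192.0.0/18>10.192.112.64/26 10.192.64.0/19>10.192.112.64/26 10.192.112.0/20>10.192.112.64/26 "
         "10.192.128.0/20>10.192.112.64/26 10.209.0.0/16>10.192.112.64/26",
    174: "10.192.0.0/18>10.192.112.0/26 10.192.64.0/19>10.192.112.0/26 10.192.112.0/20>10.192.112.0/26 "
         "10.192.128.0/20>10.192.112.0/26 10.209.0.0/16>10.192.112.0/26",
    175: "10.192.0.0/18>10.192.113.64/26 10.192.64.0/19>10.192.113.64/26 10.192.112.0/20>10.192.113.64/26 "
         "10.192.128.0/20>10.192.113.64/26 10.209.0.0/16>10.192.113.64/26",
}

def acl_permits(acl, src, dst):
    """True if any ACE of crypto ACL `acl` permits src -> dst."""
    for ace in ACLS[acl].split():
        s, d = (ipaddress.ip_network(n) for n in ace.split(">"))
        if src in s and dst in d:
            return True
    return False

def select_entry(src, dst):
    """(sequence, peer) of the first crypto map entry matching src -> dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, peer, acl in CRYPTO_MAP:
        if acl_permits(acl, src, dst):
            return seq, peer
    return None

def spoke_to_spoke(a, b):
    """The hub must re-encrypt a->b toward spoke B and the reply b->a toward
    spoke A, so a spoke-to-spoke flow needs a hit in both directions."""
    return select_entry(a, b), select_entry(b, a)

if __name__ == "__main__":
    print(select_entry("10.192.40.10", "10.192.112.5"))   # hub LAN -> spoke: (40, ...)
    print(spoke_to_spoke("10.192.112.5", "10.192.73.10"))  # hits both ways
    print(spoke_to_spoke("10.192.112.5", "10.192.113.5"))  # (None, (40, ...))
```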