09-29-2002 03:07 PM - edited 02-21-2020 12:05 PM
Hi All,
Got a curly one. I have a VPN based WAN with 827's and 801's at the remote sites (13 of 'em) with the 827's doing GRE tunneling over IPSEC via ADSL to a 2620XM. The 801's dial a 2620 with a PRI using dialer-watch if the ADSL goes down. Routing is all EIGRP and the 827 / 801 are running HSRP in case one of them pops. My problem is that I periodically have to "clear cry sa" on the remote routers in order to get the IPSEC sessions active again. It's like the SA is timing out but not then invoking IKE to re-establish the session. Any ideas? Similar configs out there? Thanks.
10-04-2002 07:49 AM
You could set up 'crypto isakmp keepalive' commands on both sides so that if either side went down keepalives would be missed and tunnels would automatically delete after missing 3 keepalives (approx 45 seconds with default 15 keepalive interval).
10-04-2002 04:40 PM
Thanks for your input, but I already have keepalives set. To explain a little further...
The remote sites are all using a "home" ADSL product with no static IP address, and so must initiate the IPSEC negotiation to the 2620 at the central site. The central site router is configured with dynamic maps. Perhaps if I include some configs, someone out there might see the problem. It may be related to some issues I had in getting the IPSEC to work in the first place. As is evidenced by the configs, I have to bounce the traffic off a loopback for some reason. Anyway, below are the edited configs.
Remote Site:
Using 2753 out of 131072 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname mrc_rout_rt1
!
logging rate-limit console 10 except errors
enable secret
enable password
!
ip subnet-zero
ip name-server 192.168.41.1
!
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set s8 esp-des
!
crypto map mrc local-address Dialer0
crypto map mrc 5 ipsec-isakmp
set peer
set transform-set s8
match address 120
!
!
!
!
interface Loopback0
ip address 192.168.249.1 255.255.255.0
crypto map mrc
!
interface Tunnel0
bandwidth 256
ip address 192.168.11.42 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.253.1
crypto map mrc
!
interface Ethernet0
ip address 192.168.42.9 255.255.255.0
ip nat inside
standby ip 192.168.42.10
standby priority 100
standby preempt
standby track AT0
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
crypto map mrc
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname
ppp chap password
ppp timeout ncp 20
crypto map mrc
!
router eigrp 7739
network 192.168.11.0
network 192.168.42.0
default-metric 512 8 255 1 1500
no auto-summary
no eigrp log-neighbor-changes
!
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.253.1 255.255.255.255 Loopback0
no ip http server
!
access-list 105 deny ip 192.168.42.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 105 permit ip 192.168.42.0 0.0.0.255 any
access-list 120 permit ip host 192.168.249.1 host 192.168.253.1
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 105
!
snmp-server engineID local 800000090300000196A490C7
snmp-server community
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps entity
snmp-server enable traps syslog
snmp-server host
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 0 0
password
login
!
scheduler max-task-time 5000
end
mrc_rout_rt1#
Central Site 2620:
Using 10320 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname s8_vpn_rout
!
logging buffered 4096 debugging
enable secret
enable password
!
memory-size iomem 10
ip subnet-zero
!
!
ip name-server 192.168.41.1
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set test esp-des
!
crypto dynamic-map pho 5
description dynamic map to phoenician
set transform-set test
match address 130
!
crypto dynamic-map equ 6
description dynamic map to equinox
set transform-set test
match address 135
!
crypto dynamic-map imp 7
description dynamic map to imperial surf
set transform-set test
match address 140
!
crypto dynamic-map mrc 8
description dynamic map to moroccan
set transform-set test
match address 145
!
crypto dynamic-map stp 9
description dynamic map to st. tropez
set transform-set test
match address 150
!
crypto dynamic-map ray 10
description dynamic map to rays
set transform-set test
match address 155
!
crypto dynamic-map alo 11
description dynamic map to aloha
set transform-set test
match address 160
!
crypto dynamic-map end 12
description dynamic map to enderley gardens
set transform-set test
match address 165
!
crypto dynamic-map arb 13
description dynamic map to aruba beach
set transform-set test
match address 170
!
crypto dynamic-map sir 14
description dynamic map to sirocco
set transform-set test
match address 175
!
crypto dynamic-map zan 15
description dynamic map to zanzibar
set transform-set test
match address 180
!
crypto dynamic-map spn 16
description dynamic map to south pacific noosa
set transform-set test
match address 185
!
!
crypto map fitbiz local-address Virtual-Template1
crypto map fitbiz 1 ipsec-isakmp
set peer
set transform-set test
match address 120
crypto map fitbiz 2 ipsec-isakmp dynamic pho
crypto map fitbiz 3 ipsec-isakmp dynamic equ
crypto map fitbiz 4 ipsec-isakmp dynamic imp
crypto map fitbiz 5 ipsec-isakmp dynamic mrc
crypto map fitbiz 6 ipsec-isakmp dynamic stp
crypto map fitbiz 7 ipsec-isakmp dynamic ray
crypto map fitbiz 8 ipsec-isakmp dynamic alo
crypto map fitbiz 9 ipsec-isakmp dynamic end
crypto map fitbiz 10 ipsec-isakmp dynamic arb
crypto map fitbiz 11 ipsec-isakmp dynamic sir
crypto map fitbiz 12 ipsec-isakmp dynamic zan
crypto map fitbiz 13 ipsec-isakmp dynamic spn
!
!
!
!
!
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 192.168.253.1 255.255.255.0
crypto map fitbiz
!
interface Tunnel0
description tunnel interface to fitbiz nmc
bandwidth 256
ip address 192.168.11.2 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.254.1
crypto map fitbiz
!
interface Tunnel1
description tunnel interface to phoenician
bandwidth 128
ip address 192.168.11.33 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.250.1
crypto map fitbiz
!
interface Tunnel2
description tunnel interface to equinox
bandwidth 128
ip address 192.168.11.37 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.248.1
crypto map fitbiz
!
interface Tunnel3
description tunnel interface to moroccan
bandwidth 128
ip address 192.168.11.41 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.249.1
crypto map fitbiz
!
interface Tunnel4
description tunnel interface to st. tropez
bandwidth 128
ip address 192.168.11.45 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.247.1
crypto map fitbiz
!
interface Tunnel5
description tunnel interface to aruba beach
bandwidth 128
ip address 192.168.11.49 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.246.1
crypto map fitbiz
!
interface Tunnel6
description tunnel interface to Imperial Surf
bandwidth 128
ip address 192.168.11.53 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.245.1
crypto map fitbiz
!
interface Tunnel7
description tunnel interface to enderley gardens
bandwidth 128
ip address 192.168.11.57 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.244.1
crypto map fitbiz
!
interface Tunnel8
description tunnel interface to rays
bandwidth 128
ip address 192.168.11.61 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.243.1
crypto map fitbiz
!
interface Tunnel9
description tunnel interface to aloha
bandwidth 128
ip address 192.168.11.65 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.242.1
crypto map fitbiz
!
interface Tunnel10
description tunnel interface to south pacific
bandwidth 128
ip address 192.168.11.69 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.241.1
crypto map fitbiz
!
interface Tunnel11
description tunnel interface to sirocco
bandwidth 128
ip address 192.168.11.73 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.239.1
crypto map fitbiz
!
interface Tunnel12
description tunnel interface to zanzibar
bandwidth 128
ip address 192.168.11.77 255.255.255.252
tunnel source Loopback0
tunnel destination 192.168.240.1
crypto map fitbiz
!
interface ATM0/0
no ip address
ip nat outside
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp Virtual-Template1
!
dsl operating-mode auto
no fair-queue
crypto map fitbiz
!
interface FastEthernet0/0
ip address 192.168.41.10 255.255.255.0
ip nat inside
no ip split-horizon
duplex auto
speed auto
!
interface ATM0/1
no ip address
ip nat outside
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp Virtual-Template1
!
dsl operating-mode auto
no fair-queue
crypto map fitbiz
!
interface Virtual-Template1
ip address
ip nat outside
ip tcp header-compression passive
ppp authentication chap callin optional
ppp chap hostname
ppp chap password
ppp direction callout
crypto map fitbiz
!
router eigrp 7739
network 192.168.11.0
network 192.168.41.0
no auto-summary
no eigrp log-neighbor-changes
!
ip nat pool extip
ip nat inside source route-map nonat pool extip overload
ip classless
ip route 0.0.0.0 0.0.0.0
no ip http server
ip pim bidir-enable
!
!
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.44.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.45.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.46.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.47.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.49.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 105 permit ip 192.168.41.0 0.0.0.255 any
access-list 120 permit ip host 192.168.253.1 host 192.168.254.1
access-list 130 permit ip host 192.168.253.1 host 192.168.250.1
access-list 135 permit ip host 192.168.253.1 host 192.168.248.1
access-list 140 permit ip host 192.168.253.1 host 192.168.245.1
access-list 145 permit ip host 192.168.253.1 host 192.168.249.1
access-list 150 permit ip host 192.168.253.1 host 192.168.247.1
access-list 155 permit ip host 192.168.253.1 host 192.168.243.1
access-list 160 permit ip host 192.168.253.1 host 192.168.242.1
access-list 165 permit ip host 192.168.253.1 host 192.168.244.1
access-list 170 permit ip host 192.168.253.1 host 192.168.246.1
access-list 175 permit ip host 192.168.253.1 host 192.168.239.1
access-list 180 permit ip host 192.168.253.1 host 192.168.240.1
access-list 185 permit ip host 192.168.253.1 host 192.168.241.1
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 105
!
snmp-server community
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps pppoe
snmp-server enable traps ipmobile
snmp-server enable traps vtp
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps voice poor-qov
snmp-server enable traps dnis
snmp-server enable traps xgcp
snmp-server host
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password
login
!
!
end
s8_vpn_rout#
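With a hub built from dynamic maps only the spoke can initiate, so one thing worth ruling out before chasing timers is a spoke whose crypto ACL, GRE endpoints and keepalive settings do not line up exactly with the hub's. The Python below is an added example and is not code from the thread or from Cisco: it parses constructed excerpts of the two posted configs (the redacted peer address is replaced by a placeholder and only the lines the checks read are kept), verifies that each spoke crypto ACL entry is mirrored by an ACL referenced from one of the hub's dynamic maps, that the GRE tunnel source and destination are the host pair the crypto ACL encrypts, that a tunnel interface on the hub points back at the spoke, and that `crypto isakmp keepalive` is present on both sides. It also lists the DES and MD5 choices in the transform set and ISAKMP policy, which are legacy algorithms a current deployment would replace. The parser handles only the commands it needs and treats stripped indentation the way the thread shows it.

```python
import re

# Constructed excerpt of the spoke config ("mrc_rout_rt1") from the thread.
# The peer address was redacted in the post, so it is a placeholder here.
SPOKE_CFG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp keepalive 60
crypto ipsec transform-set s8 esp-des
crypto map mrc local-address Dialer0
crypto map mrc 5 ipsec-isakmp
 set peer HUB_PUBLIC_IP_PLACEHOLDER
 set transform-set s8
 match address 120
interface Loopback0
 ip address 192.168.249.1 255.255.255.0
 crypto map mrc
interface Tunnel0
 ip address 192.168.11.42 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.253.1
 crypto map mrc
access-list 120 permit ip host 192.168.249.1 host 192.168.253.1
"""

# Constructed excerpt of the hub config ("s8_vpn_rout"), only the parts for this spoke.
HUB_CFG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp keepalive 60
crypto ipsec transform-set test esp-des
crypto dynamic-map mrc 8
 description dynamic map to moroccan
 set transform-set test
 match address 145
crypto map fitbiz local-address Virtual-Template1
crypto map fitbiz 5 ipsec-isakmp dynamic mrc
interface Loopback0
 ip address 192.168.253.1 255.255.255.0
 crypto map fitbiz
interface Tunnel3
 description tunnel interface to moroccan
 ip address 192.168.11.41 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.249.1
 crypto map fitbiz
access-list 145 permit ip host 192.168.253.1 host 192.168.249.1
"""

# Constructed broken variant: the hub points at the wrong spoke loopback.
BAD_HUB_CFG = HUB_CFG.replace("192.168.249.1", "192.168.248.1")

SECTION_RE = re.compile(r"^(router|line|crypto isakmp policy)\s")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
DMAP_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit ip host (\S+) host (\S+)")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
KEEP_RE = re.compile(r"^crypto isakmp keepalive (\d+)")
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_ios(text):
    """Minimal IOS running-config parser for just the lines the checks need."""
    cfg = {"acl": {}, "intf": {}, "crypto_acls": set(),
           "transforms": {}, "keepalive": None, "isakmp_hash": None}
    section = None  # ("intf", name) | ("map", name) | ("other", header) | None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ACL_RE.match(line):
            cfg["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := TSET_RE.match(line):
            cfg["transforms"][m.group(1)] = m.group(2).split()
        elif m := KEEP_RE.match(line):
            cfg["keepalive"] = int(m.group(1))
        elif m := (CMAP_RE.match(line) or DMAP_RE.match(line)):
            section = ("map", m.group(1))
        elif line.startswith("interface "):
            section = ("intf", line.split()[1])
            cfg["intf"].setdefault(section[1], {})
        elif SECTION_RE.match(line) or line.startswith("crypto map "):
            section = ("other", line)  # e.g. 'crypto map X local-address ...'
        elif section is not None:
            kind, name = section
            words = line.split()
            if kind == "map" and line.startswith("match address "):
                cfg["crypto_acls"].add(words[2])  # ACL used by a crypto/dynamic map
            elif kind == "intf" and line.startswith("ip address "):
                cfg["intf"][name]["ip"] = words[2]
            elif kind == "intf" and line.startswith("tunnel source "):
                cfg["intf"][name]["src"] = words[2]
            elif kind == "intf" and line.startswith("tunnel destination "):
                cfg["intf"][name]["dst"] = words[2]
            elif kind == "other" and name.startswith("crypto isakmp policy") and words[0] == "hash":
                cfg["isakmp_hash"] = words[1]
    return cfg


def tunnel_endpoints(cfg):
    """Yield (interface, local_ip, remote_ip) for every GRE tunnel, resolving
    a 'tunnel source <interface>' to that interface's address."""
    for name, i in cfg["intf"].items():
        if name.startswith("Tunnel") and "dst" in i:
            src = i.get("src")
            yield name, cfg["intf"].get(src, {}).get("ip", src), i["dst"]


def crypto_pairs(cfg):
    """Host pairs (src, dst) in ACLs referenced by crypto or dynamic maps."""
    return {p for num in cfg["crypto_acls"] for p in cfg["acl"].get(num, [])}


def check_pair(spoke, hub):
    """Return a list of mismatches between a spoke and the hub it dials."""
    issues, sp, hp = [], crypto_pairs(spoke), crypto_pairs(hub)
    for src, dst in sp:
        if (dst, src) not in hp:
            issues.append(f"hub has no crypto ACL mirroring spoke entry {src} -> {dst}")
    for name, local, remote in tunnel_endpoints(spoke):
        if (local, remote) not in sp:
            issues.append(f"spoke {name} GRE {local} -> {remote} matches no crypto ACL, so it never triggers IKE")
        if not any(l == remote and r == local for _, l, r in tunnel_endpoints(hub)):
            issues.append(f"hub has no tunnel interface pointing back at spoke {name} ({remote} -> {local})")
    if spoke["keepalive"] is None or hub["keepalive"] is None:
        issues.append("crypto isakmp keepalive is missing on one side; a dead peer is only noticed at SA expiry")
    return issues


def legacy_crypto(cfg):
    """List transforms and ISAKMP hashes that are legacy choices today."""
    findings = [f"transform-set {n} uses {a}" for n, algs in cfg["transforms"].items()
                for a in algs if a in WEAK_TRANSFORMS]
    if cfg["isakmp_hash"] == "md5":
        findings.append("isakmp policy hashes with md5")
    return findings


if __name__ == "__main__":
    spoke, hub = parse_ios(SPOKE_CFG), parse_ios(HUB_CFG)
    print("posted configs:", check_pair(spoke, hub) or "consistent")
    print("broken hub:", check_pair(spoke, parse_ios(BAD_HUB_CFG)))
    print("legacy algorithms on spoke:", legacy_crypto(spoke))
```

Run against the posted pair the checker reports the spoke and hub as consistent, which narrows the search to lifetimes and to what happens at the spoke when the IPsec SA expires; against the constructed broken hub it reports both the unmirrored ACL and the missing return tunnel.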