09-30-2016 01:23 AM - edited 02-21-2020 08:59 PM
Hello,
I am actually trying to set up an IPsec tunnel between a branch office (with a dynamic public IP) and my headquarters (with a static public IP).
At my headquarters, I have a router with VRF.
Here is my configuration for the branch office:
crypto logging session
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 28800
crypto isakmp key toto address A.B.C.D no-xauth
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set TS_AES_SHA ah-sha-hmac esp-aes
no crypto ipsec nat-transparency udp-encaps
!
crypto map CM_Client 1 ipsec-isakmp
set peer A.B.C.D
set transform-set TS_AES_SHA
set pfs group5
match address DE-LAN_Client
!
interface FastEthernet4
description *** 4G vers TP-Link ***
ip address 192.168.254.2 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
crypto map CM_Client
!
interface Vlan1
description *** ID01-LAN ***
ip address 172.16.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
no autostate
!
ip nat inside source list 100 interface FastEthernet4 overload
!
ip access-list extended DE-LAN_Client
permit ip 172.16.0.0 0.0.0.255 host 10.10.10.10
permit ip host 10.10.10.10 172.16.0.0 0.0.0.255
!
ip sla 1
icmp-echo 10.10.10.10 source-ip 172.16.0.254
ip sla schedule 1 life forever start-time now
!
access-list 100 deny ip 172.16.0.0 0.0.0.255 host 10.10.10.10
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
Here is my configuration for my headquarters:
crypto keyring KR_Client vrf VRF
pre-shared-key address 0.0.0.0 0.0.0.0 key toto
crypto logging session
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 28800
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
crypto isakmp profile CI_Client
vrf VRF
keyring KR_Client
match identity address 0.0.0.0 VRF
!
!
crypto ipsec transform-set TS_AES_SHA ah-sha-hmac esp-aes
!
crypto dynamic-map CDM_Client 10
set transform-set TS_AES_SHA
set pfs group5
match address DE-LAN_Client
!
!
crypto map CM_Client 1 ipsec-isakmp dynamic CDM_Client
interface Loopback254
description *** Lo 4G via IPSEC ***
ip vrf forwarding VRF
ip address 178.23.152.8 255.255.255.255
ip nat outside
crypto map CM_Client
!
interface Loopback255
description *** Lo 4G via IPSEC ***
ip vrf forwarding VRF
ip address 10.10.10.10 255.255.255.255
ip nat inside
ip nat inside source list 100 interface Loopback254 vrf VRF overload
ip access-list extended DE-LAN_Client
permit ip host 10.10.10.10 172.16.0.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 host 10.10.10.10
access-list 100 deny ip host 10.10.10.10 172.16.0.0 0.0.0.255
access-list 100 permit ip host 10.10.10.10 any
Phase 1 is up:
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
178.23.152.8 192.168.254.2 QM_IDLE 2002 0 ACTIVE
IPv6 Crypto ISAKMP SA
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
178.23.152.8 80.215.202.236 QM_IDLE 1004 ACTIVE
IPv6 Crypto ISAKMP SA
Phase 2 is up:
local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
current_peer 178.23.152.8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
interface: Loopback254
Crypto map tag: CM_Client, local addr 178.23.152.8
protected vrf: VRF
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer 80.215.202.236 port 18932
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
Ping between my two LANs is NOK:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.254
.....
Success rate is 0 percent (0/5)
Encrypted packets are OK but not decrypted:
#pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Do you have any idea regarding this problem?
Thanks a lot
BR
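An added example (not from this thread) that parses the two "show crypto ipsec sa" excerpts above and flags the pattern described in the post: proxy identities mirrored, the branch encapsulating while the headquarters side decapsulates nothing, and the peer seen on a translated UDP port. The sample text is constructed from the counters and identities quoted in the post; the regexes, parse_sa and diagnose are my own.

```python
import re

# "show crypto ipsec sa" excerpts constructed from the thread (branch first, headquarters second).
BRANCH_SA = """\
local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
current_peer 178.23.152.8 port 500
#pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
HQ_SA = """\
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer 80.215.202.236 port 18932
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"^(local|remote) ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")

def parse_sa(text: str) -> dict:
    """Pull proxy identities, peer address/port and encaps/decaps counters from one SA."""
    sa = {}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = f"{addr}/{mask}"
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)
    peer = PEER_RE.search(text)
    if peer:
        sa["peer"], sa["port"] = peer.group(1), int(peer.group(2))
    return sa

def diagnose(a: dict, b: dict) -> list:
    """Compare one SA as seen from peer A with the same SA as seen from peer B."""
    findings = []
    # Phase 2 selectors must be mirror images, or the two ends protect different flows.
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("proxy identities are not mirrored between the peers")
    # A encrypts but never decrypts: its traffic leaves and nothing comes back.
    if a["encaps"] > 0 and a["decaps"] == 0:
        if b["decaps"] == 0:
            # B decapsulated nothing either: look at the path to B's crypto interface, not at Phase 2.
            findings.append("one-way: A encrypts but B decapsulates nothing; check routing/NAT to B's crypto interface")
        else:
            findings.append("one-way: B decrypts A's packets but its replies never return")
    for sa in (a, b):
        if sa.get("port", 500) != 500:
            findings.append(f"NAT in path: {sa['peer']} seen on UDP port {sa['port']}, not 500")
    return findings
```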
09-30-2016 03:49 AM
Thanks a lot
09-30-2016 04:11 AM
You can try one workaround: change the subnet mask for Lo254 from /32 to /31 and give the next-hop IP address as the next IP, 178.23.52.9.
10-05-2016 12:53 AM
Hi !
I just tried your workaround 5 minutes ago and it works perfectly!
Thanks a lot.
BR
10-05-2016 12:57 AM
You are always welcome.