3690 Views, 5 Helpful, 30 Replies

IPSEC VPN: failed to establish a connection on 2nd WAN interface

ilyasseelmengad (Level 1)

Hey there!!

I am using three Cisco ISR 4331 routers, 1 central router and 2 branch routers; each branch router is connected to the central router on a serial interface.

My goal is to enable IPsec between the branch routers and the central router, so normally I should create 2 tunnels.

When I configure the first tunnel and apply the crypto map on the ports, it works just fine.

When I try to configure the second tunnel, it says that the procedure stopped at MM_KEY_EXCHANGE and that the session is deleted.

------------------------------------------------------------------------------------------------

Branch Router B config 

access-list 110 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 172.28.21.1
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.1
set transform-set VPN
match address 110
exit
int s0/2/1
encapsulation ppp
crypto map VPN
no sh
exit

------------------------------------------------------------------------------------------------------------

Central router config:

access-list 110 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 172.28.21.2
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.2
set transform-set VPN
match address 110
exit
int s0/2/1
encapsulation ppp
crypto map VPN
no sh
exit

-----------------------------------------------------------------------------------------------------

Note that I used the same config for the working tunnel; the only changes are the use of the S0/2/0 port, another crypto map, and different addressing.

Thank you!!!

4 Accepted Solutions


There are two things you are missing in the config.

You have no traffic to be encrypted, as you have no local network. You should have a LAN interface with some network on it.

You cannot start the tunnel with only the WAN config.

Second, the ACL must match exactly the traffic and not be any any:

access-list 110 permit ip any any
access-list 100 permit ip any any

As it means anything. Replace those ACLs and use proper network traffic.

When the encryption domain ACL does not specify the local and the remote subnets, the router will not be able to establish another tunnel, because in your case the router would see that it already has security associations created matching the ACL you configured, which is ip any any. I agree with the guys: if you set the ACLs with the specific subnets, that should fix the issue.

Pavan Gundu (Cisco Employee)

access-list 110 permit ip any any
access-list 100 permit ip any any

crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.2
set transform-set VPN
match address 110
exit
crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.2
set transform-set VPN1
match address 100
exit

You should not have overlapping ACLs for 2 different crypto maps. In your case it is permit ip any any for both the crypto maps.
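The two rules the accepted answers rely on, that no two crypto map entries on one router may have overlapping crypto ACLs and that each branch ACL must be the mirror image of the central one, as an offline check. This is an added Python example, not code from the thread or from Cisco; the LAN subnets 10.0.0.0/24, 10.1.0.0/24 and 10.2.0.0/24 in the FIXED samples are assumed placeholders, and FIXED_BRANCH_B is the branch B side of FIXED_CENTRAL with local and remote swapped.

```python
import ipaddress

# Constructed samples (not from the thread). BROKEN copies the OP's central router, where
# both crypto map entries match "permit ip any any"; FIXED uses assumed placeholder LANs.
BROKEN_CENTRAL = """access-list 110 permit ip any any
access-list 100 permit ip any any
crypto map VPN 40 ipsec-isakmp
 match address 110
crypto map VPN1 30 ipsec-isakmp
 match address 100"""
FIXED_CENTRAL = """access-list 110 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map VPN 40 ipsec-isakmp
 match address 110
crypto map VPN1 30 ipsec-isakmp
 match address 100"""
FIXED_BRANCH_B = """access-list 110 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map VPN 40 ipsec-isakmp
 match address 110"""

def _net(tokens):
    # Consume one ACE address: "any" or "addr wildcard" (contiguous wildcards assumed).
    addr = tokens.pop(0)
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # wildcard = inverted netmask

def parse(config):
    # Map each "crypto map NAME SEQ" entry to the (src, dst) networks of its crypto ACL.
    acls, maps, current = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((_net(rest), _net(rest)))
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            current = f"{t[2]} {t[3]}"
        elif t[:2] == ["match", "address"] and current:
            maps[current] = t[2]
    return {m: acls.get(a, []) for m, a in maps.items()}

def overlapping_maps(config):
    # Pairs of crypto map entries on one router whose encryption domains overlap.
    entries = list(parse(config).items())
    return [(m1, m2) for i, (m1, a1) in enumerate(entries) for m2, a2 in entries[i + 1:]
            if any(s1.overlaps(s2) and d1.overlaps(d2) for s1, d1 in a1 for s2, d2 in a2)]

def is_mirror(local_cfg, local_map, peer_cfg, peer_map):
    # True when the peer's crypto ACL is exactly ours with source and destination swapped.
    ours = set(parse(local_cfg)[local_map])
    theirs = {(d, s) for s, d in parse(peer_cfg)[peer_map]}
    return ours == theirs
```

Run against the thread's configs, BROKEN_CENTRAL reports the VPN 40 / VPN1 30 pair as overlapping, which is the condition Pavan describes; the FIXED samples report no overlap and branch B mirrors the central entry for its peer.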

30 Replies

Hi @ilyasseelmengad 

"In the show crypto isakmp sa output, the state must always be QM_IDLE. If the state is MM_KEY_EXCH, it means either the configured pre-shared key is not correct or the peer IP addresses are different."

Hi @Flavio Miranda 

Thank you for your efforts.

As you can see in the shared config, the pre-shared key is the same, "admin", for both.

I just wanna mention that I've tried to start with branch B instead of A, and it worked just fine, but then the tunnel with A stopped at MM_KEY_EXCH.

crypto isakmp key admin address 0.0.0.0 <<- only do this in the Central router and check again

I changed the address in the config to 0.0.0.0; it got past the MM_KEY_EXCH phase to the QM_IDLE phase, but for some reason it still shows that the session is deleted and the ping isn't working.

Please check the screenshot, thank you for your help!!!

Don't worry, do this in all three sites:
clear crypto isakmp sa
This is also needed:
clear crypto sa
and check again.

Sorry, I didn't mention that I am using Packet Tracer, and these commands just didn't work for me: unrecognized command.

Then do these steps:

1- crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.2
match address 100

This map needs set transform-set; don't forget to add it.

2- Don't use access-list permit ip any any.

In central:

Use for site A:
access-list permit lan-central lan-sitea

Use for site B:
access-list permit lan-central lan-siteb

In site A:
access-list permit lan-sitea lan-central

In site B:
access-list permit lan-siteb lan-central

3- Close the lab and then open it again.

Share the result after these changes.

So basically the problem is with the ACLs? I have to specify the LANs?

YES

ACL

missing transform

ISAKMP key 0.0.0.0

There were many steps that needed correcting before IPsec would work.

We fixed two; the last one, the ACL, is still left.

Correct it and check.

Can you share the config from the 3 routers? The whole running-config?

In the central router you should have two configs for the crypto map:

!
crypto isakmp key admin address site_A
crypto isakmp key admin address Site_B
!

And 2 transform-sets:

!
crypto ipsec transform-set site_A esp-aes 256 esp-sha-hmac
crypto ipsec transform-set Site_B esp-aes 256 esp-sha-hmac
!

Then 2 crypto map entries:

crypto map VPN 10 ipsec-isakmp
set peer x.x.x.x (IP site A)
set pfs group5
set security-association lifetime seconds 900
set transform-set site_A
match address 101
!
crypto map VPN 11 ipsec-isakmp
set peer x.x.x.x (IP site B)
set pfs group5
set security-association lifetime seconds 900
set transform-set Site_B
match address 102
!

The ACLs, one per peer:

access-list 101 permit ip "local" "remote site A"
access-list 102 permit ip "local" "remote site B"

int s0/2/1
encapsulation ppp
crypto map VPN
no sh
exit

Here's the running config for the 3 routers. Please note that I am trying to create tunnels on different interfaces in the central router: a tunnel on S0/2/0 with branch A and a tunnel on S0/2/1 with branch B.

Central router

Router#sh running-config
Building configuration...

Current configuration : 1801 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key admin address 0.0.0.0 0.0.0.0
!
!
!
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
!
crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.2
set transform-set VPN
match address 110
!
!
crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.2
match address 100
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Loopback0
ip address 8.8.8.1 255.255.255.255
!
interface GigabitEthernet0/0/0
media-type sfp
ip address 172.28.5.1 255.255.255.252
!
interface GigabitEthernet0/0/1
ip address 172.28.5.5 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
!
interface GigabitEthernet0/1/0
switchport mode access
!
interface GigabitEthernet0/1/1
switchport mode access
!
interface GigabitEthernet0/1/2
switchport mode access
!
interface GigabitEthernet0/1/3
switchport mode access
!
interface Serial0/2/0
ip address 172.28.11.1 255.255.255.252
encapsulation ppp
clock rate 2000000
crypto map VPN1
!
interface Serial0/2/1
ip address 172.28.21.1 255.255.255.252
encapsulation ppp
crypto map VPN
!
interface Vlan1
no ip address
shutdown
!
router ospf 10
log-adjacency-changes
network 172.28.21.0 0.0.0.3 area 0
network 172.28.11.0 0.0.0.3 area 0
network 8.8.8.1 0.0.0.0 area 0
network 172.28.5.0 0.0.0.3 area 0
network 172.28.5.4 0.0.0.3 area 0
!
ip classless
!
ip flow-export version 9
!
!
access-list 110 permit ip any any
access-list 100 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

--------------------------------------------------------------------------------------------------------

Branch A router 

Router#sh running-config
Building configuration...

Current configuration : 1378 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key admin address 172.28.11.1
!
!
!
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
!
crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.1
match address 100
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
media-type sfp
no ip address
!
interface GigabitEthernet0/0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/0/2
no ip address
shutdown
!
interface GigabitEthernet0/1/0
switchport mode access
!
interface GigabitEthernet0/1/1
switchport mode access
!
interface GigabitEthernet0/1/2
switchport mode access
!
interface GigabitEthernet0/1/3
switchport mode access
!
interface Serial0/2/0
ip address 172.28.11.2 255.255.255.252
encapsulation ppp
crypto map VPN1
!
interface Serial0/2/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 10
log-adjacency-changes
network 172.28.11.0 0.0.0.3 area 0
!
ip classless
!
ip flow-export version 9
!
!
access-list 100 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

----------------------------------------------------------------------------------------------

Branch B Router 

Router#sh running-config
Building configuration...

Current configuration : 1378 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key admin address 172.28.11.1
!
!
!
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
!
crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.1
match address 100
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
media-type sfp
no ip address
!
interface GigabitEthernet0/0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/0/2
no ip address
shutdown
!
interface GigabitEthernet0/1/0
switchport mode access
!
interface GigabitEthernet0/1/1
switchport mode access
!
interface GigabitEthernet0/1/2
switchport mode access
!
interface GigabitEthernet0/1/3
switchport mode access
!
interface Serial0/2/0
ip address 172.28.11.2 255.255.255.252
encapsulation ppp
crypto map VPN1
!
interface Serial0/2/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 10
log-adjacency-changes
network 172.28.11.0 0.0.0.3 area 0
!
ip classless
!
ip flow-export version 9
!
!
access-list 100 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end


crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.2
match address 100

This map needs set transform-set; don't forget to add it.

Yeah, I added it and the deleted-session problem persists; they are both on QM_IDLE, but one is deleted.

I'm gonna share the latest version of the config to give more insight.

Note that the Central router is connected to the branch A router: S0/2/0 <===> S0/2/0

The Central router is connected to the branch B router: S0/2/1 <===> S0/2/1

Central router 

access-list 110 permit ip any any
access-list 100 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 0.0.0.0
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto ipsec transform-set VPN1 esp-aes 128 esp-sha-hmac
crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.2
set transform-set VPN
match address 110
exit
crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.2
set transform-set VPN1
match address 100
exit
int s0/2/1
encapsulation ppp
crypto map VPN
no sh
exit
int s0/2/0
encapsulation ppp
crypto map VPN1
no sh
exit

------------------------------------------------------------------------------------------------------------

Branch A router 

access-list 100 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 172.28.11.1
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.1
set transform-set VPN1
match address 100
exit
int s0/2/0
encapsulation ppp
crypto map VPN1
no sh
exit

--------------------------------------------------------------------------------------------------

Branch B router 

access-list 110 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 172.28.21.1
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.1
set transform-set VPN
match address 110
exit
int s0/2/1
encapsulation ppp
crypto map VPN
no sh
exit