IPSEC VPN : failed to etablish a connection on 2nd WAN interface

ilyasseelmengad
Level 1

Hey there!!

I am using three Cisco ISR 4331 routers: 1 central router and 2 branch routers. Each branch router is connected to the central router on a serial interface.

My goal is to enable IPsec between the branch routers and the central router, so normally I should create 2 tunnels.

When I configure the first tunnel and apply the crypto map on the ports, it works just fine.

When I try to configure the second tunnel, it says that the procedure stopped at MM_KEY_EXCHANGE and that the session is deleted.

------------------------------------------------------------------------------------------------

Branch Router B config:

access-list 110 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 172.28.21.1
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.1
set transform-set VPN
match address 110
exit
int s0/2/1
encapsulation ppp
crypto map VPN
no sh
exit

------------------------------------------------------------------------------------------------------------

Central router config:

access-list 110 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 172.28.21.2
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.2
set transform-set VPN
match address 110
exit
int s0/2/1
encapsulation ppp
crypto map VPN
no sh
exit

-----------------------------------------------------------------------------------------------------

Note that I used the same config for the working tunnel; the only changes are the use of the S0/2/0 port, another crypto map, and different addressing.

Thank you!!!

30 Replies

Check the three steps I shared above.

There are two things you are missing in the config.

You have no traffic to be encrypted as you have no local network. You should have a LAN interface with some network on it.

You cannot start the tunnel with only the WAN config.

Second, the ACL must match the exact traffic and not be any any:


access-list 110 permit ip any any

access-list 100 permit ip any any

As it means anything. Replace those ACLs and use proper network traffic.

Yeah, I should properly configure the ACLs, but what's actually bothering me is the fact that always ONE TUNNEL works while the other one doesn't. I find it quite odd.

Thank you for your support, I am going to try the config you just mentioned and get back to you.

We need traffic to force the tunnel to come up. Do this please: add a local network, put the ACL matching the exact addressing and then try to ping from one side to another. If you don't succeed, send the following commands:

show crypto ipsec sa

show crypto isakmp sa

By the way, I have this scenario working in a lab with Packet Tracer and it works like a charm.

What point triggers the router to start IPsec?

The ACL is the trigger.

When you configure an any any ACL in the central router, you make the central router use only one tunnel.

That's why.

If you do not succeed in pinging from site to site, please

show crypto ipsec sa

both before the ping and after the ping.

Here's the crypto ipsec output on the central router:

Router#sh crypto ipsec sa

interface: Serial0/2/0
Crypto map tag: VPN1, local addr 172.28.11.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 172.28.11.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.28.11.1, remote crypto endpt.:172.28.11.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/2/0
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Serial0/2/1
Crypto map tag: VPN, local addr 172.28.21.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 172.28.21.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 98, #pkts encrypt: 98, #pkts digest: 0
#pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.28.21.1, remote crypto endpt.:172.28.21.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/2/1
current outbound spi: xxx

inbound esp sas:
spi: xxx
transform: esp-aes 128 esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: FPGA:1, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4525504/2844)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: xxx
transform: esp-aes 128 esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: FPGA:1, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4525504/2844)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Is this before or after you did the three points I shared?

It's after I pinged the three locations; apparently the central router can only ping one branch, the other one is unavailable.

Share the last config.

Okay, here's the latest config:

Central router:

access-list 110 permit ip any any
access-list 100 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 0.0.0.0
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto ipsec transform-set VPN1 esp-aes 128 esp-sha-hmac
crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.2
set transform-set VPN
match address 110
exit
crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.2
set transform-set VPN1
match address 100
exit
int s0/2/1
encapsulation ppp
crypto map VPN
no sh
exit
int s0/2/0
encapsulation ppp
crypto map VPN1
no sh
exit

------------------------------------------------------------------------------------

Branch A router:

access-list 100 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 172.28.11.1
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.1
set transform-set VPN1
match address 100
exit
int s0/2/0
encapsulation ppp
crypto map VPN1
no sh
exit

--------------------------------------------------------------

Branch B router:

access-list 110 permit ip any any
crypto isakmp policy 10
encr aes 128
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key admin address 172.28.21.1
crypto ipsec transform-set VPN esp-aes 128 esp-sha-hmac
crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.1
set transform-set VPN
match address 110
exit
int s0/2/1
encapsulation ppp
crypto map VPN
no sh
exit

But I mentioned in my three points that you need to change the ACL from permit any any to the LAN.

Review again the three points I sent above.

When the encryption domain ACL does not specify the local and the remote subnets, the router wouldn't be able to establish another tunnel, because in your case the router would see that it already has security associations created matching the ACL you configured, which is ip any any. I agree with the guys: if you set the ACLs with the specific subnets, that should fix the issue.

Pavan Gundu
Cisco Employee

access-list 110 permit ip any any
access-list 100 permit ip any any

crypto map VPN 40 ipsec-isakmp
set peer 172.28.21.2
set transform-set VPN
match address 110
exit
crypto map VPN1 30 ipsec-isakmp
set peer 172.28.11.2
set transform-set VPN1
match address 100
exit

You should not have overlapping ACLs for 2 different crypto maps. In your case it is permit ip any any for both crypto maps.
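As an added check (not code from the thread or from Cisco), here is a small Python script that parses the crypto-map section of an IOS config and reports what the last two replies describe: match ACLs that are permit ip any any, and encryption domains that overlap between two crypto maps. The crypto maps and the any-any ACLs are taken from the posted central router config; the fixed ACLs and their 10.x.0.0/24 LANs are assumptions for illustration.

```python
import ipaddress
from itertools import combinations, product

# Crypto maps from the central router config posted in the thread (set peer lines omitted).
CRYPTO_MAPS = """
crypto map VPN 40 ipsec-isakmp
 match address 110
exit
crypto map VPN1 30 ipsec-isakmp
 match address 100
exit
"""
ACLS_AS_POSTED = "access-list 110 permit ip any any\naccess-list 100 permit ip any any\n"
# Constructed fix (assumed subnets): hub LAN 10.0.0.0/24 to a distinct LAN behind each branch.
ACLS_FIXED = ("access-list 110 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255\n"
              "access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255\n")

def _net(tok):
    """Consume one ACL address spec, 'any' or 'A.B.C.D WILDCARD', returning (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    # ip_network accepts an IOS wildcard as a hostmask, except 0.0.0.0 which must mean /32.
    mask = "32" if tok[1] == "0.0.0.0" else tok[1]
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def crypto_domains(config):
    """Map each crypto map name to the (src, dst) networks its match-address ACL permits."""
    acls, refs, current = {}, {}, None
    for t in (line.split() for line in config.splitlines()):
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:])
            acls.setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[:2] == ["crypto", "map"] and len(t) == 5 and t[3].isdigit():
            current = t[2]  # 'crypto map NAME SEQ ipsec-isakmp' opens a map entry
            refs.setdefault(current, [])
        elif t[:2] == ["match", "address"] and current:
            refs[current].append(t[2])
        elif t and t[0] in ("exit", "int", "interface"):
            current = None
    return {m: [f for a in ids for f in acls.get(a, [])] for m, ids in refs.items()}

def find_problems(config):
    doms = crypto_domains(config)
    out = [f"{m}: match ACL is 'permit ip any any'"
           for m in sorted(doms) for s, d in doms[m] if s.prefixlen == d.prefixlen == 0]
    for a, b in combinations(sorted(doms), 2):
        for (sa, da), (sb, db) in product(doms[a], doms[b]):
            if sa.overlaps(sb) and da.overlaps(db):
                out.append(f"{a}/{b}: overlapping domains {sa}->{da} and {sb}->{db}")
    return out
```

`find_problems(ACLS_AS_POSTED + CRYPTO_MAPS)` reports both maps and their overlap, while `find_problems(ACLS_FIXED + CRYPTO_MAPS)` returns an empty list; the overlap check also catches partial overlaps such as a /16 on one map covering a /24 on the other.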