IPSEC with HSRP no attempt to start phase 1....order of operation issue possibly

All,

I have redesigned my network and now have my Core router(s) using HSRP. I currently have an IPsec VPN up and running on the physical IP address (crypto map kfc). I am trying to bring up a new VPN using the VIP (virtual IP address). In my lab I have a single VPN up using the virtual IP and it works fine.

The new VPN using the VIP is not attempting to start phase 1. I created an ACL named "test" to look for traffic to or from the endpoint and nothing hits it. I also issued a debug crypto ipsec and I do not see anything. If I issue a traceroute from 193.50.80.6 to 152.188.40.40 it hits 193.50.80.57 (the physical interface IP of interface GigabitEthernet0/0/0.80) just like it should. This is the point where it should hit "crypto map kfc-test redundancy Vlan80".

The working VPN is "crypto map kfc". This map is located on the exit interface of the Core router, but I am sourcing the endpoint to the interface with this command: crypto map kfc local-address GigabitEthernet0/0/0.80

Please be mindful that the working VPN uses a crypto map named "kfc" and the non-working map is named "kfc-test".

Below you will find the results of the command show crypto map (I have excluded the working crypto map):

Crypto Map IPv4 "kfc-test" 9 ipsec-isakmp
Description: kfc-A50
Peer = 152.188.40.68
Extended IP access list 128
access-list 128 permit ip host 193.50.80.6 152.188.40.32 0.0.0.31
Current peer: 152.188.40.68
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Mixed-mode : Disabled
Transform sets={
ipcom: { esp-3des esp-md5-hmac } ,
}

Crypto Map IPv4 "kfc-test" 10 ipsec-isakmp
Description: kfc-RTO
Peer = 152.188.41.68
Extended IP access list 129
access-list 129 permit ip host 193.50.80.6 152.188.41.32 0.0.0.31
Current peer: 152.188.41.68
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Mixed-mode : Disabled
Transform sets={
ipcom: { esp-3des esp-md5-hmac } ,
}

Crypto Map IPv4 "kfc-test" 11 ipsec-isakmp
Description: kfc-RVG
Peer = 152.188.40.196
Extended IP access list 130
access-list 130 permit ip host 193.50.80.6 152.188.40.160 0.0.0.31
Current peer: 152.188.40.196
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Mixed-mode : Disabled
Transform sets={
ipcom: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map kfc-test:
GigabitEthernet0/0/0.80

Redundancy Status:
Group: Vlan80, Type: Stateless HA, VIP: 193.50.80.1
Replay-interval: inbound:1000 outbound:100000

 

Below you will find some of my configs:

!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!

crypto isakmp key fingerlickinggood address 63.110.103.238
crypto isakmp key fingerlickinggood address 65.211.121.238
crypto isakmp key fingerlickinggood address 63.77.77.238
crypto isakmp key fingerlickinggood address 65.243.173.238
crypto isakmp key fingerlickinggood address 65.217.41.238
crypto isakmp key fingerlickinggood address 152.188.27.68
crypto isakmp key fingerlickinggood address 152.188.27.196
crypto isakmp key fingerlickinggood address 152.188.28.68
crypto isakmp key fingerlickinggood address 96.79.128.73
crypto isakmp key fingerlickinggood address 152.188.40.68
crypto isakmp key fingerlickinggood address 152.188.41.68
crypto isakmp key fingerlickinggood address 152.188.40.196
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set IKE2 esp-aes 256 esp-md5-hmac
mode tunnel
!
!
!
crypto map kfc local-address GigabitEthernet0/0/0.80
crypto map kfc 1 ipsec-isakmp
description kfc-RTO
set peer 63.110.103.238
set transform-set ipcom
set pfs group2
match address 120
reverse-route
crypto map kfc 2 ipsec-isakmp
description kfc-ELB
set peer 65.211.121.238
set transform-set ipcom
set pfs group2
match address 121
reverse-route
crypto map kfc 3 ipsec-isakmp
description kfc-DNG
set peer 63.77.77.238
set transform-set ipcom
set pfs group2
match address 122
reverse-route
crypto map kfc 4 ipsec-isakmp
description kfc-HSJ
set peer 65.243.173.238
set transform-set ipcom
set pfs group2
match address 123
reverse-route
crypto map kfc 5 ipsec-isakmp
description kfc-CPZ
set peer 65.217.41.238
set transform-set ipcom
set pfs group2
match address 124
reverse-route
crypto map kfc 6 ipsec-isakmp
description kfc-DNJ
set peer 152.188.27.68
set transform-set ipcom
set pfs group2
match address 125
reverse-route
crypto map kfc 7 ipsec-isakmp
description kfc-CHT
set peer 152.188.27.196
set transform-set ipcom
set pfs group2
match address 126
reverse-route
crypto map kfc 8 ipsec-isakmp
description kfc-CF3
set peer 152.188.28.68
set transform-set ipcom
set pfs group2
match address 127
reverse-route
!
crypto map kfc-test 9 ipsec-isakmp
description kfc-A50
set peer 152.188.40.68
set transform-set ipcom
set pfs group2
match address 128
crypto map kfc-test 10 ipsec-isakmp
description kfc-RTO
set peer 152.188.41.68
set transform-set ipcom
set pfs group2
match address 129
crypto map kfc-test 11 ipsec-isakmp
description kfc-RVG
set peer 152.188.40.196
set transform-set ipcom
set pfs group2
match address 130
!
!
!
!
interface GigabitEthernet0/0/0.80
description ACS-Public
encapsulation dot1Q 80
ip address 193.50.80.57 255.255.255.0
standby 80 ip 193.50.80.1
standby 80 timers msec 200 msec 650
standby 80 priority 150
standby 80 preempt delay reload 99
standby 80 name Vlan80
standby 80 track 1 decrement 60
cdp enable
crypto map kfc-test redundancy Vlan80
!
interface GigabitEthernet0/0/1
description To-ACS-1-E_G0/0/1
ip address 195.51.112.2 255.255.255.248
ip nat outside
standby 99 ip 195.51.112.1
standby 99 timers msec 200 msec 650
standby 99 priority 150
standby 99 preempt delay reload 99
standby 99 name 99
standby 99 track 1 decrement 60
no negotiation auto
cdp enable
crypto map kfc
!
ip nat pool Pool1 193.50.80.10 193.50.80.10 netmask 255.255.255.0
ip nat inside source static 192.168.1.125 193.50.80.49 route-map Static_Nat_RM redundancy 1 mapping-id 6
ip nat inside source static 192.168.1.110 193.50.80.50 route-map Static_Nat_RM redundancy 1 mapping-id 5
ip nat inside source static 192.168.1.111 193.50.80.51 route-map Static_Nat_RM redundancy 1 mapping-id 25
ip nat inside source static 192.168.1.150 193.50.80.52 route-map Static_Nat_RM redundancy 1 mapping-id 7
ip nat inside source static 192.168.1.151 193.50.80.53 route-map Static_Nat_RM redundancy 1 mapping-id 8
ip nat inside source static 192.168.1.232 193.50.80.54 route-map Static_Nat_RM redundancy 1 mapping-id 23
ip nat inside source static 192.168.1.82 193.50.80.66 route-map Static_Nat_RM redundancy 1 mapping-id 2
ip nat inside source static 192.168.1.166 193.50.80.68 route-map Static_Nat_RM redundancy 1 mapping-id 10
ip nat inside source static 192.168.1.155 193.50.80.69 route-map Static_Nat_RM redundancy 1 mapping-id 9
ip nat inside source static 192.168.1.191 193.50.80.81 route-map Static_Nat_RM redundancy 1 mapping-id 16
ip nat inside source static 192.168.1.192 193.50.80.82 route-map Static_Nat_RM redundancy 1 mapping-id 17
ip nat inside source static 192.168.1.193 193.50.80.83 route-map Static_Nat_RM redundancy 1 mapping-id 18
ip nat inside source static 192.168.1.194 193.50.80.84 route-map Static_Nat_RM redundancy 1 mapping-id 19
ip nat inside source static 192.168.1.182 193.50.80.85 route-map Static_Nat_RM redundancy 1 mapping-id 11
ip nat inside source static 192.168.1.186 193.50.80.86 route-map Static_Nat_RM redundancy 1 mapping-id 12
ip nat inside source static 192.168.1.187 193.50.80.87 route-map Static_Nat_RM redundancy 1 mapping-id 13
ip nat inside source static 192.168.1.188 193.50.80.88 route-map Static_Nat_RM redundancy 1 mapping-id 14
ip nat inside source static 192.168.1.198 193.50.80.89 route-map Static_Nat_RM redundancy 1 mapping-id 20
ip nat inside source static 192.168.1.90 193.50.80.90 route-map Static_Nat_RM redundancy 1 mapping-id 4
ip nat inside source static 192.168.1.199 193.50.80.91 route-map Static_Nat_RM redundancy 1 mapping-id 21
ip nat inside source static 192.168.1.231 193.50.80.92 route-map Static_Nat_RM redundancy 1 mapping-id 22
ip nat inside source static 192.168.1.190 193.50.80.93 route-map Static_Nat_RM redundancy 1 mapping-id 15
ip nat inside source list NATSource pool Pool1 redundancy 1 mapping-id 1 overload

ip access-list extended NATSource
deny ip host 192.168.1.125 any
deny ip host 192.168.1.110 any
deny ip host 192.168.1.150 any
deny ip host 192.168.1.151 any
deny ip host 192.168.1.232 any
deny ip host 192.168.1.82 any
deny ip host 192.168.1.111 any
deny ip host 192.168.1.166 any
deny ip host 192.168.1.155 any
deny ip host 192.168.1.191 any
deny ip host 192.168.1.192 any
deny ip host 192.168.1.193 any
deny ip host 192.168.1.194 any
deny ip host 192.168.1.182 any
deny ip host 192.168.1.186 any
deny ip host 192.168.1.187 any
deny ip host 192.168.1.188 any
deny ip host 192.168.1.198 any
deny ip host 192.168.1.90 any
deny ip host 192.168.1.199 any
deny ip host 192.168.1.231 any
deny ip host 192.168.1.190 any
deny ip host 192.168.1.52 any
deny ip host 192.168.1.49 any
deny ip host 192.168.1.50 any
deny ip host 192.168.1.51 any
deny ip 192.168.0.0 0.0.1.255 104.37.252.0 0.0.3.255
deny ip 192.168.0.0 0.0.1.255 192.168.2.0 0.0.0.255
deny ip 192.168.0.0 0.0.1.255 10.2.10.0 0.0.0.255
deny ip 192.168.0.0 0.0.1.255 10.4.4.0 0.0.0.255
deny ip 192.168.0.0 0.0.1.255 10.5.5.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 192.168.51.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.51.0 0.0.0.255
deny ip 172.16.0.0 0.0.0.255 10.4.4.0 0.0.0.255
deny ip 172.16.1.0 0.0.0.255 10.4.4.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 195.51.118.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 195.51.118.0 0.0.0.255
permit ip 192.168.0.0 0.0.1.255 any
ip access-list extended NoKo_VPN_Traffic
permit ip 192.168.0.0 0.0.1.255 10.4.4.0 0.0.0.255
ip access-list extended NoPo_VPN_Traffic
permit ip 192.168.0.0 0.0.1.255 10.2.10.0 0.0.0.255
permit ip 192.168.2.0 0.0.1.255 10.2.10.0 0.0.0.255
ip access-list extended Static_Nat_ACL
deny ip 192.168.0.0 0.0.1.255 104.37.252.0 0.0.3.255
deny ip 192.168.0.0 0.0.1.255 192.168.2.0 0.0.0.255
deny ip 192.168.0.0 0.0.1.255 10.4.4.0 0.0.0.255
deny ip 192.168.0.0 0.0.1.255 10.2.10.0 0.0.0.255
permit ip host 192.168.1.125 any
permit ip host 192.168.1.110 any
permit ip host 192.168.1.150 any
permit ip host 192.168.1.151 any
permit ip host 192.168.1.232 any
permit ip host 192.168.1.82 any
permit ip host 192.168.1.166 any
permit ip host 192.168.1.155 any
permit ip host 192.168.1.191 any
permit ip host 192.168.1.192 any
permit ip host 192.168.1.193 any
permit ip host 192.168.1.194 any
permit ip host 192.168.1.182 any
permit ip host 192.168.1.186 any
permit ip host 192.168.1.187 any
permit ip host 192.168.1.188 any
permit ip host 192.168.1.198 any
permit ip host 192.168.1.90 any
permit ip host 192.168.1.199 any
permit ip host 192.168.1.231 any
permit ip host 192.168.1.190 any
permit ip host 192.168.1.111 any
ip access-list extended test
permit ip host 152.188.40.68 any log
permit ip host 152.188.41.68 any log
permit ip host 152.188.40.196 any log
permit ip 152.188.40.32 0.0.0.31 any log
permit ip 152.188.41.32 0.0.0.31 any log
permit ip 152.188.40.160 0.0.0.31 any log
permit ip any host 152.188.40.68 log
permit ip any host 152.188.41.68 log
permit ip any host 152.188.40.196 log
permit ip any any
!

access-list 101 deny ip host 192.168.1.150 10.4.4.0 0.0.0.255
access-list 101 permit ip host 192.168.1.150 any
access-list 120 permit ip 193.50.80.56 0.0.0.7 63.110.102.224 0.0.0.31
access-list 120 permit ip 193.50.80.16 0.0.0.7 63.110.102.224 0.0.0.31
access-list 121 permit ip 193.50.80.56 0.0.0.7 65.211.120.224 0.0.0.31
access-list 121 permit ip 193.50.80.16 0.0.0.7 65.211.120.224 0.0.0.31
access-list 122 permit ip 193.50.80.56 0.0.0.7 63.77.76.224 0.0.0.31
access-list 122 permit ip 193.50.80.16 0.0.0.7 63.77.76.224 0.0.0.31
access-list 123 permit ip 193.50.80.56 0.0.0.7 65.243.172.224 0.0.0.31
access-list 123 permit ip 193.50.80.16 0.0.0.7 65.243.172.224 0.0.0.31
access-list 124 permit ip 193.50.80.56 0.0.0.7 65.217.40.192 0.0.0.31
access-list 124 permit ip 193.50.80.16 0.0.0.7 65.217.40.192 0.0.0.31
access-list 125 permit ip 193.50.80.56 0.0.0.7 host 152.188.27.7
access-list 125 permit ip 193.50.80.16 0.0.0.7 host 152.188.27.7
access-list 126 permit ip 193.50.80.56 0.0.0.7 host 152.188.27.135
access-list 126 permit ip 193.50.80.16 0.0.0.7 host 152.188.27.135
access-list 127 permit ip 193.50.80.56 0.0.0.7 host 152.188.28.7
access-list 127 permit ip 193.50.80.16 0.0.0.7 host 152.188.28.7
access-list 128 permit ip host 193.50.80.6 152.188.40.32 0.0.0.31
access-list 129 permit ip host 193.50.80.6 152.188.41.32 0.0.0.31
access-list 130 permit ip host 193.50.80.6 152.188.40.160 0.0.0.31
!
route-map Static_Nat_RM permit 10
match ip address Static_Nat_ACL

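A small diagnostic that shows how a crypto map decides whether a flow needs IPsec: it parses the numbered crypto ACLs, the "set peer" and "match address" lines of each crypto map entry and the interface bindings, then evaluates a source/destination pair with Cisco wildcard-mask semantics against only the crypto map bound to the interface the packet leaves through (a crypto map is consulted for traffic exiting the interface it is applied to, not for traffic arriving on it, so the egress interface is an input to the check). This is an added example, not code from the original post or from Cisco; the embedded config is a constructed excerpt assembled from the ACL, crypto map and interface lines shown above, and the parser deliberately understands only that subset of IOS syntax.

```python
"""Evaluate a flow against Cisco-style crypto ACLs and report which crypto map
entry (if any) would trigger IPsec on a given egress interface."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the post's config: two crypto ACLs, one entry from
# each crypto map, and the interfaces each map is bound to.
CONFIG = """
access-list 120 permit ip 193.50.80.56 0.0.0.7 63.110.102.224 0.0.0.31
access-list 120 permit ip 193.50.80.16 0.0.0.7 63.110.102.224 0.0.0.31
access-list 128 permit ip host 193.50.80.6 152.188.40.32 0.0.0.31
crypto map kfc 1 ipsec-isakmp
 set peer 63.110.103.238
 match address 120
crypto map kfc-test 9 ipsec-isakmp
 set peer 152.188.40.68
 match address 128
interface GigabitEthernet0/0/0.80
 crypto map kfc-test redundancy Vlan80
interface GigabitEthernet0/0/1
 crypto map kfc
"""

Rule = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: Rule
    dst: Rule


@dataclass
class MapEntry:
    name: str
    seq: int
    peer: Optional[str] = None
    acl: Optional[str] = None


def _parse_addr(t: List[str], i: int) -> Tuple[Rule, int]:
    """Parse 'any' | 'host A' | 'A W' at t[i]; return the rule and next index."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def parse_config(text: str):
    """Return (acls, crypto map entries, interface -> map name) from the subset
    of IOS syntax used above; anything else is ignored."""
    acls: Dict[str, List[AclEntry]] = {}
    maps: Dict[Tuple[str, int], MapEntry] = {}
    bindings: Dict[str, str] = {}
    current = None  # MapEntry or interface name whose sub-lines follow
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[3] == "ip":
            src, i = _parse_addr(t, 4)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append(AclEntry(t[2], src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) > 3 and t[3].isdigit():
            current = MapEntry(t[2], int(t[3]))
            maps[(t[2], int(t[3]))] = current
        elif t[0] == "interface":
            current = t[1]
        elif t[:2] == ["set", "peer"] and isinstance(current, MapEntry):
            current.peer = t[2]
        elif t[:2] == ["match", "address"] and isinstance(current, MapEntry):
            current.acl = t[2]
        elif t[:2] == ["crypto", "map"] and isinstance(current, str):
            bindings[current] = t[2]  # "crypto map NAME [redundancy GROUP]"
    return acls, maps, bindings


def _in(addr: int, rule: Rule) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means don't-care."""
    base, wild = rule
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if _in(s, e.src) and _in(d, e.dst):
            return e.action == "permit"
    return False


def crypto_match(cfg, src: str, dst: str, egress_iface: str):
    """(map name, seq, peer) of the lowest-sequence entry of the crypto map bound
    to egress_iface whose ACL permits the flow, or None if nothing would match."""
    acls, maps, bindings = cfg
    name = bindings.get(egress_iface)
    for (mname, seq), entry in sorted(maps.items(), key=lambda kv: kv[0][1]):
        if mname == name and entry.acl and acl_permits(acls.get(entry.acl, []), src, dst):
            return (mname, seq, entry.peer)
    return None


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for iface in ("GigabitEthernet0/0/0.80", "GigabitEthernet0/0/1"):
        print(iface, "->", crypto_match(cfg, "193.50.80.6", "152.188.40.40", iface))
```

Running the block evaluates the flow from the post (193.50.80.6 to 152.188.40.40) twice, once with GigabitEthernet0/0/0.80 as the egress interface and once with GigabitEthernet0/0/1, so you can see which crypto map entry each egress choice reaches; the functions return plain tuples so the same check can be scripted over many flows or a full crypto ACL set.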