Issues with P2P VPN with DHCP interface

j-guffain
Level 1

I have successfully set up a P2P VPN with two Cisco 888 using static IP address. If I set one interface to DHCP and the unit is power cycled it will not request an IP until I issue "no crypto map <map name>" and bounce the interface.

Any thoughts on how I can leave the crypto map in place and have the interface get an IP?

Thanks in advance.

1 Accepted Solution

With config like this:

access-list 100 permit ip any any

You are expecting ALL traffic to be encrypted and expecting to need to decrypt all traffic. I.e. traffic which is received on the interface is going to be dropped unless it's encrypted.

6 Replies

Marcin Latosiewicz
Cisco Employee

This seems an odd interaction; unless your VPN policy is making DHCP packets go into the IPsec tunnel, this should not happen.

Try newer software if you're not already at around 15.1(4)M or newer.

M.

They're running the latest version.

I suspect the same, the DHCP traffic is being routed through the tunnel (which isn't up). Though I do not know what is causing this. Here is a sample of the VPN config:

Again, if "int vlan 2" is brought up with "no crypto map", it receives an IP. If a crypto map is set, it will not receive one.

crypto isakmp key 6 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set INTVPN esp-aes 256 esp-sha-hmac
!
crypto map INT_VPN 100 ipsec-isakmp
 set peer
 set transform-set INTVPN
 match address 100
!
interface Vlan2
 ip address dhcp
 crypto map INT_VPN
!
!
!
access-list 100 permit ip any any

bump.

Bump

Thanks, I will make adjustments to the ACLs and test.
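
An added example, not part of the original thread: one way to adjust access-list 100 so the crypto map can stay on Vlan2 while the interface still obtains a DHCP lease. The two LAN subnets are constructed placeholders; substitute the networks actually behind each router.

```cisco
! Added example. Subnets are constructed placeholders, not values from the thread.
!
! Before (from the thread): the crypto ACL matches every packet, so Vlan2
! expects all inbound traffic to arrive encrypted and drops the cleartext
! DHCP reply.
!   access-list 100 permit ip any any
!
no access-list 100
!
! Keep DHCP (client udp/68 <-> server udp/67) out of the tunnel. With the
! narrow permit below this is already implied by the implicit deny; it is
! written out to make the intent explicit.
access-list 100 deny   udp any eq bootpc any eq bootps
!
! Protect only site-to-site traffic: local LAN -> remote LAN.
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Verify after a power cycle, with the crypto map still applied:
!   show ip interface brief     (Vlan2 should show a DHCP-assigned address)
!   show crypto map             (ACL 100 should list only the entries above)
!   show crypto ipsec sa        (counters should rise only for LAN-to-LAN traffic)
```

The peer router needs the mirror image of the permit entry (source and destination swapped), otherwise the IPsec proxy identities will not match.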