L2L VPN IPsec only coming up when initiated by one side

danjor
Level 1

Hi,

I have 2 routers that I want to connect by L2L tunnels.

My config works from site B to site A: I can bring the tunnel up and both sites communicate both ways.
But site A can't bring the tunnel up. It seems that, as long as the IPsec part stays up, router A can bring ISAKMP up, but after IPsec disappears, site A has no way to bring the tunnel up. It has to be initiated again by site B.

When router A has to initiate the tunnel, the ACLs in nonat (ACL 199) and traffic selection (ACL 130) count the packets correctly, but the debug gives no output on router A. For the test, site A has 192.168.1.x and site B has 10.1.2.x internal IPs.

Site A:
Router 2611XM IOS c2600-advsecurityk9-mz.124-15.T14.bin

crypto keyring spokes
  pre-shared-key address yy.yy.yy.yy key abcdef
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 101
hash md5
authentication pre-share
crypto isakmp keepalive 10
crypto isakmp xauth timeout 90
!

****************

here are some Easy VPN configurations

***************

crypto isakmp profile L2L
   description LAN-to-LAN for spoke router(s) connection
   keyring spokes
   match identity address yy.yy.yy.yy 255.255.255.255
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 3
set transform-set myset
set isakmp-profile VPNclient2
crypto dynamic-map dynmap 4
set transform-set myset
set isakmp-profile VPNclient3
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set myset2
set isakmp-profile L2L
match address 130
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address xx.xx.xx.xx 255.255.255.192
ip access-group 101 in
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!

interface FastEthernet0/1
ip address 192.168.1.50 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload

access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.3.0 0.0.0.255

access-list 199 deny   ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 172.16.101.0 0.0.0.255
access-list 199 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

**************************************************************************

Site B:

Router ISR 2821 IOS c2800nm-advipservicesk9-mz.150-1.M3.bin

crypto isakmp policy 5
hash md5
authentication pre-share
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key abcdef address xx.xx.xx.xx no-xauth
crypto isakmp keepalive 10
crypto isakmp xauth timeout 90

!
****************
Some EASYVPN client
****************
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set myset
match address 130
!
! The virtual interface is mandatory from the ISP to have a fixed IP address
! This fixed IP address corresponds to the designated IP yy.yy.yy.yy in router A

interface Virtual-PPP1
ip address negotiated
ip access-group 101 in
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ppp pap sent-username 12345 password 12345
ppp ipcp dns request accept
pseudowire 195.132.16.228 2 pw-class ISP
crypto map clientmap
!

interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip address 10.1.2.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip address 10.1.3.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly

ip nat inside source list 102 interface Virtual-PPP1 overload

access-list 102 deny   ip any 192.168.0.0 0.0.255.255
access-list 102 deny   ip any 10.0.0.0 0.255.255.255
access-list 102 permit ip any any

access-list 130 permit ip 10.1.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 10.1.3.0 0.0.0.255 192.168.1.0 0.0.0.255


So the result of a ping after clearing the ACL counters is:

comcomrt1#ping 10.1.2.4 source 192.168.1.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.50
.....
Success rate is 0 percent (0/5)
comcomrt1#sh ip access-li 130
Extended IP access list 130
    10 permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255 (5 matches)
    20 permit ip 192.168.1.0 0.0.0.255 10.1.3.0 0.0.0.255
comcomrt1#sh ip access-li 199
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255 (5 matches)
    20 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    30 deny ip 192.168.1.0 0.0.0.255 172.16.100.0 0.0.0.255
    40 deny ip 192.168.1.0 0.0.0.255 172.16.101.0 0.0.0.255
    50 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
    60 permit ip 192.168.1.0 0.0.0.255 any (2842 matches)
comcomrt1#


And debug cry isa + debug cry ipsec give no output during the ping.

Any idea why I do not get the initiation of the tunnel?

Thanks for helping
Daniel
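An added check, not from the post or from Cisco: in IOS a crypto map entry that references a dynamic map (`ipsec-isakmp dynamic ...`) can only answer a peer's negotiation, while a static entry with `set peer` and `match address` can start one. The script below parses constructed excerpts modelled on the two crypto maps in the post (indentation restored, other stanzas omitted) and reports which entries could initiate for the traffic selected by ACL 130.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpts modelled on the crypto maps in the post. Site A binds
# only a dynamic map; site B adds a static entry (sequence 20) with "set peer"
# and "match address 130". The peer address is the post's placeholder.
SITE_A = """
crypto map mymap 10 ipsec-isakmp dynamic dynmap
"""
SITE_B = """
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set myset
 match address 130
"""

HEADER = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")

@dataclass
class MapEntry:
    name: str
    seq: int
    dynamic: bool               # dynamic entries only respond, never initiate
    peer: Optional[str] = None  # from "set peer"
    acl: Optional[str] = None   # from "match address"

def parse_crypto_map(config: str) -> List[MapEntry]:
    """Collect crypto map entries with the peer and ACL each one references."""
    entries, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = MapEntry(m.group(1), int(m.group(2)), m.group(3) is not None)
            entries.append(current)
        elif current is None or not raw.startswith(" "):
            current = None  # "!" or any unindented line ends the stanza
        elif line.startswith("set peer "):
            current.peer = line.split(" ", 2)[2]
        elif line.startswith("match address "):
            current.acl = line.split(" ", 2)[2]
    return entries

def initiators_for_acl(config: str, acl: str) -> List[int]:
    """Sequence numbers of entries able to start IKE for traffic matching acl."""
    return [e.seq for e in parse_crypto_map(config)
            if not e.dynamic and e.peer and e.acl == acl]
```

An empty result for a site means no entry on that router will ever originate the tunnel for that ACL, which is the one-sided behaviour described in the post.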
