L2L VPN IPSEC only coming up when initiated by one side
I have two routers that I want to connect by L2L tunnels.
My config works from site B to site A: I can bring the tunnel up and both sites communicate in both directions. But site A can't bring the tunnel up. It seems that, as long as the IPSEC part stays up, router A can bring ISAKMP up, but after IPSEC disappears, site A has no way to bring the tunnel up. It has to be initiated again by site B.
When router A has to initiate the tunnel, the ACLs in nonat (ACL 199) and traffic selection (ACL 130) count the packets correctly, but the debug gives no output on router A. For the test, site A has 192.168.1.x and site B has 10.1.2.x as internal IPs.
Site A: Router 2611XM, IOS c2600-advsecurityk9-mz.124-15.T14.bin
! **************** Some EASYVPN client ****************
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set myset
 match address 130
!
! The virtual interface is mandatory from the ISP to have a fixed IP address
! This fixed IP address corresponds to the designated IP yy.yy.yy.yy in router A
interface Virtual-PPP1
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ppp pap sent-username 12345 password 12345
 ppp ipcp dns request accept
 pseudowire 18.104.22.168 2 pw-class ISP
 crypto map clientmap
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.1.2.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 10.1.3.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
!
ip nat inside source list 102 interface Virtual-PPP1 overload
!
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 permit ip any any
!
access-list 130 permit ip 10.1.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 10.1.3.0 0.0.0.255 192.168.1.0 0.0.0.255
So the result of a ping after clearing the ACL counters is:
comcomrt1#ping 10.1.2.4 source 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.50
.....
Success rate is 0 percent (0/5)
comcomrt1#sh ip access-li 130
Extended IP access list 130
    10 permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255 (5 matches)
    20 permit ip 192.168.1.0 0.0.0.255 10.1.3.0 0.0.0.255
comcomrt1#sh ip access-li 199
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255 (5 matches)
    20 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    30 deny ip 192.168.1.0 0.0.0.255 172.16.100.0 0.0.0.255
    40 deny ip 192.168.1.0 0.0.0.255 172.16.101.0 0.0.0.255
    50 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
    60 permit ip 192.168.1.0 0.0.0.255 any (2842 matches)
comcomrt1#
And debug cry isa + debug cry ipsec give no output during the ping.
Any idea why I do not have the tunnel initiation?
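Two things a practitioner checks on a pair of configs like the ones above before digging into debugs: that the crypto ACLs on both peers are exact mirror images of each other, and that every flow selected by the crypto ACL is excluded from NAT by a deny entry in the nonat ACL (otherwise the packet is translated first and never matches the crypto map). The script below is an added example, not code from the original post or from Cisco. It parses the ACL text as it appears in the post (both the config form and the `show ip access-list` form) and runs both checks; the function names, the parsing approach and the deliberately broken `NONAT_BAD_EXAMPLE` ACL are my own constructions.

```python
"""Check two IPsec-related properties of Cisco extended ACLs (added example):
  1. the crypto ACLs of both peers are mirror images of each other;
  2. every crypto-ACL flow is exempted from NAT by a deny in the nonat ACL.
ACL text below is copied from the post; NONAT_BAD_EXAMPLE is constructed."""
import ipaddress
import re

# Site A's ACL 130 and ACL 199, as printed by 'show ip access-list' on comcomrt1
SITE_A_ACL130 = """\
Extended IP access list 130
    10 permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255 (5 matches)
    20 permit ip 192.168.1.0 0.0.0.255 10.1.3.0 0.0.0.255"""
SITE_A_ACL199 = """\
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255 (5 matches)
    20 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    60 permit ip 192.168.1.0 0.0.0.255 any (2842 matches)"""
# The other router's ACL 130, in running-config form
SITE_B_ACL130 = """\
access-list 130 permit ip 10.1.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 10.1.3.0 0.0.0.255 192.168.1.0 0.0.0.255"""
# Constructed (not from the post): a nonat ACL that forgets the 10.1.3.0/24 flow
NONAT_BAD_EXAMPLE = """\
access-list 199 deny ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any"""


def _parse_addr(tokens, i):
    """Consume one ACL address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is the bitwise inverse of a netmask; only contiguous
    # wildcards (0.0.0.255, 0.0.255.255, ...) map to a prefix, others raise ValueError.
    netmask = ".".join(str(255 - int(o)) for o in tokens[i + 1].split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Return [(action, src_net, dst_net)] for the 'ip' ACEs found in the text."""
    entries = []
    for line in text.splitlines():
        tokens = re.sub(r"\(\d+ matches?\)", "", line).split()
        if tokens and tokens[0] == "access-list":   # config form: drop 'access-list N'
            tokens = tokens[2:]
        if tokens and tokens[0].isdigit():           # show form: drop sequence number
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue                                 # header lines, prompts, non-ip ACEs
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries


def crypto_acl_mirror_mismatches(local_acl, remote_acl):
    """Local permit flows whose exact mirror (dst -> src) is missing on the remote.
    An empty list means the two crypto ACLs agree on the proxy identities."""
    remote_flows = {(s, d) for a, s, d in parse_acl(remote_acl) if a == "permit"}
    return [(s, d) for a, s, d in parse_acl(local_acl)
            if a == "permit" and (d, s) not in remote_flows]


def nat_leaks(crypto_acl, nonat_acl):
    """Crypto flows that the NAT ACL would translate (first-match semantics).
    A flow is safe once it is fully covered by a deny; it leaks if it touches a
    permit before that. No match at all is the implicit deny, i.e. not translated.
    A flow only partly covered by a deny and then touching a permit is reported
    whole, which over-approximates but never hides a leak."""
    nat_entries = parse_acl(nonat_acl)
    leaks = []
    for action, src, dst in parse_acl(crypto_acl):
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in nat_entries:
            covered = src.subnet_of(nsrc) and dst.subnet_of(ndst)
            touched = src.overlaps(nsrc) and dst.overlaps(ndst)
            if nat_action == "deny" and covered:
                break
            if nat_action == "permit" and touched:
                leaks.append((src, dst))
                break
    return leaks


if __name__ == "__main__":
    print("mirror mismatches:", crypto_acl_mirror_mismatches(SITE_A_ACL130, SITE_B_ACL130))
    print("NAT leaks (post's ACL 199):", nat_leaks(SITE_A_ACL130, SITE_A_ACL199))
    print("NAT leaks (constructed bad ACL):", nat_leaks(SITE_A_ACL130, NONAT_BAD_EXAMPLE))
```

Run against the ACLs quoted in the post, both checks come back clean, which is consistent with the counters incrementing on ACL 130 and on the deny line of ACL 199; the constructed bad nonat ACL shows what a NAT leak report looks like for comparison. Paste each side's `show ip access-list` output into the constants to re-run the checks on your own routers.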