Multiple site VPN IPSec

tytryuy8
Level 1

I have a problem while configuring an IPsec VPN between one site and two others. I followed many examples I found on the internet, but I still have the same problem:

 

dst          src          state        conn-id  slot  status
200.0.2.1    200.0.1.1    QM_IDLE      1019     0     ACTIVE
200.0.3.1    200.0.1.1    MM_NO_STATE  0        0     ACTIVE (deleted)

 

I don't know if that's relevant, but the number of routers between these sites is not the same.


@tytryuy8 

Please provide more information.

 

What type of VPN, policy-based or route-based?

Provide your configuration of all devices.

Provide the IKE debugs of the VPN tunnel that is not working.

@Rob Ingram thank you for your time.

Router 1:

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

 

crypto isakmp enable

crypto isakmp policy 1
encryption aes 256
authentication pre-share
group 5
exit

 

crypto isakmp key secretkey address 200.0.2.1
crypto isakmp key secretkey address 200.0.3.1

 

crypto ipsec transform-set VPN-ESP esp-aes 256 esp-sha-hmac

 

crypto map IPSEC-MAP 1 ipsec-isakmp
set peer 200.0.2.1
set transform-set VPN-ESP
match address 100
exit

 

crypto map IPSEC-MAP 2 ipsec-isakmp
set peer 200.0.3.1
set transform-set VPN-ESP
match address 101
exit

 

interface fa0/0
crypto map IPSEC-MAP

 

 

Router 2:

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

 

crypto isakmp enable

crypto isakmp policy 1
encryption aes 256
authentication pre-share
group 5
exit

 

crypto isakmp key secretkey address 200.0.1.1

 

crypto ipsec transform-set VPN-ESP esp-aes 256 esp-sha-hmac

 

crypto map IPSEC-MAP 1 ipsec-isakmp
set peer 200.0.1.1
set transform-set VPN-ESP
match address 100
exit

 

interface fa0/0
crypto map IPSEC-MAP

 

Router 4:

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

 

crypto isakmp enable

 

crypto isakmp policy 1
encryption aes 256
authentication pre-share
group 5
exit

 

crypto isakmp key secretkey address 200.0.1.1

 

crypto ipsec transform-set VPN-ESP esp-aes 256 esp-sha-hmac

 

crypto map IPSEC-MAP11 1 ipsec-isakmp
set peer 200.0.1.1
set transform-set VPN-ESP
match address 100
exit

 

interface fa0/0
crypto map IPSEC-MAP11

 

 

Router#debug crypto ipsec

Crypto IPSEC debugging is on

IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,

local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

 

IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,

local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

 

 

IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,

local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

 

 

IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,

local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

 

 

IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,

local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac(Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

 

 

Router#show crypto ipsec sa

 

interface: FastEthernet0/0

Crypto map tag: IPSEC-MAP, local addr 200.0.1.1

 

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

current_peer 200.0.2.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0

#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

 

local crypto endpt.: 200.0.1.1, remote crypto endpt.:200.0.2.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x26137A10(638810640)

 

inbound esp sas:

spi: 0x13ED4A66(334318182)

transform: esp-aes 256 esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2000, flow_id: FPGA:1, crypto map: IPSEC-MAP

sa timing: remaining key lifetime (k/sec): (4525504/3101)

IV size: 16 bytes

replay detection support: N

Status: ACTIVE

 

inbound ah sas:

 

inbound pcp sas:

 

outbound esp sas:

spi: 0x26137A10(638810640)

transform: esp-aes 256 esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2001, flow_id: FPGA:1, crypto map: IPSEC-MAP

sa timing: remaining key lifetime (k/sec): (4525504/3101)

IV size: 16 bytes

replay detection support: N

Status: ACTIVE

 

outbound ah sas:

 

outbound pcp sas:

 

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

current_peer 200.0.3.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

 

local crypto endpt.: 200.0.1.1, remote crypto endpt.:200.0.3.1

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x0(0)

 

inbound esp sas:

 

inbound ah sas:

 

inbound pcp sas:

 

outbound esp sas:

 

outbound ah sas:

 

outbound pcp sas:

*** Also, if I remove router 4 and configure the VPN on router 3, it would work perfectly ***

Here's my topology:

[topology image: image_2021-06-02_190618.png]
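As an added example that is not part of this thread, here is a Python triage script that cross-checks the pieces posted above: it parses R1's crypto ACLs and the "match address -> set peer" binding from the crypto map, checks each OUTBOUND sa_request in the debug output against them, and lists peers that never got past QM_IDLE in show crypto isakmp sa. The sample strings are copied from the post as constructed inline input; the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed samples copied from the thread: R1's crypto ACLs, the crypto map's
# "match address -> set peer" binding, one OUTBOUND sa_request and the isakmp table.
R1_ACLS = """\
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
R1_CRYPTO_MAP = {100: "200.0.2.1", 101: "200.0.3.1"}
R1_DEBUG = """\
IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 200.0.1.1, remote= 200.0.2.1,
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
"""
R1_ISAKMP_SA = """\
dst src state conn-id slot status
200.0.2.1 200.0.1.1 QM_IDLE 1019 0 ACTIVE
200.0.3.1 200.0.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)
"""
ACL_RE = r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)"
SA_REQ_RE = r"OUTBOUND local= \S+, remote= ([\d.]+),.*?remote_proxy= ([\d.]+)/([\d.]+)/"

def wildcard_to_network(addr, wildcard):
    # A Cisco ACL wildcard (0.0.0.255) is an inverted mask; turn it into a prefix.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)

def parse_acls(text):
    """ACL number -> list of (src, dst) networks."""
    acls = {}
    for num, src, swc, dst, dwc in re.findall(ACL_RE, text):
        acls.setdefault(int(num), []).append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return acls

def expected_peer(remote_proxy, acls, crypto_map):
    """Peer of the crypto map entry whose ACL destination covers remote_proxy (None if no ACL matches)."""
    return next((crypto_map.get(n) for n, e in acls.items()
                 if any(remote_proxy.subnet_of(dst) for _, dst in e)), None)

def check_sa_requests(debug, acls, crypto_map):
    """Flag sa_requests sent to a peer other than the one the crypto map selects for that proxy."""
    findings = []
    for remote, pfx, mask in re.findall(SA_REQ_RE, debug, re.S):
        proxy = ip_network(f"{pfx}/{mask}")
        want = expected_peer(proxy, acls, crypto_map)
        findings.append({"remote": remote, "remote_proxy": str(proxy), "expected_peer": want, "ok": want == remote})
    return findings

def stuck_isakmp_peers(table):
    """Peers whose IKE phase 1 never reached QM_IDLE (e.g. MM_NO_STATE)."""
    return [(r[0], r[2]) for r in (l.split() for l in table.splitlines()[1:]) if r and r[2] != "QM_IDLE"]
```

Run against the posted output it reports that the sa_request pairs remote 200.0.2.1 with remote_proxy 192.168.3.0/24 although the crypto map binds ACL 101 to 200.0.3.1, and that 200.0.3.1 is stuck in MM_NO_STATE. Whether that pairing is the actual fault or only a debug artefact is for the poster to confirm on the device.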

One idea here:

In R1, please config one password with address 0.0.0.0.

Try this way and see the result.

The R1 will use the password, then it checks the IP, sees no match and refuses the IPsec, so we need to make it 0.0.0.0.

@MHM Cisco World still the same result!

I want to add that if I remove router 4 and configure the VPN on router 3, it would work perfectly.

Just clear the IPsec and isakmp SAs and the session, and see the result.

Please notice I talk about R1.
R1 has one password for two different IPs. Just config one password with one IP address, which is 0.0.0.0, do clear isakmp & session, and see the result.

@MHM Cisco World I can't find the command to clear isakmp & session. What is the command, and in which mode?

clear crypto ipsec sa

clear crypto isakmp sa 

 

sorry see above edit comment.

@MHM Cisco World same problem, here are the only options:

[screenshot: image_2021-06-03_005102.png]

OK, "this limit of PT".
Just reconfigure R1 again from zero, and config two passwords, one for each branch.

@MHM Cisco World 

Still the same problem!

I want to add that if I ping PC0 and then PC2 (from PC1), everything works just fine; I only have this problem if I ping PC2 first and PC0 second. I don't understand how the order of pings can cause such a problem.

SofianeBouaziz
Level 1

Same problem occurs for me and I really can't find the solution anywhere.