01-17-2019 05:43 AM
So we are setting up a connection to a DR cloud location, and to connect to this cloud the cloud provider has given us an IP to connect to and a pre-shared key. We need to create a VPN connection with just that information.
So far this is what I added, but the connection is not working. This is a Cisco 4331 router running version 16.6.3.
crypto keyring Navisite
 pre-shared-key address "DR IP address" key "this key"
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp profile Navisite
 keyring Navisite
 match identity address "DR IP address" 255.255.255.255
 local-address GigabitEthernet0/0/0
!
crypto ipsec transform-set Navisite esp-3des esp-sha-hmac
 mode tunnel
!
crypto map Navisite 1 ipsec-isakmp
 set peer "DR IP address"
 set transform-set Navisite
 match address NAVISITE
!
ip access-list extended NAVISITE
 permit ip "internal subnet1" "DR remote subnet"
 permit ip "internal subnet2" "DR remote subnet"
!
interface GigabitEthernet0/0/0
 crypto map Navisite
01-18-2019 07:45 AM
01-18-2019 08:07 AM - edited 01-18-2019 08:09 AM
No, I do not see any increase on the encrypt and decrypt counters. But I have a question. Normally with this type of connection we have a tunnel interface on either end, and I would then add a route on the router pointing to that remote interface for the subnet we are trying to get to. But since we do not have any tunnels, how would I route from the router to the remote subnet?
01-18-2019 08:14 AM - edited 01-18-2019 08:16 AM
You are using a crypto map, which is enabled on the interface Gi0/0/0. The traffic would need to be routed out of that interface (normally via the default route); if the src/dst matches the ACL applied to that interface, it would be transmitted via the VPN. Obviously a route on your core switch needs to route the destination network via your VPN router.
You could of course change the VPN to an sVTI (tunnel interface), and this would be similar to what you currently have.
If there is an IPsec SA, then communication has been attempted which established the tunnel (either you or the provider initiated the connection, which brought up the tunnel). Can you provide the output of the "show crypto ipsec sa peer x.x.x.x" command?
01-18-2019 08:23 AM
Here is the output:
R-BAY-TW#sh crypto ipsec sa peer "Remote IP"
interface: GigabitEthernet0/0/0
Crypto map tag: Navisite, local addr "Router IP"
protected vrf: (none)
local ident (addr/mask/prot/port): ("Internal sub1"/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): ("Remote Sub"/255.255.255.0/0/0)
current_peer "Remote IP" port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: "Router IP", remote crypto endpt.: "Remote IP"
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0xE74FCF2(242547954)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x31910073(831586419)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3961, flow_id: ESG:1961, sibling_flags FFFFFFFF80000048, crypto map: Navisite
sa timing: remaining key lifetime (k/sec): (4608000/849)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7B5FB3DE(2069869534)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4077, flow_id: ESG:2077, sibling_flags FFFFFFFF80000048, crypto map: Navisite
sa timing: remaining key lifetime (k/sec): (4608000/3587)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD0DEC78B(3504261003)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3962, flow_id: ESG:1962, sibling_flags FFFFFFFF80000048, crypto map: Navisite
sa timing: remaining key lifetime (k/sec): (4608000/849)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xE74FCF2(242547954)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4078, flow_id: ESG:2078, sibling_flags FFFFFFFF80000048, crypto map: Navisite
sa timing: remaining key lifetime (k/sec): (4608000/3587)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): ("internal sub2"/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): ("Remote Sub"/255.255.255.0/0/0)
current_peer "Remote IP" port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: "Router IP", remote crypto endpt.: "Remote IP"
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x6CD58210(1825931792)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xF4665758(4100347736)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3959, flow_id: ESG:1959, sibling_flags FFFFFFFF80000048, crypto map: Navisite
sa timing: remaining key lifetime (k/sec): (4608000/849)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xA7C9FDB3(2815032755)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4071, flow_id: ESG:2071, sibling_flags FFFFFFFF80000048, crypto map: Navisite
sa timing: remaining key lifetime (k/sec): (4608000/3506)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x46754C69(1182092393)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3960, flow_id: ESG:1960, sibling_flags FFFFFFFF80000048, crypto map: Navisite
sa timing: remaining key lifetime (k/sec): (4608000/849)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x6CD58210(1825931792)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4072, flow_id: ESG:2072, sibling_flags FFFFFFFF80000048, crypto map: Navisite
sa timing: remaining key lifetime (k/sec): (4608000/3506)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
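The output above shows the pattern the replies are probing: every SA is ACTIVE in both directions, yet the encaps/decaps counters for both protected flows are 0, so the tunnel negotiated but no interesting traffic is reaching the crypto map. The script below is an added example (not from the thread or from Cisco) that parses `show crypto ipsec sa` output into one record per protected flow and flags flows whose SAs are up but idle, which is the first check to run before looking at routing or NAT. SAMPLE is an abridged copy of the output posted above with constructed documentation addresses (10.1.1.0/24, 10.1.2.0/24, 192.0.2.0/24, 203.0.113.10, 198.51.100.5) in place of the redacted ones.

```python
"""Summarise 'show crypto ipsec sa' per protected flow and flag idle-but-ACTIVE SAs.

Added example, not code from the thread. SAMPLE is the thread's output, abridged,
with constructed addresses substituted for the redacted "Remote IP" etc.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
interface: GigabitEthernet0/0/0
    Crypto map tag: Navisite, local addr 198.51.100.5
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x31910073(831586419)
        Status: ACTIVE(ACTIVE)
      spi: 0x7B5FB3DE(2069869534)
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xD0DEC78B(3504261003)
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.10 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xF4665758(4100347736)
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0x46754C69(1182092393)
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
"""


@dataclass
class Flow:
    """One protected flow (one crypto ACL line) and its counters."""
    local: str = ""
    remote: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    inbound_active: int = 0
    outbound_active: int = 0


IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER = re.compile(r"current_peer (\S+) port")
ENCAPS = re.compile(r"#pkts encaps: (\d+)")
DECAPS = re.compile(r"#pkts decaps: (\d+)")
ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text: str) -> list[Flow]:
    """Split the output on 'local ident' lines; one Flow per protected src/dst pair."""
    flows: list[Flow] = []
    cur: Flow | None = None
    direction = None                      # "inbound"/"outbound" while inside an esp sas block
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT.match(line)
        if m and m.group(1) == "local":   # a new protected flow starts here
            cur = Flow(local=f"{m.group(2)}/{m.group(3)}")
            flows.append(cur)
            direction = None
            continue
        if cur is None:
            continue
        if m:
            cur.remote = f"{m.group(2)}/{m.group(3)}"
        elif m := PEER.match(line):
            cur.peer = m.group(1)
        elif m := ENCAPS.match(line):
            cur.encaps = int(m.group(1))
        elif m := DECAPS.match(line):
            cur.decaps = int(m.group(1))
        elif m := ERRORS.match(line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        elif line.endswith(" sas:"):      # 'inbound esp sas:' opens a block; ah/pcp lines close it
            direction = line.split()[0] if line.endswith("esp sas:") else None
        elif line.startswith("Status: ACTIVE") and direction:
            setattr(cur, f"{direction}_active", getattr(cur, f"{direction}_active") + 1)
    return flows


def idle_flows(flows: list[Flow]) -> list[Flow]:
    """Flows whose SAs are up both ways but which have never encapsulated or decapsulated a packet."""
    return [f for f in flows
            if f.inbound_active and f.outbound_active and f.encaps == 0 and f.decaps == 0]


if __name__ == "__main__":
    for f in idle_flows(parse_ipsec_sa(SAMPLE)):
        print(f"SA up but idle: {f.local} -> {f.remote} via {f.peer} "
              f"(in SAs {f.inbound_active}, out SAs {f.outbound_active})")
```

An idle flow with active SAs in both directions means phase 1 and phase 2 are fine and the problem lies before encryption: the traffic is either not routed out of the crypto-map interface or is being changed (for example by NAT) before the crypto ACL is evaluated.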
01-18-2019 08:27 AM
01-18-2019 08:33 AM
Actually, I do have NAT on the interface, but the IP on the interface is an externally routable IP. So that interface is not behind NAT itself.
interface GigabitEthernet0/0/0
 ip address "Router IP" "IP Subnet mask"
 ip nat outside
 zone-member security outside
 media-type rj45
 negotiation auto
 crypto map Navisite
!
01-18-2019 08:37 AM
01-18-2019 08:57 AM - edited 01-18-2019 08:58 AM
With regard to NAT, we have a /8 in the ACL to cover all the internal IP subnets we have.
As for the ZBFW, could we not eliminate that as an issue, since we now have 61 DMVPN tunnels running just fine through it?
01-18-2019 08:59 AM
01-18-2019 09:44 AM
I did check the NAT translations. There was nothing from the subnets we would like to get routed over the VPN even listed. Overall there should not be, since general internet access does not go through this router; this router is just a backup for general internet access in case our ASA fails. However, it is the main router for all our other VPN tunnels.
Would I need the route on the router for the remote subnet?
Like: ip route "Remote subnet and mask" Gig0/0/0
01-18-2019 09:47 AM
01-18-2019 11:00 AM
This is what I have for routing and NAT on the router. Overall a pretty simple setup.
Core switch:
ip route "Remote subnet" 255.255.255.0 "Internal Router IP"
Router:
ip nat inside source list 199 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 "Default gateway"
ip route "Remote subnet" 255.255.255.0 GigabitEthernet0/0/0
! (a number of routes pointing to tunnel interfaces)
access-list 199 permit ip 10.0.0.0 0.255.255.255 any
access-list 199 permit ip 10.200.3.0 0.0.0.255 any   <------ not really needed
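The NAT ACL 199 above permits 10.0.0.0/8 to any, and the earlier reply noted the /8 is meant to cover every internal subnet. On IOS, inside-to-outside NAT is applied to a packet before the crypto map on the egress interface is evaluated, so a source that matches a permit line in the NAT ACL reaches the crypto ACL already translated to the interface address and no longer matches the VPN's interesting traffic; the usual defence is a deny line for the VPN src/dst pairs ahead of the NAT permit. The script below is an added example (not from the thread or from Cisco) that parses both ACLs in IOS "address wildcard" form, reports which crypto ACL entries the NAT ACL would translate first, and generates the exemption lines. The crypto ACL subnets (10.1.1.0/24, 10.1.2.0/24 to 192.0.2.0/24) are constructed stand-ins for the redacted "internal subnet1/2" and "DR remote subnet"; ACL 199 is copied from the post.

```python
"""Check whether an IOS NAT source ACL would translate VPN traffic before the crypto map sees it.

Added example, not code from the thread. ACL 199 below is the post's; the crypto
ACL subnets are constructed placeholders for the redacted ones.
"""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Copied from the post (the second line is the one the poster marks as unneeded).
NAT_ACL_199_LINES = [
    "permit ip 10.0.0.0 0.255.255.255 any",
    "permit ip 10.200.3.0 0.0.0.255 any",
]
# Constructed stand-ins for 'permit ip "internal subnetN" "DR remote subnet"'.
CRYPTO_ACL_LINES = [
    "permit ip 10.1.1.0 0.0.0.255 192.0.2.0 0.0.0.255",
    "permit ip 10.1.2.0 0.0.0.255 192.0.2.0 0.0.0.255",
]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.255.255.255 -> 255.0.0.0 -> /8."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def to_wildcard(net: ipaddress.IPv4Network) -> str:
    """Render a network back in IOS 'address wildcard' form."""
    return f"{net.network_address} {net.hostmask}"


def _take(tokens: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume one ACL address term: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines: list[str]) -> list[tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Parse 'permit|deny ip SRC DST' lines into (action, src_net, dst_net) tuples, in order."""
    entries = []
    for line in lines:
        parts = line.split()
        action, proto = parts[0], parts[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = _take(parts[2:])
        dst, _ = _take(rest)
        entries.append((action, src, dst))
    return entries


def translated_before_crypto(nat_acl, crypto_acl):
    """Crypto ACL src/dst pairs that the NAT ACL would translate.

    The first NAT entry that fully covers the pair decides (first match wins, as the
    router evaluates per packet); a covering 'deny' exempts the pair from NAT.
    """
    hits = []
    for _, csrc, cdst in crypto_acl:
        for action, nsrc, ndst in nat_acl:
            if csrc.subnet_of(nsrc) and cdst.subnet_of(ndst):
                if action == "permit":
                    hits.append((csrc, cdst))
                break
    return hits


def nat_exemptions(crypto_acl) -> list[str]:
    """Deny lines that, placed before the NAT permit, keep VPN traffic untranslated."""
    return [f"deny ip {to_wildcard(src)} {to_wildcard(dst)}" for _, src, dst in crypto_acl]


if __name__ == "__main__":
    nat = parse_acl(NAT_ACL_199_LINES)
    crypto = parse_acl(CRYPTO_ACL_LINES)
    for src, dst in translated_before_crypto(nat, crypto):
        print(f"NAT would translate {src} -> {dst} before the crypto map matches it")
    print("exemption lines to insert at the top of access-list 199:")
    for line in nat_exemptions(crypto):
        print(" ", line)
```

The check only decides on entries that fully cover a crypto ACL pair; a NAT entry that merely overlaps a VPN subnet is a sign the ACLs need tidying rather than something this script resolves. Note also that a NAT translation for the VPN subnets would only appear in `show ip nat translations` once traffic has actually been sent, so an empty translation table on a flow with zero encaps does not on its own rule NAT out.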
01-18-2019 11:05 AM
01-18-2019 11:21 AM
01-18-2019 11:27 AM