01-17-2019 05:43 AM
So we are setting up a connection to a DR cloud location, and to connect to this cloud the cloud provider has given us an IP to connect to and a pre-shared key. We need to create a VPN connection with just that information.
So far this is what I added, but the connection is not working. This is a Cisco 4331 router running version 16.6.3.
crypto keyring Navisite
 pre-shared-key address "DR IP address" key "this key"
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp profile Navisite
 keyring Navisite
 match identity address "DR IP address" 255.255.255.255
 local-address GigabitEthernet0/0/0
!
crypto ipsec transform-set Navisite esp-3des esp-sha-hmac
 mode tunnel
!
crypto map Navisite 1 ipsec-isakmp
 set peer "DR IP address"
 set transform-set Navisite
 match address NAVISITE
!
ip access-list extended NAVISITE
 permit ip "internal subnet1" "DR remote subnet"
 permit ip "internal subnet2" "DR remote subnet"
!
interface GigabitEthernet0/0/0
 crypto map Navisite
01-18-2019 11:35 AM
Updated ACL:
R-BAY-TW#sh ip access-lists 199
Extended IP access list 199
    5 deny ip 10.101.1.0 0.0.0.255 any
    6 deny ip 10.107.1.0 0.0.0.255 any
    10 permit ip 10.0.0.0 0.255.255.255 any
    20 permit ip 10.200.3.0 0.0.0.255 any
And we seem to be getting activity now on the VPN:
R-BAY-TW#sh crypto ipsec sa peer 209.235.70.147

interface: GigabitEthernet0/0/0
    Crypto map tag: Navisite, local addr 74.87.123.90

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.101.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 209.235.70.147 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 74.87.123.90, remote crypto endpt.: 209.235.70.147
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x3FE29ACC(1071815372)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x6E3EB725(1849603877)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4409, flow_id: ESG:2409, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/748)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3FE29ACC(1071815372)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4410, flow_id: ESG:2410, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4607999/748)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.107.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 209.235.70.147 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 74.87.123.90, remote crypto endpt.: 209.235.70.147
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0xA2A76027(2728878119)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xE98F894B(3918498123)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4487, flow_id: ESG:2487, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/2398)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA2A76027(2728878119)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4488, flow_id: ESG:2488, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/2398)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
01-18-2019 11:47 AM
I will check with the provider, since I'm sure you already could see we are not able to ping even though we are sending traffic out.
01-18-2019 11:58 AM
From what you can tell, there would be no reason that the ZBFW would be blocking incoming? I would not think so, considering the number of working DMVPN tunnels I have on this router already.
01-18-2019 12:11 PM
Never mind, I think we are good; I can now ping one (most likely, though, only one so far) address at the remote side.

interface: GigabitEthernet0/0/0
    Crypto map tag: Navisite, local addr 74.87.123.90

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.101.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 209.235.70.147 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 576, #pkts encrypt: 576, #pkts digest: 576
    #pkts decaps: 168, #pkts decrypt: 168, #pkts verify: 168
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
01-18-2019 12:23 PM
Good to hear you made some progress; I was closely watching your post. I suggest you check your ACL and the remote ACL to make sure they mirror each other.
01-18-2019 09:58 AM
Kindly please provide the config in order to fix this issue. It would be great if you can give us the information for the remote side too.
01-18-2019 11:22 AM
I added it to another reply; you can check it out there.
01-18-2019 08:38 AM
What do these commands show you?
show crypto isakmp sa
show crypto ipsec sa
show crypto session
01-17-2019 06:10 AM
Mike,
Your cloud provider didn't give you enough information. You need to know the parameters for IKE phase 1 and IKE phase 2 negotiation, like encryption algorithms, hashing, Diffie-Hellman group, and use of PFS. Without it you are going to be guessing among hundreds of possible combinations. You need to request more information from the service provider to be able to configure your VPN.
01-17-2019 06:28 AM
Sorry, I did get the encryption as 3DES; that's why I used it. But there was little beyond that. The person that I talked to, to initially set this up, showed me his setup, but that was a Meraki router, so the GUI does not translate well to the command line.
01-17-2019 07:11 AM
Mike,
Usually such info is supplied in emails. Some service providers send you a spreadsheet to fill in with the desired connection details, or they dictate their own standards. But either way they need to tell you all of the info for you to be able to configure your end of the link.
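Putting the advice in this thread together, the following is a complete crypto-map configuration for the original poster's scenario. It is an added example, not the configuration posted in the thread or anything supplied by Navisite. The peer address, local interface and subnets are the ones that appear in the show output above (209.235.70.147, GigabitEthernet0/0/0, 10.101.1.0/24, 10.107.1.0/24, 192.168.5.0/24); the pre-shared key, the policy and sequence numbers, the object names and the lifetimes are assumptions. Every IKE phase 1 and phase 2 value is written out explicitly so that nothing falls back to a platform default, and each of those values must match what the provider runs. The commented alternatives show the stronger suite to ask the provider for, since 3DES, SHA-1 and DH group 2 are legacy choices.

```cisco
! Added example, not the thread's own config. Peer and subnets are taken
! from the show output in the thread; PSK, numbers and lifetimes are assumed.
!
! ---- IKE phase 1 (ISAKMP) ----
! All five parameters must match the provider's phase 1 policy.
! Provider stated 3DES; stronger alternative if they support it:
!   encryption aes 256 / hash sha256 / group 14
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key bound to the single peer address (placeholder, not a real key).
crypto keyring NAVISITE
 pre-shared-key address 209.235.70.147 key REPLACE-WITH-PROVIDER-PSK
!
crypto isakmp profile NAVISITE
 keyring NAVISITE
 match identity address 209.235.70.147 255.255.255.255
 local-address GigabitEthernet0/0/0
!
! ---- IKE phase 2 (IPsec) ----
! Must match the provider's phase 2 proposal. Stronger alternative:
!   crypto ipsec transform-set NAVISITE-TS esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set NAVISITE-TS esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL: one entry per local/remote subnet pair. The remote side's
! crypto ACL (or the Meraki "private subnets" list) must mirror these exactly.
ip access-list extended NAVISITE-CRYPTO
 permit ip 10.101.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 10.107.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
! PFS group2 matches "PFS (Y/N): Y, DH group: group2" in the SA output above;
! the 3600 s SA lifetime is an assumption and must match the provider too.
crypto map NAVISITE 10 ipsec-isakmp
 set peer 209.235.70.147
 set transform-set NAVISITE-TS
 set pfs group2
 set isakmp-profile NAVISITE
 set security-association lifetime seconds 3600
 match address NAVISITE-CRYPTO
!
interface GigabitEthernet0/0/0
 crypto map NAVISITE
```

To verify: "show crypto isakmp sa" should list the peer in QM_IDLE once phase 1 agrees; "show crypto ipsec sa peer 209.235.70.147" should then show both encaps and decaps counters rising. The pattern in the first output above (encaps 15, decaps 0) means this side is encrypting but nothing comes back, which points at the far end's crypto ACL or selectors rather than at phase 1. The thread does not say what ACL 199 is applied to; if it is the NAT source list, the two deny entries are what keep the VPN subnets from being translated before they reach the crypto map, though written as "deny ... any" they exempt all traffic from those subnets rather than only traffic bound for 192.168.5.0/24.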