Problem with IPSec tunnel

Matteo Abrile
Level 2

Hello,

I have a router that I use as the hub of a DMVPN; this router has 1 default route that it learns from EIGRP and some static routes to other internet connections (I use it only for VPN connectivity). Now I need to set up a normal IPsec site-to-site tunnel with Vodafone for traffic from internet keys with a dedicated APN.

I set it up and applied the crypto map on the interface where I point the static route. Inside this tunnel I need to reach the "private addresses" that my radius assigns to the internet keys, and the packets to the "Vodafone client radius". The Vodafone client radius has public IPs (not RFC 1918); I created an ACL that matches all this traffic.

My problem is that I can receive traffic from Vodafone but my packets do not match the VPN tunnel. In fact, now when Vodafone tries to log in from an internet key, I can see their request on my radius but they see a timeout, because I send the packet back but it does not go into the tunnel and so stops on my router.

If I run "sh crypto session" I see the tunnel UP; if I run "sh crypto ipsec sa peer <peer ip>" I see packets in "decap" but I can't see packets in "encap".

This is an extract of my config:

-----------

!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key pskpassword address xxx.xxx.xxx.240
crypto isakmp key pskpassword address xxx.xxx.xxx.241
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer xxx.xxx.xxx.240
 set transform-set ESP-3DES-SHA
 match address TO-VODAFONE-APN-240
!
crypto map VPN 20 ipsec-isakmp
 set peer xxx.xxx.xxx.241
 set transform-set ESP-3DES-SHA
 match address TO-VODAFONE-APN-241
!
ip access-list extended TO-VODAFONE-APN-240
 permit ip any 10.102.100.0 0.0.0.255
 permit ip host 192.168.217.12 xxx.xxx.xxx.80 0.0.0.7
ip access-list extended TO-VODAFONE-APN-241
 permit ip any 10.102.100.0 0.0.0.255
 permit ip host 192.168.217.12 xxx.xxx.xxx.56 0.0.0.7
!
interface Port-channel2
 ip address xxx.xxx.xxx.108 255.255.255.248
 crypto map VPN
!

-----------

Thanks in advance for your help.

M.
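The "decap but no encap" symptom in the post comes down to two separate checks the router makes on the return packet: it must be routed out the interface that carries the crypto map, and it must then match a crypto ACL. The following added example (not from the thread or from Cisco) models both checks with the post's ACL TO-VODAFONE-APN-240, using the documentation prefix 203.0.113 in place of the masked xxx.xxx.xxx addresses and assuming the interface names Port-channel2 and Tunnel0.

```python
import ipaddress

def wildcard_net(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into an IPv4Network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard not supported")
    mask = ~wc & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, bin(mask).count("1")))

# Crypto ACL TO-VODAFONE-APN-240 from the post, one (src, dst) pair per ACE.
# 'any' is written as 0.0.0.0 with wildcard 255.255.255.255; 'host' as wildcard 0.0.0.0.
TO_VODAFONE_APN_240 = [
    (wildcard_net("0.0.0.0", "255.255.255.255"), wildcard_net("10.102.100.0", "0.0.0.255")),
    (wildcard_net("192.168.217.12", "0.0.0.0"), wildcard_net("203.0.113.80", "0.0.0.7")),
]

# Constructed routing tables: the EIGRP default, with and without the static
# route toward the Vodafone peer that points out the crypto-map interface.
ROUTES_WITH_STATIC = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "Tunnel0"),
    (ipaddress.IPv4Network("203.0.113.80/29"), "Port-channel2"),
]
ROUTES_DEFAULT_ONLY = ROUTES_WITH_STATIC[:1]
CRYPTO_MAP_INTERFACE = "Port-channel2"   # where 'crypto map VPN' is applied

def egress_interface(dst, routes):
    """Longest-prefix match, which the router performs before consulting the crypto map."""
    d = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def acl_permits(src, dst, acl):
    """True if any ACE of the crypto ACL matches the (src, dst) pair."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in acl)

def will_encap(src, dst, routes):
    """Report egress interface, ACL match, and whether the packet is encapsulated;
    encapsulation needs BOTH the crypto-map interface as egress and an ACL match."""
    iface = egress_interface(dst, routes)
    matches = acl_permits(src, dst, TO_VODAFONE_APN_240)
    return {"egress": iface, "acl_match": matches,
            "encap": matches and iface == CRYPTO_MAP_INTERFACE}

if __name__ == "__main__":
    for routes in (ROUTES_WITH_STATIC, ROUTES_DEFAULT_ONLY):
        print(will_encap("192.168.217.12", "203.0.113.81", routes))
```

Without the static route the reply to 203.0.113.81 matches the ACL yet leaves via Tunnel0, so it is never offered to the crypto map. Note also that both ACLs in the post start with `permit ip any 10.102.100.0 0.0.0.255`, so traffic to that subnet will always be claimed by crypto map sequence 10 and never reach sequence 20.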

2 Replies

Share a traceroute from your radius back to Vodafone. Also, share your static route on your router.

Hello,

About the route, I tried 2 ways. First, I created 3 static routes to null0 so that EIGRP announces the route; second, I created a static route in the router between the radius and the VPN router. With this last way I get "TTL expired", with the first way I get "no reply" when pinging from the radius.

Tracing route to XXX.XXX.XXX.81 over a maximum of 30 hops (this is the Vodafone radius IP)

  1   140 ms    55 ms     6 ms  192.168.217.254 (this is the default gw for the radius)
  2    <1 ms    <1 ms    <1 ms  192.168.222.11 (this is the router doing the VPN with Vodafone)
  3     *        *        *     Request timed out.

Thanks

M.