Site to Site VPN in UP-IDLE and no traffic...

c.console
Level 1

Hi,

I have two offices (main and branch), each with a Cisco 887 router running IOS 15.3 (sec+ k9).

I have configured client VPN (working with no problems at all) and a site-to-site VPN.

The tunnel between the main and branch sites is up (according to sh cry session and sh crypto isakmp sa), but I can't send traffic from site to site and the tunnel status is always "UP-IDLE".

(ip address removed)

MAIN SITE

Interface: Dialer0
Session status: UP-IDLE
Peer: BRANCH IP port 500 
  Session ID: 0  
  IKEv1 SA: local  Active 
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
     QM_IDLE           2009 ACTIVE

interface: Dialer0
    Crypto map tag: clientmap, local addr 

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer  port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 458, #recv errors 0

     local crypto endpt.: , remote crypto endpt.: 
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

BRANCH


Interface: Dialer0
Session status: UP-IDLE
Peer: MAIN IP port 500 
  Session ID: 0  
  IKEv1 SA: local Active 
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.0.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
     QM_IDLE           2012 ACTIVE

sh crypto ipsec sa

interface: Dialer0
    Crypto map tag: clientmap, local addr 

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 79.0.238.28 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 30, #recv errors 0

     local crypto endpt.: , remote crypto endpt.: 
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Attached are the sh run configs of both routers.
I don't see any problem with either peer's ACL configuration for NAT and traffic.

Thanks for any help.
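A small parser over output of the kind shown above, as an added example that is not part of the original thread: it pulls the fields that separate a working tunnel from the UP-IDLE state in the post (IKE SA active but Active SAs 0, outbound SPI 0x0, send errors with zero encaps) and returns findings a monitoring check could alert on. The sample text and peer addresses are constructed.

```python
import re

# Constructed sample, condensed from the shape of "show crypto session" and
# "show crypto ipsec sa" output; the peer addresses are placeholders.
SAMPLE = """\
Interface: Dialer0
Session status: UP-IDLE
Peer: 203.0.113.2 port 500
  IKEv1 SA: local 203.0.113.1/500 remote 203.0.113.2/500 Active
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 458, #recv errors 0
     current outbound spi: 0x0(0)
"""

# Same output with the counters of a tunnel that is actually passing traffic.
HEALTHY = (SAMPLE.replace("UP-IDLE", "UP-ACTIVE")
           .replace("Active SAs: 0", "Active SAs: 2")
           .replace("#pkts encaps: 0", "#pkts encaps: 120")
           .replace("#send errors 458", "#send errors 0")
           .replace("0x0(0)", "0x4A1B2C3D(1243491389)"))

def parse_session(text):
    """Extract the fields that distinguish a healthy tunnel from UP-IDLE."""
    def grab(pattern, conv=str, default=None):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else default
    return {
        "status": grab(r"Session status:\s*(\S+)"),
        "ike_active": bool(re.search(r"IKEv1 SA:.*\bActive\b", text)),
        "active_sas": grab(r"Active SAs:\s*(\d+)", int, 0),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int, 0),
        "send_errors": grab(r"#send errors\s*(\d+)", int, 0),
        "outbound_spi": grab(r"current outbound spi:\s*(0x[0-9a-fA-F]+)"),
    }

def diagnose(fields):
    """Return findings; an empty list means the tunnel looks healthy."""
    findings = []
    if fields["ike_active"] and fields["active_sas"] == 0:
        findings.append("IKE phase 1 is up but no IPsec (phase 2) SA exists")
    if fields["outbound_spi"] == "0x0":
        findings.append("outbound SPI is 0x0: no ESP SA installed")
    if fields["send_errors"] > 0 and fields["encaps"] == 0:
        findings.append("packets matched the crypto map but were dropped "
                        "(send errors with zero encaps)")
    return findings
```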

Accepted Solution

Josh Sprang
Level 1

I am not certain without seeing a debug cry IPsec, but I think you may be matching your dynamic map first with a seq of 10. I would try removing that and setting it to 100 or something on both sides. Clear the sessions and try again.

no crypto map clientmap 10 ipsec-isakmp dynamic dynmap

crypto map clientmap 100 ipsec-isakmp dynamic dynmap

clear cry sa

clear cry IPsec sa

(these will bounce all client and L2L tunnels)

hth

4 Replies

Thanks, now I can send traffic through the tunnel.

Just a little problem...

If I connect with the VPN client to one of the two routers, I can reach only the directly connected subnet, but I can't reach the other side of the IPsec tunnel.

For example, if I connect to the MAIN router I can't reach the BRANCH subnet, and vice versa.

Is it possible to fix that?

Thanks again

It sounds like what you are trying to do is called VPN hairpinning. This is very common on an ASA and there are tons of examples. Having trouble finding a configuration for this on a router though. Still looking...

What an answer. One shot. Thank you so much.