03-10-2016 02:28 AM
Hi,
Trying to sort out a configuration issue, but don't have boatloads of experience to sort it out.
The tunnel seems to come up, but I get "output crypto map check failed" when trying to ping a remote host.
Pretty simple site-to-site, here is a scrubbed configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password Password1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565821720
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-565821720
revocation-check none
rsakeypair TP-self-signed-565541720
!
!
crypto pki certificate chain TP-self-signed-565541720
certificate self-signed 01
quit
!
!
class-map match-all SiteA-2_OUT
match access-group name SiteA-2_OUT
class-map match-all SiteA-2_IN
match access-group name SiteA-2_IN
!
!
crypto keyring SiteA-2
pre-shared-key address 123.123.123.123 key 9P5q9154&ES485Rrq9154&E
crypto logging session
!
crypto isakmp policy 40
encr 3des
authentication pre-share
group 2
crypto isakmp profile SiteA-2
keyring SiteA-2
match identity address 123.123.123.123 255.255.255.255
keepalive 10 retry 2
!
!
crypto ipsec transform-set SiteA-2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
set peer 123.123.123.123
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set SiteA-2
set isakmp-profile SiteA-2
match address SiteA-2_ACCESSLIST
reverse-route static
!
!
!
interface FastEthernet0/0
description LAN_AMI_PLL
ip address 111.222.111.222 255.255.252.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description OUTSIDE_INTERNET1
ip address 222.222.222.222 255.255.255.240
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
ip default-gateway 222.222.222.129
ip route 0.0.0.0 0.0.0.0 222.222.222.129
ip route 172.29.10.0 255.255.255.0 172.29.0.1
!
no ip http server
ip http secure-server
!
ip access-list extended SiteA-2_ACCESSLIST
permit ip any host 10.140.0.20
permit ip any host 10.140.0.21
ip access-list extended SiteA-2_IN
permit ip host 123.123.123.123 any
ip access-list extended SiteA-2_OUT
ip access-list extended VPN_IN
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
ip access-list extended VPN_OUT
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
!
access-list 1 permit 172.29.0.0 0.0.3.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password SiteA2
login
!
end
03-10-2016 02:42 AM
Hi,
The config looks fine.
Can you check the routing for the VPN?
It seems to be a routing issue.
Regards,
Aditya
Please rate helpful posts.
03-10-2016 02:45 AM
Aditya,
Can you tell me what the "output crypto map check failed" refers to? I'm able to ping hosts on the internet, but not on the other side of the VPN link.
Thanks,
03-10-2016 03:09 AM
Hi,
That means the traffic is not able to hit the crypto engine and that can be due to the following reasons:
1. Route issue.
2. NAT issue.
Since I do not see any NAT then we do not need to worry about it.
Normally we need to deny the VPN traffic so that it does not get NATTed.
Regards,
Aditya
Please rate helpful posts.
03-10-2016 03:21 AM
Updated config as I believe we actually need to use NAT.
fa0/0 is our inside interface and fa0/1 is the outside interface. fa0/1 has a public IP.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password Password1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565821720
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-565821720
revocation-check none
rsakeypair TP-self-signed-565541720
!
!
crypto pki certificate chain TP-self-signed-565541720
certificate self-signed 01
quit
!
!
class-map match-all SiteA-2_OUT
match access-group name SiteA-2_OUT
class-map match-all SiteA-2_IN
match access-group name SiteA-2_IN
!
!
crypto keyring SiteA-2
pre-shared-key address 123.123.123.123 key 9P5q9154&ES485Rrq9154&E
crypto logging session
!
crypto isakmp policy 40
encr 3des
authentication pre-share
group 2
crypto isakmp profile SiteA-2
keyring SiteA-2
match identity address 123.123.123.123 255.255.255.255
keepalive 10 retry 2
!
!
crypto ipsec transform-set SiteA-2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
set peer 123.123.123.123
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set SiteA-2
set isakmp-profile SiteA-2
match address SiteA-2_ACCESSLIST
reverse-route static
!
!
!
interface FastEthernet0/0
description LAN_AMI_PLL
ip address 111.222.111.222 255.255.252.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description OUTSIDE_INTERNET1
ip address 222.222.222.222 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
ip default-gateway 222.222.222.129
ip route 0.0.0.0 0.0.0.0 222.222.222.129
ip route 172.29.10.0 255.255.255.0 172.29.0.1
!
no ip http server
ip http secure-server
!
ip access-list extended SiteA-2_ACCESSLIST
permit ip any host 10.140.0.20
permit ip any host 10.140.0.21
ip access-list extended SiteA-2_IN
permit ip host 123.123.123.123 any
ip access-list extended SiteA-2_OUT
ip access-list extended VPN_IN
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
ip access-list extended VPN_OUT
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
!
access-list 1 permit 172.29.0.0 0.0.3.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password SiteA2
login
!
end
03-10-2016 03:26 AM
Hi,
Since we are using NAT statements you need to deny the VPN traffic so that it is exempted from NAT.
Sample config:
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
!--- Exclude the private network and VPN Client !--- traffic from the NAT process.
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
route-map
match
In your
access-list 110 deny
access-list 110 permit
For further info check this link:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14132-ios-D.html
Regards,
Aditya
Please rate helpful posts.
03-10-2016 03:55 AM
My new config is below. I have now lost access to Internet hosts.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password Password1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565821720
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-565821720
revocation-check none
rsakeypair TP-self-signed-565541720
!
!
crypto pki certificate chain TP-self-signed-565541720
certificate self-signed 01
quit
!
!
class-map match-all SiteA-2_OUT
match access-group name SiteA-2_OUT
class-map match-all SiteA-2_IN
match access-group name SiteA-2_IN
!
!
crypto keyring SiteA-2
pre-shared-key address 123.123.123.123 key 9P5q9154&ES485Rrq9154&E
crypto logging session
!
crypto isakmp policy 40
encr 3des
authentication pre-share
group 2
crypto isakmp profile SiteA-2
keyring SiteA-2
match identity address 123.123.123.123 255.255.255.255
keepalive 10 retry 2
!
!
crypto ipsec transform-set SiteA-2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
set peer 123.123.123.123
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set SiteA-2
set isakmp-profile SiteA-2
match address SiteA-2_ACCESSLIST
reverse-route static
!
!
!
interface FastEthernet0/0
description LAN_AMI_PLL
ip address 111.222.111.222 255.255.252.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description OUTSIDE_INTERNET1
ip address 222.222.222.222 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
ip default-gateway 222.222.222.129
ip route 0.0.0.0 0.0.0.0 222.222.222.129
ip route 172.29.10.0 255.255.255.0 172.29.0.1
!
no ip http server
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
ip access-list extended SiteA-2_ACCESSLIST
permit ip any host 10.140.0.20
permit ip any host 10.140.0.21
ip access-list extended SiteA-2_IN
permit ip host 123.123.123.123 any
ip access-list extended SiteA-2_OUT
ip access-list extended VPN_IN
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
ip access-list extended VPN_OUT
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
!
access-list 1 permit 172.29.0.0 0.0.3.255
access-list 110 deny ip any host 10.140.0.21
access-list 110 permit ip any any
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password SiteA2
login
!
end
03-10-2016 04:12 AM
Hi,
Try changing it to the other interface:
Aditya
03-10-2016 04:20 AM
Can access the Internet now, but still get the "output crypto map check failed" error.
03-10-2016 04:28 AM
Hi,
I hope you are pinging only 10.140.0.21 as you are only denying this.
Regards,
Aditya
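An added example (not from this thread or from Cisco) that models the point made in the 03:09 AM reply (inside NAT runs before the crypto map check) and the 04:28 AM remark that the 03:55 AM access-list 110 exempts only 10.140.0.21. It assumes a simplified IOS extended-ACL matcher (wildcard masks, first match wins, implicit deny) and uses the scrubbed addresses posted above; the 03-18 ACL is included to show that exempting both hosts keeps the LAN source intact.

```python
import ipaddress

# Constructed model (not Cisco code) of IOS extended-ACL matching: each entry
# has a wildcard mask, first match wins, and an unmatched packet is denied.
def _ip(s):
    return int(ipaddress.IPv4Address(s))

ANY = ("0.0.0.0", "255.255.255.255")   # "any"

def host(ip):
    return (ip, "0.0.0.0")             # "host x.x.x.x"

def _match(addr, spec):
    # Wildcard-mask bits set to 1 are "don't care"; compare the other bits only.
    net, wc = map(_ip, spec)
    return (_ip(addr) | wc) == (net | wc)

def acl_lookup(acl, src, dst):
    """acl: list of (action, src_spec, dst_spec); returns 'permit' or 'deny'."""
    for action, s_spec, d_spec in acl:
        if _match(src, s_spec) and _match(dst, d_spec):
            return action
    return "deny"                      # implicit deny at the end of every ACL

def inside_to_outside(src, dst, nonat_acl, crypto_acl, outside_ip):
    """IOS inside->outside order of operations: inside NAT is applied before
    the crypto map check on the egress interface. In 'route-map nonat' an
    ACL permit means the packet IS translated; an ACL deny exempts it."""
    translated = acl_lookup(nonat_acl, src, dst) == "permit"
    seen_src = outside_ip if translated else src
    hits_crypto = acl_lookup(crypto_acl, seen_src, dst) == "permit"
    return translated, seen_src, hits_crypto

# ACLs taken from the thread: the 03:55 AM access-list 110 exempts only .21,
# the 03-18 version exempts both hosts; the crypto ACL is "permit ip any host".
NONAT_0355 = [("deny", ANY, host("10.140.0.21")), ("permit", ANY, ANY)]
NONAT_0318 = [("deny", ANY, host("10.140.0.20")),
              ("deny", ANY, host("10.140.0.21")), ("permit", ANY, ANY)]
CRYPTO_ACL = [("permit", ANY, host("10.140.0.20")),
              ("permit", ANY, host("10.140.0.21"))]
OUTSIDE_IP = "14.14.14.14"   # scrubbed fa0/1 address from the 03-18 config
LAN_SRC = "172.29.0.51"      # source used in the OP's "ping ... source" test

if __name__ == "__main__":
    for name, acl in (("03:55 ACL 110", NONAT_0355), ("03-18 ACL 110", NONAT_0318)):
        for dst in ("10.140.0.20", "10.140.0.21"):
            print(name, dst, inside_to_outside(LAN_SRC, dst, acl, CRYPTO_ACL, OUTSIDE_IP))
```

With the 03:55 AM ACL, pings to 10.140.0.20 reach the crypto map with 14.14.14.14 as source; whether the far end accepts that source depends on its own crypto ACL, which the thread does not show.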
03-10-2016 04:31 AM
*Mar 10 12:57:38.049: IP: s=222.222.222.222 (local), d=10.140.0.20 (FastEthernet0/1), len 100, output crypto map check failed.
Same occurs with 10.140.0.21 which are the two hosts we need to access on the other side of the VPN tunnel.
03-10-2016 04:53 AM
Hi,
May I know how you are trying to ping the remote host?
Regards,
Aditya
03-10-2016 06:32 AM
ping 10.140.0.20 source 172.29.0.51
and
ping 10.140.0.20
both give the "crypto map check failed"
I really appreciate your help!
03-18-2016 08:39 AM
Hi Aditya,
Was away for a few days vacation, but I am back at it. Still having issues and here is my running config:
Current configuration : 4154 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password password
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565541111
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-565541111
revocation-check none
rsakeypair TP-self-signed-565541111
!
!
crypto pki certificate chain TP-self-signed-565541111
certificate self-signed 01
quit
!
!
class-map match-all Site-1_OUT
match access-group name Site-1_OUT
class-map match-all Site-1_IN
match access-group name Site-1_IN
!
!
crypto keyring Site-1
pre-shared-key address 12.12.12.12 key 5S485Rr9Pq9154&E
crypto logging session
!
crypto isakmp policy 40
encr 3des
authentication pre-share
group 2
crypto isakmp profile Site-1
keyring Site-1
match identity address 12.12.12.12 255.255.255.255
keepalive 10 retry 2
!
!
crypto ipsec transform-set Site-1 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
set peer 12.12.12.12
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set Site-1
set isakmp-profile Site-1
match address Site-1_ACCESSLIST
reverse-route static
!
!
!
interface FastEthernet0/0
description LAN_PLL
ip address 13.13.13.13 255.255.252.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description OUTSIDE_INTERNET1
ip address 14.14.14.14 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
ip default-gateway 14.14.14.129
ip route 0.0.0.0 0.0.0.0 14.14.14.129
ip route 13.13.13.0 255.255.255.0 13.13.13.1
!
no ip http server
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
ip access-list extended Site-1_ACCESSLIST
permit ip any host 10.140.0.20
permit ip any host 10.140.0.21
ip access-list extended Site-1_IN
permit ip host 12.12.12.12 any
ip access-list extended Site-1_OUT
ip access-list extended VPN_IN
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
ip access-list extended VPN_OUT
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
!
access-list 1 permit 13.13.0.0 0.0.3.255
access-list 110 deny ip any host 10.140.0.20
access-list 110 deny ip any host 10.140.0.21
access-list 110 permit ip any any
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password password
login
!
end
05-07-2016 02:37 AM
Hi,
do you still have this problem?
Can you send us the updated config from each of the routers?
Thanks