01-12-2023 09:13 AM
Hi Guys,
I have 2 routers running OSPF point to point LAN--> HQ-TX <---> NV-Branch <-- LAN, which is running site-to-site VPN and works perfectly. Now for failovers I added an INTERNET router with a new design LAN--> HQ-TX <--> INTERNET ROUTER <--> NV-Branch <-- LAN. I established connections using default static routes. After setting up a new isakmp key to the interface IP addr, I used the same crypto map and transform set name with a different seq number. I got a phase 1 connection complete but I don't think the IPsec tunnel formed and my connection timed out. This is kicking me left and right ... Please what can I do, any ideas ... Thanks
~Chike
01-12-2023 09:19 AM
@chike2much Confirm the IKE SA has been established by running "show crypto isakmp sa". Run "show crypto ipsec sa" to determine whether the IPsec SAs have been established; if they have, check that the encaps|decaps counters are increasing. Provide the output of these commands so we can see the result.
Provide your configuration so we have a better understanding of what you've configured.
01-12-2023 09:28 AM - edited 01-12-2023 09:43 AM
--- HQ TX
Current configuration : 1652 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1524QTLI-
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
!
crypto isakmp key sitevpn address 80.80.85.2
crypto isakmp key sitevpn2 address 80.80.86.10
!
!
!
crypto ipsec transform-set projectvpn esp-aes esp-sha-hmac
!
crypto map vpnsite 10 ipsec-isakmp
set peer 80.80.85.2
set transform-set projectvpn
match address 120
!
crypto map vpnsite 20 ipsec-isakmp
set peer 80.80.86.10
set transform-set projectvpn
match address 120
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.10.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 80.80.85.1 255.255.255.252
clock rate 2000000
shutdown
crypto map vpnsite
!
interface Serial0/0/1
ip address 80.80.86.1 255.255.255.248
crypto map vpnsite
!
interface Vlan1
no ip address
shutdown
!
router ospf 8
router-id 2.2.2.2
log-adjacency-changes
network 10.10.1.0 0.0.0.255 area 0
network 80.80.85.0 0.0.0.3 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 80.80.86.2
!
ip flow-export version 9
!
!
access-list 120 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
-- INTERNET ROUTER--
Current configuration : 1049 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1524Q2TF-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 80.80.86.2 255.255.255.248
clock rate 64000
!
interface Serial0/0/1
ip address 80.80.86.9 255.255.255.252
!
interface Serial0/1/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 80.80.86.1
ip route 0.0.0.0 0.0.0.0 80.80.86.10
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
--Nevada Branch Router--
Building configuration...
Current configuration : 1690 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1524KTPR-
license boot module c2900 technology-package securityk9
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
!
crypto isakmp key sitevpn address 80.80.85.1
crypto isakmp key sitevpn2 address 80.80.86.1
!
!
!
crypto ipsec transform-set projectvpn esp-aes esp-sha-hmac
!
crypto map vpnsite 10 ipsec-isakmp
set peer 80.80.85.1
set transform-set projectvpn
match address 120
!
crypto map vpnsite 20 ipsec-isakmp
set peer 80.80.86.1
set transform-set projectvpn
match address 120
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.10.6.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 80.80.85.2 255.255.255.252
clock rate 2000000
crypto map vpnsite
!
interface Serial0/0/1
ip address 80.80.86.10 255.255.255.252
ip nat outside
clock rate 64000
crypto map vpnsite
!
interface Vlan1
no ip address
shutdown
!
router ospf 8
router-id 1.1.1.1
log-adjacency-changes
network 10.10.6.0 0.0.0.255 area 0
network 80.80.85.0 0.0.0.3 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 80.80.86.9
!
ip flow-export version 9
!
!
access-list 120 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Thank you Rob
01-12-2023 09:42 AM
@chike2much what about the output for "show crypto isakmp sa" and "show crypto ipsec sa"?
I wasn't expecting 3 routers; without a topology diagram it's going to be harder to troubleshoot.
I do note that the Nevada router has NAT configured on the Ser0/0/1 interface but Ser0/0/0 does not, so the VPN traffic may unintentionally be translated over Ser0/0/1. You'd need to ensure traffic routed over the VPN is excluded from being encrypted.
For testing, remove "ip nat outside" from Ser0/0/1 and "ip nat inside" from Gi0/0 and try again.
01-12-2023 10:04 AM
--HQ - TX
interface: Serial0/0/1
Crypto map tag: vpnsite, local addr 80.80.86.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer 80.80.86.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 80.80.86.1, remote crypto endpt.:80.80.85.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer 80.80.86.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 80.80.86.1, remote crypto endpt.:80.80.86.10
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
--- show isakmp sa--
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
Dst- 80.80.85.2 Src - 80.80.86.1 MM_NO_STATE 0 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
-- Neveda Branch --
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer 80.80.86.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 80.80.86.10, remote crypto endpt.:80.80.86.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
-- show isakmp sa --
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
01-12-2023 10:46 AM
@chike2much HQ is attempting to establish the VPN to the wrong destination peer IP - 80.80.85.2
--- show isakmp sa--
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
Dst- 80.80.85.2 Src - 80.80.86.1 MM_NO_STATE 0 0 ACTIVE (deleted)
Change the VPN configuration to specify a backup peer, if the first peer does not respond (shut the interface down in the lab) then it will attempt to use the second peer.
crypto map vpnsite 10 ipsec-isakmp
set peer 80.80.85.2 80.80.86.10
no crypto map vpnsite 20 ipsec-isakmp
01-12-2023 11:14 AM
Hi Rob,
Great, I understand that ... but crypto map 10 is configured on my primary point to point serial link, the 80.80.85.0 network, which already has site-to-site VPN configured and works as expected. Now I'm trying to create a backup route via the internet router from HQ-TX to NV Branch, which has the 80.80.86.0 network assigned ... just in case our primary link (80.80.85.0) goes down, so that we still have interesting traffic encrypted going through the Internet_router, which is my floating and default static route. This is what I'm trying to achieve, Rob. I know it is a tough ask but please let me know your thoughts.
Many thanks for your help.
~Chike
01-12-2023 11:30 AM
@chike2much well if your primary link goes down, traffic would be routed via the secondary link (using the static route), match the same crypto map sequence #10 (because it matches the crypto ACL) and use the secondary peer IP, as the primary peer does not respond.
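An added helper (my own code, not from this thread or from Cisco) that applies Rob's check from the first reply to the "show crypto ipsec sa" output posted above: it splits the output into one record per crypto ACL flow and reports which peer actually has an outbound SA with both encaps and decaps counters moving, which is how you confirm the backup peer is carrying traffic after the primary stops responding. The sample text is constructed from the output in the thread; the regexes assume the field names shown there.

```python
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the "show crypto ipsec sa" output posted in this thread:
# the flow towards the primary peer has no SA; the flow towards the backup peer carries traffic.
SAMPLE_OUTPUT = """\
Crypto map tag: vpnsite, local addr 80.80.86.10
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer 80.80.85.1 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: 80.80.86.10, remote crypto endpt.:80.80.85.1
current outbound spi: 0x0(0)
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer 80.80.86.1 port 500
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 0
#pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 0
local crypto endpt.: 80.80.86.10, remote crypto endpt.:80.80.86.1
current outbound spi: 0x7E1CB3DB(2115810267)
Status: ACTIVE
"""

@dataclass
class Flow:
    peer: str          # current_peer of this crypto ACL flow
    encaps: int        # packets encrypted towards the peer
    decaps: int        # packets decrypted from the peer
    outbound_spi: int  # 0 means no outbound SA is installed
    active: bool       # an ESP SA in this block reports Status: ACTIVE

def parse_ipsec_sa(text: str) -> list[Flow]:
    """Split the output at each 'local ident' line; one Flow per peer entry."""
    flows = []
    for block in re.split(r"^\s*local ident", text, flags=re.M)[1:]:
        peer = re.search(r"current_peer (\S+)", block)
        enc = re.search(r"#pkts encaps: (\d+)", block)
        dec = re.search(r"#pkts decaps: (\d+)", block)
        spi = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", block)
        if not (peer and enc and dec and spi):
            continue  # truncated block (as in a pasted excerpt): skip rather than guess
        flows.append(Flow(peer.group(1), int(enc.group(1)), int(dec.group(1)),
                          int(spi.group(1), 16), "Status: ACTIVE" in block))
    return flows

def carrying_peers(flows: list[Flow]) -> list[str]:
    """Peers that have an outbound SA and traffic in both directions (encaps and decaps > 0)."""
    return [f.peer for f in flows
            if f.active and f.outbound_spi and f.encaps and f.decaps]
```

Encaps rising while decaps stays at 0 for a peer is the one-way symptom to look for when the tunnel "forms" but pings still time out.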
01-12-2023 12:14 PM
Worked like a charm .. :)
I never knew I could set more than one peer IP address under the same crypto map name and sequence #. Thank you for taking your time to help point this out to me. You are the Real Gem and don't stop doing the good work. Result below!
interface: Serial0/0/0
Crypto map tag: vpnsite, local addr 80.80.85.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer 80.80.85.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 80.80.85.2, remote crypto endpt.:80.80.85.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 80.80.85.2, remote crypto endpt.:80.80.86.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x7E1CB3DB(2115810267)
inbound esp sas:
spi: 0x815F5EC1(2170511041)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: FPGA:1, crypto map: vpnsite
sa timing: remaining key lifetime (k/sec): (4525504/3424)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7E1CB3DB(2115810267)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:1, crypto map: vpnsite
sa timing: remaining key lifetime (k/sec): (4525504/3424)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Serial0/0/1
Crypto map tag: vpnsite, local addr 80.80.86.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer 80.80.86.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 0 ************
#pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 0 *************
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 80.80.86.10, remote crypto endpt.:80.80.85.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 80.80.86.10, remote crypto endpt.:80.80.86.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
current outbound spi: 0x7E1CB3DB(2115810267)
inbound esp sas:
spi: 0x815F5EC1(2170511041)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: FPGA:1, crypto map: vpnsite
sa timing: remaining key lifetime (k/sec): (4525504/3424)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7E1CB3DB(2115810267)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:1, crypto map: vpnsite
sa timing: remaining key lifetime (k/sec): (4525504/3424)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
01-12-2023 10:12 AM
Hi Rob, I took off all the NAT commands, still no connectivity ... Still times out.
~Chike