cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2596
Views
0
Helpful
7
Replies

Two IPSec VPN on one interface not working

lafourchette
Level 1
Level 1

Hello,


I'm actualy trying to bring two IPSec VPN on only one interface. I've successfully created a tunnel between Par and Barcelone and between Par and Mad. But I can't create it between Barcelone et Mad.

We have a cisco ISR1921 in Mad and Barcelone, and a Netgear in Par.

Barcelone config:


crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 28800

crypto isakmp key PAR_KEY address PAR_IP no-xauth

crypto isakmp key MAD_KEY address MAD_IP no-xauth

!

!

crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP_3DES_SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP_3DES esp-3des

!

crypto map outside_map 10 ipsec-isakmp

set peer MAD_IP

set transform-set ESP_3DES_SHA1

set pfs group2

match address 120

crypto map outside_map 20 ipsec-isakmp

set peer PAR_IP

set transform-set ESP_3DES_SHA1 ESP_3DES_MD5 ESP_3DES

set pfs group2

match address 110

access-list 110 permit ip 10.40.42.0 0.0.1.255 10.20.42.0 0.0.1.255

access-list 120 permit ip 10.40.42.0 0.0.1.255 10.60.42.0 0.0.1.255

Mad conf:

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 28800

crypto isakmp key PAR_KEY address PAR_IP no-xauth

crypto isakmp key BARCELONE_KEY address BARCELONE_IP no-xauth

!

!

crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP_3DES_SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP_3DES esp-3des

!

crypto map outside_map 20 ipsec-isakmp

set peer PAR_IP

set transform-set ESP_3DES_SHA1 ESP_3DES_MD5 ESP_3DES

set pfs group2

match address 110

crypto map outside_map 30 ipsec-isakmp

set peer BARCELONE_IP

set transform-set ESP_3DES_SHA1

set pfs group2

match address 120

access-list 110 permit ip 10.60.42.0 0.0.1.255 10.20.42.0 0.0.1.255

access-list 120 permit ip 10.60.42.0 0.0.1.255 10.40.42.0 0.0.1.255

Now the strange part:

I have absolutly NO LOG AT ALL. I do have them when the tunnel with Par is negotiated but I have absolutely nothing for Mad-Barcelone. Not even an error message or anything.

The negociation between Mad and Barcelone doesn't appear anywhere.

Does anyone have any idea what's going on?

1 Accepted Solution

Accepted Solutions

I am trying to think what might cause it to not start the tunnel and to not generate any logs:

- are you seeing any hits in the access list used by the crypto map?

- is there any possibility that there is a connectivity problem between sites?

- is there any NAT (or PAT) that might affect either set of addresses?

- is there any possibility that routing to one of the sites is not going through the interface that has the crypto map?

Perhaps if you post the output of show crypto map there might be some clue about the issue?

HTH

Rick

HTH

Rick

View solution in original post

7 Replies 7

Richard Burts
Hall of Fame
Hall of Fame

It you provide some details about what you have done and specifics of what is not working then we might be able to provide better answers.

Since you have told us nothing about what platform, what version of code, and nothing of what you have configured all I can say is that in general 2 IPSec VPN connections on one interface works. The general approach is that you have only a single crypto map. In the crypto map you have one instance (one sequence number) for the first connection and a second instance (another sequence number) for the second connection.

HTH

Rick

HTH

Rick

Sorry about that. Seems that I can't write "B a r c e l o n a" in a post T.T

The information that now appears in your post is helpful.

My first suggestion would be to verify that the addresses specified for the peers is correct and that the key value specified for the peers is correct.

My second suggestion would be to check the access lists to see if there are any hits for matches in the access list.

My third suggestion would be to run debug crypto isakmp and see if it produces any output when you attempt to bring up the VPN.

HTH

Rick

HTH

Rick

I already did all that. Thing is I don't have ANY LOGS. He really don't tell me anything, on one router or the other, with debug crypto ipsec and debug crypto isakmp for that tunnel. For the other one, they DO tell me something.

If I had debug logs, i would be easier

I am trying to think what might cause it to not start the tunnel and to not generate any logs:

- are you seeing any hits in the access list used by the crypto map?

- is there any possibility that there is a connectivity problem between sites?

- is there any NAT (or PAT) that might affect either set of addresses?

- is there any possibility that routing to one of the sites is not going through the interface that has the crypto map?

Perhaps if you post the output of show crypto map there might be some clue about the issue?

HTH

Rick

HTH

Rick

There was indeed no match on the access list. But it was good.

I corrected the NAT ACL so it exclude the other LAN and the tunnel was up and running!

Does the routers match the nat BEFORE the crypto map?

2 things do not work tought...

I can't ssh from one side to another and my router can't ping each other. But I can ping from one lan to the other.

But this is less a problem for now

Thanks!

I am glad that you got the problem resolved and that my suggestions did help point toward the solution. Thank you for using the rating system to mark this question as answered (and thanks for the points). It makes the forum more useful when people can read about a problem and can know that a solution was found. Your marking has contributed to this process.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: