03-11-2019 12:20 PM
Hi everyone.
I made a site-to-site VPN between Cisco routers. When I do sh crypto session I get an UP-IDLE status on both routers. Only the headquarters router is configured with a static public IP address; the other router has a dynamic public IP address. At some point the sessions showed UP-ACTIVE but traffic didn't pass.
Please find attached the sh crypto sessions, the debug crypto isakmp of the ping from the branch to headquarter and the running config of the routers.
Hope you can help me.
Thanks!
03-11-2019 03:24 PM
Hi,
Ok, so it's failing Phase 2 - looks like you have different transform sets. I suggest changing the branch from esp-md5 to esp-sha (md5 is weaker).
Branch
crypto ipsec transform-set TUN esp-3des esp-md5-hmac
HQ
crypto ipsec transform-set TS esp-3des esp-sha-hmac
HTH
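The failure the accepted answer diagnoses is a Phase 2 proposal mismatch: IKE only completes the IPsec SA when the responder has a transform set whose algorithms equal one the initiator proposes, and the names (TUN, TS) play no part. The script below is an added example, not code from the thread or from Cisco: it parses the transform-set lines out of two IOS running configs, compares the algorithm sets across peers, and flags algorithms that still negotiate but are weak. The three config snippets are constructed to mirror the thread (the branch before and after the fix, and HQ).

```python
"""Compare IPsec transform sets across two IOS configs (added example).

The snippets below are constructed for illustration; only the two
transform-set lines quoted in the thread are taken from it.
"""
import re

# Constructed configs: the branch as posted, the branch after the suggested
# change, and HQ. Only the transform-set lines matter to this check.
BRANCH_CFG = """
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto ipsec transform-set TUN esp-3des esp-md5-hmac
 mode tunnel
"""
BRANCH_CFG_FIXED = BRANCH_CFG.replace("esp-md5-hmac", "esp-sha-hmac")
HQ_CFG = """
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
"""

# Algorithms IOS still accepts in a transform set but which a reviewer
# should flag; the thread itself only points out that MD5 is weaker.
WEAK = {
    "esp-des": "single DES",
    "esp-3des": "3DES (64-bit block cipher)",
    "esp-md5-hmac": "HMAC-MD5 integrity (weaker than SHA)",
    "esp-null": "no encryption",
}

# One transform-set definition per line: crypto ipsec transform-set NAME alg [alg ...]
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+?)\s*$", re.M)


def parse_transform_sets(config: str) -> dict[str, frozenset[str]]:
    """Return {name: frozenset(algorithm keywords)} for each transform set.

    Tokens such as 'esp-aes 256' split into two keywords; that is fine for
    equality comparison because both peers are tokenised the same way.
    """
    return {name: frozenset(algs.split()) for name, algs in TRANSFORM_RE.findall(config)}


def compare_peers(branch_cfg: str, hq_cfg: str) -> dict:
    """Report whether any branch transform set equals any HQ transform set.

    Names are local to each router, so only the algorithm sets are compared.
    'weak' lists flagged algorithms present on either side.
    """
    branch = parse_transform_sets(branch_cfg)
    hq = parse_transform_sets(hq_cfg)
    matches = [(bn, hn) for bn, bs in branch.items() for hn, hs in hq.items() if bs == hs]
    present = set().union(*branch.values(), *hq.values())
    weak = sorted(alg for alg in present if alg in WEAK)
    return {
        "branch": branch,
        "hq": hq,
        "phase2_compatible": bool(matches),
        "matches": matches,
        "weak": weak,
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", BRANCH_CFG), ("after fix", BRANCH_CFG_FIXED)):
        report = compare_peers(cfg, HQ_CFG)
        print(f"branch {label}: Phase 2 compatible = {report['phase2_compatible']}, "
              f"matches = {report['matches']}")
        for alg in report["weak"]:
            print(f"  weak algorithm in use: {alg} ({WEAK[alg]})")
```

Run against the posted configs the check reports no match, and after the change it reports TUN matching TS. It still lists esp-3des as weak on both sides; the thread only changes the hash, so moving both peers to an AES and SHA-2 transform set is a separate follow-up rather than part of the fix discussed here.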
03-11-2019 01:15 PM
Hi,
Your NAT ACL on the HQ router should deny the more specific networks before permitting the traffic to be NATed.
E.g.:
ip access-list extended NAT_Outside
remark NAT Internet
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
If that doesn't work please provide the output from the commands "show crypto ipsec sa" and "show crypto isakmp sa" from both routers.
HTH
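The ACL above relies on IOS evaluating access-list entries top down and stopping at the first match, and on the router applying NAT to inside-to-outside traffic before the crypto map is consulted, so a packet for the remote site that is translated no longer matches the VPN's interesting traffic. The script below is an added example, not code from the thread: it evaluates an extended ACL the way NAT consults it, using wildcard-mask semantics, and runs a few constructed flows through both a broad permit-only ACL and the ACL from the answer. The host addresses and the "broken" ACL are constructed for illustration; only the second ACL is taken from the post.

```python
"""First-match evaluation of an IOS extended ACL used for NAT (added example).

Only 'permit|deny ip SRC WILDCARD DST WILDCARD' entries and 'any' are
handled, which is all the NAT ACL in the thread uses.
"""
import ipaddress

# Constructed: a permit-only NAT ACL of the kind the original config had.
BROKEN_ACL = """
ip access-list extended NAT_Outside
 remark NAT Internet
 permit ip 192.168.0.0 0.0.255.255 any
"""

# The ACL suggested in the answer, with VPN-bound subnets exempted first.
FIXED_ACL = """
ip access-list extended NAT_Outside
 remark NAT Internet
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
"""


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard masks: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_address(tokens):
    """Consume 'any' or 'NETWORK WILDCARD' from the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse one access-control entry into (action, (src, swc), (dst, dwc))."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, rest = _take_address(tokens[2:])
    dst, rest = _take_address(rest)
    if rest:
        raise ValueError(f"trailing tokens in entry: {line!r}")
    return action, src, dst


def nat_decision(acl_text: str, src: str, dst: str) -> str:
    """Return what NAT does with a src->dst flow under this ACL.

    'translate' for a permit match, 'exempt' for a deny match, and
    'exempt (implicit deny)' when no entry matches.
    """
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("remark", "ip access-list")):
            continue
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return "translate" if action == "permit" else "exempt"
    return "exempt (implicit deny)"


if __name__ == "__main__":
    # Constructed flows: HQ host to branch LAN, HQ host to a 10.10/16 subnet,
    # HQ host to the Internet.
    flows = [("192.168.1.10", "192.168.2.10"),
             ("192.168.1.10", "10.10.5.1"),
             ("192.168.1.10", "8.8.8.8")]
    for name, acl in (("permit-only ACL", BROKEN_ACL), ("ACL from the answer", FIXED_ACL)):
        print(name)
        for s, d in flows:
            print(f"  {s} -> {d}: {nat_decision(acl, s, d)}")
```

With the permit-only ACL every flow, including the one bound for the branch LAN, is translated; with the deny entries in front the two site-to-site flows are exempt and only Internet-bound traffic is NATed. Swapping the order of the entries (permit first) reproduces the broken result, which is the point of the ordering rule in the answer.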
03-11-2019 05:38 PM
It works!
Just changed that value and the routers are already UP-ACTIVE and I have traffic.
Thank you!