Beginner

UP-IDLE Site to site VPN between Cisco Routers (Static and Dynamic Public IP Addresses)

Hi everyone.

I made a site-to-site VPN between Cisco routers. When I do sh crypto session I get an UP-IDLE status on both routers. Only the headquarters router is configured with a static public IP address; the other router has a dynamic public IP address. At some point the sessions showed UP-ACTIVE, but traffic didn't pass.

Please find attached the sh crypto session output, the debug crypto isakmp output of a ping from the branch to headquarters, and the running config of both routers.

Hope you can help me.

Thanks!

VIP Advisor

Re: UP-IDLE Site to site VPN between Cisco Routers (Static and Dynamic Public IP Addresses)

Hi,

Your NAT ACL on the HQ router should deny the more specific networks before permitting the traffic to be NATed.

E.g.:

ip access-list extended NAT_Outside
 remark NAT Internet
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any

If that doesn't work, please provide the output of the commands "show crypto ipsec sa" and "show crypto isakmp sa" from both routers.

HTH

Beginner

Re: UP-IDLE Site to site VPN between Cisco Routers (Static and Dynamic Public IP Addresses)

Hi, thanks for your answer.

I made the specified changes, but it is still UP-IDLE.

Please find attached the show outputs.

There's nothing in the ipsec sa output on the headquarters router.

I have a question: is there an extra ip route that I need to configure?

VIP Advisor

Re: UP-IDLE Site to site VPN between Cisco Routers (Static and Dynamic Public IP Addresses) (accepted solution)

Hi,

OK, so it's failing Phase 2 - looks like you have different transform sets. I suggest changing the branch from esp-md5 to esp-sha (md5 is weaker).

Branch:
crypto ipsec transform-set TUN esp-3des esp-md5-hmac

HQ:
crypto ipsec transform-set TS esp-3des esp-sha-hmac

HTH
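An added check, not from the thread or from Cisco, that reproduces the diagnosis above: it parses the transform-set lines of both configs, reports whether any IPsec proposal is common to both peers (the set names TUN and TS are local labels and need not match), and flags legacy transforms. The config snippets are the two lines quoted in the reply; BRANCH_CONFIG_FIXED is the branch line after the suggested change, and the legacy list is an assumption of this example.

```python
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample configs: just the transform-set lines quoted in the thread.
BRANCH_CONFIG = "crypto ipsec transform-set TUN esp-3des esp-md5-hmac\n"
HQ_CONFIG = "crypto ipsec transform-set TS esp-3des esp-sha-hmac\n"
# The branch side after applying the accepted answer (esp-md5-hmac -> esp-sha-hmac).
BRANCH_CONFIG_FIXED = "crypto ipsec transform-set TUN esp-3des esp-sha-hmac\n"

# Transforms still seen in older IOS configs but considered legacy today (assumed list).
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

TS_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+)\s+(.+?)\s*$", re.M)


def parse_transform_sets(config: str) -> Dict[str, FrozenSet[str]]:
    """Map transform-set name -> set of transforms for every transform-set in an IOS config."""
    return {m.group(1): frozenset(m.group(2).split()) for m in TS_RE.finditer(config)}


def matching_proposals(local: Dict[str, FrozenSet[str]],
                       peer: Dict[str, FrozenSet[str]]) -> List[Tuple[str, str]]:
    """Phase 2 can only complete if one side's proposal equals one of the peer's proposals."""
    return [(ln, pn) for ln, ls in local.items() for pn, ps in peer.items() if ls == ps]


def legacy_in(sets: Dict[str, FrozenSet[str]]) -> Set[str]:
    """Legacy transforms present anywhere in the given transform-sets."""
    return {t for s in sets.values() for t in s} & LEGACY_TRANSFORMS


def check_phase2(branch_cfg: str, hq_cfg: str) -> dict:
    """Compare the two peers' transform-sets and summarise the Phase 2 outlook."""
    branch, hq = parse_transform_sets(branch_cfg), parse_transform_sets(hq_cfg)
    return {
        "matches": matching_proposals(branch, hq),
        "legacy_branch": sorted(legacy_in(branch)),
        "legacy_hq": sorted(legacy_in(hq)),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", BRANCH_CONFIG), ("after fix", BRANCH_CONFIG_FIXED)):
        result = check_phase2(cfg, HQ_CONFIG)
        status = ("Phase 2 can complete" if result["matches"]
                  else "Phase 2 will fail: no common transform-set")
        print(f"{label}: {status}; legacy transforms in use: "
              f"branch={result['legacy_branch']} hq={result['legacy_hq']}")
```

Run as posted it reports no common transform-set (the UP-IDLE symptom); after the fix it reports the TUN/TS match, while still pointing out that both sides rely on 3DES.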
Beginner

Re: UP-IDLE Site to site VPN between Cisco Routers (Static and Dynamic Public IP Addresses)

It works!

Just changed that value and the routers are already UP-ACTIVE and I have traffic.

Thank you!