
UP-IDLE Site to site VPN between Cisco Routers (Static and Dynamic Public IP Addresses)

tresdeasada
Level 1

Hi everyone.

I made a site to site VPN between Cisco routers. When I do sh crypto session I get an UP-IDLE status on both routers. Only the headquarters router is configured with a static public IP address; the other router has a dynamic public IP address. At some point the sessions showed as UP-ACTIVE but traffic didn't pass.

Please find attached the sh crypto session output, the debug crypto isakmp output for a ping from the branch to headquarters, and the running config of the routers.

Hope you can help me.

Thanks!


4 Replies

Hi,

Your NAT ACL on the HQ router should deny the more specific networks before permitting the traffic to be NATed.

E.g.:

ip access-list extended NAT_Outside
 remark NAT Internet
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any

If that doesn't work, please provide the output from the commands "show crypto ipsec sa" and "show crypto isakmp sa" from both routers.

HTH

Hi, thanks for your answer.

I made the specified changes but it is still UP-IDLE.

Please find attached the sh outputs.

There's nothing in the ipsec sa output on the headquarters router.

I have a question: is there an extra ip route that I need to configure?

Accepted Solution

Hi,

Ok, so it's failing Phase 2. It looks like you have different transform sets. I suggest changing the branch from esp-md5 to esp-sha (MD5 is weaker).

Branch
crypto ipsec transform-set TUN esp-3des esp-md5-hmac

HQ
crypto ipsec transform-set TS esp-3des esp-sha-hmac

HTH
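As an added check covering both the NAT-exemption reply and the transform-set reply above (example code written for this page, not from the thread, from the posters, or from Cisco): the script below parses two IOS running configs, reports whether the peers offer at least one identical transform set (IOS negotiates Phase 2 on the transforms themselves, so the names TUN and TS do not have to match), lists transforms that are weak by today's standards, and evaluates the NAT ACL first-match to confirm that VPN traffic hits a deny before the permit. The two configs are constructed to reproduce the thread's situation; the ACL name NAT_Outside and the 192.168.0.0/16 and 10.10.0.0/16 networks come from the earlier reply, and the individual host addresses are assumptions.

```python
"""Checks for an IOS site-to-site IPsec pair: Phase 2 proposal match and NAT exemption order."""
import ipaddress
import re

# Constructed sample configs (not the poster's attachments). Branch offers esp-md5-hmac while
# HQ offers esp-sha-hmac, and only HQ exempts the VPN networks from NAT before the permit.
BRANCH_CONFIG = """\
crypto ipsec transform-set TUN esp-3des esp-md5-hmac
ip access-list extended NAT_Outside
 remark NAT Internet
 permit ip 10.10.0.0 0.0.255.255 any
"""

HQ_CONFIG = """\
crypto ipsec transform-set TS esp-3des esp-sha-hmac
ip access-list extended NAT_Outside
 remark NAT Internet
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
"""

# Transforms a current deployment should not rely on (MD5 HMAC, DES/3DES, no encryption).
WEAK_TRANSFORMS = {"esp-md5-hmac", "ah-md5-hmac", "esp-des", "esp-3des", "esp-null"}

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)((?: \S+)+)$", re.MULTILINE)


def transform_sets(config):
    """Map each transform-set name to the frozenset of transforms it offers."""
    return {m.group(1): frozenset(m.group(2).split()) for m in TS_RE.finditer(config)}


def phase2_compatible(cfg_a, cfg_b):
    """True if both peers offer at least one identical transform combination.
    IOS negotiates on the transforms themselves, so differing names (TUN vs TS) are fine."""
    return bool(set(transform_sets(cfg_a).values()) & set(transform_sets(cfg_b).values()))


def weak_transforms(config):
    """Sorted list of weak transforms offered anywhere in the config."""
    found = set()
    for transforms in transform_sets(config).values():
        found |= transforms & WEAK_TRANSFORMS
    return sorted(found)


def _net(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network((tokens[1], 32)), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    prefixlen = 32 - wildcard.bit_length()
    if wildcard != (1 << (32 - prefixlen)) - 1:  # e.g. 0.0.255.0: not a prefix, not handled here
        raise ValueError(f"non-contiguous wildcard {tokens[1]} is not supported")
    return ipaddress.ip_network((tokens[0], prefixlen), strict=False), tokens[2:]


def extended_acl(config, name):
    """Ordered (action, src_net, dst_net) entries of 'ip access-list extended <name>'."""
    entries, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list extended {name}"):
            inside = True
            continue
        if not inside:
            continue
        if not line.startswith(" "):
            break  # next top-level command ends the ACL block
        tokens = line.split()
        if tokens[0] not in ("permit", "deny"):
            continue  # remark and other non-ACE lines
        src, rest = _net(tokens[2:])  # tokens[1] is the protocol
        dst, _ = _net(rest)
        entries.append((tokens[0], src, dst))
    return entries


def nat_exempt(config, acl_name, src_ip, dst_ip):
    """True if src->dst reaches a deny (left untranslated) before any permit in the NAT ACL.
    Evaluation is first-match with an implicit deny at the end, as IOS does it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in extended_acl(config, acl_name):
        if src in src_net and dst in dst_net:
            return action == "deny"
    return True


if __name__ == "__main__":
    print("Phase 2 proposals match:", phase2_compatible(BRANCH_CONFIG, HQ_CONFIG))
    print("Weak transforms on branch:", weak_transforms(BRANCH_CONFIG))
    print("HQ exempts 192.168.1.10 -> 10.10.1.10:", nat_exempt(HQ_CONFIG, "NAT_Outside", "192.168.1.10", "10.10.1.10"))
    print("Branch exempts 10.10.1.10 -> 192.168.1.10:", nat_exempt(BRANCH_CONFIG, "NAT_Outside", "10.10.1.10", "192.168.1.10"))
```

Run it against a saved "show running-config" from each router. On the constructed configs it reports the same two findings the thread worked through: no common transform set (Phase 2 cannot complete, which matches an empty "show crypto ipsec sa"), and a branch NAT ACL that translates VPN traffic because no deny precedes the permit. Swapping esp-md5-hmac for esp-sha-hmac on the branch makes the proposals match; 3DES is still flagged as weak, so a follow-up move to AES is worth planning.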

It works!

I just changed that value and the routers are already UP-ACTIVE and I have traffic.

Thank you!
