
VPN from Router to Firewall not working

cybrsage
Level 1

The basic layout is Internet - Firewall - two switches (connected to each other and running HSRP) - VPN Router.  One Gig port from the router goes to one switch, a second Gig port from the router goes to the other switch.  I have two subinterfaces on each port and am using BVIs to allow one subinterface on each port to be in the same network as a subinterface on the other port.  This is to provide failover protection, so losing one switch will not cause a loss of the VPN capability.

I am running crypto debugs and have tried pings to bring up the tunnel - the tunnel does not even attempt to come up and the access list does not show any hits on it.  Please take a look and let me know what I am doing wrong.

version 15.0
no ipv6 cef
no ip source-route
ip cef
!
!
ip vrf VRF_NAME
 rd 10.35.41.13:24
!
!
!
ip domain name DOMAIN.lcl
ip name-server vrf VRF_NAME 4.4.4.4
ip name-server vrf VRF_NAME 4.4.4.5
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-xxxxxxxx
!
license udi pid STUFF
!
!
object-group network VPNNetworks
 1.1.1.1 255.255.255.192
!
object-group service VPNPorts
 description TCP and UDP Ports for VPN
 udp eq isakmp
 udp eq non500-isakmp
 tcp eq ftp
 tcp eq 22
 tcp eq 443
!
redundancy
!
!
controller T1 0/0/0
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key MYKEY address 2.2.2.2
!
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map ToVPN 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set VPN
 match address VPNList
!
bridge irb
!
interface Loopback0
 description Used for Management
 ip vrf forwarding VRF_NAME
 ip address 7.7.7.7 255.255.255.255
 !
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/0.24
 description Unencrypted Data Out on VRF_NAME
 encapsulation dot1Q 24
 ip vrf forwarding VRF_NAME
 bridge-group 1
 bridge-group 1 priority 8
!
interface GigabitEthernet0/0.420
 description Encrypted Data In on VRF_NAME
 encapsulation dot1Q 420 native
 ip vrf forwarding VRF_NAME
 crypto map ToVPN
 bridge-group 2
 bridge-group 2 priority 8
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/1.24
 description Unencrypted Data Out on VRF_NAME
 encapsulation dot1Q 24
 ip vrf forwarding VRF_NAME
 bridge-group 1
 bridge-group 1 priority 240
!
interface GigabitEthernet0/1.420
 description Encrypted Data In on VRF_NAME
 encapsulation dot1Q 420 native
 ip vrf forwarding VRF_NAME
 crypto map ToVPN
 bridge-group 2
 bridge-group 2 priority 240
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 !
!
interface Serial0/0/0:0
 no ip address
 !
!
interface Serial0/0/1:0
 no ip address
 !
!
interface BVI1
 ip vrf forwarding VRF_NAME
 ip address 5.5.5.5 255.255.255.0
 carrier-delay 1
 !
!
interface BVI2
 ip vrf forwarding VRF_NAME
 ip address 6.6.6.6 255.255.255.0
 !
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view vrf VRF_NAME default
ip route vrf VRF_NAME 0.0.0.0 0.0.0.0 6.6.6.1
ip route vrf VRF_NAME 5.5.0.0 255.255.0.0 5.5.5.1
!
ip access-list extended VPNList
 remark Encrypted Traffic to VPN
 permit object-group VPNPorts 5.5.0.0 0.0.255.255 object-group VPNNetworks
 permit object-group VPNPorts object-group VPNNetworks 5.5.0.0 0.0.255.255
 permit icmp any object-group VPNNetworks
 permit icmp object-group VPNNetworks any
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!

1 Reply

cybrsage
Level 1

So, for example, when I run:

ping vrf VRF_NAME 1.1.1.5 source BVI1

It fails at 100% failure and the access list shows no hits at all.  The routing table for the VRF shows route 0.0.0.0 going to 6.6.6.1 (as expected since it is statically assigned) and it shows 6.6.6.1 as directly connected to BVI2.
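As an added example (not part of the original thread and not Cisco code), the script below parses the two object-groups and the VPNList crypto ACL exactly as posted above and evaluates a flow against them off-box, so the test ping (sourced from BVI1 at 5.5.5.5 towards 1.1.1.5) can be checked against the ACL independently of the router. The port keyword values (isakmp=500, non500-isakmp=4500, ftp=21) are the standard IOS meanings, and the function names `parse_config` and `match_flow` are my own. The result shows the ACL does cover the ICMP flow, which narrows the zero-hit symptom to the traffic never being evaluated against the crypto map on the interfaces where it is bound (here, bridge-group member subinterfaces rather than the BVI that carries the IP address and the route) rather than to the ACL itself; that binding is the next thing to verify.

```python
"""Evaluate a flow against the VPNList crypto ACL from the posted IOS config."""
import ipaddress

# Object-groups and the crypto ACL, copied verbatim from the posted configuration.
CONFIG = """
object-group network VPNNetworks
 1.1.1.1 255.255.255.192
!
object-group service VPNPorts
 description TCP and UDP Ports for VPN
 udp eq isakmp
 udp eq non500-isakmp
 tcp eq ftp
 tcp eq 22
 tcp eq 443
!
ip access-list extended VPNList
 remark Encrypted Traffic to VPN
 permit object-group VPNPorts 5.5.0.0 0.0.255.255 object-group VPNNetworks
 permit object-group VPNPorts object-group VPNNetworks 5.5.0.0 0.0.255.255
 permit icmp any object-group VPNNetworks
 permit icmp object-group VPNNetworks any
"""

# IOS port keywords used in the posted service object-group (standard values, assumed).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ftp": 21}


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _addr_matcher(tokens, i, net_groups):
    """Consume one source/destination spec; return (predicate on IP, next index)."""
    t = tokens[i]
    if t == "any":
        return (lambda ip: True), i + 1
    if t == "host":
        net = ipaddress.ip_network(tokens[i + 1])
        return (lambda ip, n=net: ip in n), i + 2
    if t == "object-group":
        nets = net_groups[tokens[i + 1]]
        return (lambda ip, ns=nets: any(ip in n for n in ns)), i + 2
    # "address wildcard" form: invert the wildcard bits to get a normal netmask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    net = ipaddress.ip_network(f"{t}/{mask}", strict=False)
    return (lambda ip, n=net: ip in n), i + 2


def _parse_ace(tokens, net_groups, svc_groups):
    """Turn the tokens after 'permit' into service/src/dst predicates."""
    if tokens[0] == "object-group":  # service group: (protocol, destination port) pairs
        services = svc_groups[tokens[1]]
        svc = lambda proto, dport, s=services: (proto, dport) in s
        i = 2
    else:  # plain protocol keyword such as icmp, tcp, udp or ip
        svc = lambda proto, dport, p=tokens[0]: p == "ip" or proto == p
        i = 1
    src, i = _addr_matcher(tokens, i, net_groups)
    dst, i = _addr_matcher(tokens, i, net_groups)
    if i < len(tokens) and tokens[i] == "eq":  # optional destination port qualifier
        inner, port = svc, _port(tokens[i + 1])
        svc = lambda proto, dport, f=inner, p=port: f(proto, dport) and dport == p
    return {"service": svc, "src": src, "dst": dst}


def parse_config(text):
    """Return (network groups, service groups, ACLs) keyed by name."""
    net_groups, svc_groups, acls = {}, {}, {}
    kind, bucket = None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        parts = line.split()
        if not line.startswith(" "):  # start of a new top-level section
            if parts[:2] == ["object-group", "network"]:
                kind, bucket = "net", net_groups.setdefault(parts[2], [])
            elif parts[:2] == ["object-group", "service"]:
                kind, bucket = "svc", svc_groups.setdefault(parts[2], [])
            elif parts[:2] == ["ip", "access-list"]:
                kind, bucket = "acl", acls.setdefault(parts[3], [])
            else:
                kind = None
            continue
        if kind == "net":
            if parts[0] == "host":
                bucket.append(ipaddress.ip_network(parts[1]))
            else:  # "address mask" form, as in the posted VPNNetworks entry
                bucket.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False))
        elif kind == "svc" and parts[0] in ("tcp", "udp") and parts[1] == "eq":
            bucket.append((parts[0], _port(parts[2])))
        elif kind == "acl" and parts[0] == "permit":
            bucket.append((line.strip(), _parse_ace(parts[1:], net_groups, svc_groups)))
    return net_groups, svc_groups, acls


def match_flow(acl, proto, src, dst, dport=None):
    """Return the text of the first ACE matching the flow, or None if no ACE matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for text, ace in acl:
        if ace["service"](proto, dport) and ace["src"](src_ip) and ace["dst"](dst_ip):
            return text
    return None


VPNLIST = parse_config(CONFIG)[2]["VPNList"]

if __name__ == "__main__":
    # The ping from the thread: sourced from BVI1 (5.5.5.5) towards 1.1.1.5
    print(match_flow(VPNLIST, "icmp", "5.5.5.5", "1.1.1.5"))
    print(match_flow(VPNLIST, "tcp", "5.5.5.5", "1.1.1.5", 443))
    print(match_flow(VPNLIST, "udp", "5.5.5.5", "1.1.1.5", 53))
```

Run it as-is and the ICMP ping flow lands on `permit icmp any object-group VPNNetworks`, HTTPS from the 5.5.0.0/16 side lands on the first VPNPorts entry, and a UDP/53 flow matches nothing, which is the expected behaviour for the posted ACL.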