11-10-2016 09:04 AM
The basic layout is Internet - Firewall - two switches (connected to each other and running HSRP) - VPN Router. One Gig port from the router goes to one switch, a second Gig port from the router goes to the other switch. I have two subinterfaces on each port and am using BVIs to allow one subinterface on each port to be in the same network as a subinterface on the other port. This is to provide failover protection, so losing one switch will not cause a loss of the VPN capability.
I am running crypto debugs and have tried pings to bring up the tunnel - the tunnel does not even attempt to come up and the access list does not show any hits on it. Please take a look and let me know what I am doing wrong.
version 15.0
no ipv6 cef
no ip source-route
ip cef
!
!
ip vrf VRF_NAME
 rd 10.35.41.13:24
!
!
!
ip domain name DOMAIN.lcl
ip name-server vrf VRF_NAME 4.4.4.4
ip name-server vrf VRF_NAME 4.4.4.5
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-xxxxxxxx
!
license udi pid STUFF
!
!
object-group network VPNNetworks
 1.1.1.1 255.255.255.192
!
object-group service VPNPorts
 description TCP and UDP Ports for VPN
 udp eq isakmp
 udp eq non500-isakmp
 tcp eq ftp
 tcp eq 22
 tcp eq 443
!
redundancy
!
!
controller T1 0/0/0
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key MYKEY address 2.2.2.2
!
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map ToVPN 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set VPN
 match address VPNList
!
bridge irb
!
interface Loopback0
 description Used for Management
 ip vrf forwarding VRF_NAME
 ip address 7.7.7.7 255.255.255.255
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/0.24
 description Unencrypted Data Out on VRF_NAME
 encapsulation dot1Q 24
 ip vrf forwarding VRF_NAME
 bridge-group 1
 bridge-group 1 priority 8
!
interface GigabitEthernet0/0.420
 description Encrypted Data In on VRF_NAME
 encapsulation dot1Q 420 native
 ip vrf forwarding VRF_NAME
 crypto map ToVPN
 bridge-group 2
 bridge-group 2 priority 8
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1.24
 description Unencrypted Data Out on VRF_NAME
 encapsulation dot1Q 24
 ip vrf forwarding VRF_NAME
 bridge-group 1
 bridge-group 1 priority 240
!
interface GigabitEthernet0/1.420
 description Encrypted Data In on VRF_NAME
 encapsulation dot1Q 420 native
 ip vrf forwarding VRF_NAME
 crypto map ToVPN
 bridge-group 2
 bridge-group 2 priority 240
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface Serial0/0/0:0
 no ip address
!
!
interface Serial0/0/1:0
 no ip address
!
!
interface BVI1
 ip vrf forwarding VRF_NAME
 ip address 5.5.5.5 255.255.255.0
 carrier-delay 1
!
!
interface BVI2
 ip vrf forwarding VRF_NAME
 ip address 6.6.6.6 255.255.255.0
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view vrf VRF_NAME default
ip route vrf VRF_NAME 0.0.0.0 0.0.0.0 6.6.6.1
ip route vrf VRF_NAME 5.5.0.0 255.255.0.0 5.5.5.1
!
ip access-list extended VPNList
 remark Encrypted Traffic to VPN
 permit object-group VPNPorts 5.5.0.0 0.0.255.255 object-group VPNNetworks
 permit object-group VPNPorts object-group VPNNetworks 5.5.0.0 0.0.255.255
 permit icmp any object-group VPNNetworks
 permit icmp object-group VPNNetworks any
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
11-10-2016 09:09 AM
So, for example, when I run:
ping vrf VRF_NAME 1.1.1.5 source BVI1
It fails with a 100% failure rate, and the access list shows no hits at all. The routing table for the VRF shows route 0.0.0.0 going to 6.6.6.1 (as expected, since it is statically assigned), and it shows 6.6.6.1 as directly connected to BVI2.
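The check below is an added example and is not part of either post or of any Cisco tool. It parses an excerpt of the posted configuration (interface blocks only, with the poster's placeholder addresses) and reports every interface that carries a `crypto map` but has no `ip address` of its own. On IOS a crypto map is evaluated on the Layer 3 interface that routes the traffic out, and that interface also supplies the tunnel's local address; with IRB the routed address lives on the BVI, while the dot1Q subinterfaces in the bridge group are Layer 2 members. The script therefore also names the BVI that owns the bridge group of each flagged member, and notes when a crypto map is applied to no addressed interface at all. The interface names, the `ToVPN` map name and the addresses come from the thread; everything else is constructed for the example.

```python
"""Lint an IOS running-config excerpt for crypto-map placement.

Added example, not from the original thread or from Cisco. It parses
'interface' blocks, records ip address / bridge-group / crypto map per
interface, and reports crypto maps applied to interfaces without an
address (e.g. bridge-group members whose L3 address is on a BVI).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the interface-related lines of the posted config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.24
 encapsulation dot1Q 24
 ip vrf forwarding VRF_NAME
 bridge-group 1
 bridge-group 1 priority 8
!
interface GigabitEthernet0/0.420
 encapsulation dot1Q 420 native
 ip vrf forwarding VRF_NAME
 crypto map ToVPN
 bridge-group 2
 bridge-group 2 priority 8
!
interface GigabitEthernet0/1.24
 encapsulation dot1Q 24
 ip vrf forwarding VRF_NAME
 bridge-group 1
!
interface GigabitEthernet0/1.420
 encapsulation dot1Q 420 native
 ip vrf forwarding VRF_NAME
 crypto map ToVPN
 bridge-group 2
!
interface BVI1
 ip vrf forwarding VRF_NAME
 ip address 5.5.5.5 255.255.255.0
!
interface BVI2
 ip vrf forwarding VRF_NAME
 ip address 6.6.6.6 255.255.255.0
!
"""


@dataclass
class Interface:
    name: str
    ip_address: Optional[str] = None   # "addr mask" or None
    bridge_group: Optional[int] = None  # bridge-group N (membership line only)
    crypto_map: Optional[str] = None    # crypto map NAME


def parse_interfaces(config: str) -> dict[str, Interface]:
    """Split the config into interface blocks; '!' or a new 'interface' ends a block."""
    interfaces: dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.strip()  # works on indented and extraction-flattened configs
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces[current.name] = current
            continue
        if line == "!":
            current = None
            continue
        if current is None or not line:
            continue
        if line.startswith("ip address "):
            current.ip_address = line[len("ip address "):]
        elif (m := re.fullmatch(r"bridge-group (\d+)", line)):
            current.bridge_group = int(m.group(1))
        elif line.startswith("crypto map "):
            current.crypto_map = line.split()[2]
    return interfaces


def find_crypto_map_issues(interfaces: dict[str, Interface]) -> list[str]:
    """Return one finding per misplaced crypto map, plus a per-map coverage note."""
    issues: list[str] = []
    # Which BVI routes each bridge group (BVI<n> <-> bridge-group n).
    bvis = {int(m.group(1)): i for n, i in interfaces.items()
            if (m := re.fullmatch(r"BVI(\d+)", n))}
    maps_on_l3 = {i.crypto_map for i in interfaces.values()
                  if i.crypto_map and i.ip_address}
    for intf in interfaces.values():
        if intf.crypto_map is None or intf.ip_address is not None:
            continue
        msg = f"{intf.name}: crypto map {intf.crypto_map} applied, but the interface has no ip address"
        bvi = bvis.get(intf.bridge_group) if intf.bridge_group is not None else None
        if bvi is not None:
            msg += (f"; bridge-group {intf.bridge_group} is routed by {bvi.name} "
                    f"({bvi.ip_address}), which is where the crypto map would be evaluated")
        issues.append(msg)
    for name in sorted({i.crypto_map for i in interfaces.values() if i.crypto_map} - maps_on_l3):
        issues.append(f"crypto map {name} is not applied to any interface that has an ip address")
    return issues


if __name__ == "__main__":
    for finding in find_crypto_map_issues(parse_interfaces(SAMPLE_CONFIG)):
        print(finding)
```

Run against the excerpt it flags both `GigabitEthernet0/x.420` subinterfaces and points at `BVI2`, which is also the interface the default route for the VRF exits through in the second post. The same parser can be fed a full `show running-config` capture, since it ignores lines outside interface blocks.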