08-19-2013 02:51 AM
Dear support team,
I'm using a 1861 Router with C1861-ADVENTERPRISEK9-M IOS version to connect a site-to-site VPN with the DC site, which has 2 VPN links for redundancy. The router can connect successfully if using a crypto map with each public IP of the DC site. My problem is that when I add 1 more peer in the crypto map and shut down the running peer on the DC site, the connection between the 2 sites fails while show crypto session for the new peer shows UP-ACTIVE.
Here's the log from show crypto session detail for the new peer:
Interface: Dialer1
Uptime: 00:00:54
Session status: UP-ACTIVE
Peer: y.y.y.y port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.35.5
Desc: (none)
IKE SA: local z.z.z.z/500 remote y.y.y.y/500 Active
Capabilities:(none) connid:2003 lifetime:00:04:05
IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1869 drop 0 life (KB/Sec) 4408194/245
Outbound: #pkts enc'ed 3536 drop 158 life (KB/Sec) 4408171/245
IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 128.0.0.0/192.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4487324/272
Outbound: #pkts enc'ed 36 drop 46 life (KB/Sec) 4487320/272
Here's the configuration:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 300
crypto isakmp key vpnkey address x.x.x.x
crypto isakmp key vpnkey address y.y.y.y
!
!
crypto ipsec transform-set vpn esp-aes esp-sha-hmac
!
crypto map test 100 ipsec-isakmp
set peer x.x.x.x
set peer y.y.y.y
set security-association lifetime seconds 300
set transform-set vpn
match address vpn
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username password
crypto map test
Could you please help me find a solution for this problem. Thank you so much.
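As an added example (not from the thread or from Cisco), a small Python check that parses output shaped like the show crypto session detail quoted above and flags a session that reports UP-ACTIVE while its flows show no return traffic or a high outbound drop ratio. The sample output is constructed from the poster's numbers, and the 1% drop threshold is an arbitrary assumption.

```python
import re

# Constructed sample, modelled on the poster's "show crypto session detail" output.
SAMPLE_OUTPUT = """\
Session status: UP-ACTIVE
Peer: y.y.y.y port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1869 drop 0 life (KB/Sec) 4408194/245
        Outbound: #pkts enc'ed 3536 drop 158 life (KB/Sec) 4408171/245
  IPSEC FLOW: permit ip 10.2.1.0/255.255.255.0 128.0.0.0/192.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4487324/272
        Outbound: #pkts enc'ed 36 drop 46 life (KB/Sec) 4487320/272
"""
FLOW_RE = re.compile(r"IPSEC FLOW:\s+(.+)")
IN_RE = re.compile(r"Inbound:\s+#pkts dec'ed (\d+) drop (\d+)")
OUT_RE = re.compile(r"Outbound:\s+#pkts enc'ed (\d+) drop (\d+)")

def parse_session(text):
    """Return peer, session status and per-flow packet/drop counters."""
    session = {"peer": None, "status": None, "flows": []}
    flow = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Session status:"):
            session["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            session["peer"] = line.split()[1]
        elif (m := FLOW_RE.match(line)):
            flow = {"acl": m.group(1).strip()}
            session["flows"].append(flow)
        elif (m := IN_RE.match(line)) and flow is not None:
            flow["in_dec"], flow["in_drop"] = int(m[1]), int(m[2])
        elif (m := OUT_RE.match(line)) and flow is not None:
            flow["out_enc"], flow["out_drop"] = int(m[1]), int(m[2])
    return session

def suspicious_flows(session, max_drop_ratio=0.01):
    """Flag UP-ACTIVE flows that look one-way or lossy (threshold is an assumption)."""
    findings = []
    if session["status"] != "UP-ACTIVE":
        return findings          # a down session is not a *silent* failure
    for f in session["flows"]:
        sent = f["out_enc"] + f["out_drop"]
        if f["out_enc"] and f["in_dec"] == 0:
            findings.append(f"{f['acl']}: one-way, nothing decrypted from peer")
        elif sent and f["out_drop"] / sent > max_drop_ratio:
            findings.append(f"{f['acl']}: {f['out_drop'] / sent:.1%} outbound drops")
    return findings
```

Run against the sample, both flows are flagged: the default-route flow for 4.3% outbound drops and the 128.0.0.0/2 flow as one-way, which matches the poster's symptom of an "UP-ACTIVE" session that carries no traffic.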
08-19-2013 03:40 AM
Check your routes.
Jawad
08-19-2013 04:08 AM
Thanks Jawad.
My VPN topology is used for a centralized Internet connection. Here's the routing configuration:
ip route 0.0.0.0 0.0.0.0 Dialer1
I've just found a strange thing. After a long time (I think it takes more than 1 hour) of failed connection for the new peer, it turned into a successful connection for that new peer. I had waited for about 1 hour, 2 days ago, with continuous ping. I configured the IKE renegotiation and SA lifetime to be 5 minutes.
08-19-2013 06:35 AM
Hi,
Try this.
1. Modify the configuration of the crypto map, using the "default" option for the primary link in the DC.
crypto map test 100 ipsec-isakmp
set peer x.x.x.x default
set peer y.y.y.y
2. Enable DPD (Dead Peer Detection) on both routers.
crypto isakmp keepalive seconds [retry-seconds] [periodic | on-demand]
Link: IPsec Dead Peer Detection
________________
Best regards,
MB
08-19-2013 07:38 AM
Thanks czaja0000.
I tried 1 before but it didn't work.
With your option 2, I cannot use it in my environment. At the DC site, I use a Checkpoint FW to establish the VPN connection. My Checkpoint version does not support DPD.