VPN Tunnel Between Cisco 7200/SA-VAM and Contivity -- Troubles

mbadali, Level 1

Pretty simple config Contivity <-> 7200.

Phase 1 completes with no issue; all Contivity connections fail in the same fashion (see attachment).

Traffic initiated by Contivity - no ACL matches - proper remote and local proxies identified --> end result is the error "IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address c.c.c.c", which looks like an ACL issue.

Traffic initiated by 7200 - ACL matches with no issue

***********config below*************

crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxx address b.b.b.b
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set encrypt-traffic-des esp-des esp-md5-hmac
crypto ipsec transform-set encrypt-traffic-3des esp-3des esp-md5-hmac
crypto ipsec transform-set encrypt-traffic-3des-sha esp-3des esp-sha-hmac
!
crypto map test local-address FastEthernet2/0
********multiple other sequence numbers for other connections***************
crypto map test 70 ipsec-isakmp
 description ----------- test -----------
 set peer b.b.b.b
 ! lifetime set to match the Contivity default of 8 hours
 set security-association lifetime seconds 28800
 set transform-set encrypt-traffic-3des-sha
 match address test_acl
!
!
interface FastEthernet2/0
 description Internet Facing Interface
 ip address c.c.c.c 255.255.255.192
 ip nat outside
 ip virtual-reassembly
 duplex full
 crypto map test
!
!
ip route a.a.a.a 255.255.255.255 c.c.c.65
ip route b.b.b.b 255.255.255.255 c.c.c.65
!
ip nat inside source route-map nonat interface FastEthernet2/0 overload
!
!
ip access-list extended test_acl
 permit icmp host d.d.d.d host a.a.a.a
!
access-list 150 remark identifies which traffic NOT to NAT
access-list 150 deny icmp host d.d.d.d host a.a.a.a
!
route-map nonat permit 10
 match ip address 150
!

WHERE:

a.a.a.a = host address on far side of Contivity
b.b.b.b = Contivity IPsec tunnel end point
c.c.c.c = 7200 IPsec tunnel end point
d.d.d.d = host address on far side of 7200

Any suggestions/help would be greatly appreciated. Thank you.

4 Replies

spremkumar, Level 9

Hi,

AFAIU from your post, you are going wrong in specifying the interesting traffic in the ACL.

You have mentioned d.d.d.d as your remote-side 7200 LAN, but in the named ACL test_acl you are making it the source address.

Can you revert with what your local LAN address configured on this router is?

If you take that as z.z.z.z, then change the ACL (test_acl) to permit icmp host z.z.z.z host d.d.d.d.

If you still need more info on this, do revert...

Regards

spremkumar, thank you for your suggestion. I have actually figured out what the problem was. It was a rookie mistake: in one of the previous sequence numbers (with a different transform set) I unfortunately matched traffic on the ACL associated with it. As soon as it was removed, things worked as they should.

Thank you for your response.
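The root cause above is a classic crypto-map ordering problem: IOS walks the crypto map sequence numbers in ascending order and uses the first entry whose match-address ACL permits the flow, so a lower-numbered sequence with a broader (or stale) ACL silently claims traffic meant for a later sequence, and the peer's proposal then fails with "no IPSEC cryptomap exists". The following added example (not from the thread or from Cisco) is a small offline checker for this: it parses named extended ACLs and crypto map entries out of a constructed IOS snippet modelled on the poster's layout, reports ACL entries that overlap across sequence numbers of the same crypto map, and answers "which sequence would this flow select, if any" with ACL first-match semantics. The sample addresses, ACL names and peers are constructed; the parser assumes IPv4, named extended ACLs and contiguous wildcard masks.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not the poster's config). Sequence 60 still covers the
# hosts that sequence 70 was written for, which is the overlap found above;
# other_acl permits only tcp, so ICMP from that LAN selects no entry at all.
SAMPLE_CONFIG = """
ip access-list extended legacy_acl
 permit ip 10.1.1.0 0.0.0.255 10.9.9.0 0.0.0.255
ip access-list extended other_acl
 permit tcp host 172.16.5.5 host 192.168.50.5 eq 443
ip access-list extended test_acl
 permit icmp host 10.1.1.10 host 10.9.9.10
crypto map test local-address FastEthernet2/0
crypto map test 60 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set encrypt-traffic-des
 match address legacy_acl
crypto map test 65 ipsec-isakmp
 set peer 198.51.100.7
 set transform-set encrypt-traffic-3des
 match address other_acl
crypto map test 70 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set encrypt-traffic-3des-sha
 match address test_acl
"""


def _addr(tokens, i):
    """Parse one IOS address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))  # contiguous wildcard assumed
    return ipaddress.ip_network((tok, 32 - wildcard.bit_length()), strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [(action, proto, src, dst)]}, {(map, seq): acl_name})."""
    acls, seq_acl, current = defaultdict(list), {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if not raw.startswith(" "):  # top-level command opens (or ends) a block
            if tokens[:3] == ["ip", "access-list", "extended"]:
                current = ("acl", tokens[3])
            elif tokens[:2] == ["crypto", "map"] and len(tokens) > 4 and tokens[4] == "ipsec-isakmp":
                current = ("map", (tokens[2], int(tokens[3])))
            else:
                current = None
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "acl" and tokens[0] in ("permit", "deny"):
            src, i = _addr(tokens, 2)
            dst, _ = _addr(tokens, i)  # trailing port qualifiers are ignored
            acls[key].append((tokens[0], tokens[1], src, dst))
        elif kind == "map" and tokens[:2] == ["match", "address"]:
            seq_acl[key] = tokens[2]
    return acls, seq_acl


def _overlap(a, b):
    """True if two ACEs (or an ACE and a /32 flow) could match the same packet."""
    proto_ok = a[1] == b[1] or "ip" in (a[1], b[1])
    return proto_ok and a[2].overlaps(b[2]) and a[3].overlaps(b[3])


def find_overlaps(acls, seq_acl):
    """Permit entries shared by two sequences of one crypto map: the lower
    sequence wins, so the higher one is dead for that traffic."""
    findings, keys = [], sorted(seq_acl)
    for idx, lo in enumerate(keys):
        for hi in keys[idx + 1:]:
            if lo[0] != hi[0]:
                continue
            for ace_lo in acls[seq_acl[lo]]:
                for ace_hi in acls[seq_acl[hi]]:
                    if ace_lo[0] == ace_hi[0] == "permit" and _overlap(ace_lo, ace_hi):
                        findings.append((lo[1], hi[1], seq_acl[lo], seq_acl[hi]))
    return findings


def first_matching_seq(acls, seq_acl, proto, src, dst):
    """Lowest sequence whose ACL permits the flow (ACL first-match), or None
    when no entry covers it, e.g. an ICMP ping against a tcp-only ACL."""
    flow = ("permit", proto, ipaddress.ip_network(src + "/32"), ipaddress.ip_network(dst + "/32"))
    for key in sorted(seq_acl):
        for ace in acls[seq_acl[key]]:
            if _overlap(ace, flow):
                if ace[0] == "permit":
                    return key[1]
                break  # first matching entry was a deny: this ACL does not select
    return None


if __name__ == "__main__":
    acls, seq_acl = parse_config(SAMPLE_CONFIG)
    for lo, hi, a_lo, a_hi in find_overlaps(acls, seq_acl):
        print(f"seq {hi} ({a_hi}) is shadowed by seq {lo} ({a_lo})")
    print(first_matching_seq(acls, seq_acl, "icmp", "10.1.1.10", "10.9.9.10"))
    print(first_matching_seq(acls, seq_acl, "icmp", "172.16.5.5", "192.168.50.5"))
```

Run against a real `show running-config` the same way: any overlap reported between sequences is traffic the higher sequence will never receive, and a `None` result for a flow you expect to be protected means no crypto map entry selects it, which is exactly what to confirm before looking at Phase 2 proposals on the peer.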

Hi,

I have what appears to be a similar problem to the one you had. I have an IOS-based ISR router in a LAN-to-LAN tunnel with a Nortel Contivity switch. When I initiate traffic from a host on the private side of the IOS router, the tunnel comes up fine, but when idle, the tunnel will not become active when a host on the private side of the Contivity switch generates ping traffic.

Notice that I also have several VPN groups configured and that the ACL mapped to the LAN-to-LAN tunnel is ACL 199.

TIA,

Amir

I took a quick look at your config and noticed that you don't match ICMP traffic in your ACLs. You indicate that the private-side client generates ping traffic, which does not bring up the tunnel. Try sending some IP traffic and watch the ACL counters.
