05-23-2011 06:43 PM
I have a very simple topo set up and wanted to simulate a VPN with one site on a DHCP address.
R1----R2=======R3-----R4.
R2 is with a static IP and R3 is supposed to be with DHCP. The underlying routing works fine. But when I apply the crypto to the routers, it stops working.
When I ping from R4 to R1, I can see R2 is decrypting, but when I ping from R1 to R4, R2 is not encrypting.
thanks.
===============
R2's running config
!
R2#sh run
hostname R2
!!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
match address 150
!
!
crypto map statmap 65000 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 1.1.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 1.1.23.2 255.255.255.0
duplex auto
speed auto
crypto map statmap
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.23.3
!
!
access-list 150 permit icmp host 1.1.12.1 host 1.1.34.4
access-list 150 permit ip host 1.1.12.1 host 1.1.34.4
!
===============
R3's running config
R3#sh run
!
hostname R3
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 1.1.23.2 no-xauth
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.23.2
set transform-set myset
match address 150
!
!
!
!
interface FastEthernet0/0
ip address 1.1.23.3 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1/0
ip address 1.1.34.3 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.23.2
!
!
access-list 150 permit ip host 1.1.34.4 host 1.1.12.1
access-list 150 permit icmp host 1.1.34.4 host 1.1.12.1
!
end
05-23-2011 06:51 PM
For dynamic to static IPSec site-to-site VPN, you can only originate the VPN tunnel from the dynamic end.
From your topology, you can only initiate the VPN from R4 towards R1, and once the VPN tunnel is established you will be able to pass traffic in both directions, i.e. R4 to R1 and R1 to R4.
The reason why you can't initiate the VPN tunnel from R1 to R4 is because the static end will not know what IP address to connect the VPN to, since it's DHCP.
If however, you mean that even after initiating the VPN tunnel from R4 to R1, you still can't ping from R1 to R4, then it's probably a config issue.
Please kindly share the full config from all 4 routers, as well as the output of "show cry isa sa" and "show cry ipsec sa" from R2 and R3 after the test.
05-23-2011 07:21 PM
Jen,
I did a ping
R4#ping 1.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#
======
then on R2
R2# show cry isa sa
dst src state conn-id slot
1.1.23.2 1.1.23.3 QM_IDLE 1 0
R2#sh cry ips sa
R2#sh cry ips sa
interface: FastEthernet1/0
Crypto map tag: statmap, local addr. 1.1.23.2
protected vrf:
local ident (addr/mask/prot/port): (1.1.12.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.34.4/255.255.255.255/0/0)
current_peer: 1.1.23.3:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 14
local crypto endpt.: 1.1.23.2, remote crypto endpt.: 1.1.23.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: FEAA47EE
inbound esp sas:
spi: 0x9834C93A(2553596218)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2002, flow_id: 3, crypto map: statmap
sa timing: remaining key lifetime (k/sec): (4556905/2551)
IV size: 16 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFEAA47EE(4272572398)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2003, flow_id: 4, crypto map: statmap
sa timing: remaining key lifetime (k/sec): (4556906/2550)
IV size: 16 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
R2#
================
on R3
R3#show cry isa sa
dst src state conn-id slot
1.1.23.2 1.1.23.3 QM_IDLE 1 0
R3#sh cry ips sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr. 1.1.23.3
protected vrf:
local ident (addr/mask/prot/port): (1.1.34.4/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.12.1/255.255.255.255/0/0)
current_peer: 1.1.23.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 1.1.23.3, remote crypto endpt.: 1.1.23.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 9834C93A
inbound esp sas:
spi: 0xFEAA47EE(4272572398)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2002, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4530769/2462)
IV size: 16 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9834C93A(2553596218)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2003, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4530768/2461)
IV size: 16 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (1.1.34.4/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (1.1.12.1/255.255.255.255/1/0)
current_peer: 1.1.23.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.23.3, remote crypto endpt.: 1.1.23.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R3#
======
thanks,
Han
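The counters pasted above are the most useful part of this post: on R2 the flow shows 14 decaps and 0 encaps, on R3 14 encaps and 0 decaps, so echo requests cross the tunnel but no reply is ever encrypted on the way back. As an added example (not from this thread and not a Cisco tool), the script below parses output in the shape of `show crypto ipsec sa`, groups the counters per protected flow, flags one-directional traffic and non-zero error counters, and pairs flows across both routers by their mirrored identities. The sample text is constructed from the shape of the IOS output, with counter values taken from the R2 and R3 paste; real output varies slightly between IOS releases.

```python
"""Flag one-directional IPsec traffic from 'show crypto ipsec sa' counters.

Added example, not from the thread or from Cisco. The samples are constructed
from the shape of the IOS output; the counter values follow the R2/R3 paste.
"""
import re
from dataclasses import dataclass

# Constructed, abridged sample for the static end (R2).
SAMPLE_R2 = """\
interface: FastEthernet1/0
    Crypto map tag: statmap, local addr. 1.1.23.2
   protected vrf:
   local ident (addr/mask/prot/port): (1.1.12.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.34.4/255.255.255.255/0/0)
   current_peer: 1.1.23.3:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
    #send errors 0, #recv errors 14
"""

# Constructed, abridged sample for the dynamic end (R3): two flows, ip and icmp.
SAMPLE_R3 = """\
interface: FastEthernet0/0
    Crypto map tag: mymap, local addr. 1.1.23.3
   protected vrf:
   local ident (addr/mask/prot/port): (1.1.34.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.12.1/255.255.255.255/0/0)
   current_peer: 1.1.23.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 1, #recv errors 0
   protected vrf:
   local ident (addr/mask/prot/port): (1.1.34.4/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (1.1.12.1/255.255.255.255/1/0)
   current_peer: 1.1.23.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""


@dataclass
class Flow:
    """Counters for one protected flow (one 'local ident' block)."""
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


PATTERNS = {
    "local_ident": re.compile(r"local ident.*?:\s*\((\S+)\)"),
    "remote_ident": re.compile(r"remote ident.*?:\s*\((\S+)\)"),
    "peer": re.compile(r"current_peer:\s*(\S+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
}
ERRORS = re.compile(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)")


def parse_ipsec_sa(text):
    """Split the output into one Flow per 'local ident' block and fill its counters."""
    flows = []
    for line in text.splitlines():
        if "local ident" in line:
            flows.append(Flow())          # a new protected flow starts here
        if not flows:
            continue                      # interface/crypto-map header lines
        cur = flows[-1]
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                val = m.group(1)
                setattr(cur, name, int(val) if name in ("encaps", "decaps") else val)
        m = ERRORS.search(line)
        if m:
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return flows


def diagnose(flow):
    """Human-readable findings for one flow; empty list means nothing unusual."""
    findings = []
    if flow.decaps > 0 and flow.encaps == 0:
        findings.append("one-way: decrypting but never encrypting")
    if flow.encaps > 0 and flow.decaps == 0:
        findings.append("one-way: encrypting but never decrypting")
    if flow.recv_errors > 0:
        findings.append(f"recv errors {flow.recv_errors}: inbound packets failed "
                        "receive processing on this router")
    if flow.send_errors > 0:
        findings.append(f"send errors {flow.send_errors}: outbound packets failed to encrypt")
    return findings


def compare_peers(side_a, side_b):
    """Pair flows whose identities mirror each other; report (sent, received) per direction."""
    report = []
    for a in side_a:
        for b in side_b:
            if a.local_ident == b.remote_ident and a.remote_ident == b.local_ident:
                report.append({"local": a.local_ident, "remote": a.remote_ident,
                               "a_to_b": (a.encaps, b.decaps),   # encrypted by A, decrypted by B
                               "b_to_a": (b.encaps, a.decaps)})  # encrypted by B, decrypted by A
    return report


if __name__ == "__main__":
    r2, r3 = parse_ipsec_sa(SAMPLE_R2), parse_ipsec_sa(SAMPLE_R3)
    for name, flows in (("R2", r2), ("R3", r3)):
        for f in flows:
            print(name, f.local_ident, "->", f.remote_ident, diagnose(f))
    print(compare_peers(r2, r3))
```

Run against the two samples it reports the R2 flow as decrypting-only with 14 receive errors, the R3 ip flow as encrypting-only, the R3 icmp flow as idle, and the paired view as 14/14 from R3 to R2 against 0/0 from R2 to R3, which is exactly the picture Han describes in words.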
05-23-2011 07:26 PM
Yup, that's what I understand that to be, but you send traffic from LAN typically to initiate the tunnel, and since you have R1 and R4, I assume that you use those routers to send the interesting traffic to establish the VPN between R2 and R3.
05-23-2011 07:29 PM
Yes, you were right, I just input the output above.
thanks,
05-23-2011 07:37 PM
Please kindly ensure that R1 knows how to route back towards R4, i.e. it should have a default route pointing towards 1.1.12.2, and the R1 interface is configured with the correct IP address (1.1.12.1) and netmask (255.255.255.0).
To test the VPN, you can increase the crypto ACL to a whole class C subnet instead of just 1 host. That way, you can also test to ping the router internal interface, eg: ping 1.1.12.2 from R4 to see if that works.
05-23-2011 07:49 PM
The routing part works fine, I can even ping the IP on the same subnet.
R1#sh ip route
Gateway of last resort is 1.1.12.2 to network 0.0.0.0
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.12.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 1.1.12.2
R1#
R1#
R1#
R4#ping 1.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/34/68 ms
R4#
05-23-2011 08:19 PM
You will definitely be able to ping the directly connected subnet.
Try traceroute and see where it's failing.
05-23-2011 08:35 PM
It is pinging from R4 to the link between R1 and R2.
One end works, one doesn't.
Ping to 1.1.12.2 works. Ping to 1.1.12.1, which means it will be encrypted, doesn't work.
It apparently fails at the encryption part.
05-23-2011 09:02 PM
Don't think it's a VPN issue.
It's more of a routing issue to me.
Can you please change the IP and see if it makes any difference?
Also in the crypto ACL, please just permit ip, remove the permit icmp, and clear the tunnels from both ends.
05-23-2011 09:18 PM
If I take off the crypto map command on the interface on both R2 and R3, the ping works. So, it is DEFINITELY a VPN issue.
R2(config-if)#do sh run int fa1/0
Building configuration...
Current configuration : 113 bytes
!
interface FastEthernet1/0
ip address 1.1.23.2 255.255.255.0
duplex auto
speed auto
crypto map statmap
end
R2(config-if)#no crypto map statmap
R3(config-if)#do sh run int fa0/0
Building configuration...
Current configuration : 111 bytes
!
interface FastEthernet0/0
ip address 1.1.23.3 255.255.255.0
duplex auto
speed auto
crypto map mymap
end
R3(config-if)#no crypto map mymap
R4#ping 1.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/76 ms
R4#
05-23-2011 09:25 PM
Can you please change the crypto ACL on both side to the following:
R2:
access-list 150 permit ip 1.1.12.0 0.0.0.255 1.1.34.0 0.0.0.255
R3:
access-list 150 permit ip 1.1.34.0 0.0.0.255 1.1.12.0 0.0.0.255
Also, try to remove ACL 150 from R2 to see if that makes any difference:
crypto dynamic-map dynmap 10
no match address 150
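Both suggestions in this post come down to one rule: each side's crypto ACL has to be the mirror image of the peer's, and a `permit ip` entry already covers a `permit icmp` entry for the same endpoints, so the narrower line adds nothing but a second flow to match. As an added example (not from this thread or from Cisco), the script below parses numbered IOS extended ACL lines of the form `access-list N permit <proto> <src> <dst>`, normalises wildcard-mask entries so that `1.1.12.5 0.0.0.255` compares equal to `1.1.12.0 0.0.0.255`, lists entries whose mirror is missing on the peer, and lists entries made redundant by a broader `ip` entry. The ACL lines embedded are copied from the thread (the host entries from the original configs and the subnet entries proposed above); the functions and their names are this example's own.

```python
"""Mirror-image check for IOS crypto ACLs (added example, not from the thread)."""
import ipaddress

ANY = (0, 0xFFFFFFFF)   # (network, wildcard) for the keyword 'any'

# Crypto ACL lines as posted in the thread for R2 and R3.
R2_ACL = [
    "access-list 150 permit icmp host 1.1.12.1 host 1.1.34.4",
    "access-list 150 permit ip host 1.1.12.1 host 1.1.34.4",
]
R3_ACL = [
    "access-list 150 permit ip host 1.1.34.4 host 1.1.12.1",
    "access-list 150 permit icmp host 1.1.34.4 host 1.1.12.1",
]
# The subnet-wide replacement proposed in the thread.
R2_SUBNET_ACL = ["access-list 150 permit ip 1.1.12.0 0.0.0.255 1.1.34.0 0.0.0.255"]
R3_SUBNET_ACL = ["access-list 150 permit ip 1.1.34.0 0.0.0.255 1.1.12.0 0.0.0.255"]


def _addr_spec(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i].

    Returns ((network_int, wildcard_int), index_after_spec). The network is masked
    with the wildcard so equivalent spellings of the same range compare equal.
    """
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr & ~wild & 0xFFFFFFFF, wild), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [...]'; None for other lines."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    src, i = _addr_spec(t, 4)
    dst, _ = _addr_spec(t, i)     # trailing qualifiers (ports, icmp types) are ignored
    return {"acl": t[1], "action": t[2], "proto": t[3].lower(), "src": src, "dst": dst}


def _spec_str(spec):
    if spec == ANY:
        return "any"
    net, wild = spec
    if wild == 0:
        return f"host {ipaddress.IPv4Address(net)}"
    return f"{ipaddress.IPv4Address(net)} {ipaddress.IPv4Address(wild)}"


def format_ace(ace):
    """Render a parsed entry back in IOS syntax."""
    return (f"access-list {ace['acl']} {ace['action']} {ace['proto']} "
            f"{_spec_str(ace['src'])} {_spec_str(ace['dst'])}")


def mirror(ace):
    """The entry the peer must carry: same action and protocol, endpoints swapped."""
    return {**ace, "src": ace["dst"], "dst": ace["src"]}


def _key(ace):
    return (ace["action"], ace["proto"], ace["src"], ace["dst"])


def missing_mirrors(local_lines, peer_lines):
    """Mirror entries the peer should have (in IOS syntax) but does not."""
    peer_keys = {_key(a) for a in map(parse_ace, peer_lines) if a}
    return [format_ace(mirror(a)) for a in map(parse_ace, local_lines)
            if a and _key(mirror(a)) not in peer_keys]


def redundant_entries(lines):
    """Protocol-specific permits already covered by a 'permit ip' with the same endpoints."""
    aces = [a for a in map(parse_ace, lines) if a]
    ip_pairs = {(a["src"], a["dst"]) for a in aces
                if a["proto"] == "ip" and a["action"] == "permit"}
    return [format_ace(a) for a in aces
            if a["proto"] != "ip" and a["action"] == "permit"
            and (a["src"], a["dst"]) in ip_pairs]


if __name__ == "__main__":
    print("missing on R3:", missing_mirrors(R2_ACL, R3_ACL))
    print("redundant on R2:", redundant_entries(R2_ACL))
    print("missing if only R2 moves to subnets:", missing_mirrors(R2_SUBNET_ACL, R3_ACL))
```

For the thread's configs the mirror check passes and the icmp line on each router is reported as redundant, which matches Jen's advice to keep only the `permit ip` entry. Changing the ACL on one router alone, as the third call shows, immediately produces a missing mirror on the other, so the subnet change must be made on both ends together and the SAs cleared afterwards.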
05-24-2011 01:24 PM
Jen,
Today, I rebuilt the scenario instead of troubleshooting it. With the same configuration, it worked. Bizarre, isn't it?
thanks,
Han
05-24-2011 06:32 PM
Yeah, sometimes that is the case.
Thanks for the update.