vpn with one site on dhcp

hanwucisco
Level 1

I have a very simple topo set up and wanted to simulate a VPN with one site on a DHCP address.

R1----R2=======R3-----R4.

R2 with static IP and R3 is supposed to be with DHCP. The underlying routing works fine. But when I apply the crypto to the routers, it stops working.

When I ping from R4 to R1, I can see R2 is decrypting, but when I ping from R1 to R4, R2 is not encrypting.

thanks.

===============

R2's running config

!

R2#sh run
hostname R2
!!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
match address 150
!
!
crypto map statmap 65000 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 1.1.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 1.1.23.2 255.255.255.0
duplex auto
speed auto
crypto map statmap
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.23.3
!
!
access-list 150 permit icmp host 1.1.12.1 host 1.1.34.4
access-list 150 permit ip host 1.1.12.1 host 1.1.34.4
!
===============

R3's running config

R3#sh run
!
hostname R3
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 1.1.23.2 no-xauth
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.23.2
set transform-set myset
match address 150
!
!
!
!
interface FastEthernet0/0
ip address 1.1.23.3 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1/0
ip address 1.1.34.3 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.23.2
!
!
access-list 150 permit ip host 1.1.34.4 host 1.1.12.1
access-list 150 permit icmp host 1.1.34.4 host 1.1.12.1
!
end

Accepted Solution

Jennifer Halim
Cisco Employee

For dynamic to static IPSec site-to-site VPN, you can only originate the VPN tunnel from the dynamic end.

From your topology, you can only initiate the VPN from R4 towards R1, and once the VPN tunnel is established you will be able to pass traffic in both directions, i.e. R4 to R1 and R1 to R4.

The reason why you can't initiate the VPN tunnel from R1 to R4 is because the static end will not know what IP address to connect the VPN to, since it's DHCP.

If however, you mean that even after initiating the VPN tunnel from R4 to R1, you still can't ping from R1 to R4, then it's probably a config issue.

Please kindly share the full config from all 4 routers, as well as the output of "show cry isa sa" and "show cry ipsec sa" from R2 and R3 after the test.

13 Replies

Jen,

I did a ping

R4#ping 1.1.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#
======

then on R2

R2# show cry isa sa
dst             src             state          conn-id slot
1.1.23.2        1.1.23.3        QM_IDLE              1    0

R2#sh cry ips sa

interface: FastEthernet1/0
    Crypto map tag: statmap, local addr. 1.1.23.2

   protected vrf:
   local  ident (addr/mask/prot/port): (1.1.12.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.34.4/255.255.255.255/0/0)
   current_peer: 1.1.23.3:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 14

     local crypto endpt.: 1.1.23.2, remote crypto endpt.: 1.1.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: FEAA47EE

     inbound esp sas:
      spi: 0x9834C93A(2553596218)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 3, crypto map: statmap
        sa timing: remaining key lifetime (k/sec): (4556905/2551)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFEAA47EE(4272572398)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 4, crypto map: statmap
        sa timing: remaining key lifetime (k/sec): (4556906/2550)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
R2#
================

on R3

R3#show cry isa sa
dst             src             state          conn-id slot
1.1.23.2        1.1.23.3        QM_IDLE              1    0

R3#sh cry ips sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr. 1.1.23.3

   protected vrf:
   local  ident (addr/mask/prot/port): (1.1.34.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.12.1/255.255.255.255/0/0)
   current_peer: 1.1.23.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.23.3, remote crypto endpt.: 1.1.23.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 9834C93A

     inbound esp sas:
      spi: 0xFEAA47EE(4272572398)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4530769/2462)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9834C93A(2553596218)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4530768/2461)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (1.1.34.4/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (1.1.12.1/255.255.255.255/1/0)
   current_peer: 1.1.23.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.23.3, remote crypto endpt.: 1.1.23.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
R3#
======

thanks,

Han

Jennifer Halim
Cisco Employee
Cisco Employee

Yup, that's what I understand that to be, but you send traffic from LAN typically to initiate the tunnel, and since you have R1 and R4, I assume that you use those routers to send the interesting traffic to establish the VPN between R2 and R3.

Yes, you were right, I just input the output above.

thanks,

Please kindly ensure that R1 knows how to route back towards R4, ie: it should have default route pointing towards 1.1.12.2, and R1 interface is configured with the correct IP Address (1.1.12.1) and netmask (255.255.255.0).

To test the VPN, you can increase the crypto ACL to a whole class C subnet instead of just 1 host. That way, you can also test to ping the router internal interface, eg: ping 1.1.12.2 from R4 to see if that works.

The routing part works fine; I can even ping the IP on the same subnet.

R1#sh ip route
Gateway of last resort is 1.1.12.2 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.12.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 1.1.12.2
R1#

R4#ping 1.1.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/34/68 ms
R4#

Jennifer Halim
Cisco Employee
Cisco Employee

You will definitely be able to ping the directly connected subnet.

Try traceroute and see where it's failing.

It is pinging from R4 to the link between R1 and R2.

One end works, one doesn't.

Ping to 1.1.12.2 works. Ping to 1.1.12.1, which means it will be encrypted, doesn't work.

It apparently fails at the encryption part.

Don't think it's a VPN issue.

It's more routing issue to me.

Can you please change the IP and see if it makes any difference?

Also in the crypto ACL, please just permit ip, remove the permit icmp, and clear the tunnels from both ends.

If I take off the crypto map command on the interface on both R2 and R3, the ping works. So, it is DEFINITELY a VPN issue.

R2(config-if)#do sh run int fa1/0
Building configuration...

Current configuration : 113 bytes
!
interface FastEthernet1/0
ip address 1.1.23.2 255.255.255.0
duplex auto
speed auto
crypto map statmap
end
R2(config-if)#no crypto map statmap

R3(config-if)#do sh run int fa0/0
Building configuration...

Current configuration : 111 bytes
!
interface FastEthernet0/0
ip address 1.1.23.3 255.255.255.0
duplex auto
speed auto
crypto map mymap
end

R3(config-if)#no crypto map mymap


R4#ping 1.1.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/76 ms
R4#

Can you please change the crypto ACL on both side to the following:

R2:

access-list 150 permit ip 1.1.12.0 0.0.0.255 1.1.34.0 0.0.0.255

R3:

access-list 150 permit ip 1.1.34.0 0.0.0.255 1.1.12.0 0.0.0.255

Also, try to remove ACL 150 from R2 to see if that makes any difference:

crypto dynamic-map dynmap 10
      no match address 150
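As an added example (not code from the thread), a small Python checker that parses the R2 and R3 crypto ACLs posted above and tests the two points raised in this thread: that each entry is mirrored on the peer, and that a protocol-specific `permit icmp` line is not duplicated by a `permit ip` line for the same hosts (each ACE negotiates its own IPsec SA pair, which is why the R3 `show cry ips sa` output above has two identity blocks, one for protocol 0 and one for protocol 1). The ACL text is copied from the thread; the address parser only handles the `host`, `any` and network/wildcard forms.

```python
from dataclasses import dataclass

# Constructed input: the crypto ACLs exactly as posted for R2 and R3 in this thread.
R2_ACL = """access-list 150 permit icmp host 1.1.12.1 host 1.1.34.4
access-list 150 permit ip host 1.1.12.1 host 1.1.34.4"""
R3_ACL = """access-list 150 permit ip host 1.1.34.4 host 1.1.12.1
access-list 150 permit icmp host 1.1.34.4 host 1.1.12.1"""

@dataclass(frozen=True)
class Ace:
    proto: str
    src: tuple  # (network, wildcard mask)
    dst: tuple

    def mirror(self) -> "Ace":
        # The entry the peer's crypto ACL must contain for this one.
        return Ace(self.proto, self.dst, self.src)

def _addr(t: list, i: int) -> tuple:
    """Consume one IOS address spec at t[i]; return (addr, next index)."""
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (t[i], t[i + 1]), i + 2

def parse_acl(text: str) -> list:
    """Parse 'access-list N permit PROTO SRC DST' lines; deny lines define no SA."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue
        src, i = _addr(t, 4)
        dst, _ = _addr(t, i)
        aces.append(Ace(t[3], src, dst))
    return aces

def check_crypto_acls(local_text: str, remote_text: str) -> list:
    """Flag entries the peer does not mirror, and protocol-specific entries that
    duplicate an 'ip' entry for the same hosts (each ACE negotiates its own SA pair)."""
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    findings = []
    for a in local:
        if a.mirror() not in remote:
            findings.append(f"not mirrored on peer: {a.proto} {a.src[0]} -> {a.dst[0]}")
        if a.proto != "ip" and Ace("ip", a.src, a.dst) in local:
            findings.append(f"redundant: {a.proto} {a.src[0]} -> {a.dst[0]} already covered by ip")
    return findings
```

Run against the posted ACLs it reports only the redundant `icmp` entry on each side; the subnet-wide `permit ip` pair suggested above comes back clean.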

Jen,

Today, I rebuilt the scenario instead of troubleshooting it. With the same configuration, it worked. Bizarre, isn't it?

thanks,

Han

Yeah, sometimes that is the case.

Thanks for the update.