06-13-2017 01:57 PM
I am having a terrible time with this. I have managed to get the VPN tunnel to initiate, but only from location 1. Traffic coming from X.X.X.254 does not start a tunnel. All routing appears to be correct; if I remove the crypto map from both interfaces, pings flow. However, once the tunnel is established, pings do not work in either direction.
{EDIT}
So VPN tunnel is not the problem. I have a routing issue... The setup has dual 4503 serving as routers, they have HSRP VLANs on them. The issues
Would a policy map help me prohibit L3 routing on SW2? I need all L2 VLAN 998 packets to be processed by L3 (SW1).
The peculiar thing is that once the VPN tunnel is up, X.X.X.254 is still sending packets, but not via IPSEC.
%CRYPTO-4-RECVD_PKT_NOT_IPSEC:
LOCATION 1
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3)
rtr-lab-oma#sh run | s cry
crypto
crypto keyring PSK-CTYOMA
pre-shared-key address X.X.X.193 key !*!*!*!*
pre-shared-key address X.X.X.194 key !*!*!*!*
pre-shared-key address X.X.X.195 key !*!*!*!*
crypto
hash md5
authentication pre-share
group 2
lifetime 28000
crypto
keyring PSK-CTYOMA
match identity address X.X.X.193 255.255.255.128
crypto
crypto map VPN-CTY-IPSEC 10
set peer X.X.X.195
set transform-set TSET-CTYOMA
set
match address VPN-TRAFFIC-CTYOMA
reverse-route
crypto map VPN-CTY-IPSEC
interface FastEthernet0/0
description OUTSIDE WORLD
duplex auto
speed auto
crypto map VPN-CTY-IPSEC
end
Extended IP access list VPN-TRAFFIC-CTYOMA
10 permit
20 permit
LOCATION 2
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.06.05.E RELEASE SOFTWARE (fc2)
Supervisor 7L-E (
sw-wdc-02#sh run | s cry
service password-encryption
crypto keyring PSK-CTYOMA
pre-shared-key address Y.Y.Y.170 key !*!*!*!*
crypto
hash md5
authentication pre-share
group 2
lifetime 28000
crypto
keyring PSK-CTYOMA
match identity address Y.Y.Y.170 255.255.255.255
local-address Vlan998
crypto
mode tunnel
crypto map VPN-CTY-IPSEC local-address Vlan998
crypto map VPN-CTY-IPSEC 10
set peer Y.Y.Y.170
set transform-set TSET-CTYOMA
set
match address VPN-TRAFFIC-CTYOMA
reverse-route
interface Vlan998
description CENTURYLINK not FW
standby 1
standby 1 priority 105
standby 1 preempt
standby 1 name V998HA
standby 1 track 1 decrement 10
crypto map VPN-CTY-IPSEC redundancy V998HA
end
Extended IP access list VPN-TRAFFIC-CTYOMA
10 permit
20 permit
sw-wdc-02#sh vrf V998:INTERNET
Name Default RD Protocols Interfaces
V998:INTERNET <not set> ipv4 Vl998
sw-wdc-02#sh ip route vrf V998:INTERNET
Routing Table: V998:INTERNET
[...]
Gateway of last resort is 65.120.78.245 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 65.120.78.245
63.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C X.X.X.192/26 is directly connected, Vlan998
L X.X.X.195/32 is directly connected, Vlan998
65.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C A.A.A.4/30 is directly connected, GigabitEthernet3/2
L A.A.A.6/32 is directly connected, GigabitEthernet3/2
VPN RESULTS
LOCATION 1
rtr-lab-oma#sh cry session
Crypto session current status
Interface: FastEthernet0/0
Profile: PROF-CTYOMA
Session status: UP-ACTIVE
Peer: X.X.X.195 port 500
IKEv1 SA: local Y.Y.Y.170/500 remote X.X.X.195/500 Active
IPSEC FLOW: permit
Active SAs: 2, origin: crypto map
rtr-lab-oma#sh cry route
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
X.X.X.254/255.255.255.255 [1/0] via X.X.X.195 tag 0
on FastEthernet0/0 RRI
LOCATION 2
sw-wdc-02#sh cry session
Crypto session current status
Interface: Vlan998
Profile: PROF-CTYOMA
Session status: UP-ACTIVE
Peer: Y.Y.Y.170 port 500
Session ID: 0
IKEv1 SA: local X.X.X.195/500 remote Y.Y.Y.170/500 Active
IPSEC FLOW: permit
Active SAs: 2, origin: crypto map
sw-wdc-02#sh cry route
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
S - Static Map ACLs
Routes created in table
Y.Y.Y.171/255.255.255.255 [1/0] via Y.Y.Y.170 tag 0 count 1
on Vlan998 RRI
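As an added example (not code from the thread or from any of its posters), the following Python models the decision the original poster is chasing: a crypto map only encrypts a packet that matches the crypto ACL on the interface it leaves through, and the two peers' crypto ACLs must be exact mirror images of each other; when the far side sends a flow in the clear that the near side expects encrypted, the near side logs the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message quoted above. The ACL entries, addresses (RFC 5737 documentation ranges standing in for the masked X.X.X.x / Y.Y.Y.x values) and the sample log line are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the thread. Addresses are constructed stand-ins
# (RFC 5737 ranges) for the thread's masked X.X.X.x / Y.Y.Y.x values.


@dataclass(frozen=True)
class AclEntry:
    seq: int
    proto: str                       # "ip" covers every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'addr wildcard' to a network. A wildcard is the inverse of a
    netmask, so 0.0.0.0 means a single host and 255.255.255.255 means 'any'."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def parse_addr(tokens: List[str], i: int):
    """Parse one address term of an extended ACL starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> AclEntry:
    """Parse a 'show ip access-lists' style entry: '10 permit ip A WILD B WILD'."""
    t = line.split()
    if t[1] != "permit":
        raise ValueError("crypto ACLs should only carry permit entries: " + line)
    src, i = parse_addr(t, 3)
    dst, _ = parse_addr(t, i)
    return AclEntry(int(t[0]), t[2], src, dst)


def first_match(acl, proto, src, dst) -> Optional[AclEntry]:
    """Crypto ACLs are evaluated top down, first match wins, like any IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in sorted(acl, key=lambda ace: ace.seq):
        if e.proto in ("ip", proto) and s in e.src and d in e.dst:
            return e
    return None


def mirror_gaps(local, remote) -> List[AclEntry]:
    """Entries of `local` that `remote` does not mirror (same proto, src/dst swapped).
    Any gap means one direction of the flow leaves that peer unencrypted."""
    return [e for e in local
            if not any(r.proto == e.proto and r.src == e.dst and r.dst == e.src
                       for r in remote)]


LOG_RE = re.compile(r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr= /?(?P<dst>[\d.]+), "
                    r"src_addr= (?P<src>[\d.]+), prot= (?P<prot>\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def explain_cleartext(log_line: str, sender_acl) -> str:
    """Given a RECVD_PKT_NOT_IPSEC message logged on the receiving peer, report
    whether the sending peer's crypto ACL even covers the flow it sent in the clear."""
    m = LOG_RE.search(log_line)
    if not m:
        return "not a RECVD_PKT_NOT_IPSEC message"
    proto = PROTO_NAMES.get(int(m["prot"]), m["prot"])
    # From the sender's point of view the flow is src -> dst exactly as logged.
    if first_match(sender_acl, proto, m["src"], m["dst"]) is None:
        return (f"sender's crypto ACL has no entry for {m['src']} -> {m['dst']} "
                f"({proto}); add the mirror entry")
    return (f"sender's crypto ACL matches {m['src']} -> {m['dst']}; check that its "
            f"egress interface carries the crypto map")


# Constructed stand-ins: Location 1 protects host 192.0.2.171, Location 2 protects
# host 203.0.113.254. LOC2_ACL_BAD has a typo'd last octet in its mirror entry.
LOC1_ACL = [parse_ace("10 permit ip host 192.0.2.171 host 203.0.113.254")]
LOC2_ACL_GOOD = [parse_ace("10 permit ip host 203.0.113.254 host 192.0.2.171")]
LOC2_ACL_BAD = [parse_ace("10 permit ip host 203.0.113.254 host 192.0.2.172")]

# Constructed log line in the shape IOS uses for this message (ICMP echo, prot= 1).
SAMPLE_LOG = ("%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
              "(ip) vrf/dest_addr= /192.0.2.171, src_addr= 203.0.113.254, prot= 1")

if __name__ == "__main__":
    print("mirror gaps vs. bad ACL:", mirror_gaps(LOC1_ACL, LOC2_ACL_BAD))
    print(explain_cleartext(SAMPLE_LOG, LOC2_ACL_BAD))
    print(explain_cleartext(SAMPLE_LOG, LOC2_ACL_GOOD))
```

The two checks separate the two causes of the symptom described in the post: if `mirror_gaps` or `explain_cleartext` reports a missing entry, the far peer never classified the flow as interesting traffic, so no SA was ever requested for it; if the ACL does match, the flow is leaving the far peer through an interface (or, in the HSRP/VRF setup above, a switch) that does not carry the crypto map, which is a routing question rather than an IPsec one.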
06-14-2017 05:48 AM
I have never seen a Cisco 4500 used to terminate a crypto map. I do not believe this is a supported configuration. I am amazed you got it to work at all.
06-14-2017 06:14 AM
With the Enterprise license, the switch is basically a dual-purpose piece of equipment.
06-14-2017 06:16 AM
I did a search and didn't manage to find any documentation or examples of such a configuration.
06-14-2017 06:42 AM
Biscuits!!!! I have a feeling you may be correct. Why oh why is that the feature set they left out!
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/54sg/configuration/guide/config/intro.html?bookSearch=true#wp1023637
However, why does the tunnel establish, and why does debug show it going through the whole setup process, key negotiation and such, if the feature set is not supported? Could you review my config and let me know if you see any glaring issues still?
This is my study for CCNA R&S and Security in production class. LOL
06-14-2017 07:25 AM
Alright, according to the Cisco Feature Navigator:
http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp
IPSec Network Security is available on my release.
3.6E | 3.6.5E | MD | No | CAT4500E-SUP7E | UNIVERSAL CRYPTO (ENTERPRISE SERVICES) | 0 | 0 | No | cat4500e-universalk9.SPA.03.06.05.E.152-2.E5.tar |
That brings me back to configuration issues :(