On 14/01/2013 14:59, false wrote:
> I initially had HDQ working fine with the 871W (Branch-1) but when I
> configured branch2 (2801), they both broke.

Can you ping the endpoints of each tunnel?

Nick

> The tunnels appear to be up but traffic is not routing across them. The
> two 2801 routers run 12.4 (c2800nm-adventerprisek9-mz.124-24.T2.bin).
> These are gre over ipsec tunnels. Currently traffic flows over an
> existing MPLS network that we are getting away from due to cost. As soon
> as I change the routes to point to the Tunnels, it breaks. Traffic
> doesn't appear to pass through the tunnel. BTW, the tunnels do appear up
> and sessions established. I have attached my sanitized configs. Any
> assistance would be VERY, VERY much appreciated.
>
>
> HDQ#sh crypto sess
> Crypto session current status
>
> Interface: FastEthernet0/1
> Session status: UP-ACTIVE
> Peer: 205.205.205.21 port 500
>   IKE SA: local 204.204.204.66/500 remote 205.205.205.21/500 Active
>   IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
>         Active SAs: 4, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.41.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>
> Interface: FastEthernet0/1
> Session status: UP-IDLE
> Peer: 206.206.206.1 port 500
>   IKE SA: local 204.204.204.66/500 remote 206.206.206.1/500 Active
>   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.3.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>
> HDQ#
>
> HDQ#sh cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
> 204.204.204.66  206.206.206..1  QM_IDLE           1003 ACTIVE
> 205.205.205.21  204.204.204.66  QM_IDLE           1002 ACTIVE
>
> IPv6 Crypto ISAKMP SA
>
> sh ip int br:
> Tunnel31    172.16.31.33    YES NVRAM  up    up
> Tunnel41    172.16.31.41    YES NVRAM  up    up
>
> Configs:
>
> HDQ
>
> aaa new-model
> !
> !
> aaa authentication ppp default local
> aaa authorization network vpnauth local
> !
> !
>
> !
> !
> username admin privilege 15 view root pass
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key secret address 205.205.205.21
> crypto isakmp key secret address 206.206.206.1
> crypto isakmp keepalive 10 5 periodic
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> !
> crypto map vpnmap 10 ipsec-isakmp
>  set peer 205.205.205.21
>  set transform-set vpn_set
>  match address 141
> crypto map vpnmap 31 ipsec-isakmp
>  set peer 206.206.206.1
>  set transform-set vpn_set
>  match address 131
> !
> !
> !
> interface Tunnel31
>  ip address 172.16.31.33 255.255.255.252
>  ip mtu 1400
>  ip tcp adjust-mss 1360
>  tunnel source 204.204.204.66
>  tunnel destination 206.206.206.1
> !
> interface Tunnel41
>  ip address 172.16.31.41 255.255.255.252
>  ip mtu 1400
>  ip tcp adjust-mss 1360
>  tunnel source 204.204.204.66
>  tunnel destination 205.205.205.21
> !
> !
> interface FastEthernet0/1
>  ip address 204.204.204.66 255.255.255.0
>  ip access-group 101 in
>  no ip unreachables
>  ip flow ingress
>  ip flow egress
>  ip nat outside
>  ip inspect ISP2-cbac out
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  crypto map vpnmap
> !
> interface FastEthernet1/0
>  description ***To MPLS***
>  switchport access vlan 10
>  switchport voice vlan 1
>  mls qos trust dscp
>  auto qos voip trust
>  auto discovery qos
>  spanning-tree portfast
> !
>
> !
> interface Virtual-Template1
>  ip unnumbered Vlan1
>  ip virtual-reassembly
>  no peer default ip address
>  ppp encrypt mppe auto passive
>  ppp authentication pap chap ms-chap
> !
> !
> interface Vlan10
>  ip address 192.168.1.30 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 204.204.204.254
> ip route 10.255.1.0 255.255.255.0 192.168.1.254
> ip route 172.18.2.0 255.255.255.0 192.168.1.254
> ip route 172.18.3.0 255.255.255.0 192.168.1.254
> ip route 192.168.1.0 255.255.255.0 192.168.3.254
> ip route 192.168.1.0 255.255.255.0 192.168.1.254
> ip route 192.168.1.2 255.255.255.255 Service-Engine0/0
> ip route 192.168.3.0 255.255.255.0 192.168.1.254
> ip route 192.168.10.0 255.255.255.0 192.168.1.157
> ip route 192.168.41.0 255.255.255.0 Tunnel41
> !
> ip nat inside source route-map nonat interface FastEthernet0/1 overload
> ip nat inside source static 192.168.1.157 204.204.204.27
> ip nat inside source static 192.168.1.31 204.204.204.67
> !
> logging 192.168.2.53
> logging 192.168.2.28
> access-list 20 permit 192.168.0.0 0.0.255.255
> access-list 20 permit 172.18.0.0 0.0.255.255
> access-list 101 permit udp host 205.205.205.21 any eq isakmp
> access-list 101 permit udp host 205.205.205.21 eq isakmp any
> access-list 101 permit esp host 205.205.205.21 any
> access-list 101 permit udp host 205.205.205.22 any eq isakmp
> access-list 101 permit udp host 205.205.205.22 eq isakmp any
> access-list 101 permit esp host 205.205.205.22 any
> access-list 101 permit tcp any host 204.204.204.27 eq 443
> access-list 101 permit udp host 206.206.206.1 any eq isakmp
> access-list 101 permit udp host 206.206.206.1 eq isakmp any
> access-list 101 permit esp host 206.206.206.1 any
> access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 131 permit gre any any
> access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> access-list 141 permit gre any any
> access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
> access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
> access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255
> access-list 175 permit ip 192.168.1.0 0.0.0.255 any
> !
> !
> !
> !
> route-map nonat permit 41
>  match ip address 175
> !
> !
>
> Branch-1
>
> Current configuration : 5625 bytes
> !
> version 12.3
>
> !
> username cisco privilege 15
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authorization exec default local
> aaa session-id common
> ip subnet-zero
> ip cef
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key M1bius77 address 204.204.204.66
> crypto isakmp keepalive 10 5 periodic
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> !
> crypto map xxx_To_yyy 41 ipsec-isakmp
>  set peer 204.204.204.66
>  set transform-set vpn_set
>  match address 141
> !
> bridge irb
> !
> !
> interface Tunnel41
>  ip address 172.16.31.42 255.255.255.252
>  ip mtu 1400
>  ip tcp adjust-mss 1360
>  tunnel source 205.205.205.21
>  tunnel destination 204.204.204.66
> !
> interface FastEthernet0
>  no ip address
>  no cdp enable
>  spanning-tree portfast
> !
> interface FastEthernet1
>  no ip address
>  no cdp enable
>  spanning-tree portfast
> !
> interface FastEthernet2
>  no ip address
>  spanning-tree portfast
> !
> interface FastEthernet3
>  no ip address
>  no cdp enable
>  spanning-tree portfast
> !
> interface FastEthernet4
>  ip address dhcp client-id FastEthernet4
>  ip nat outside
>  ip virtual-reassembly
>  ip tcp adjust-mss 1452
>  duplex auto
>  speed auto
>  crypto map xxx_To_yyy
> !
> !
> interface Vlan1
>  description Internal NetHome Network
>  no ip address
>  ip nat inside
>  ip virtual-reassembly
>  bridge-group 1
>  bridge-group 1 spanning-disabled
> !
> interface BVI1
>  description Bridge to Internal Home Network
>  ip address 192.168.41.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
> !
> ip classless
> ip route 192.168.1.0 255.255.255.0 Tunnel41
> !
> ip nat inside source route-map nonat interface FastEthernet4 overload
> ip nat inside source static tcp 192.168.41.51 3074 interface FastEthernet4 3074
> ip nat inside source static udp 192.168.41.51 88 interface FastEthernet4 88
> ip nat inside source static udp 192.168.41.51 3074 interface FastEthernet4 3074
> !
> logging trap debugging
> logging 192.168.41.22
> access-list 1 permit 192.168.41.0 0.0.0.255
> access-list 1 permit 192.168.1.0 0.0.0.255
> access-list 101 permit udp host 204.204.204.66 any eq isakmp
> access-list 101 permit udp host 204.204.204.66 eq isakmp any
> access-list 101 permit esp host 204.204.204.66 any
> access-list 101 permit icmp any any
> access-list 101 permit udp any any eq bootpc
> access-list 129 deny ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 129 permit ip 192.168.41.0 0.0.0.255 any
> access-list 141 permit gre any any
> access-list 141 permit ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 175 deny ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 175 permit ip 192.168.41.0 0.0.0.255 any
>
> Branch-2
>
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authorization exec default local
> !
> !
>
> username admin privilege 15 view root pass
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key secret address 204.204.204.66
> crypto isakmp keepalive 10 5 periodic
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> !
> crypto map vpnmap 31 ipsec-isakmp
>  set peer 204.204.204.66
>  set transform-set vpn_set
>  match address 131
> !
> interface Tunnel31
>  ip address 172.16.31.34 255.255.255.252
>  ip mtu 1400
>  ip tcp adjust-mss 1360
>  tunnel source 5206.206.206.1
>  tunnel destination 204.204.204.66
> !
> interface FastEthernet0/1
>  ip address 206.206.206.1 255.255.255.248
>  ip access-group 101 in
>  ip nat outside
>  ip inspect ISP2-cbac out
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  crypto map vpnmap
> !
> !
> interface Vlan10
>  ip address 192.168.3.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 50.79.142.6
> ip route 172.18.1.0 255.255.255.0 192.168.3.254
> ip route 172.18.2.0 255.255.255.0 192.168.3.254
> ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
> ip route 192.168.1.0 255.255.255.0 192.168.3.254
> ip route 192.168.2.0 255.255.255.0 192.168.3.254
> ip route 192.168.10.0 255.255.255.0 192.168.3.254
> !
> ip nat inside source route-map nonat interface FastEthernet0/1 overload
> ip nat inside source static tcp 192.168.3.10 5899 206.206.206.5 5899 extendable
> !
> access-list 20 permit x.x.x.x
> access-list 20 permit 192.168.0.0 0.0.255.255
> access-list 20 permit 172.18.0.0 0.0.255.255
> access-list 101 permit udp any host 206.206.206.1 eq 5060
> access-list 101 permit udp host 204.204.204.66 any eq isakmp
> access-list 101 permit udp host 204.204.204.66 eq isakmp any
> access-list 101 permit esp host 204.204.204.66 any
> access-list 102 remark NAT ACL
> access-list 102 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> access-list 102 deny ip 192.168.0.0 0.0.255.255 172.18.0.0 0.0.255.255
> access-list 102 deny ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
> access-list 102 deny ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> access-list 102 permit ip 192.168.3.0 0.0.0.255 any
> access-list 102 permit ip 172.18.3.0 0.0.0.255 any
> access-list 131 permit gre any any
> access-list 131 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> !
> !
> !
> !
> route-map nonat permit 41
>  match ip address 175
> !

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
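Before pinging the tunnel endpoints as the reply suggests, a static pass over the two sides of a GRE-over-IPsec pair catches the config mismatches that typically produce exactly this "session UP, no traffic" picture. The checker below is an added example and is not code from this thread or from Cisco; it parses the IOS lines that matter (tunnel endpoints, crypto map peer and ACL, route-map ACL references, static routes) and reports anything inconsistent. The two config strings are constructed excerpts of the posted HDQ and Branch-2 configs, cut down to the Tunnel31 lines; the LAN prefixes passed to `check_pair` are the ones visible in the posted configs.

```python
import ipaddress
# Constructed excerpt of the posted HDQ config, trimmed to the Tunnel31 lines.
HDQ = """\
crypto map vpnmap 31 ipsec-isakmp
 set peer 206.206.206.1
 match address 131
interface Tunnel31
 tunnel source 204.204.204.66
 tunnel destination 206.206.206.1
ip route 192.168.3.0 255.255.255.0 192.168.1.254
access-list 131 permit gre any any
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 41
 match ip address 175
"""
# Constructed excerpt of the posted Branch-2 config; 'tunnel source' is kept as posted.
BRANCH2 = """\
crypto map vpnmap 31 ipsec-isakmp
 set peer 204.204.204.66
 match address 131
interface Tunnel31
 tunnel source 5206.206.206.1
 tunnel destination 204.204.204.66
ip route 192.168.1.0 255.255.255.0 192.168.3.254
access-list 131 permit gre any any
route-map nonat permit 41
 match ip address 175
"""

def parse_ios(text):
    cfg = {"tunnels": {}, "cmap": [], "acls": {}, "rmap": {}, "routes": []}
    ctx = None  # open sub-command block: tunnel dict, crypto map dict or route-map list
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if not line.startswith(" "):  # top-level command: open a block or record a one-liner
            ctx = None
            if w[0] == "interface" and w[1].startswith("Tunnel"):
                ctx = cfg["tunnels"].setdefault(w[1], {})
            elif w[:2] == ["crypto", "map"] and len(w) > 3 and w[3].isdigit():
                cfg["cmap"].append((ctx := {"map": w[2], "seq": w[3]}))
            elif w[0] == "route-map":
                ctx = cfg["rmap"].setdefault(w[1], [])
            elif w[0] == "access-list":
                cfg["acls"].setdefault(w[1], []).append(" ".join(w[2:]))
            elif w[:2] == ["ip", "route"] and len(w) > 4:
                cfg["routes"].append((w[2], w[3], w[4]))
        elif isinstance(ctx, dict):
            if w[:2] in (["tunnel", "source"], ["tunnel", "destination"], ["set", "peer"]):
                ctx[w[1]] = w[2]
            elif w[:2] == ["match", "address"]:
                ctx["acl"] = w[2]
        elif isinstance(ctx, list) and w[:3] == ["match", "ip", "address"]:
            ctx.extend(w[3:])
    return cfg

def check_site(name, cfg, tunnel, remote_lan):
    # Single-router checks; returns human-readable findings (empty list = clean).
    t = cfg["tunnels"].get(tunnel)
    if t is None:
        return [f"{name}: {tunnel} is not configured"]
    out = []
    for k in ("source", "destination"):
        try:
            ipaddress.IPv4Address(t.get(k, ""))
        except ValueError:
            out.append(f"{name}: {tunnel} tunnel {k} {t.get(k)!r} is not a valid IPv4 address")
    # The GRE peer must be a crypto map peer whose ACL selects GRE, or tunnel packets never match an SA.
    entries = [e for e in cfg["cmap"] if e.get("peer") == t.get("destination")]
    if not entries:
        out.append(f"{name}: no crypto map entry has 'set peer {t.get('destination')}'")
    for e in entries:
        if not any(l.startswith("permit gre") for l in cfg["acls"].get(e.get("acl"), [])):
            out.append(f"{name}: crypto ACL {e.get('acl')} for peer {e['peer']} has no 'permit gre' line")
    # A route-map that matches an undefined ACL does not do what the NAT exemption intends.
    for rmap, acls in cfg["rmap"].items():
        out += [f"{name}: route-map {rmap} matches access-list {a}, which is not defined"
                for a in acls if a not in cfg["acls"]]
    # Traffic only uses the tunnel if the remote LAN is actually routed into it.
    want = ipaddress.IPv4Network(remote_lan)
    hops = [nh for p, m, nh in cfg["routes"] if ipaddress.IPv4Network(f"{p}/{m}", strict=False) == want]
    if tunnel not in hops:
        out.append(f"{name}: route to {remote_lan} points at {hops or 'nothing'}, not {tunnel}")
    return out

def check_pair(a, a_cfg, b, b_cfg, tunnel, a_lan, b_lan):
    # Both routers' own checks, then endpoint symmetry: my destination must be your source.
    out = check_site(a, a_cfg, tunnel, b_lan) + check_site(b, b_cfg, tunnel, a_lan)
    ta, tb = a_cfg["tunnels"].get(tunnel, {}), b_cfg["tunnels"].get(tunnel, {})
    for x, xt, y, yt in ((a, ta, b, tb), (b, tb, a, ta)):
        if xt.get("destination") != yt.get("source"):
            out.append(f"{x} {tunnel} destination {xt.get('destination')} != {y} {tunnel} source {yt.get('source')}")
    return out

def main():
    return check_pair("HDQ", parse_ios(HDQ), "Branch-2", parse_ios(BRANCH2),
                      "Tunnel31", "192.168.1.0/24", "192.168.3.0/24")

if __name__ == "__main__":
    print("\n".join(main()) or "no findings")
```

Run against the excerpts it reports five findings, all of which are visible in the posted text: Branch-2's `tunnel source 5206.206.206.1` is not a valid address and does not match HDQ's `tunnel destination 206.206.206.1` (possibly a sanitisation slip, but worth confirming on the box with `show run interface Tunnel31`); Branch-2's `route-map nonat` references access-list 175, which does not appear in the posted Branch-2 config; and both routers still send the remote LAN toward the MPLS next hop rather than Tunnel31, which is consistent with the poster not having moved the routes yet. None of these is a diagnosis by itself, but they are the first things to rule out before going deeper into `debug crypto ipsec`.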
