Update. More data. If I remove the crypto map for Branch-2 (vpnmap 31) then the tunnel for Branch-1 (crypto map 10) comes back up. It appears that having both crypto maps like below causes int fa0/1 to not be aware of what traffic to send down what tunnel. See example of problematic config below.

Problem:

crypto map vpnmap 10 ipsec-isakmp
 set peer 205.205.205.21
 set transform-set vpn_set
 match address 141
crypto map vpnmap 31 ipsec-isakmp
 set peer 206.206.206.1
 set transform-set vpn_set
 match address 131

I'm pretty sure I remember doing it this way several years ago. What changes need to be made to allow these multiple crypto maps and using just one crypto map tag on fa0/1 (isp interface)?

Thank you,

--- On Mon, 1/14/13, false <[email protected]> wrote:

> From: false <[email protected]>
> Subject: Re: [c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!
> To: [email protected], "Nick Hilliard" <[email protected]>
> Date: Monday, January 14, 2013, 11:32 AM
> Nick,
>
> Are you referring to the real public ip addresses? Or the Tunnel 172.16.x.x addresses?
>
> Originally, the real public ip addresses could all ping each other but right now I cannot ping the public peers. I can't even ping anything on the internet from the 871W (Branch-1) and it doesn't even have an access-list applied or CBAC applied. The 2800s have the "ip inspect name ISP2-cbac icmp" command and I added an entry on the 101 acl (permit icmp any any). I am using CBAC for outbound traffic and the 101 acl for inbound. Users can browse the Internet but the router doesn't seem to be able to ping anything. Ping did work before all the vpn work.
>
> Branch-1 (871W)
> interface FastEthernet4
>  ip address dhcp client-id FastEthernet4
>  ip nat outside
>  ip virtual-reassembly
>  ip tcp adjust-mss 1452
>  duplex auto
>  speed auto
>  crypto map xxx_To_yyy
> end
>
> ip nat inside source route-map nonat interface FastEthernet4 overload
> ip nat inside source static tcp 192.168.41.51 3074 interface FastEthernet4 3074
> ip nat inside source static udp 192.168.41.51 88 interface FastEthernet4 88
> ip nat inside source static udp 192.168.41.51 3074 interface FastEthernet4 3074
>
> --- On Mon, 1/14/13, Nick Hilliard <[email protected]> wrote:
>
> > From: Nick Hilliard <[email protected]>
> > Subject: Re: [c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!
> > To: [email protected]
> > Date: Monday, January 14, 2013, 9:16 AM
> > On 14/01/2013 14:59, false wrote:
> > > I initially had HDQ working fine with the 871W (Branch-1) but when I
> > > configured branch2 (2801), they both broke.
> >
> > Can you ping the endpoints of each tunnel?
> >
> > Nick
> >
> > > The tunnels appear to be up but traffic is not routing across them. The two 2801 routers run 12.4 (c2800nm-adventerprisek9-mz.124-24.T2.bin). These are gre over ipsec tunnels. Currently traffic flows over an existing MPLS network that we are getting away from due to cost. As soon as I change the routes to point to the Tunnels, it breaks. Traffic doesn't appear to pass through the tunnel. BTW, the tunnels do appear up and sessions established. I have attached my sanitized configs. Any assistance would be VERY, VERY much appreciated.
> > >
> > > HDQ#sh crypto sess
> > > Crypto session current status
> > >
> > > Interface: FastEthernet0/1
> > > Session status: UP-ACTIVE
> > > Peer: 205.205.205.21 port 500
> > >   IKE SA: local 204.204.204.66/500 remote 205.205.205.21/500 Active
> > >   IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
> > >         Active SAs: 4, origin: crypto map
> > >   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
> > >         Active SAs: 0, origin: crypto map
> > >   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.41.0/255.255.255.0
> > >         Active SAs: 0, origin: crypto map
> > >
> > > Interface: FastEthernet0/1
> > > Session status: UP-IDLE
> > > Peer: 206.206.206.1 port 500
> > >   IKE SA: local 204.204.204.66/500 remote 206.206.206.1/500 Active
> > >   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.3.0/255.255.255.0
> > >         Active SAs: 0, origin: crypto map
> > >
> > > HDQ#
> > >
> > > HDQ#sh cry isa sa
> > > IPv4 Crypto ISAKMP SA
> > > dst             src             state          conn-id status
> > > 204.204.204.66  206.206.206.1   QM_IDLE           1003 ACTIVE
> > > 205.205.205.21  204.204.204.66  QM_IDLE           1002 ACTIVE
> > >
> > > IPv6 Crypto ISAKMP SA
> > >
> > > sh ip int br:
> > > Tunnel31        172.16.31.33    YES NVRAM  up      up
> > > Tunnel41        172.16.31.41    YES NVRAM  up      up
> > >
> > > Configs:
> > > HDQ
> > > aaa new-model
> > > !
> > > !
> > > aaa authentication ppp default local
> > > aaa authorization network vpnauth local
> > > !
> > > !
> > >
> > > !
> > > !
> > > username admin privilege 15 view root pass
> > > !
> > > crypto isakmp policy 10
> > >  encr 3des
> > >  hash md5
> > >  authentication pre-share
> > >  group 2
> > > crypto isakmp key secret address 205.205.205.21
> > > crypto isakmp key secret address 206.206.206.1
> > > crypto isakmp keepalive 10 5 periodic
> > > !
> > > crypto ipsec security-association lifetime seconds 86400
> > > !
> > > crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> > > !
> > > crypto map vpnmap 10 ipsec-isakmp
> > >  set peer 205.205.205.21
> > >  set transform-set vpn_set
> > >  match address 141
> > > crypto map vpnmap 31 ipsec-isakmp
> > >  set peer 206.206.206.1
> > >  set transform-set vpn_set
> > >  match address 131
> > > !
> > > !
> > > !
> > > interface Tunnel31
> > >  ip address 172.16.31.33 255.255.255.252
> > >  ip mtu 1400
> > >  ip tcp adjust-mss 1360
> > >  tunnel source 204.204.204.66
> > >  tunnel destination 206.206.206.1
> > > !
> > > interface Tunnel41
> > >  ip address 172.16.31.41 255.255.255.252
> > >  ip mtu 1400
> > >  ip tcp adjust-mss 1360
> > >  tunnel source 204.204.204.66
> > >  tunnel destination 205.205.205.21
> > > !
> > > !
> > > interface FastEthernet0/1
> > >  ip address 204.204.204.66 255.255.255.0
> > >  ip access-group 101 in
> > >  no ip unreachables
> > >  ip flow ingress
> > >  ip flow egress
> > >  ip nat outside
> > >  ip inspect ISP2-cbac out
> > >  ip virtual-reassembly
> > >  duplex auto
> > >  speed auto
> > >  crypto map vpnmap
> > > !
> > > interface FastEthernet1/0
> > >  description ***To MPLS***
> > >  switchport access vlan 10
> > >  switchport voice vlan 1
> > >  mls qos trust dscp
> > >  auto qos voip trust
> > >  auto discovery qos
> > >  spanning-tree portfast
> > > !
> > >
> > > !
> > > interface Virtual-Template1
> > >  ip unnumbered Vlan1
> > >  ip virtual-reassembly
> > >  no peer default ip address
> > >  ppp encrypt mppe auto passive
> > >  ppp authentication pap chap ms-chap
> > > !
> > > !
> > > interface Vlan10
> > >  ip address 192.168.1.30 255.255.255.0
> > >  ip nat inside
> > >  ip virtual-reassembly
> > > !
> > > ip forward-protocol nd
> > > ip route 0.0.0.0 0.0.0.0 204.204.204.254
> > > ip route 10.255.1.0 255.255.255.0 192.168.1.254
> > > ip route 172.18.2.0 255.255.255.0 192.168.1.254
> > > ip route 172.18.3.0 255.255.255.0 192.168.1.254
> > > ip route 192.168.1.0 255.255.255.0 192.168.3.254
> > > ip route 192.168.1.0 255.255.255.0 192.168.1.254
> > > ip route 192.168.1.2 255.255.255.255 Service-Engine0/0
> > > ip route 192.168.3.0 255.255.255.0 192.168.1.254
> > > ip route 192.168.10.0 255.255.255.0 192.168.1.157
> > > ip route 192.168.41.0 255.255.255.0 Tunnel41
> > > !
> > > ip nat inside source route-map nonat interface FastEthernet0/1 overload
> > > ip nat inside source static 192.168.1.157 204.204.204.27
> > > ip nat inside source static 192.168.1.31 204.204.204.67
> > > !
> > > logging 192.168.2.53
> > > logging 192.168.2.28
> > > access-list 20 permit 192.168.0.0 0.0.255.255
> > > access-list 20 permit 172.18.0.0 0.0.255.255
> > > access-list 101 permit udp host 205.205.205.21 any eq isakmp
> > > access-list 101 permit udp host 205.205.205.21 eq isakmp any
> > > access-list 101 permit esp host 205.205.205.21 any
> > > access-list 101 permit udp host 205.205.205.22 any eq isakmp
> > > access-list 101 permit udp host 205.205.205.22 eq isakmp any
> > > access-list 101 permit esp host 205.205.205.22 any
> > > access-list 101 permit tcp any host 204.204.204.27 eq 443
> > > access-list 101 permit udp host 206.206.206.1 any eq isakmp
> > > access-list 101 permit udp host 206.206.206.1 eq isakmp any
> > > access-list 101 permit esp host 206.206.206.1 any
> > > access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> > > access-list 131 permit gre any any
> > > access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> > > access-list 141 permit gre any any
> > > access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
> > > access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> > > access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
> > > access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> > > access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> > > access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255
> > > access-list 175 permit ip 192.168.1.0 0.0.0.255 any
> > > !
> > > !
> > > !
> > > !
> > > route-map nonat permit 41
> > >  match ip address 175
> > > !
> > > !
> > >
> > > Branch-1
> > >
> > > Current configuration : 5625 bytes
> > > !
> > > version 12.3
> > >
> > > !
> > > username cisco privilege 15
> > > aaa new-model
> > > !
> > > !
> > > aaa authentication login default local
> > > aaa authorization exec default local
> > > aaa session-id common
> > > ip subnet-zero
> > > ip cef
> > > !
> > > crypto isakmp policy 10
> > >  encr 3des
> > >  hash md5
> > >  authentication pre-share
> > >  group 2
> > > crypto isakmp key M1bius77 address 204.204.204.66
> > > crypto isakmp keepalive 10 5 periodic
> > > !
> > > crypto ipsec security-association lifetime seconds 86400
> > > !
> > > crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> > > !
> > > crypto map xxx_To_yyy 41 ipsec-isakmp
> > >  set peer 204.204.204.66
> > >  set transform-set vpn_set
> > >  match address 141
> > > !
> > > bridge irb
> > > !
> > > !
> > > interface Tunnel41
> > >  ip address 172.16.31.42 255.255.255.252
> > >  ip mtu 1400
> > >  ip tcp adjust-mss 1360
> > >  tunnel source 205.205.205.21
> > >  tunnel destination 204.204.204.66
> > > !
> > > interface FastEthernet0
> > >  no ip address
> > >  no cdp enable
> > >  spanning-tree portfast
> > > !
> > > interface FastEthernet1
> > >  no ip address
> > >  no cdp enable
> > >  spanning-tree portfast
> > > !
> > > interface FastEthernet2
> > >  no ip address
> > >  spanning-tree portfast
> > > !
> > > interface FastEthernet3
> > >  no ip address
> > >  no cdp enable
> > >  spanning-tree portfast
> > > !
> > > interface FastEthernet4
> > >  ip address dhcp client-id FastEthernet4
> > >  ip nat outside
> > >  ip virtual-reassembly
> > >  ip tcp adjust-mss 1452
> > >  duplex auto
> > >  speed auto
> > >  crypto map xxx_To_yyy
> > > !
> > > !
> > > interface Vlan1
> > >  description Internal NetHome Network
> > >  no ip address
> > >  ip nat inside
> > >  ip virtual-reassembly
> > >  bridge-group 1
> > >  bridge-group 1 spanning-disabled
> > > !
> > > interface BVI1
> > >  description Bridge to Internal Home Network
> > >  ip address 192.168.41.1 255.255.255.0
> > >  ip nat inside
> > >  ip virtual-reassembly
> > > !
> > > ip classless
> > > ip route 192.168.1.0 255.255.255.0 Tunnel41
> > > !
> > > ip nat inside source route-map nonat interface FastEthernet4 overload
> > > ip nat inside source static tcp 192.168.41.51 3074 interface FastEthernet4 3074
> > > ip nat inside source static udp 192.168.41.51 88 interface FastEthernet4 88
> > > ip nat inside source static udp 192.168.41.51 3074 interface FastEthernet4 3074
> > > !
> > > logging trap debugging
> > > logging 192.168.41.22
> > > access-list 1 permit 192.168.41.0 0.0.0.255
> > > access-list 1 permit 192.168.1.0 0.0.0.255
> > > access-list 101 permit udp host 204.204.204.66 any eq isakmp
> > > access-list 101 permit udp host 204.204.204.66 eq isakmp any
> > > access-list 101 permit esp host 204.204.204.66 any
> > > access-list 101 permit icmp any any
> > > access-list 101 permit udp any any eq bootpc
> > > access-list 129 deny   ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> > > access-list 129 permit ip 192.168.41.0 0.0.0.255 any
> > > access-list 141 permit gre any any
> > > access-list 141 permit ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> > > access-list 175 deny   ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> > > access-list 175 permit ip 192.168.41.0 0.0.0.255 any
> > >
> > > Branch-2
> > >
> > > aaa new-model
> > > !
> > > !
> > > aaa authentication login default local
> > > aaa authorization exec default local
> > > !
> > > !
> > >
> > > username admin privilege 15 view root pass
> > > !
> > > crypto isakmp policy 10
> > >  encr 3des
> > >  hash md5
> > >  authentication pre-share
> > >  group 2
> > > crypto isakmp key secret address 204.204.204.66
> > > crypto isakmp keepalive 10 5 periodic
> > > !
> > > crypto ipsec security-association lifetime seconds 86400
> > > !
> > > crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> > > !
> > > crypto map vpnmap 31 ipsec-isakmp
> > >  set peer 204.204.204.66
> > >  set transform-set vpn_set
> > >  match address 131
> > > !
> > > interface Tunnel31
> > >  ip address 172.16.31.34 255.255.255.252
> > >  ip mtu 1400
> > >  ip tcp adjust-mss 1360
> > >  tunnel source 206.206.206.1
> > >  tunnel destination 204.204.204.66
> > > !
> > > interface FastEthernet0/1
> > >  ip address 206.206.206.1 255.255.255.248
> > >  ip access-group 101 in
> > >  ip nat outside
> > >  ip inspect ISP2-cbac out
> > >  ip virtual-reassembly
> > >  duplex auto
> > >  speed auto
> > >  crypto map vpnmap
> > > !
> > > !
> > > interface Vlan10
> > >  ip address 192.168.3.1 255.255.255.0
> > >  ip nat inside
> > >  ip virtual-reassembly
> > > !
> > > ip forward-protocol nd
> > > ip route 0.0.0.0 0.0.0.0 50.79.142.6
> > > ip route 172.18.1.0 255.255.255.0 192.168.3.254
> > > ip route 172.18.2.0 255.255.255.0 192.168.3.254
> > > ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
> > > ip route 192.168.1.0 255.255.255.0 192.168.3.254
> > > ip route 192.168.2.0 255.255.255.0 192.168.3.254
> > > ip route 192.168.10.0 255.255.255.0 192.168.3.254
> > > !
> > > ip nat inside source route-map nonat interface FastEthernet0/1 overload
> > > ip nat inside source static tcp 192.168.3.10 5899 206.206.206.5 5899 extendable
> > > !
> > > access-list 20 permit x.x.x.x
> > > access-list 20 permit 192.168.0.0 0.0.255.255
> > > access-list 20 permit 172.18.0.0 0.0.255.255
> > > access-list 101 permit udp any host 206.206.206.1 eq 5060
> > > access-list 101 permit udp host 204.204.204.66 any eq isakmp
> > > access-list 101 permit udp host 204.204.204.66 eq isakmp any
> > > access-list 101 permit esp host 204.204.204.66 any
> > > access-list 102 remark NAT ACL
> > > access-list 102 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> > > access-list 102 deny   ip 192.168.0.0 0.0.255.255 172.18.0.0 0.0.255.255
> > > access-list 102 deny   ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
> > > access-list 102 deny   ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> > > access-list 102 permit ip 192.168.3.0 0.0.0.255 any
> > > access-list 102 permit ip 172.18.3.0 0.0.0.255 any
> > > access-list 131 permit gre any any
> > > access-list 131 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> > >
> > > !
> > > !
> > > !
> > > !
> > > route-map nonat permit 41
> > >  match ip address 175
> > > !
> > >
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
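The symptom described at the top of this message (Branch-1's tunnel only comes back when the vpnmap 31 entry is removed) follows from how IOS evaluates a crypto map: entries are walked in sequence order and the first crypto ACL permit wins, and on HDQ both ACL 131 and ACL 141 open with `permit gre any any`, which is why `sh crypto sess` lists one `permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0` flow under peer 205.205.205.21 and none under 206.206.206.1. The Python below is an added example, not the poster's or Cisco's code: it replays that evaluation against the posted HDQ crypto map and ACLs, and then against constructed endpoint-specific GRE entries (an assumed fix, not one tested in the thread).

```python
# Added example, not code from the thread or from Cisco: walks a crypto map the
# way IOS does (lowest sequence first, first crypto ACL "permit" wins).
import ipaddress

def _addr(rest):
    """Consume one ACL address term from rest: any | host A | A WILDCARD."""
    kind = rest.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind == "host":
        return ipaddress.ip_network(rest.pop(0) + "/32")
    wild = int(ipaddress.ip_address(rest.pop(0)))          # IOS wildcard mask
    mask = ipaddress.ip_address(0xFFFFFFFF ^ wild)         # inverted to a netmask
    return ipaddress.ip_network(f"{kind}/{mask}", strict=False)

def build_acls(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST' into {N: [(action, proto, src, dst)]}; port qualifiers are not handled."""
    acls = {}
    for line in lines:
        acl, action, proto, *rest = line.split()[1:]
        acls.setdefault(acl, []).append((action, proto, _addr(rest), _addr(rest)))
    return acls

def classify(crypto_map, acls, proto, src, dst):
    """(seq, peer) of the first crypto map entry whose ACL permits the flow, else None (sent in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, peer, acl_id in sorted(crypto_map):
        for action, p, sn, dn in acls.get(acl_id, []):
            if p in (proto, "ip") and s in sn and d in dn:
                if action == "permit":
                    return seq, peer
                break  # deny: not this entry's traffic, try the next sequence
    return None

# Crypto map and crypto ACLs as in the HDQ config posted in the thread.
HDQ_MAP = [(10, "205.205.205.21", "141"), (31, "206.206.206.1", "131")]
HDQ_ACLS = build_acls([
    "access-list 131 permit gre any any",
    "access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "access-list 141 permit gre any any",
    "access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255",
])
# Constructed fix (an assumption, not from the thread): pin each GRE ACE to its own tunnel endpoints.
FIXED_ACLS = build_acls([
    "access-list 131 permit gre host 204.204.204.66 host 206.206.206.1",
    "access-list 141 permit gre host 204.204.204.66 host 205.205.205.21",
])

def gre_peer(acls, tunnel_dst):
    """Peer that HDQ (204.204.204.66) would encrypt a GRE packet for tunnel_dst towards."""
    return classify(HDQ_MAP, acls, "gre", "204.204.204.66", tunnel_dst)
```

With the posted ACLs, `gre_peer(HDQ_ACLS, "206.206.206.1")` returns sequence 10 and peer 205.205.205.21, so Tunnel31's GRE never reaches Branch-2; with the endpoint-specific entries each tunnel lands on its own sequence.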
