Both sides show the same.

cpe-rpa-kal-gw-01#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

cpe-rpa-kal-gw-01#

wtc-mar-gw-01#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

wtc-mar-gw-01#

Debug of the RPA side shows this when crypto map VPNMAP is removed and added back to gi0/0:

*May 1 17:05:57.559: IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
*May 1 17:05:57.559: IPSEC(rte_mgr): Delete Route found ID 3
*May 1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
*May 1 17:05:57.563: IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
*May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 3
*May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
*May 1 17:05:57.563: IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
*May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 4
*May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
*May 1 17:05:57.563: IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
*May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 4
*May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
*May 1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May 1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

On Tue, May 1, 2018 at 10:45 AM, Alex K. <nsp.li...@gmail.com> wrote:
> Hi Scott,
>
> In what state does "show cry isa sa" show the VPN ending up? Anyhow, your configuration
> seems to be correct (I didn't go over the ACLs though; I hope they're an
> exact mirror of each other). Does anything suspicious show up with "debug cry
> isakmp"?
>
> Not passing traffic might be related to your no-nat configuration, but in
> my humble opinion you can safely put it aside till the VPN reaches the so-called
> QM_IDLE state.
>
> Alex.
>
>
> On Tue, May 1, 2018, 19:02, Scott Miller <sc...@ip-routing.net> wrote:
>
>> I'm trying to create a VPN on two Cisco 3825's, on the same ISP, in order to
>> have access to each other's network.
>>
>> On each side, I have them built as follows:
>>
>> Site WTC Inside network
>> 192.168.1.0/24
>> 192.168.2.0/24
>>
>> Site RPA Inside network
>> 192.168.3.0/24
>> 192.168.4.0/24
>>
>> WTC:
>> crypto isakmp policy 11
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>  lifetime 28800
>> crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
>> crypto isakmp nat keepalive 30
>> !
>> !
>> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
>> !
>> crypto map VPNMAP 10 ipsec-isakmp
>>  description Connection to WTC
>>  set peer 208.123.206.17
>>  set transform-set MYSET
>>  match address 110
>>  reverse-route static
>>
>> interface GigabitEthernet0/0
>>  crypto map VPNMAP
>>
>> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
>>
>> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
>> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>>
>> access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 120 permit ip 192.168.2.0 0.0.0.255 any
>>
>> route-map nonat permit 10
>>  match ip address 120
>>
>>
>> RPA:
>> crypto isakmp policy 11
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>  lifetime 28800
>> crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
>> crypto isakmp nat keepalive 30
>> !
>> !
>> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
>> !
>> crypto map VPNMAP 10 ipsec-isakmp
>>  description Connection to WTC
>>  set peer 66.135.65.98
>>  set transform-set MYSET
>>  match address 110
>>  reverse-route static
>> !
>> !
>> interface GigabitEthernet0/0
>>  crypto map VPNMAP
>>
>> ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
>> ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
>>
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>>
>> access-list 120 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 120 permit ip 192.168.4.0 0.0.0.255 any
>>
>> route-map nonat permit 10
>>  match ip address 120
>>
>>
>> The tunnel will not establish ...
>> Yesterday it did come up, but would not pass traffic.
>> Today, it's showing down on both sides:
>>
>> cpe-rpa-kal-gw-01#show crypto ses
>> Crypto session current status
>>
>> Interface: GigabitEthernet0/0
>> Session status: DOWN
>> Peer: (gi0/0 of WTC) port 500
>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>
>> cpe-rpa-kal-gw-01#
>>
>>
>> Logs for RPA show this when I remove 'crypto map VPNMAP' from gi0/0 and put it
>> back:
>>
>> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
>> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
>> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
>> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
>> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
>> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
>> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
>> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
>> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
>> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
>> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
>> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
>> *May 1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>> *May 1 15:20:34.539: No peer struct to get peer description
>> *May 1 15:20:34.539: No peer struct to get peer description
>> *May 1 15:20:34.539: No peer struct to get peer description
>> *May 1 15:20:34.539: No peer struct to get peer description
>> cpe-rpa-kal-gw-01#
>>
>> cpe-rpa-kal-gw-01#show cry ses
>> Crypto session current status
>>
>> Interface: GigabitEthernet0/0
>> Session status: DOWN
>> Peer: 66.135.65.98 port 500
>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>
>> cpe-rpa-kal-gw-01#
>>
>> Anyone see what I might be doing wrong?
>>

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
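Alex's question about whether the two crypto ACLs are exact mirrors of each other is the kind of check that is easy to get wrong by eye on an eight-line ACL. The script below is an added example, not code from either poster: it parses the `access-list 110` entries as posted for the WTC and RPA sides (copied from the thread into constant strings), normalises the Cisco wildcard masks into prefixes, and reports every permit entry on one side that has no swapped (destination, source) counterpart on the other. The function names, the `ACE_RE` pattern and the report layout are this example's own.

```python
"""Check whether two Cisco crypto-map ACLs are exact mirrors of each other.

Added example for this thread (not code from the original posts).  The ACL
text below is copied from the WTC and RPA configurations as posted; the
function names are this example's own.
"""
import ipaddress
import re

# Matches "access-list <n> permit|deny ip <src> <src-wildcard> <dst> <dst-wildcard>"
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<swc>\S+)\s+(?P<dst>\S+)\s+(?P<dwc>\S+)\s*$"
)

# Crypto ACL 110 from the WTC side, as posted in the thread.
WTC_CONFIG = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
"""

# Crypto ACL 110 from the RPA side, as posted in the thread.
RPA_CONFIG = """
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
"""


def parse_crypto_acl(config_text, acl_number):
    """Return (src_net, dst_net) pairs for the permit entries of one numbered ACL.

    Cisco wildcard masks are inverted netmasks; ipaddress.ip_network accepts a
    hostmask after the slash and converts it to a prefix length.  Entries for
    other ACL numbers (such as the no-NAT ACL 120) are ignored.
    """
    flows = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line)
        if not m or m.group("acl") != acl_number or m.group("action") != "permit":
            continue
        src = ipaddress.ip_network(f"{m.group('src')}/{m.group('swc')}", strict=False)
        dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dwc')}", strict=False)
        flows.append((src, dst))
    return flows


def _fmt(flow):
    src, dst = flow
    return f"{src} -> {dst}"


def mirror_report(local_flows, remote_flows):
    """Report entries on either side that have no mirrored (dst, src) counterpart.

    A crypto ACL describes traffic leaving the local router, so the peer's ACL
    must contain the same pairs with source and destination swapped.
    """
    local = set(local_flows)
    remote = set(remote_flows)
    mirror_of_remote = {(d, s) for s, d in remote}
    mirror_of_local = {(d, s) for s, d in local}
    return {
        "local_without_mirror": sorted(_fmt(f) for f in local - mirror_of_remote),
        "remote_without_mirror": sorted(_fmt(f) for f in remote - mirror_of_local),
    }


if __name__ == "__main__":
    wtc = parse_crypto_acl(WTC_CONFIG, "110")
    rpa = parse_crypto_acl(RPA_CONFIG, "110")
    for side, entries in mirror_report(wtc, rpa).items():
        print(f"{side}: {entries or 'none'}")
```

Run against the posted ACLs, all four RPA entries have a mirror on the WTC side, while the four WTC entries whose source is an RPA subnet (192.168.3.0/24 and 192.168.4.0/24) have no counterpart on RPA. That is exactly the asymmetry the mirror question is meant to surface; the check is general and works for any pair of crypto ACLs, not only the two posted here.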