Cisco 3825 (revision 1.2) with 487424K/36864K bytes of memory.
Processor board ID FTX1422AH5E
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)

System image file is "flash:c3825-adventerprisek9-mz.151-4.M10.bin"

show license
Index 1 Feature: ios-ips-update

On Tue, May 1, 2018 at 11:57 AM, Randy <randy_94...@yahoo.com> wrote:
> outside-in access-lists allow proto 50, udp 500 and udp 4500 if applicable?
>
>
> ________________________________
> From: Emille Blanc <emi...@abccommunications.com>
> To: Scott Miller <sc...@ip-routing.net>
> Cc: cisco-nsp <cisco-nsp@puck.nether.net>
> Sent: Tuesday, May 1, 2018 10:51 AM
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
> Forgive the obvious question;
> Are your 3800's licensed for IPSEC, and/or has the grace period not been
> exhausted if not?
> They require the SECK9 license.
>
> I'd maybe specify the local source-address in your crypto maps. Otherwise,
> nothing stands out as erroneous to me.
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Scott Miller
> Sent: Tuesday, May 01, 2018 10:28 AM
> To: Alex K.
> Cc: cisco-nsp
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
> Both sides show the same.
>
> cpe-rpa-kal-gw-01#show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> cpe-rpa-kal-gw-01#
>
>
> wtc-mar-gw-01# show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> wtc-mar-gw-01#
>
>
> Debug of RPA side shows this when crypto map VPNMAP is removed and added back
> to gi0/0:
>
> *May 1 17:05:57.559: IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
> *May 1 17:05:57.559: IPSEC(rte_mgr): Delete Route found ID 3
> *May 1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
> *May 1 17:05:57.563: IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
> *May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 3
> *May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
> *May 1 17:05:57.563: IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
> *May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 4
> *May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
> *May 1 17:05:57.563: IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
> *May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 4
> *May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
> *May 1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> *May 1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>
>
>
> On Tue, May 1, 2018 at 10:45 AM, Alex K. <nsp.li...@gmail.com> wrote:
>
> > Hi Scott,
> >
> > What state does "show cry isa sa" say the VPN ends on? Anyhow, your configuration
> > seems to be correct (I didn't go over the ACLs though, I hope they're
> > exact mirrors of each other). Does anything suspicious show up with "debug cry
> > isakmp"?
> >
> > Not passing traffic might be related to your no-nat configuration, but in
> > my humble opinion, you can safely put it aside till the VPN reaches the so-called
> > QM_IDLE state.
> >
> > Alex.
> >
> >
> > On Tue, May 1, 2018, 19:02, Scott Miller <sc...@ip-routing.net> wrote:
> >
> >> I'm trying to create a VPN on two Cisco 3825's, on the same ISP, in order
> >> to have access to each other's network.
> >>
> >> On each side, I have them built as follows:
> >>
> >> Site WTC Inside network
> >> 192.168.1.0/24
> >> 192.168.2.0/24
> >>
> >> Site RPA Inside network
> >> 192.168.3.0/24
> >> 192.168.4.0/24
> >>
> >> WTC:
> >> crypto isakmp policy 11
> >>  encr 3des
> >>  hash md5
> >>  authentication pre-share
> >>  group 2
> >>  lifetime 28800
> >> crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
> >> crypto isakmp nat keepalive 30
> >> !
> >> !
> >> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> >> !
> >> crypto map VPNMAP 10 ipsec-isakmp
> >>  description Connection to WTC
> >>  set peer 208.123.206.17
> >>  set transform-set MYSET
> >>  match address 110
> >>  reverse-route static
> >>
> >> interface GigabitEthernet0/0
> >>  crypto map VPNMAP
> >>
> >> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
> >>
> >> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >>
> >> access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 120 permit ip 192.168.2.0 0.0.0.255 any
> >>
> >> route-map nonat permit 10
> >>  match ip address 120
> >>
> >>
> >> RPA:
> >> crypto isakmp policy 11
> >>  encr 3des
> >>  hash md5
> >>  authentication pre-share
> >>  group 2
> >>  lifetime 28800
> >> crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
> >> crypto isakmp nat keepalive 30
> >> !
> >> !
> >> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> >> !
> >> crypto map VPNMAP 10 ipsec-isakmp
> >>  description Connection to WTC
> >>  set peer 66.135.65.98
> >>  set transform-set MYSET
> >>  match address 110
> >>  reverse-route static
> >> !
> >> !
> >> interface GigabitEthernet0/0
> >>  crypto map VPNMAP
> >>
> >> ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
> >> ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
> >>
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >>
> >> access-list 120 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 120 permit ip 192.168.4.0 0.0.0.255 any
> >>
> >> route-map nonat permit 10
> >>  match ip address 120
> >>
> >>
> >> The tunnel will not establish ...
> >> Yesterday it did come up, but would not pass traffic.
> >> Today, it's showing down on both sides:
> >>
> >> cpe-rpa-kal-gw-01#show crypto ses
> >> Crypto session current status
> >>
> >> Interface: GigabitEthernet0/0
> >> Session status: DOWN
> >> Peer: (gi0/0 of WTC) port 500
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>
> >> cpe-rpa-kal-gw-01#
> >>
> >>
> >> Logs for RPA show this when I remove 'crypto map VPNMAP' from gi0/0 and put it
> >> back:
> >>
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> >> *May 1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> >> *May 1 15:20:34.539: No peer struct to get peer description
> >> *May 1 15:20:34.539: No peer struct to get peer description
> >> *May 1 15:20:34.539: No peer struct to get peer description
> >> *May 1 15:20:34.539: No peer struct to get peer description
> >> cpe-rpa-kal-gw-01#
> >>
> >> cpe-rpa-kal-gw-01#show cry ses
> >> Crypto session current status
> >>
> >> Interface: GigabitEthernet0/0
> >> Session status: DOWN
> >> Peer: 66.135.65.98 port 500
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>
> >> cpe-rpa-kal-gw-01#
> >>
> >> Anyone see what I might be doing wrong?
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >
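Alex's question in the thread (are the two crypto ACLs exact mirrors of each other?) and his aside about the no-NAT configuration can both be checked mechanically against the WTC and RPA ACL lines Scott posted. The script below is an added example, not code from the thread: it embeds those ACL 110 and ACL 120 lines as sample input, reports every crypto-ACL entry whose source/destination-swapped twin is missing on the other router, and lists crypto flows that the nonat ACL does not deny (and therefore does not exempt from NAT); `to_net`, `flows` and `report` are names chosen here, and `any`/`host` entries are ignored by the parser.

```python
import ipaddress
import re

# Sample input constructed from the ACLs posted for each side in the thread.
WTC_CFG = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
"""
RPA_CFG = """
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
"""

# Only "ip <src> <wildcard> <dst> <wildcard>" entries; "any"/"host" forms do not match.
ACE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")

def to_net(addr, wildcard):
    """Cisco address + wildcard (inverted netmask) -> ip_network; wildcard 0.0.0.0 is a /32."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def flows(cfg, acl, action):
    """Set of (src_net, dst_net) pairs for one ACL number and action."""
    return {(to_net(s, sw), to_net(d, dw)) for n, a, s, sw, d, dw in ACE.findall(cfg)
            if n == str(acl) and a == action}

def report(local_cfg, remote_cfg):
    """Mirror check of ACL 110 against the far side, plus crypto flows ACL 120 does not deny."""
    local, remote = flows(local_cfg, 110, "permit"), flows(remote_cfg, 110, "permit")
    return {"unmirrored": {(s, d) for s, d in local if (d, s) not in remote},
            "nat_gap": local - flows(local_cfg, 120, "deny")}

if __name__ == "__main__":
    for side, cfg, other in (("WTC", WTC_CFG, RPA_CFG), ("RPA", RPA_CFG, WTC_CFG)):
        for key, entries in report(cfg, other).items():
            for s, d in sorted(entries, key=str):
                print(f"{side}: {key} {s} -> {d}")
```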