This license should be fine; the SEC-K9 was a requirement for 29xx, 39xx and 4xxx - but 28xx and 38xx just needed the right IOS.

As others have said - you should debug, while sourcing pings from the interesting source traffic. Maybe open IP on the ACL to the peer address while you are troubleshooting this, to make sure it is an IPsec issue, not an ACL issue.

-----Original Message-----
From: cisco-nsp <[email protected]> On Behalf Of Scott Miller
Sent: Tuesday, May 1, 2018 2:40 PM
To: Randy <[email protected]>
Cc: cisco-nsp <[email protected]>
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's

Cisco 3825 (revision 1.2) with 487424K/36864K bytes of memory.
Processor board ID FTX1422AH5E
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)

System image file is "flash:c3825-adventerprisek9-mz.151-4.M10.bin"

show license
Index 1 Feature: ios-ips-update

On Tue, May 1, 2018 at 11:57 AM, Randy <[email protected]> wrote:
> outside-in access-lists allow proto 50, udp 500 and udp 4500 if applicable?
>
> ________________________________
> From: Emille Blanc <[email protected]>
> To: Scott Miller <[email protected]>
> Cc: cisco-nsp <[email protected]>
> Sent: Tuesday, May 1, 2018 10:51 AM
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
> Forgive the obvious question;
> Are your 3800's licensed for IPSEC, and/or the grace period hasn't
> been exhausted if not?
> They require the SECK9 license.
>
> I'd maybe specify the local source-address in your crypto maps.
> Otherwise, nothing stands out as erroneous to me.
>
> -----Original Message-----
> From: cisco-nsp [mailto:[email protected]] On Behalf Of Scott Miller
> Sent: Tuesday, May 01, 2018 10:28 AM
> To: Alex K.
> Cc: cisco-nsp
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
> Both sides show the same.
>
> cpe-rpa-kal-gw-01#show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> cpe-rpa-kal-gw-01#
>
>
> wtc-mar-gw-01# show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> wtc-mar-gw-01#
>
>
> Debug of RPA side shows this when crypto map VPNMAP is removed and added
> back to gi0/0:
>
> *May 1 17:05:57.559: IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
> *May 1 17:05:57.559: IPSEC(rte_mgr): Delete Route found ID 3
> *May 1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
> *May 1 17:05:57.563: IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
> *May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 3
> *May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
> *May 1 17:05:57.563: IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
> *May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 4
> *May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
> *May 1 17:05:57.563: IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
> *May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 4
> *May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
> *May 1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> *May 1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>
>
> On Tue, May 1, 2018 at 10:45 AM, Alex K. <[email protected]> wrote:
>
> > Hi Scott,
> >
> > What state does "show cry isa sa" show the VPN ending in? Anyhow, your
> > configuration seems to be correct (I didn't go over the ACLs
> > though, I hope they're exact mirrors of each other). Does anything
> > suspicious show up with "debug cry isakmp"?
> >
> > Not passing traffic might be related to your no-nat configuration,
> > but in my humble opinion, you can safely put it aside till the VPN
> > reaches the so-called QM_IDLE state.
> >
> > Alex.
> >
> >
> > On Tue, 1 May 2018, 19:02, Scott Miller <[email protected]> wrote:
> >
> >> I'm trying to create a VPN on two Cisco 3825's, on the same ISP, in
> >> order to have access to each other's network.
> >>
> >> On each side, I have them built as follows:
> >>
> >> Site WTC Inside network
> >> 192.168.1.0/24
> >> 192.168.2.0/24
> >>
> >> Site RPA Inside network
> >> 192.168.3.0/24
> >> 192.168.4.0/24
> >>
> >> WTC:
> >> crypto isakmp policy 11
> >>  encr 3des
> >>  hash md5
> >>  authentication pre-share
> >>  group 2
> >>  lifetime 28800
> >> crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
> >> crypto isakmp nat keepalive 30
> >> !
> >> !
> >> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> >> !
> >> crypto map VPNMAP 10 ipsec-isakmp
> >>  description Connection to WTC
> >>  set peer 208.123.206.17
> >>  set transform-set MYSET
> >>  match address 110
> >>  reverse-route static
> >>
> >> interface GigabitEthernet0/0
> >>  crypto map VPNMAP
> >>
> >> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
> >>
> >> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >>
> >> access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 120 permit ip 192.168.2.0 0.0.0.255 any
> >>
> >> route-map nonat permit 10
> >>  match ip address 120
> >>
> >>
> >> RPA:
> >> crypto isakmp policy 11
> >>  encr 3des
> >>  hash md5
> >>  authentication pre-share
> >>  group 2
> >>  lifetime 28800
> >> crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
> >> crypto isakmp nat keepalive 30
> >> !
> >> !
> >> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> >> !
> >> crypto map VPNMAP 10 ipsec-isakmp
> >>  description Connection to WTC
> >>  set peer 66.135.65.98
> >>  set transform-set MYSET
> >>  match address 110
> >>  reverse-route static
> >> !
> >> !
> >> interface GigabitEthernet0/0
> >>  crypto map VPNMAP
> >>
> >> ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
> >> ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
> >>
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >>
> >> access-list 120 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 120 permit ip 192.168.4.0 0.0.0.255 any
> >>
> >> route-map nonat permit 10
> >>  match ip address 120
> >>
> >>
> >> The tunnel will not establish ...
> >> Yesterday it did come up, but would not pass traffic.
> >> Today, it's showing down on both sides:
> >>
> >> cpe-rpa-kal-gw-01#show crypto ses
> >> Crypto session current status
> >>
> >> Interface: GigabitEthernet0/0
> >> Session status: DOWN
> >> Peer: (gi0/0 of WTC) port 500
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>
> >> cpe-rpa-kal-gw-01#
> >>
> >>
> >> Logs for RPA show this when I remove 'crypto map VPNMAP' from gi0/0 and put it back:
> >>
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> >> *May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> >> *May 1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> >> *May 1 15:20:34.539: No peer struct to get peer description
> >> *May 1 15:20:34.539: No peer struct to get peer description
> >> *May 1 15:20:34.539: No peer struct to get peer description
> >> *May 1 15:20:34.539: No peer struct to get peer description
> >> cpe-rpa-kal-gw-01#
> >>
> >> cpe-rpa-kal-gw-01#show cry ses
> >> Crypto session current status
> >>
> >> Interface: GigabitEthernet0/0
> >> Session status: DOWN
> >> Peer: 66.135.65.98 port 500
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>
> >> cpe-rpa-kal-gw-01#
> >>
> >> Anyone see what I might be doing wrong?
> >> _______________________________________________
> >> cisco-nsp mailing list  [email protected]
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
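Alex's point that the two crypto ACLs must be exact mirrors of each other is easy to check mechanically. The script below is an added example, not code from the thread or from Cisco; it parses `access-list N permit ip` lines of the network/wildcard form used in the post and reports entries on one peer whose swapped (dst, src) counterpart is missing on the other, using the two ACL 110s posted above as sample input.

```python
"""Crypto-ACL mirror check for IOS crypto-map peers (added example).
Parses `access-list N permit ip A WC B WC` lines on both peers and lists
entries whose (dst, src) mirror is missing on the other side."""
from ipaddress import IPv4Network

def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair (192.168.1.0 0.0.0.255) -> IPv4Network."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False)

def parse_crypto_acl(config, number):
    """Set of (src, dst) networks from 'permit ip' entries of ACL `number`.
    Only the network/wildcard form is handled; host/any keywords are skipped."""
    entries = set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) != 8 or tok[:4] != ["access-list", number, "permit", "ip"]:
            continue
        entries.add((wildcard_to_network(tok[4], tok[5]), wildcard_to_network(tok[6], tok[7])))
    return entries

def unmirrored(local, remote):
    """Entries of `local` with no (dst, src) counterpart in `remote`, as 'src -> dst'."""
    return sorted(f"{s} -> {d}" for (s, d) in local if (d, s) not in remote)

def check_mirror(local_cfg, remote_cfg, number="110"):
    """Empty lists on both keys mean the peers' crypto ACLs are exact mirrors."""
    local = parse_crypto_acl(local_cfg, number)
    remote = parse_crypto_acl(remote_cfg, number)
    return {"local_only": unmirrored(local, remote),
            "remote_only": unmirrored(remote, local)}

# ACL 110 exactly as posted for each site in the thread.
WTC_ACL = """\
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
RPA_ACL = """\
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

if __name__ == "__main__":
    print(check_mirror(WTC_ACL, RPA_ACL))  # WTC's four RPA->WTC entries have no mirror
```

Run against the posted ACLs, it flags the four WTC entries whose source is an RPA network (192.168.3.0 and 192.168.4.0) as having no counterpart on the RPA side, while every RPA entry is mirrored on WTC.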
