
point to point VPN does not reconnect.


StaplesMan (Technical User), Mar 8, 2006
I have a Cisco 1721 router at my home behind a VOIP router, and my brother (Seth) has a Cisco 1720 router behind his VOIP router. My VOIP router has a DMZ pointing to my Cisco 1721 router.

We wanted to build a VPN between our networks, so I have configured the routers as follows. Before shipping his router to him, I connected it up locally and at my work for testing.

So far the VPN will connect just fine, both connected back to back (at home) and at work over the internet. The VPNs establish and will stay connected all day as long as data is sent. But once data stops sending, after a few minutes the VPN will shut down and will not start back up. There is no command I can issue that will reconnect the VPN. The only fix is to restart the routers.

On my home router the Fa0 is the internet port. (IP:192.168.7.2 in this example)

On the remote router the E0 is the internet port. DHCP

Also, on my home router I have two VPN connections: map clientmap and map vpn. The clientmap is for the Cisco VPN client, and vpn is for the point-to-point VPN that I'm having the problem with. I currently have the map vpn applied to the Fa0 interface.

Any and all advice would be helpful.

Thanks,
Bobby


****************( My Home Router 1721 )*****************************

version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname FireWall
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
memory-size iomem 25
clock timezone CST -6
clock summer-time cdt recurring
no ip source-route
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain round-robin
ip domain name gage.local
ip name-server 204.127.203.135
ip name-server 216.148.225.135
ip name-server 4.2.2.2

!
!
!
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxx
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group xxxxxx
key xxxxxxxxxxxxxxxxxxxxx
dns 192.168.78.1
wins 192.168.78.1
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto dynamic-map rtpmap 11
set transform-set vpnset
match address 115
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
crypto map vpn 11 ipsec-isakmp dynamic rtpmap
!
!
!
interface Loopback1
ip address 10.0.0.1 255.255.255.248
!
interface Ethernet5
no ip address
shutdown
half-duplex
!
interface FastEthernet0
mac-address 0004.dc0c.b55b
ip ddns update access.rkgage.net
ip address dhcp
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
rate-limit output access-group 2020 512000 256000 786000 conform-action transmit exceed-action drop
no ip route-cache cef
no ip route-cache
speed auto
no cdp enable
crypto map vpn
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
ip address 192.168.78.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool ippool 192.168.79.100 192.168.79.200
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0 overload

ip dns server
!
logging source-interface Vlan1
logging 192.168.78.1
access-list 101 deny ip any 192.168.11.0 0.0.0.255
access-list 101 deny ip any 192.168.79.0 0.0.0.255
access-list 101 deny ip any 192.168.10.0 0.0.0.255
access-list 101 permit ip any any
access-list 103 remark Inbound Access List logging
access-list 103 deny tcp any any eq ftp
access-list 103 permit udp any any eq bootpc
access-list 103 permit icmp any any
access-list 103 permit ip 192.168.79.0 0.0.0.255 any
access-list 103 permit ip 192.168.7.0 0.0.0.255 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 0.0.0.0 0.255.255.255 any log
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny ip 169.254.0.0 0.0.255.255 any log
access-list 103 deny ip 192.0.2.0 0.0.0.255 any log
access-list 103 deny ip 198.18.0.0 0.1.255.255 any log
access-list 103 deny ip 224.0.0.0 15.255.255.255 any log
access-list 103 permit ip any any
access-list 108 permit ip 10.0.0.0 0.0.0.7 any
access-list 108 permit ip 192.168.78.0 0.0.0.255 any
access-list 108 permit ip 192.168.79.0 0.0.0.255 any
access-list 115 permit ip 192.168.78.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 2020 permit icmp any any echo
snmp-server community public RO
!
control-plane
!
****************( Remote Location Router 1720 )*****************************


version 12.3
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname SethFirewall
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
memory-size iomem 25
clock timezone MST -6
clock summer-time cdt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain round-robin
ip domain name coridan.local
ip name-server 204.127.203.135
ip name-server 216.148.225.135
ip name-server 4.2.2.2
!
ip dhcp pool seth
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 208.67.220.220 208.67.222.222
netbios-name-server 192.168.10.1
!
ip cef
ip audit po max-events 100
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxx
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxxxxx address 192.168.7.2
!

crypto ipsec transform-set vpnset esp-des esp-md5-hmac
!
!
crypto map vpn 1 ipsec-isakmp
set peer 192.168.7.2
set transform-set vpnset
match address 115
!
!
!
interface Ethernet0
mac-address 0000.1231.1234
bandwidth 512
ip address dhcp
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip route-cache cef
no ip route-cache
half-duplex
no cdp enable
crypto map vpn
!
interface FastEthernet0
ip address 192.168.10.1 255.255.255.0
ip nat inside
speed auto
!
ip local pool ippool 192.168.79.100 192.168.79.200
ip nat inside source list 101 interface Ethernet0 overload
ip classless
no ip http server
no ip http secure-server
!
ip dns server
!
logging source-interface FastEthernet0
logging 192.168.78.1
access-list 101 deny ip any 192.168.78.0 0.0.0.255
access-list 101 deny ip any 192.168.79.0 0.0.0.255
access-list 101 permit ip any any
access-list 103 remark Inbound Access List logging
access-list 103 deny tcp any any eq ftp
access-list 103 permit udp any any eq bootpc
access-list 103 permit icmp any any
access-list 103 permit ip 192.168.79.0 0.0.0.255 any
access-list 103 permit ip 192.168.7.0 0.0.0.255 any
access-list 103 permit ip 192.168.78.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 0.0.0.0 0.255.255.255 any log
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny ip 169.254.0.0 0.0.255.255 any log
access-list 103 deny ip 192.0.2.0 0.0.0.255 any log
access-list 103 deny ip 198.18.0.0 0.1.255.255 any log
access-list 103 deny ip 224.0.0.0 15.255.255.255 any log
access-list 103 permit ip any any
access-list 108 permit ip host 192.168.11.1 any
access-list 108 permit ip 192.168.10.0 0.0.0.255 any
access-list 108 permit ip 192.168.79.0 0.0.0.255 any
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 2020 permit icmp any any echo
!


CCNA, A+, HP Certified Professional
 
don't quite understand... How would I do that?

CCNA, A+, HP Certified Professional
 
Whoops---I misread---I thought it said that the Cisco routers were behind VPN routers...

Do you have ISAKMP ports statically NATted in the VoIP routers? Are they Vonage or something? Are these VoIP routers capable of handling the VPN?

I have never set up a VPN BEHIND routers---the VPN devices (always Cisco) have been the edge devices...your config may not jive with NAT too well...

Burt
 
All I can say about whether the VOIP boxes support VPNs or not is that the connection seems to establish and work reliably, but just stops after no activity.

On my end (home router) it is statically NATted, via a DMZ static IP. (Dynamically assigned by MAC, so it always gets the same IP from the VOIP box.) The VOIP boxes we are using on both ends are Linksys SPA-2102 units.

Now to top it off last week I had both units connected back to back and had this problem where the network would drop and then not reconnect. But now after cleaning up the config for posting online it seems that this problem no longer exists.

I left the routers connected over night and this morning I was able to ping over the vpn without any problems.

CCNA, A+, HP Certified Professional
 
Seeing the above seems fixed, I do have another question. In my home config where I have two different crypto maps, for me to connect using my Cisco VPN client software I must change the crypto map on the interface to clientmap instead of vpn. But of course the P2P VPN then goes down.

From my understanding if I was to change the following config it would allow both to be connected at the same time. But from my testing this does not seem to work.

I know I must be missing something. If I'm doing everything correctly then I can get you more detailed error messages. But I think I'm missing something else that may need to be changed. Can you give any advice?

Thanks!

******** Current Config ******
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
crypto map vpn 11 ipsec-isakmp dynamic rtpmap


******** New config **********
crypto map vpn client authentication list userauthen
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic dynmap
!
crypto map vpn 11 ipsec-isakmp dynamic rtpmap



CCNA, A+, HP Certified Professional
 
Got me on that one...had a post myself about the same thing...screwed up my ssh rsa keys...had to keep only my remote access map...

Burt
 
Never gave the answer to my original problem. The fix was to place IP Crypto isakmp keepalive 10 on the client side, and that fixed the disconnection problems.

CCNA, A+, HP Certified Professional
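The fix in the last post is Dead Peer Detection: without `crypto isakmp keepalive`, a peer whose NAT mapping silently expires leaves a stale SA that IOS never re-negotiates. The following is an added example, not code from the thread or from Cisco: a small Python linter that checks an IOS config for that missing keepalive and for a few related weaknesses visible in the posted configs (wildcard pre-shared key, DES/MD5 transform set, a crypto map defined but applied to no interface, default SNMP community). The sample config is a constructed excerpt modelled on the home-router config, not the full posted config.

```python
import re

# Constructed excerpt modelled on the home-router config in this thread;
# the keepalive line is deliberately absent, as in the original problem.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map vpn 11 ipsec-isakmp dynamic rtpmap
interface FastEthernet0
 ip address dhcp
 crypto map vpn
snmp-server community public RO
"""

WEAK_ALGOS = {"esp-des", "esp-md5-hmac"}

def audit_ios_ipsec(text):
    """Return (severity, message) findings for a Cisco IOS IPsec/ISAKMP config."""
    top = [l for l in text.splitlines() if l and not l[0].isspace()]  # global commands
    sub = [l.strip() for l in text.splitlines() if l[:1].isspace()]   # interface/policy lines
    findings = []
    # 1. Dead Peer Detection: without keepalives a peer that silently drops
    #    (e.g. a NAT box expiring its idle UDP/500 mapping) leaves a stale SA
    #    that is never torn down or re-negotiated; this is the hang in the thread.
    if not any(l.startswith("crypto isakmp keepalive") for l in top):
        findings.append(("high", "no 'crypto isakmp keepalive': stale SAs are never detected"))
    # 2. A pre-shared key bound to 0.0.0.0 0.0.0.0 is accepted from any peer address.
    if any(re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$", l) for l in top):
        findings.append(("medium", "pre-shared key bound to 0.0.0.0 0.0.0.0 (any peer)"))
    # 3. Weak algorithms in transform sets (single DES, MD5 HMAC).
    for l in top:
        if l.startswith("crypto ipsec transform-set"):
            name, algos = l.split()[3], set(l.split()[4:])
            if algos & WEAK_ALGOS:
                findings.append(("medium", f"transform-set {name} uses {sorted(algos & WEAK_ALGOS)}"))
    # 4. IOS binds one crypto map per interface; a map defined but applied nowhere is dead config.
    defined = {l.split()[2] for l in top if l.startswith("crypto map ")}
    applied = {l.split()[2] for l in sub if l.startswith("crypto map ")}
    for name in sorted(defined - applied):
        findings.append(("low", f"crypto map {name} defined but applied to no interface"))
    # 5. Default read-only SNMP community string.
    if any(l.startswith("snmp-server community public") for l in top):
        findings.append(("low", "SNMP community 'public' configured"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_ios_ipsec(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Appending `crypto isakmp keepalive 10` to the sample clears the high-severity finding; the remaining items are the hardening points the thread's configs would still benefit from.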
 