
VPN Ipsec config problem


Luxxor (Technical User), Feb 27, 2009
Hi folks,
I configured 2x 2621 routers redundantly with HSRP, and they [R1 should make a VPN connection with the KR router].
Somehow the VPN connection is not working as I hoped.
Here is my config, and I'm really thankful for any help.

KR#show run
Building configuration...
Current configuration : 1805 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KR
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip audit po max-events 100
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key avodaq address 10.1.3.10 255.255.255.224
crypto isakmp keepalive 10
crypto isakmp profile cisco
description cisco
keyring default
self-identity address
match identity address 10.1.3.21 255.255.255.224
keepalive 10 retry 2
crypto ipsec optional retry 60
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile cisco
description cisco
set security-association lifetime seconds 3600
set isakmp-profile cisco
!
!
crypto map VPN-2-R1 10 ipsec-isakmp
set peer 10.1.3.10
set transform-set VPN
set pfs group2
match address 110
qos pre-classify
!
!
interface Tunnel0
ip address 10.1.3.90 255.255.255.224
tunnel source 10.1.3.21
tunnel destination 10.1.3.10
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 10.1.3.21 255.255.255.224
speed 100
full-duplex
crypto map VPN-2-R1
!
interface FastEthernet0/1
ip address 10.1.3.62 255.255.255.224
speed 100
full-duplex
!
no ip http server
no ip http secure-server
ip classless
ip route 10.1.2.0 255.255.255.224 10.1.3.10
!
!
access-list 110 permit ip 10.1.3.32 0.0.0.31 10.1.3.0 0.0.0.31
access-list 111 deny ip 10.1.3.32 0.0.0.31 10.1.3.0 0.0.0.31
access-list 112 permit ip any any
!
line con 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
!
end
>>>>>>>>>> And this is the R1<<<<<<<<<

R1#show run
Building configuration...

Current configuration : 2070 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot system flash
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
ip audit po max-events 100
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key avodaq address 10.1.3.21 255.255.255.224
crypto isakmp keepalive 10
crypto isakmp profile cisco
description cisco
keyring default
self-identity address
match identity address 10.1.3.20 255.255.255.224
keepalive 10 retry 2
crypto ipsec optional retry 60
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile cisco
description cisco
set security-association lifetime seconds 3600
set isakmp-profile cisco
!
!
crypto map VPN-2-KR 10 ipsec-isakmp
set peer 10.1.3.21
set transform-set VPN
set pfs group1
match address 111
qos pre-classify
!
interface Tunnel0
ip address 10.1.3.91 255.255.255.224
tunnel source 10.1.3.10
tunnel destination 10.1.3.21
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 10.1.3.20 255.255.255.224
duplex auto
speed 100
standby 1 ip 10.1.3.10
standby 1 timers 3 4
standby 1 priority 120
standby 1 preempt
crypto map VPN-2-KR
!
interface FastEthernet0/1
ip address 10.1.2.20 255.255.255.224
duplex auto
speed 100
standby ip 10.1.2.2
standby timers 3 4
standby priority 120
standby preempt
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.3.21
!
access-list 111 permit ip 10.1.2.0 0.0.0.31 10.1.3.64 0.0.0.31
access-list 111 permit ip 10.1.2.0 0.0.0.31 10.1.3.0 0.0.0.31
access-list 112 deny ip 10.1.2.0 0.0.0.31 10.1.3.0 0.0.0.31
access-list 113 permit ip any any
!
line con 0
password cisco
login
line aux 0
password cisco
login
line vty 0 4
password cisco
login
transport input all
!
end
 
Have you tried running any debugs??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hello
Is this a lab setup? Also, what problems are you having? Please post a "show crypto isakmp sa", "show crypto ipsec sa" and the conf of the other redundant router.
Regards
 
Yes, it's a lab config for my trainee final exam project.
The problem is that I get this message every time I ping the other end of the network.


*Mar 1 08:31:02.385: IPSEC(validate_transform_proposal): invalid local address 10.1.3.10
*Mar 1 08:31:02.385: ISAKMP (0:5): IPSec policy invalidated proposal
*Mar 1 08:31:02.385: ISAKMP (0:5): phase 2 SA policy not acceptable!
(local 10.1.3.10 remote 10.1.3.21)
*Mar 1 08:31:02.389: ISAKMP (0:5): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:
for node 114125970: state = IKE_QM_READY
*Mar 1 08:31:02.389: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.1.3.21

KR#show crypto isakmp sa detail
C-id Local Remote I-VRF Encr Hash Auth DH Lifetime Cap.
1 10.1.3.21 10.1.3.20 3des md5 psk 2 07:59:01 D

KR#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: VPN-2-R1, local addr. 10.1.3.21

protected vrf:
local ident (addr/mask/prot/port): (10.1.3.32/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.224/0/0)
current_peer: 10.1.3.10:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0

local crypto endpt.: 10.1.3.21, remote crypto endpt.: 10.1.3.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0

inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
 
Hello
I don't know where you got the example for your conf. But in Cisco white papers I have never seen such an implementation. You are trying to use GRE over IPsec and IPsec VTIs at the same time. It's one or the other, which means you would have to remove the crypto map and leave the ipsec profile, or the other way around. Also, to do high-availability VPNs you don't use tunnel interfaces, nor point the IPsec tunnel to the HSRP virtual address. If I may say so, your configuration is full of errors. If it's high-availability VPNs you want to configure, I can send you a link or guide you through the steps.
Regards
 
Yes, you're right; in the meantime I noticed it :)
So I deconfigured the GRE tunnel and the ipsec profile … anyway I still have the same problem, I think because of the HSRP VIP. Anyway, if you can send me a link or guide steps that would be great.
And thank you :)
 
Hello
Can you post your present confs? For what it's worth, I did some searching around and I found a Cisco implementation with the HSRP virtual IP terminating the tunnel. So your setup is possible. As far as real life goes, I think it would be difficult to provision because you would need a switch on the front end.
You may be running into problems because the VPN gateways are in the same subnet. You would normally need a router in the middle of the two VPN gateways, playing the part of an ISP. Just like in the below link.


Regards
 
Hi, thank you very much for the informative link; finally my VPN config with HSRP is working. The only tricky part is lines 9 and 11.
I had to give a name to the HSRP group, and when configuring the crypto map on the interface it's IMPORTANT that I use redundancy <HSRP Name>; without that command the redundancy is not going to work.

EXP:
1. interface FastEthernet0/0
2. ip address 10.1.3.20 255.255.255.224
3. duplex auto
4. speed 100
5. standby 1 ip 10.1.3.10
6. standby 1 timers 3 4
7. standby 1 priority 120
8. standby 1 preempt
9. standby 1 name VPN-KR
10. standby 1 track FastEthernet0/1
11. crypto map VPN-2-KR redundancy VPN-KR

If you like I can post my 2 router configs.
 
Hello
That's nice to hear. Yes, I would like to see the confs of all 3 routers. Also, did you set up the lab with the mystery router that divides the subnets?
Regards
 
Hi,
No, I didn't set up a mystery router.
And it looks like I have a new problem, no, challenge, with HSRP :)
I can transport data through the VPN without any problem and the HSRP VIP 10.1.3.10 is also working without any problem, but the VIP 10.1.2.2 is not working as it should.

EXP:
When I transport data from PC1 to PC2 it goes through the VPN, and when I unplug the router (R1) E1 port then it should deliver the data through the router (R2) E0.
Exactly what it does not do!!!

In R2 I get this error message:
*Mar 1 01:45:55.167: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.1.2.4, src_addr= 10.1.3.60, prot= 1

(active Router)
E0------R1----E1
| |
PC1--KR-- (vpn)-- 10.1.3.10(hsrp)10.1.2.2-- PC2
(Router)
| |
E1----R2----E0
(Standby Router)


[[[KR ROUTER]]]
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key avodaq address 10.1.3.10 255.255.255.224
crypto isakmp keepalive 10
crypto ipsec optional retry 60
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map VPN-2-R1 10 ipsec-isakmp
set peer 10.1.3.10
set transform-set VPN
set pfs group2
match address 100
!
!
interface Loopback0
ip address 20.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.3.21 255.255.255.224
ip access-group 101 in
speed 100
full-duplex
crypto map VPN-2-R1
!
interface FastEthernet0/1
ip address 10.1.3.62 255.255.255.224
speed 100
full-duplex
!
no ip http server
no ip http secure-server
ip classless
ip route 10.1.2.0 255.255.255.224 10.1.3.10
ip route 99.99.99.99 255.255.255.255 10.1.3.10
!
access-list 100 permit ip 10.1.3.32 0.0.0.31 10.1.2.0 0.0.0.31
access-list 100 permit ip 10.1.3.32 0.0.0.31 host 99.99.99.99

[[[R1]]]
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86000
crypto isakmp key avodaq address 10.1.3.21 255.255.255.224
crypto isakmp keepalive 10
crypto ipsec optional retry 60
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map VPN-2-KR 10 ipsec-isakmp
description cisco
set peer 10.1.3.21
set transform-set VPN
set pfs group2
match address 111
!
!
interface Loopback0
ip address 99.99.99.99 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.3.20 255.255.255.224
duplex auto
speed 100
standby 1 ip 10.1.3.10
standby 1 timers msec 999 2
standby 1 priority 120
standby 1 preempt
standby 1 name VPN-KR
standby 1 track FastEthernet0/1
crypto map VPN-2-KR redundancy VPN-KR
!
interface FastEthernet0/1
ip address 10.1.2.20 255.255.255.224
duplex auto
speed 100
standby ip 10.1.2.2
standby timers msec 999 2
standby priority 120
standby preempt
standby track FastEthernet0/0
!
router rip
network 10.0.0.0
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.3.21
ip route 20.1.1.1 255.255.255.255 10.1.3.21
!
access-list 111 permit esp 10.1.2.0 0.0.0.31 10.1.3.32 0.0.0.31
access-list 111 permit ip 10.1.2.0 0.0.0.31 10.1.3.32 0.0.0.31
access-list 111 permit ip 10.1.2.0 0.0.0.31 host 20.1.1.1

[[[R2]]]
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key avodaq address 10.1.3.21 255.255.255.224
crypto isakmp keepalive 10
crypto ipsec optional retry 60
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map VPN-2-KR 10 ipsec-isakmp
description cisco
set peer 10.1.3.21
set transform-set VPN
set pfs group2
match address 112
!
!
interface Loopback0
ip address 20.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.2.30 255.255.255.224
speed auto
full-duplex
standby ip 10.1.2.2
standby timers msec 999 2
standby priority 110
standby preempt
standby track FastEthernet0/1
!
interface FastEthernet0/1
ip address 10.1.3.30 255.255.255.224
duplex auto
speed 100
standby track FastEthernet0/0
standby 1 ip 10.1.3.10
standby 1 timers msec 999 2
standby 1 priority 110
standby 1 preempt
standby 1 name VPN-2-KR1
crypto map VPN-2-KR redundancy VPN-2-KR1
!
router rip
network 10.0.0.0
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.3.21
!
!
access-list 112 permit ip 10.1.2.0 0.0.0.31 10.1.3.32 0.0.0.31
access-list 112 permit ip 10.1.2.0 0.0.0.31 host 20.1.1.1
access-list 112 permit esp 10.1.2.0 0.0.0.31 10.1.3.32 0.0.0.31

 
Hello
Thanks for the conf. I think you may have a problem with the physical setup. It's not very clear to me. Can you please explain how the routers are inter-connected? Also, I would try to troubleshoot the problem by killing the second HSRP on the LAN.
Regards
 
KR Router is a C2621
R1 also 2621
R2 also 2621
SW1 is a 2940
SW2 is a 3550

Router  Ethernet port  Switch  Switch port
KR      e1             SW1     0/7
KR      e0             SW1     0/6
R1      e0             SW1     0/1
R1      e1             SW2     0/3
R2      e1             SW1     0/4
R2      e0             SW2     0/2

On SW1 port 5 is PC 1
And SW2 port 0/6 is the PC 2
 
So I finally finished the troubleshooting :D and I found the problem!
The problem was on the router (R1) HSRP group 1.
As you see, for the command track FastEthernet 0/1 I put 20, because by default it will just subtract 10.
The problem was that after the opposite line went down, both interfaces were at the same high priority.

I hope you know what I mean :)

interface FastEthernet0/0
ip address 10.1.3.20 255.255.255.224
duplex auto
speed 100
standby 1 ip 10.1.3.10
standby 1 timers msec 999 2
standby 1 priority 120
standby 1 preempt
standby 1 authentication 123
standby 1 name VPN-KR
standby 1 track FastEthernet0/1 20
crypto map VPN-2-KR redundancy VPN-KR

interface FastEthernet0/1
ip address 10.1.2.20 255.255.255.224
duplex auto
speed 100
standby 2 ip 10.1.2.2
standby 2 timers msec 999 2
standby 2 priority 110
standby 2 preempt
standby 2 authentication 321


anyway thank you very much :)
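The tie described in the last post is worth seeing in numbers, because the crypto map is bound to the HSRP active state via the redundancy keyword, so whichever router keeps the active role also keeps the tunnel. As an added example (not from the thread), this Python model replays group 1 from the configs above with R1's tracked Fa0/1 down, once with the IOS default decrement of 10 and once with the 20 the poster used; the preemption rule it models is that a router only takes over when its effective priority is strictly higher than the current active router's.

```python
from dataclasses import dataclass, field

@dataclass
class HsrpMember:
    name: str
    ip: str
    priority: int
    preempt: bool = True
    tracks: dict = field(default_factory=dict)  # tracked interface -> decrement

    def effective_priority(self, down_links):
        # Each tracked interface that is down subtracts its decrement (IOS default 10).
        lost = sum(dec for ifc, dec in self.tracks.items() if (self.name, ifc) in down_links)
        return self.priority - lost

def hsrp_active(members, current_active, down_links):
    """Who holds the active role once the listed (router, interface) links are down.
    Modelled rule: a preempting router takes over only with a strictly higher
    effective priority; an equal priority leaves the current active router in place."""
    best = next(m for m in members if m.name == current_active)
    for m in members:
        if m.preempt and m.effective_priority(down_links) > best.effective_priority(down_links):
            best = m
    return best.name

def group1_active_after_r1_lan_failure(decrement):
    """Group 1 (VIP 10.1.3.10) as posted: R1 priority 120 tracking Fa0/1,
    R2 priority 110 tracking Fa0/0. Simulates R1's Fa0/1 (its LAN side) going down."""
    r1 = HsrpMember("R1", "10.1.3.20", 120, tracks={"FastEthernet0/1": decrement})
    r2 = HsrpMember("R2", "10.1.3.30", 110, tracks={"FastEthernet0/0": 10})
    return hsrp_active([r1, r2], "R1", {("R1", "FastEthernet0/1")})

def group1_active_all_links_up():
    r1 = HsrpMember("R1", "10.1.3.20", 120, tracks={"FastEthernet0/1": 10})
    r2 = HsrpMember("R2", "10.1.3.30", 110, tracks={"FastEthernet0/0": 10})
    return hsrp_active([r1, r2], "R1", set())
```

With the default decrement R1 drops to 110, equal to R2, and stays active with a dead LAN port; with 20 it drops to 100 and R2 preempts, moving the VIP and the tunnel with it.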
 