VPN LAN to LAN IPSEC/GRE Tunnel problem - CISCO PIX

May 6, 2006
Dear Friends,

I am trying to set up a VPN LAN-to-LAN tunnel between our branch office and head office. First I will explain my existing setup: we have a 512k leased line between these offices and this acts as the primary link, with OSPF as the routing protocol. Now our management wants a backup for this 512k LL, so I planned to build a LAN-to-LAN GRE over IPsec tunnel through the Internet as backup. We have an Internet leased line in the head office and ADSL in our branch office, which comes through the Internet router and terminates on a Cisco PIX at both ends. We achieved Phase 1 ISAKMP but Phase 2 IPsec is still down. When we check the PIX logs, we can see only encrypted traffic at one end of the PIX and only decrypted traffic at the other end of the PIX; it is not happening vice versa. Even OSPF is showing INIT at one end of the router and the other end is showing nothing. Please find attached the configuration and logs of this scenario. Kindly analyse this problem and give us feedback.


Configuration:-
================

VPN LAN - LAN TUNNEL BETWEEN Head office (SIDE A) and Branch office (SIDE B)
=============================================================================

HO ROUTER -- SIDE A
=====================

interface Loopback13
 ip address 10.10.13.1 255.255.255.255

interface Tunnel2
 bandwidth 1024
 ip address 10.10.11.1 255.255.255.252
 ip route-cache flow
 ip ospf cost 400
 tunnel source Loopback13
 tunnel destination 10.10.13.9
end

router ospf 100
 network 10.10.11.0 0.0.0.3 area 0

ip route 10.10.13.9 255.255.255.255 192.168.101.253 (pix gateway)


HO PIX - SIDE A
==============

access-list bnc-tunnel-vpn permit ip host 10.10.13.1 host 10.10.13.9
access-list nonat permit ip host 10.10.13.1 host 10.10.13.9

crypto ipsec transform-set 3avalanche-md5 esp-3des esp-md5-hmac

crypto map forsberg 62 ipsec-isakmp
crypto map forsberg 62 match address bnc-tunnel-vpn
crypto map forsberg 62 set peer 77.69.xxx.xxx
crypto map forsberg 62 set transform-set 3avalanche-md5

isakmp policy 62 authentication pre-share
isakmp policy 62 encryption 3des
isakmp policy 62 hash md5
isakmp policy 62 group 2
isakmp policy 62 lifetime 86400

isakmp key ****** address 77.69.xxx.xxx netmask 255.255.255.255

route inside 10.10.13.1 255.255.255.255 192.168.101.254 (router gateway)

===========================================================


Branch office Router -- SIDE B
==================

interface Loopback13
 ip address 10.10.13.9 255.255.255.255

interface Tunnel2
 bandwidth 1024
 ip address 10.10.11.2 255.255.255.252
 ip route-cache flow
 ip ospf cost 400
 tunnel source Loopback13
 tunnel destination 10.10.13.1
end

router ospf 100
 network 10.10.11.0 0.0.0.3 area 0

ip route 10.10.13.1 255.255.255.255 10.6.10.251 (pix gateway)


BRANCH OFFICE PIX - SIDE B
=========================

access-list london-tunnel permit ip host 10.10.13.9 host 10.10.13.1
access-list nonat permit ip host 10.10.13.9 host 10.10.13.1

crypto ipsec transform-set 3avalanche-md5 esp-3des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address london-tunnel
crypto map outside_map 20 set peer 217.17.xxx.xxx
crypto map outside_map 20 set transform-set 3avalanche-md5

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

isakmp key ******* address 217.17.xxx.xxx netmask 255.255.255.255

route inside 10.10.13.9 255.255.255.255 10.6.10.254 (router gateway)

=================================================================================


LOGS:-
===============

interface: outside
Crypto map tag: outside_map, local addr. 77.69.XXX.XXX

local ident (addr/mask/prot/port): (10.10.13.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.13.1/255.255.255.255/0/0)
current_peer: 217.17.XXX.XXX:500
dynamic allocated peer ip: 0.0.0.0

PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 7244, #pkts decrypt: 7244, #pkts verify 7244
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 77.69.XX.XXX, remote crypto endpt.: 217.17.XXX.XXX
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: c4ad1ef6

inbound esp sas:
spi: 0x39a0baeb(966834923)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 7, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607803/13564)
IV size: 8 bytes
replay detection support: Y


local ident (addr/mask/prot/port): (10.10.13.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.13.9/255.255.255.255/0/0)
current_peer: 77.69.XXX.XXX:500
dynamic allocated peer ip: 0.0.0.0

PERMIT, flags={origin_is_acl,}
#pkts encaps: 42574, #pkts encrypt: 42574, #pkts digest 42574
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 32349, #recv errors 0

local crypto endpt.: 217.17.XXX.XXX, remote crypto endpt.: 77.69.XXX.XXX
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 39a0baeb

inbound esp sas:
spi: 0xc4ad1ef6(3299679990)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 22, crypto map: forsberg
sa timing: remaining key lifetime (k/sec): (4608000/13632)
IV size: 8 bytes
replay detection support: Y


Crypto Map "outside_map" 20 ipsec-isakmp
Peer = 217.17.XXX.XXX
access-list bahrain-tunnel; 1 elements
access-list bahrain-tunnel line 1 permit ip host 10.10.13.9 host 10.10.13.1 (hitcnt=6)
Current peer: 217.17.XXX.XXX
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ bnc-vpn-set, }


Crypto Map "forsberg" 62 ipsec-isakmp
Peer = 77.69.XXX.XXX
access-list bnc-tunnel-vpn; 1 elements
access-list bnc-tunnel-vpn line 1 permit ip host 10.10.13.1 host 10.10.13.9 (hitcnt=3761145)
Current peer: 77.69.XXX.XXX
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ 3avalanche-md5, }


crypto ipsec transform-set 3avalanche-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set bnc-vpn-set esp-3des esp-md5-hmac


Thanks in advance.

Regards,
C.R.Vidhu



Thanks,

C.R.Vidhu
CCNA & CCNP(Routing & Switching)
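The one-way symptom in the post (encaps rising on one PIX, decaps rising on the other, send errors climbing) can be spotted mechanically from `show crypto ipsec sa` output. The following is an added example, not part of the original post: it parses the SA counters into a small summary and classifies each SA as bidirectional, one-way or idle. The sample text is constructed from the counters posted above, with the public addresses replaced by placeholder values.

```python
import re

# Constructed sample modelled on the two SA blocks posted above (placeholder public IPs).
SAMPLE = """\
local ident (addr/mask/prot/port): (10.10.13.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.13.1/255.255.255.255/0/0)
current_peer: 217.17.0.1:500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 7244, #pkts decrypt: 7244, #pkts verify 7244
#send errors 0, #recv errors 0

local ident (addr/mask/prot/port): (10.10.13.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.13.9/255.255.255.255/0/0)
current_peer: 77.69.0.1:500
#pkts encaps: 42574, #pkts encrypt: 42574, #pkts digest 42574
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 32349, #recv errors 0
"""

# One SA block: the two proxy identities, then the encaps/decaps/send-error counters.
SA_RE = re.compile(
    r"local ident.*?: \((?P<local>[^/]+)/.*?"
    r"remote ident.*?: \((?P<remote>[^/]+)/.*?"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+).*?"
    r"#send errors (?P<send_err>\d+)",
    re.S,
)

def parse_sas(text):
    """Return one dict per SA block with the counters converted to ints."""
    return [
        {"local": m["local"], "remote": m["remote"],
         "encaps": int(m["encaps"]), "decaps": int(m["decaps"]),
         "send_err": int(m["send_err"])}
        for m in SA_RE.finditer(text)
    ]

def diagnose(sa):
    """A healthy SA carries traffic both ways and reports no send errors."""
    if sa["encaps"] and not sa["decaps"]:
        verdict = "one-way: encrypting, nothing decrypted from peer"
    elif sa["decaps"] and not sa["encaps"]:
        verdict = "one-way: decrypting, nothing routed into the tunnel"
    elif sa["encaps"] and sa["decaps"]:
        verdict = "bidirectional"
    else:
        verdict = "idle: no traffic either way"
    if sa["send_err"]:
        verdict += f"; {sa['send_err']} send errors"
    return verdict
```

Run `for sa in parse_sas(SAMPLE): print(sa["local"], "->", sa["remote"], diagnose(sa))` against a pasted `show crypto ipsec sa` capture from each PIX; an SA that is one-way on both ends in opposite directions points at the return path (routing into the tunnel, crypto ACL or NAT exemption on the side that only decrypts) rather than at Phase 1.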
 