Cisco Systems IPSec Tunnel problem, need help !!

Posted by yellow on January 2, 2007, 4:54 am
Hi,

I've two sites (SG & KL) running Cisco routers and connected with an
IPsec tunnel. Recently, a new subnet was created in 'KL'. I've modified
the crypto ACL to include the new subnet in both routers' settings.
Unfortunately, SG's workstations fail to connect to the new subnet in
'KL'. When I checked both routers' crypto map status, it said the ISAKMP
SA failed to establish.

Under the existing tunnel setting, both subnets are under the same ISAKMP
& IPsec profile, as well as the same secret key. Why can't the SA for the
new subnet be established, while the old subnet works without any
problem? Any thoughts?

To my understanding, both routers negotiate and exchange local network
parameters; if both parameters & profile match, the SA will be
established. Will these routers attempt to connect to the new subnet
during SA negotiation? As the new subnet is connected to another router
behind the LAN, the router may not have access to it during the
negotiation stage. Would that be the cause? I only want to ensure the SA
will be established; I'll troubleshoot the connectivity issue later.

Below are the 'sh cry isakmp sa' output & both routers' configurations
for your reference:

SGoff1#sh cry isa sa
dst             src             state        conn-id  slot
190.22.13.129   218.101.136.5   MM_NO_STATE  155      0     (deleted)
218.101.136.5   190.22.13.129   QM_IDLE      156      0

SG router:-
crypto isakmp key xxxxx address 200.75.1.254

crypto map KLoff1 1 ipsec-isakmp
set peer 200.75.1.254
set transform-set esp-3des-sha
match address KL-SG

interface FastEthernet0/0
description Outside
ip address 218.101.136.5 255.255.255.128
crypto map YNRVPN28501
!
interface FastEthernet0/1
description Outside
ip address 192.168.146.1 255.255.255.0
crypto map YNRVPN28501

ip access-list extended KL-SG
permit ip 192.168.146.0 0.0.0.255 host 190.22.13.129 <- workable
permit ip 172.168.192.0 0.0.0.63 host 190.22.13.129 <- failed !!

KL router:-
crypto isakmp key xxxxx address 218.101.136.5

crypto map SGoff1 1 ipsec-isakmp
set peer 204.10.132.5
set transform-set esp-3des-sha
match address SG-KL
!
interface FastEthernet0/0
description Outside
ip address 200.75.1.254 255.255.255.252
ip nat outside
crypto map SGoff1
!
interface FastEthernet0/1
description Inside
ip address 190.22.13.129 255.255.255.128
ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.75.1.253
!
ip nat inside source list sg-nat interface FastEthernet0/1 overload
!
ip access-list extended SG-KL
permit ip host 190.22.13.129 192.168.146.0 0.0.0.255 <- workable
permit ip host 190.22.13.129 172.168.192.0 0.0.0.63 <- failed !!
ip access-list extended sg-nat
permit ip any 192.168.146.0 0.0.255.255
permit ip any 172.168.192.0 0.0.0.63


Posted by Al on January 2, 2007, 2:26 pm

The peer addresses don't appear to add up:

!
crypto map SGoff1 1 ipsec-isakmp
set peer 204.10.132.5
!
crypto isakmp key xxxxx address 218.101.136.5
!

Shouldn't it be 'set peer 218.101.136.5' on the KL router?
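The mismatch Al spotted (a 'set peer' address with no matching 'crypto isakmp key ... address') is one of two config errors that reliably stop a site-to-site SA, the other being crypto ACLs that are not exact mirror images, which breaks only the one subnet pair whose proxy IDs disagree. The script below is an added example written for this thread, not code from any of the posters or from Cisco; it parses the crypto-map, isakmp-key and extended-ACL lines of an IOS config and reports both problems. The two config strings are constructed from the SG and KL configs posted above, with the KL peer typo left in so the check has something to find. The function names (parse_config, check_peers, check_mirror, audit) are this example's own.

```python
"""Added example (not code from the thread): cross-check two IOS crypto-map
configs for the two mismatches that keep a site-to-site SA from coming up:
'set peer' with no matching 'crypto isakmp key ... address', and crypto ACLs
that are not mirror images of each other."""
import ipaddress

# Constructed from the SG and KL configs posted above, with Al's peer typo left in.
SG_CONFIG = """
crypto isakmp key xxxxx address 200.75.1.254
crypto map KLoff1 1 ipsec-isakmp
 set peer 200.75.1.254
 set transform-set esp-3des-sha
 match address KL-SG
ip access-list extended KL-SG
 permit ip 192.168.146.0 0.0.0.255 host 190.22.13.129
 permit ip 172.168.192.0 0.0.0.63 host 190.22.13.129
"""
KL_CONFIG = """
crypto isakmp key xxxxx address 218.101.136.5
crypto map SGoff1 1 ipsec-isakmp
 set peer 204.10.132.5
 set transform-set esp-3des-sha
 match address SG-KL
ip access-list extended SG-KL
 permit ip host 190.22.13.129 192.168.146.0 0.0.0.255
 permit ip host 190.22.13.129 172.168.192.0 0.0.0.63
"""

def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> network. Only a contiguous run of low-order 1 bits is a prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def _operand(tok):
    """Consume one ACL address operand (host A | any | A WILDCARD); return (network, rest)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return wildcard_to_network(tok[0], tok[1]), tok[2:]

def parse_config(text):
    """Pull out pre-shared-key peers, crypto map entries and the ACLs they match."""
    cfg = {"key_peers": set(), "maps": [], "acls": {}}
    cur_map = cur_acl = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok:
            cfg["key_peers"].add(ipaddress.ip_address(tok[tok.index("address") + 1]))
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[4] == "ipsec-isakmp":
            cur_map = {"name": tok[2], "seq": int(tok[3]), "peer": None, "acl": None}
            cfg["maps"].append(cur_map)
        elif tok[:2] == ["set", "peer"] and cur_map:
            cur_map["peer"] = ipaddress.ip_address(tok[2])
        elif tok[:2] == ["match", "address"] and cur_map:
            cur_map["acl"] = tok[2]
        elif tok[:3] == ["ip", "access-list", "extended"]:
            cur_acl = cfg["acls"].setdefault(tok[3], [])
        elif tok[:2] == ["permit", "ip"] and cur_acl is not None:
            src, rest = _operand(tok[2:])
            dst, _ = _operand(rest)
            cur_acl.append((src, dst))
        elif tok[0] == "interface":   # interface blocks end any map/ACL context
            cur_map = cur_acl = None
    return cfg

def check_peers(cfg, label):
    """IKE phase 1 needs a pre-shared key for the exact address each map peers with."""
    out = []
    wildcard_key = ipaddress.ip_address("0.0.0.0") in cfg["key_peers"]
    for m in cfg["maps"]:
        if m["peer"] is None:
            out.append(f"{label}: crypto map {m['name']} {m['seq']} has no 'set peer'")
        elif m["peer"] not in cfg["key_peers"] and not wildcard_key:
            keys = ", ".join(sorted(map(str, cfg["key_peers"])))
            out.append(f"{label}: crypto map {m['name']} {m['seq']} peers with {m['peer']} "
                       f"but isakmp keys exist only for [{keys}]")
    return out

def check_mirror(cfg_a, label_a, cfg_b, label_b):
    """Quick Mode proxy IDs must match exactly: every (src, dst) on one side needs a
    (dst, src) twin on the other. A lone entry breaks only that subnet pair."""
    pairs_a = {p for m in cfg_a["maps"] for p in cfg_a["acls"].get(m["acl"], [])}
    pairs_b = {(d, s) for m in cfg_b["maps"] for s, d in cfg_b["acls"].get(m["acl"], [])}
    out = [f"{label_a} protects {s} -> {d} but {label_b} has no mirror entry"
           for s, d in sorted(pairs_a - pairs_b, key=str)]
    out += [f"{label_b} protects {d} -> {s} but {label_a} has no mirror entry"
            for s, d in sorted(pairs_b - pairs_a, key=str)]
    return out

def audit(config_a, config_b, label_a="SG", label_b="KL"):
    a, b = parse_config(config_a), parse_config(config_b)
    return check_peers(a, label_a) + check_peers(b, label_b) + check_mirror(a, label_a, b, label_b)

if __name__ == "__main__":
    for finding in audit(SG_CONFIG, KL_CONFIG) or ["no peer/key or crypto ACL mismatch found"]:
        print(finding)
```

Run against the posted configs it reports only the KL peer/key mismatch; the two crypto ACLs do mirror each other, so once the peer is corrected the script is silent. On the routers themselves, 'show crypto ipsec sa' lists the negotiated local/remote identities per SA, which is the quickest way to see whether a Quick Mode SA for the new subnet pair was ever built, and 'debug crypto isakmp' shows the proxy-ID negotiation when it was not.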


Posted by yellow on January 3, 2007, 3:25 am
Ah, it's my typo. It should be:

crypto map KLoff1 1 ipsec-isakmp
set peer 218.101.136.5

The issue is that the first net - permit ip 192.168.146.0 0.0.0.255 host
190.22.13.129 - is workable; both nets share the same crypto map and
ISAKMP profile. Why does only the first net work?



Posted by none on January 3, 2007, 9:50 pm
On Wed, 03 Jan 2007 00:25:39 -0800, yellow wrote:

> The issue is that the first net - permit ip 192.168.146.0 0.0.0.255 host
> 190.22.13.129 - is workable; both nets share the same crypto map and
> ISAKMP profile. Why does only the first net work?

Based on this ...

> > SGoff1#sh cry isa sa
> > dst src state conn-id slot
> > 190.22.13.129 218.101.136.5 MM_NO_STATE 155 0 (deleted)
> > 218.101.136.5 190.22.13.129 QM_IDLE 156 0

It looks like the original SA needs to be cleared - I would ensure these
are cleared on both ends. I'm not sure of the router command, but on a
PIX it would be "clear ipsec sa"; I think on the router you have to
give a connection ID when you clear it.

