Hairpin VPN not responding

Recently I have created a hairpin VPN using an ASA 5510 (8.0(4)28) as a hub and Cisco 877 (12.4(4)T8) as the spokes.

This works fine, but only if I "start" the connection manually. For example:

  • When I ping from spoke 1 to spoke 2 I don't receive a response;
  • When I immediately ping from spoke 2 to spoke 1 I do receive a response;
  • If I return to spoke 1, suddenly I can ping spoke 2.

The server situated in spoke 2 has an interval to poll devices in spoke 1, so after a while there is no connectivity. At least not until I start it again.

I already have configured keepalives on the ASA and the routers, but to no avail.

Can someone please shed some light on this situation? I added the appropriate parts of the config below.

192.168.1.0 is the hub site. All other ranges are spokes.

Thanks.

Ikke

ASA config

access-list 118 extended permit ip 192.168.1.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list 118 extended permit ip 192.168.119.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list 119 extended permit ip 192.168.1.0 255.255.255.0 192.168.119.0 255.255.255.0
access-list 119 extended permit ip 192.168.118.0 255.255.255.0 192.168.119.0 255.255.255.0

crypto ipsec transform-set Secure esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

crypto map Torens 118 match address 118
crypto map Torens 118 set peer xx.yy.zz.161
crypto map Torens 118 set transform-set Secure
crypto map Torens 119 match address 119
crypto map Torens 119 set peer xx.yy.zz.241
crypto map Torens 119 set transform-set Secure

crypto isakmp identity address
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 21600

tunnel-group xx.yy.zz.161 type ipsec-l2l
tunnel-group xx.yy.zz.161 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10

tunnel-group xx.yy.zz.241 type ipsec-l2l
tunnel-group xx.yy.zz.241 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10

Cisco 877

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key aabbccdd address xx.yy.zz.65
crypto isakmp nat keepalive 20

access-list 100 permit ip 192.168.118.0 0.0.0.63 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.118.0 0.0.0.63 192.168.119.0 0.0.0.255

crypto ipsec transform-set Secure esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer xx.yy.zz.65
 set transform-set Secure
 match address 100

interface Dialer0
 crypto map VPN
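An added check, not part of the original post: a small Python script that parses the crypto ACLs quoted above (ASA subnet-mask style on the hub, IOS wildcard style on the spoke) and reports every spoke entry that has no exact mirror-image entry on the hub. Only the two ACL entries for the 192.168.118.0 spoke are embedded; everything else is assumed to follow the same pattern.

```python
import ipaddress
import re

# Crypto ACLs as quoted in the post above (hub = ASA, spoke = Cisco 877),
# embedded here so the check runs offline.
ASA_ACLS = """
access-list 118 extended permit ip 192.168.1.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list 118 extended permit ip 192.168.119.0 255.255.255.0 192.168.118.0 255.255.255.0
"""
IOS_ACLS = """
access-list 100 permit ip 192.168.118.0 0.0.0.63 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.118.0 0.0.0.63 192.168.119.0 0.0.0.255
"""

# One pattern covers both dialects: the ASA adds the "extended" keyword.
ACE_RE = re.compile(r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_acl(text):
    """Return [(src_network, dst_network), ...] for every permit-ip entry.
    ipaddress accepts either a subnet mask (255.255.255.0, ASA style) or a
    wildcard/hostmask (0.0.0.63, IOS style), so both dialects normalise alike."""
    pairs = []
    for src, smask, dst, dmask in ACE_RE.findall(text):
        pairs.append((ipaddress.ip_network(f"{src}/{smask}"),
                      ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs


def find_mismatches(hub_pairs, spoke_pairs):
    """For each spoke entry src->dst the hub must carry the exact mirror dst->src.
    Returns [(spoke_entry, overlapping_hub_entry_or_None), ...] for entries without one."""
    problems = []
    for s_src, s_dst in spoke_pairs:
        if (s_dst, s_src) in hub_pairs:
            continue
        # Report the hub entry that overlaps but differs (e.g. /24 vs /26) so the fix is obvious.
        near = next(((h_src, h_dst) for h_src, h_dst in hub_pairs
                     if h_src.overlaps(s_dst) and h_dst.overlaps(s_src)), None)
        problems.append(((s_src, s_dst), near))
    return problems


def check_configs(hub_text=ASA_ACLS, spoke_text=IOS_ACLS):
    return find_mismatches(parse_acl(hub_text), parse_acl(spoke_text))


if __name__ == "__main__":
    for (s_src, s_dst), near in check_configs():
        print(f"spoke {s_src} -> {s_dst} has no exact mirror on hub; closest hub entry: {near}")
```

Run against the quoted configs it flags both spoke entries, because the spoke protects 192.168.118.0/26 (wildcard 0.0.0.63) while the hub's ACL 118 names 192.168.118.0/24; mirrored proxy identities on both ends remove that ambiguity when either side initiates.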


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.