IP Sec & VPN Client Together

Hi,

I am having problems with a VPN. Basically it all seems to work, then all of a sudden the IPSEC tunnels to the remote branches stop working, and the only way I can get them working again is to take off all the VPN client configuration and reboot the router. Does anyone have any ideas?

I have searched all the articles I can find and still no joy!

It would be much appreciated; I have been banging my head against the wall for days now and I am seriously losing the will to live :)

Thanks, Jamie

Current configuration : 10727 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname portbury1803w
!
boot-start-marker
warm-reboot
boot-end-marker
!
no logging buffered
enable password P4lgcpfwng
!
aaa new-model
!
aaa authentication login default local
aaa authentication login console none
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
ip cef
!
ip domain name xxx.xxx.xxx.xxx
ip name-server 194.73.82.242
ip name-server 194.72.6.57
ip multicast-routing
ip ips notify SDEE
!
crypto pki trustpoint TP-self-signed-1858581259
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1858581259
 revocation-check none
 rsakeypair TP-self-signed-1858581259
!
crypto pki certificate chain TP-self-signed-1858581259
 certificate self-signed 01
  quit
username cisco privilege 15 secret xxx
username xxx password 0 xxx
!
controller DSL 0
 shutdown
 line-term cpe
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key p0rt123 address xxx.xxx.xxx.xxx
crypto isakmp key p0rt123 address xxx.xxx.xxx.xxx
crypto isakmp key p0rt123 address xxx.xxx.xxx.xxx
crypto isakmp key p0rt123 address xxx.xxx.xxx.xxx
crypto isakmp key p0rt123 address xxx.xxx.xxx.xxx
crypto isakmp key p0rt123 address xxx.xxx.xxx.xxx
crypto isakmp key p0rt123 address xxx.xxx.xxx.xxx
crypto isakmp key p0rt123 address xxx.xxx.xxx.xxx
crypto isakmp key p0rt123 address xxx.xxx.xxx.xxx
crypto isakmp client configuration address-pool local VPNClients
!
crypto isakmp client configuration group lanevpn
 key xxx
 dns 195.111.111.6
 domain lane-main.local
 pool VPNClients
 acl 101
!
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
crypto ipsec transform-set VPNClientSet esp-3des esp-sha-hmac
!
crypto dynamic-map lane-dynamic 10
 set transform-set VPNClientSet
!
crypto map CMAP_LANE client authentication list default
crypto map CMAP_LANE isakmp authorization list default
crypto map CMAP_LANE client configuration address respond
crypto map CMAP_LANE 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 115
crypto map CMAP_LANE 2 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 116
crypto map CMAP_LANE 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 117
crypto map CMAP_LANE 4 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 118
crypto map CMAP_LANE 5 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 119
crypto map CMAP_LANE 6 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 120
crypto map CMAP_LANE 7 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 121
crypto map CMAP_LANE 8 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 122
crypto map CMAP_LANE 9 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 123
crypto map CMAP_LANE 100 ipsec-isakmp dynamic lane-dynamic
!
interface FastEthernet0
 bandwidth 2048
 ip address xxx.xxx.xxx.xxx 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map CMAP_LANE
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 195.111.111.25 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
ip local pool VPNClients 192.168.200.1 192.168.200.254
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip route 172.16.1.0 255.255.255.0 195.111.111.1
ip route 192.168.2.0 255.255.255.0 FastEthernet0
ip route 192.168.3.0 255.255.255.0 195.111.111.1
ip route 192.168.4.0 255.255.255.0 195.111.111.1
ip route 192.168.5.0 255.255.255.0 195.111.111.1
ip route 192.168.7.0 255.255.255.0 FastEthernet0
ip route 192.168.8.0 255.255.255.0 195.111.111.1
ip route 192.168.111.0 255.255.255.0 195.111.111.1
ip route 192.168.112.0 255.255.255.0 195.111.111.1
ip route 192.168.113.0 255.255.255.0 195.111.111.1
ip route 192.168.114.0 255.255.255.0 195.111.111.1
ip route 192.168.115.0 255.255.255.0 195.111.111.1
ip route 192.168.116.0 255.255.255.0 195.111.111.1
ip route 192.168.117.0 255.255.255.0 FastEthernet0
ip route 192.168.118.0 255.255.255.0 FastEthernet0
ip route 192.168.119.0 255.255.255.0 FastEthernet0
ip route 192.168.120.0 255.255.255.0 FastEthernet0
ip route 192.168.121.0 255.255.255.0 FastEthernet0
ip route 192.168.122.0 255.255.255.0 FastEthernet0
ip route 192.168.123.0 255.255.255.0 FastEthernet0
ip route 192.168.240.0 255.255.255.0 195.111.111.1
ip route 192.168.253.0 255.255.255.0 195.111.111.1
!
ip http server
ip http secure-server
ip nat pool natoverload xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.240
ip nat inside source list 100 pool natoverload overload
ip nat inside source static tcp 195.111.111.46 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 195.111.111.6 80 xxx.xxx.xxx.xxx 80 extendable
!
access-list 100 deny ip 195.111.111.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 100 deny ip 195.111.111.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip any 192.168.117.0 0.0.0.255
access-list 100 deny ip 192.168.117.0 0.0.0.255 any
access-list 100 deny ip 195.111.111.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 deny ip 195.111.111.0 0.0.0.255 192.168.119.0 0.0.0.255
access-list 100 deny ip 195.111.111.0 0.0.0.255 192.168.121.0 0.0.0.255
access-list 100 deny ip 195.111.111.0 0.0.0.255 192.168.118.0 0.0.0.255
access-list 100 deny ip 195.111.111.0 0.0.0.255 192.168.122.0 0.0.0.255
access-list 100 deny ip 195.111.111.0 0.0.0.255 192.168.123.0 0.0.0.255
access-list 100 deny ip any 192.168.200.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 any
access-list 100 permit ip 195.111.111.0 0.0.0.255 any
access-list 101 permit ip 192.168.120.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.117.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.119.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.121.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.118.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.122.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.123.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.111.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.113.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.114.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.115.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.116.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.253.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 195.111.111.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 115 permit ip 195.111.111.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 116 permit ip 195.111.111.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 117 permit ip 195.111.111.0 0.0.0.255 192.168.117.0 0.0.0.255
access-list 117 permit ip 192.168.200.0 0.0.0.255 192.168.117.0 0.0.0.255
access-list 118 permit ip 195.111.111.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 119 permit ip 195.111.111.0 0.0.0.255 192.168.119.0 0.0.0.255
access-list 120 permit ip 195.111.111.0 0.0.0.255 192.168.121.0 0.0.0.255
access-list 121 permit ip 195.111.111.0 0.0.0.255 192.168.118.0 0.0.0.255
access-list 122 permit ip 195.111.111.0 0.0.0.255 192.168.122.0 0.0.0.255
access-list 123 permit ip 195.111.111.0 0.0.0.255 192.168.123.0 0.0.0.255
!
radius-server host 195.111.111.6 auth-port 1645 acct-port 1646
radius-server key p0rt123
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
 transport output all
!
scheduler allocate 4000 1000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
Jamie Watson
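Independent of the tunnel-drop question, the posted config is worth a second look on its own: isakmp policy 1 sets only md5 and so inherits the IOS defaults for the rest, and the transform-set called ESP-3DES-SHA actually configures esp-des esp-md5-hmac. The following Python audit is an added example, not part of the thread or of Cisco's tooling; it runs over a constructed excerpt of the crypto lines above and assumes the IOS isakmp policy defaults of DES encryption, SHA-1 hashing and DH group 1.

```python
import re

# Constructed excerpt modelled on the crypto lines of the posted config, not the full config.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp policy 2
 encr 3des
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
crypto ipsec transform-set VPNClientSet esp-3des esp-sha-hmac
"""
# IOS fills omitted isakmp policy fields with these defaults (DES, SHA-1, DH group 1).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
WEAK_ISAKMP = {"des", "md5", "1"}          # single DES, MD5, 768-bit DH group 1
WEAK_ESP = {"esp-des", "esp-md5-hmac"}

def parse_isakmp_policies(config):
    """Return {policy_number: {field: value}} with the IOS defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), dict(ISAKMP_DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None                 # left the indented policy block
    return policies

def parse_transform_sets(config):
    return {m.group(1): m.group(2).split() for m in
            re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}

def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for num, p in parse_isakmp_policies(config).items():
        for field in ("encr", "hash", "group"):
            if p[field] in WEAK_ISAKMP:
                findings.append(f"isakmp policy {num}: weak {field} {p[field]}")
    for name, transforms in parse_transform_sets(config).items():
        if any(t in WEAK_ESP for t in transforms):
            findings.append(f"transform-set {name}: weak transforms {' '.join(transforms)}")
        # A name advertising 3DES/SHA while configuring DES/MD5 misleads whoever reads the config.
        for tag, expected, got in (("3DES", "esp-3des", transforms[0]), ("SHA", "esp-sha-hmac", transforms[-1])):
            if tag in name.upper() and expected not in transforms:
                findings.append(f"transform-set {name}: name says {tag}, config is {got}")
    return findings
```

Run against the excerpt it reports six findings, all against policy 1 and ESP-3DES-SHA; policy 2 and VPNClientSet pass clean.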

Had the same issue,

The internet can be intermittent, so connections drop. By lowering the phase 1 timeout, phase 1 will have to renegotiate more often. If the connection drops, phase 1 will still be active on one side and will not allow another connection to connect; therefore, changing the timeout to, say, 10 mins will mean the connection will drop and then allow the new request to start up.

bob

You can probably get the VPN back if you do a clear cry sa

If you do the right end you will only have to do one end I would guess. Further if you identify the correct SA you may be able to clear only the affected one. Oddly enough the last time I tried to clear only one SA I was not able to figure out how to do it.

Maybe clear cry sess remote/local is the one.

More generally, this is interesting. I see behaviour like this (failed crypto tunnels that won't come back without a clear cry sa) from time to time and have never got to the bottom of it.

However, if the behaviour described is correct, namely that phase 1 (whatever that is exactly :-) cannot recover in the event that, say, an interface directly attached to a crypto end point goes down briefly, then I would say that the protocol (IPSEC/IKE, whichever one it is) is not suitable for production use.

This type of fragile behaviour would be unique in my networking experience.

Maybe someone can support/clarify?

Thanks for any input.

anybody43

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.