Having issues with VPN
I am working with a Cisco 871 running OSPF with VPN/GRE. I am using a wireless WAN and my sh crypto sess indicates "Down-Negotiating". I have cleared the crypto session and retried to no avail. I have another 871 that works fine with this setup and I cannot seem to figure out where it is failing. I can post SH RUN results if anyone can tell me their thoughts. However, I am racking my brain. I did plug into the wireless WAN router and confirmed that it is operational.
Comments
-
shednik Member Posts: 2,005
How about a sh crypto isakmp sa and ipsec sa... then show us your configs on each side.
-
flipmad Member Posts: 184
I had to remove the public IPs for security reasons. I have not applied the access-lists and confirmed the preshared keys match. The WAN (FE4) is a NAT'd address so it is dynamically pulling public IP on the host end.
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
Public IP 192.168.254.3 MM_KEY_EXCH 2011 0 ACTIVE
Public IP 192.168.254.3 MM_KEY_EXCH 2012 0 ACTIVE
Here is a portion of Sh Run
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key "key" address (Public Ip of HQ)
crypto isakmp key "key" address (Public Ip of HQ2)
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map cust 1 ipsec-isakmp
set peer (Public Ip of HQ)
set transform-set ESP-3DES-SHA
match address 101
crypto map cust 2 ipsec-isakmp
set peer (Public Ip of HQ2)
set transform-set ESP-3DES-SHA
match address 102
interface Loopback1
description Primary VPN Interface IP
ip address 10.255.1.98 255.255.255.255
interface Loopback2
description Secondary VPN Interface IP
ip address 10.255.2.98 255.255.255.255
interface Tunnel1
description Connected to HQ1
ip address 10.255.13.130 255.255.255.252
ip mtu 1412
ip ospf cost 10
ip ospf flood-reduction
ip ospf mtu-ignore
tunnel source 10.255.1.98
tunnel destination 10.255.255.1
!
interface Tunnel2
description CONNECTED TO HQ2
ip address 10.255.14.130 255.255.255.252
ip mtu 1412
ip ospf cost 100
ip ospf flood-reduction
ip ospf mtu-ignore
tunnel source 10.255.2.98
tunnel destination 10.255.255.2
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Connected to Wireless
ip address 192.168.254.3 255.255.255.0
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
crypto map customer
!
interface Vlan1
description Connected_to_LAN
ip address 10.125.14.97 255.255.255.224
ip helper-address 10.1.2.20
ip nat inside
ip virtual-reassembly
!
router ospf 1
router-id 10.125.14.96
log-adjacency-changes
network 10.125.14.96 0.0.0.31 area 51
network 10.255.13.128 0.0.0.3 area 51
network 10.255.14.128 0.0.0.3 area 51
!
ip route 10.255.255.1 255.255.255.255 FastEthernet4
ip route 10.255.255.2 255.255.255.255 FastEthernet4
ip route HQ1 255.255.255.255 192.168.254.1
ip route HQ2 255.255.255.255 192.168.254.1
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet4 overload
!
ip access-list extended outside-in
!
access-list 101 permit ip host 10.255.1.98 host 10.255.255.1
access-list 102 permit ip host 10.255.2.98 host 10.255.255.2
access-list 103 deny ip host 10.255.1.98 host 10.255.255.1
access-list 103 deny ip host 10.255.2.98 host 10.255.255.2
access-list 103 permit ip 10.125.14.96 0.0.0.31 any
access-list 199 deny tcp any any eq 22
access-list 199 permit ip any any
!
!
route-map NAT permit 10
match ip address 103
Here is the host end 3851 Tunnel config (all of this is confirmed working, as this tunnel has already been used with this same setup before)
interface Tunnel98
bandwidth 1000
ip address 10.255.13.129 255.255.255.252
ip mtu 1412
ip ospf cost 10
ip ospf flood-reduction
ip ospf mtu-ignore
tunnel source 10.255.255.1
tunnel destination 10.255.1.98
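
A consistency check for a pasted IOS excerpt like the one above, as an added example that is not part of the original thread: it reports names that are referenced (crypto map, transform-set, ACL, route-map) but never defined. The `lint` function and `SAMPLE` text are constructed here, reusing lines from the excerpt with the redacted peers left out; because the poster sanitized the config, a flagged name may be a redaction artifact rather than what is on the router.

```python
import re

# Constructed sample: lines reused from the excerpt posted above.
SAMPLE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map cust 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 match address 101
crypto map cust 2 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 match address 102
interface FastEthernet4
 ip nat outside
 crypto map customer
ip nat inside source list NAT interface FastEthernet4 overload
access-list 101 permit ip host 10.255.1.98 host 10.255.255.1
access-list 102 permit ip host 10.255.2.98 host 10.255.255.2
access-list 103 permit ip 10.125.14.96 0.0.0.31 any
route-map NAT permit 10
 match ip address 103
"""

def lint(config):
    """Return (kind, name, line) for every reference to an undefined object."""
    defined = {"map": set(), "ts": set(), "acl": set(), "rmap": set()}
    used = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            defined["map"].add(m[1])            # crypto map entry definition
        elif m := re.match(r"crypto map (\S+)$", line):
            used.append(("map", m[1], line))    # crypto map applied to an interface
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            defined["ts"].add(m[1])
        elif m := re.match(r"set transform-set (\S+)", line):
            used.append(("ts", m[1], line))
        elif m := re.match(r"(?:ip )?access-list (?:extended |standard )?(\S+)", line):
            defined["acl"].add(m[1])            # numbered or named ACL
        elif m := re.match(r"route-map (\S+) (?:permit|deny)", line):
            defined["rmap"].add(m[1])
        elif m := re.match(r"match (?:ip )?address (\S+)", line):
            used.append(("acl", m[1], line))    # crypto ACL or route-map match
        elif m := re.match(r"ip nat inside source (list|route-map) (\S+)", line):
            used.append(("acl" if m[1] == "list" else "rmap", m[2], line))
    # Definitions may appear after their use, so filter only once parsing is done.
    return [(k, n, l) for k, n, l in used if n not in defined[k]]

if __name__ == "__main__":
    for kind, name, line in lint(SAMPLE):
        print(f"undefined {kind} '{name}': {line}")
```

On the sample it reports the interface-level `crypto map customer` (only `cust` is defined) and the NAT statement's `list NAT` (`NAT` exists only as a route-map).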