IPSEC lan-lan

By steve
I have an IPsec tunnel between 2 Cisco routers.
It only comes up if I set the ACL for permitted traffic to permit ip any any. If it's set to permit ip x.x.x.x 0.0.0.255 x.x.x.x 0.0.0.255, as it should be, it does not come up, and I get the error "No peer struct to get peer description".
Can anybody help with this?

8 total posts (Page 1 of 1)

All Answers

You need to allow esp

by NetMan1958 In reply to IPSEC lan-lan

You need to allow tcp port 500 and the esp protocol to support ipsec vpn.
"permit tcp host x1.x1.x1.x1 host x2.x2.x2.x2 eq 500"
also
"permit esp host x1.x1.x1.x1 host x2.x2.x2.x2"
where x1 is the remote router's ip and x2 is this router's ip.

If you are going to have several remote vpns it might be better to replace "host x1" with "any" like so:
"permit tcp any host x2.x2.x2.x2 eq 500"
"permit esp any host x2.x2.x2.x2 eq 500"


ACL is in place

by steve In reply to You need to allow esp

Hi,

I have this ACL in place, and this is not causing the problem.
ip access-list extended Internet-inbound-ACL
permit udp host 8x.x.x.x any eq isakmp
permit esp host 8x.x.x.x any
permit udp host 8x.x.x.x any eq non500-isakmp
permit ahp host 8x.x.x.x any
!

The problem is caused by this:
ip access-list extended Crypto-list
permit ip any any
In this ACL, if I put in permit ip 10.x.x.x 0.0.0.255 172.x.x.x 0.0.0.255, then I get the error.
So it's the ACL that defines which traffic needs to be encrypted over the tunnel.
And for some reason it only works with permit ip any any. I tried many things to edit the ACL, but it only works with ip any any.

regards,

Steve


Can you post your config

by NetMan1958 In reply to ACL is in place

Maybe if I look at the entire config I can spot the trouble.

Configs

by steve In reply to Can you post your config

Router-A

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router A
!
boot-start-marker
boot-end-marker
resource policy
!
no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
no ip dhcp use vrf connected
ip vrf vpn
ip cef
no ip ips deny-action ips-interface
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address 80.x.x.x
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 80.x.x.x
set transform-set 3DES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
!
interface FastEthernet0/0
description connected to Internet
ip address 81.x.x.x 255.255.255.248
duplex auto
speed auto
crypto map VPN-Map-1
!
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
ip default-gateway 81.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 81.x.x.x
!
!
ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
! WITH THIS LINE IT DOES NOT WORK
permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
! WITH THIS LINE IT WORKS
permit ip any any

ip access-list extended Internet-inbound-ACL
permit udp host 80.x.x.x any eq isakmp
permit esp host 80.x.x.x any
permit udp host 80.x.x.x any eq non500-isakmp
permit ahp host 80.x.x.x any
!
control-plane
!


router-B

version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router B
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
ip tcp synwait-time 10
no ip ips deny-action ips-interface
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 81.x.x.x
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 81.x.x.x
set transform-set 3DES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
interface FastEthernet0/0
description connected to Internet
ip address 80.x.x.x 255.255.255.224
ip virtual-reassembly
speed auto
full-duplex
crypto map VPN-Map-1
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 172.16.10.1 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
!
ip default-gateway 80.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 80.x.x.x
ip route 172.16.10.2 255.255.255.255 FastEthernet0/1
!
ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
! WITH THIS LINE IT DOES NOT WORK
permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
! WITH THIS LINE IT WORKS
permit ip any any

ip access-list extended Internet-inbound-ACL
permit udp host 81.X.X.X any eq isakmp
permit esp host 81.x.x.x any
permit udp host 81.x.x.x any eq non500-isakmp
permit ahp host 81.x.x.x any
!
logging trap debugging

control-plane

!
scheduler allocate 4000 1000
end


I'm not sure

by NetMan1958 In reply to Configs

this has anything to do with it, but router A has this configured:
"ip vrf vpn"
Try removing that and see if it makes a difference.

Are those the complete configs for both routers? I don't see any NAT configuration, and as you are using private IPs on both LANs, NAT would be necessary for the nodes on the LAN to access the internet. However, you have to deny NAT for the traffic going across the VPN, so you would have an access-list for your NAT traffic that would look like this:
deny ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any


Fixed!!!

by steve In reply to I'm not sure

Ok NetMan1958 thanks very much for the time and support.

I figured out what the problem was. When configured as it should be, with the correct ACL for the crypto map, the VPN stayed down until I generated traffic from the source behind the VPN router. In my case the VPN came up without errors when I generated traffic from 172.16.10.2. So all along, the reason the VPN stayed down was that there was no traffic.

thanks again,

Steve


Been there, done that

by NetMan1958 In reply to Fixed!!!

When I first started implementing VPNs on Cisco devices, I ran into that issue also. If you ping from the Cisco device to a non-local subnet, the pings originate from the outside interface's IP address. So in order to force up an IPsec tunnel you have to do one of two things:
(1) Ping from a device on the LAN
(2) Do an extended ping from the Cisco device and designate its LAN IP as the source.

Glad you got her going!
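The two ACL behaviours the thread turns on (the crypto ACL deciding which packets bring the tunnel up, and the NAT-exemption ACL NetMan1958 describes in the "I'm not sure" post) can be checked offline with a small evaluator. The Python below is an added example, not code from the thread or from Cisco: it implements Cisco wildcard-mask matching and first-match, implicit-deny ACL evaluation, then runs the posted Crypto-list and the suggested NAT ACL against sample packets. The subnets and ACL lines are taken from the posted configs; 81.0.0.1 is a constructed stand-in for the masked 81.x.x.x outside address on Router-A. It shows why a plain ping from the router (sourced from the outside interface) never matches Crypto-list and leaves the SA down, why an extended ping sourced from the LAN interface does, and that Router-B's Crypto-list is the exact mirror of Router-A's.

```python
"""Crypto-ACL and NAT-exemption evaluator with Cisco wildcard masks (added example)."""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def parse_acl_entry(line: str) -> dict:
    """Parse 'permit|deny ip <src> <dst>', each side 'any', 'host A' or 'A WILDCARD'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take(rest):
        if rest[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        if rest[0] == "host":
            return (rest[1], "0.0.0.0"), rest[2:]
        return (rest[0], rest[1]), rest[2:]

    src, rest = take(rest)
    dst, _ = take(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def _fmt_side(side) -> str:
    network, wildcard = side
    if wildcard == "255.255.255.255":
        return "any"
    if wildcard == "0.0.0.0":
        return f"host {network}"
    return f"{network} {wildcard}"


def format_acl_entry(entry: dict) -> str:
    return f"{entry['action']} {entry['proto']} {_fmt_side(entry['src'])} {_fmt_side(entry['dst'])}"


def acl_lookup(acl_lines, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for line in acl_lines:
        e = parse_acl_entry(line)
        if wildcard_match(src_ip, *e["src"]) and wildcard_match(dst_ip, *e["dst"]):
            return e["action"]
    return "deny"


def triggers_tunnel(crypto_acl, src_ip: str, dst_ip: str) -> bool:
    """A packet is 'interesting traffic' (and negotiates the SA) only if the crypto ACL permits it."""
    return acl_lookup(crypto_acl, src_ip, dst_ip) == "permit"


def nat_applies(nat_acl, src_ip: str, dst_ip: str) -> bool:
    """NAT is applied when the NAT ACL permits; the leading deny exempts VPN traffic."""
    return acl_lookup(nat_acl, src_ip, dst_ip) == "permit"


def mirror_acl(crypto_acl):
    """The peer's crypto ACL must be the exact mirror: source and destination swapped."""
    out = []
    for line in crypto_acl:
        e = parse_acl_entry(line)
        out.append(format_acl_entry({**e, "src": e["dst"], "dst": e["src"]}))
    return out


# ACL lines and subnets as posted in the thread's configs
CRYPTO_LIST_A = ["permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255"]
CRYPTO_LIST_B = ["permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255"]
NAT_ACL_A = [
    "deny ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255",
    "permit ip 10.10.10.0 0.0.0.255 any",
]
ROUTER_A_OUTSIDE = "81.0.0.1"  # constructed stand-in for the masked 81.x.x.x address
ROUTER_A_LAN = "10.10.10.1"    # FastEthernet0/1 on Router-A, from the posted config

if __name__ == "__main__":
    # Plain ping from the router is sourced from the outside interface: not interesting traffic.
    print("router ping  ->", triggers_tunnel(CRYPTO_LIST_A, ROUTER_A_OUTSIDE, "172.16.10.2"))
    # Extended ping sourced from the LAN interface, or any LAN host, matches Crypto-list.
    print("extended ping->", triggers_tunnel(CRYPTO_LIST_A, ROUTER_A_LAN, "172.16.10.2"))
    print("LAN host     ->", triggers_tunnel(CRYPTO_LIST_A, "10.10.10.5", "172.16.10.2"))
    print("mirror ok    ->", mirror_acl(CRYPTO_LIST_A) == CRYPTO_LIST_B)
    print("NAT on VPN   ->", nat_applies(NAT_ACL_A, "10.10.10.5", "172.16.10.2"))
    print("NAT to inet  ->", nat_applies(NAT_ACL_A, "10.10.10.5", "198.51.100.7"))
```

The `permit ip any any` variant that "worked" in the thread matches even the router-sourced ping, which is why the tunnel appeared to come up only with that line; the narrower ACL was correct all along and simply had no matching traffic.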
