New Contributor III

2nd VPN tunnel will not come up

I have two 3448s; both now have two internet connections and two VLANs. Each VLAN uses a different WAN through PBR, and that is working. I have two VPN tunnels, one for each VLAN, each going over a different WAN. The first VPN, for the Voice VLAN 110 that is using the main WAN on each side, works; the second VPN, for VLAN 100, will not come up. I have the same settings for both tunnels, but even when I try to ping to initiate the tunnel, as I did for the first tunnel, I get nothing. I did a debug crypto on all the sub-elements and nothing displays, unlike the other one; there is no attempt to bring the tunnel up. Because I am using PBR for the WAN on VLAN 100, is there something more I have to do? Here is the config -

!
! ADTRAN, Inc. OS version R10.6.0.E
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448, part number 1200821E1
! Serial number LBADTN1340AR588
!
!
hostname "NV3448-BRD"
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip default-gateway 123.123.12.165
ip routing
ipv6 unicast-routing
!
!
name-server 4.2.2.2 8.8.8.8
!
ip local policy route-map DATA-Map
!
no auto-config
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
service password-encryption
!
banner motd #
#
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
ip dhcp database local
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool "Data"
  network 192.168.1.0 255.255.255.0
  dns-server 4.2.2.2 8.8.8.8
  default-router 192.168.1.1
!
ip dhcp pool "Voice"
  network 172.16.10.0 255.255.255.0
  dns-server 4.2.2.2 8.8.8.8
  default-router 172.16.10.2
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 123.123.12.166
  peer 44.44.1.178
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike policy 101
  initiate main
  respond anymode
  local-id address 123.123.112.146
  peer 99.99.99.99
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address 44.44.1.178 preshared-key pppppppp ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address 99.99.99.99 preshared-key pppppppp ike-policy 101 crypto map VPN1 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Janesville Voice
  match address VPN-10-vpn-selectors
  set peer 44.44.1.178
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
crypto map VPN1 10 ipsec-ike
  description Janesville Data
  match address VPN1-10-vpn-selectors
  set peer 99.99.99.99
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 101
!
!
!
!
vlan 1
  name "Default"
!
vlan 100
  name "Data"
!
vlan 110
  name "Voice"
!
!
!
no ethernet cfm
!
interface eth 0/1
  description Charter WAN
  ip address  123.123.12.166  255.255.255.252
  ip mtu 1500
  ip access-policy Public1
  crypto map VPN
  no shutdown
!
!
interface eth 0/2
  description Charter WAN
  ip address  123.123.112.146  255.255.255.252
  ip mtu 1500
  ip access-policy Public2
  crypto map VPN1
  no shutdown
!
!
!
interface switchport 0/1
  description Link to Switch
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/2
  description Audiocodes
  spanning-tree edgeport
  no shutdown
  switchport access vlan 110
  qos default-cos 7
!
interface switchport 0/3
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/4
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/5
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/6
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/7
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/8
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
!
!
interface vlan 1
  no ip address
  shutdown
!
interface vlan 100
  description Data
  ip address  192.168.1.2  255.255.255.0
  no ip proxy-arp
  ip policy route-map DATA-Map
  ip mtu 1500
  ip access-policy Private
  no rtp quality-monitoring
  no awcp
  no shutdown
!
interface vlan 110
  description Voice
  ip address  172.16.10.2  255.255.255.0
  no ip proxy-arp
  ip mtu 1500
  ip access-policy Private
  no rtp quality-monitoring
  no awcp
  no shutdown
!
!
!
!
route-map DATA-Map permit 10
  match ip address DataInt
  set ip next-hop 123.123.112.145
!
!
!
!
ip access-list extended DataInt
  deny   ip 192.168.0.0 0.0.0.255  192.168.0.0 0.0.0.255     log
  deny   ip 192.168.0.0 0.0.0.255  192.168.1.0 0.0.0.255     log
  deny   ip 192.168.0.0 0.0.0.255  172.16.0.0 0.0.0.255     log
  deny   ip 192.168.0.0 0.0.0.255  172.16.10.0 0.0.0.255     log
  deny   ip 192.168.1.0 0.0.0.255  192.168.0.0 0.0.0.255     log
  deny   ip 192.168.1.0 0.0.0.255  192.168.1.0 0.0.0.255     log
  deny   ip 192.168.1.0 0.0.0.255  172.16.0.0 0.0.0.255     log
  deny   ip 192.168.1.0 0.0.0.255  172.16.10.0 0.0.0.255     log
  deny   ip 172.16.0.0 0.0.0.255  172.16.0.0 0.0.0.255     log
  deny   ip 172.16.0.0 0.0.0.255  172.16.10.0 0.0.0.255     log
  deny   ip 172.16.0.0 0.0.0.255  192.168.0.0 0.0.0.255     log
  deny   ip 172.16.0.0 0.0.0.255  192.168.1.0 0.0.0.255     log
  deny   ip 172.16.10.0 0.0.0.255  172.16.0.0 0.0.0.255     log
  deny   ip 172.16.10.0 0.0.0.255  172.16.10.0 0.0.0.255     log
  deny   ip 172.16.10.0 0.0.0.255  192.168.0.0 0.0.0.255     log
  deny   ip 172.16.10.0 0.0.0.255  192.168.1.0 0.0.0.255     log
  permit ip any  any     log
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 172.16.10.0 0.0.0.255  172.16.0.0 0.0.0.255
!
ip access-list extended VPN1-10-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.0.0 0.0.0.255
!
ip access-list extended web-acl-6
  remark NAT Public 1
  permit ip any  any     log
!
ip access-list extended web-acl-7
  remark NAT Public 2
  permit ip any  any     log
!
ip policy-class Private
  allow list VPN1-10-vpn-selectors stateless
  allow list VPN-10-vpn-selectors stateless
  allow list self self
  nat source list web-acl-6 interface eth 0/1 overload policy Public1
  nat source list web-acl-7 interface eth 0/2 overload policy Public2
!
ip policy-class Public1
  allow reverse list VPN-10-vpn-selectors stateless
!
ip policy-class Public2
  allow reverse list VPN1-10-vpn-selectors stateless
!
ip route 0.0.0.0 0.0.0.0 123.123.12.165
ip route 0.0.0.0 0.0.0.0 123.123.112.145 5
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
ip sip udp 5060
ip sip tcp 5060
!

2 Replies
New Contributor

Re: 2nd VPN tunnel will not come up

I know this is a year old, but did you get this to work? I am about to implement this same exact scenario - my config is almost identical to yours, so I'm guessing I will have the same problem. 

Contributor

Re: 2nd VPN tunnel will not come up

If you use the same config as the one posted, it will not work.

There should be a dedicated static route for the 2nd VPN if you want both tunnels up at the same time.  Just because the crypto map is on the 2nd WAN interface doesn't mean the router will forward packets to the destination out that interface.  You can use a PBR for this, but it must be used as the global policy and not be attached to an interface, as that will only apply the policy to packets matched coming into that interface.

You will also need a static route or PBR for the LOCAL traffic that is supposed to traverse the VPN, so that each network goes out the correct tunnel.

So, in general terms:

**ROUTES**

0.0.0.0 0.0.0.0 gateway1

0.0.0.0 0.0.0.0 gateway2 5 (weighted for failover, presumably.  This could be better done through the WLR features of the router, using a track.  The primary route only goes away if the interface goes down configured this way).

VPN#1.DEST.IP 255.255.255.255 gateway1

VPN#2.DEST.IP 255.255.255.255 gateway2

172.16.0.0 255.255.255.0 gateway1 (this forces traffic to that interface and it will be matched by the crypto policy so it doesn't go public)

192.168.0.0 255.255.255.0 gateway2 (this forces traffic to that interface and it will be matched by the crypto policy so it doesn't go public)
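To make the routing point in this reply concrete, here is an added Python model (not code from either poster or from ADTRAN) of the posted NetVanta's forwarding decision. It does longest-prefix-match with administrative distance over the route table and then checks the crypto map bound to the chosen WAN interface, first with the two default routes as posted and then with the peer and remote-network routes this reply recommends, instantiated with the addresses from the posted config. The flow 192.168.1.0/24 to 192.168.0.0/24 is denied by the DataInt ACL, so the PBR does not redirect it and the route table decides; the model assumes that.

```python
import ipaddress

# WAN next hops from the posted config: next hop -> (interface, crypto map bound there)
WAN = {
    "123.123.12.165": ("eth 0/1", "VPN"),     # gateway1 (eth 0/1 carries "crypto map VPN")
    "123.123.112.145": ("eth 0/2", "VPN1"),   # gateway2 (eth 0/2 carries "crypto map VPN1")
}

# Crypto map selector ACLs from the posted config: map -> (local net, remote net)
SELECTORS = {
    "VPN":  (ipaddress.ip_network("172.16.10.0/24"), ipaddress.ip_network("172.16.0.0/24")),
    "VPN1": (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.0.0/24")),
}

# Route table as posted: (prefix, next hop, administrative distance)
POSTED_ROUTES = [
    ("0.0.0.0/0", "123.123.12.165", 1),
    ("0.0.0.0/0", "123.123.112.145", 5),
]

# The reply's recommended routes, filled in with this config's peers and remote nets
# (constructed here from the posted config; the reply gives them only in general terms)
FIXED_ROUTES = POSTED_ROUTES + [
    ("44.44.1.178/32", "123.123.12.165", 1),    # VPN#1 peer via gateway1
    ("99.99.99.99/32", "123.123.112.145", 1),   # VPN#2 peer via gateway2
    ("172.16.0.0/24", "123.123.12.165", 1),     # remote voice net via gateway1
    ("192.168.0.0/24", "123.123.112.145", 1),   # remote data net via gateway2
]

def lookup(routes, dst):
    """Return the next hop for dst: longest prefix wins, then lowest admin distance."""
    d = ipaddress.ip_address(dst)
    best = None  # ((prefixlen, -distance), next hop)
    for prefix, nh, ad in routes:
        net = ipaddress.ip_network(prefix)
        if d in net:
            key = (net.prefixlen, -ad)
            if best is None or key > best[0]:
                best = (key, nh)
    return best[1] if best else None

def egress(routes, src, dst):
    """Return (exit interface, crypto map whose selectors match, or None if sent in the clear)."""
    iface, cmap = WAN[lookup(routes, dst)]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local_net, remote_net = SELECTORS[cmap]
    return iface, (cmap if s in local_net and d in remote_net else None)
```

With the posted routes, data traffic leaves eth 0/1, where only crypto map VPN is bound and its selectors do not match, so no IKE negotiation for the second tunnel is ever triggered; with the added routes the same flow leaves eth 0/2 and matches VPN1.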