bdsmith2
New Contributor

VPN IKE up/IPsec down

We just underwent some changes to our network here and I was in touch with user "jayh" who was mighty helpful, so hopefully he sees this post as well.  After we got all our VLANs added, routing successfully configured, and all is well, I began to rebuild our primary 3 VPN tunnels.  The first is our satellite office up in Michigan, so I was able to get that set up and configured to work well; next I worked on my VPN tunnel back to my home (where I have a refurbished NV4430 running enhanced firmware) and got it working properly; then I was working on the VPN to my boss' house (where we have a refurbished NV4305 running enhanced firmware).  My boss's VPN is the only one seeming to give us problems. I tried to model it on the VPN to my house, with minimal differences between the two, but no luck.  Here are the IKE policy and crypto map config excerpts for the VPNs:

My NV4430 (Dynamic Peer)

crypto ike policy 100
  initiate aggressive
  respond aggressive
  local-id fqdn BEN-NV4430
  peer <office IP here>
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
crypto ike remote-id address <office IP here> preshared-key <key here> ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
crypto map VPN 10 ipsec-ike
  description IEC OFFICE
  match address VPN-10-vpn-selectors
  set peer <office IP here>
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
ip access-list extended VPN-10-vpn-selectors
  permit ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.31.255
ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless

His NV4305 (Dynamic Peer)

crypto ike policy 100
  initiate aggressive
  respond aggressive
  local-id fqdn JohnHome
  peer <office IP here>
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
crypto ike remote-id address <office IP here> preshared-key <key here> ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
crypto map VPN 10 ipsec-ike
  description IEC-OFFICE
  match address VPN-10-vpn-selectors3
  set peer <office IP here>
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
ip access-list extended VPN-10-vpn-selectors3
  permit ip 192.168.111.0 0.0.0.255 172.16.0.0 0.0.31.255
ip policy-class Private
  allow list VPN-10-vpn-selectors3 stateless
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors3 stateless

Office NV4430 (Static Peer)

crypto ike policy 105
  no initiate
  respond anymode
  local-id address <office IP here>
  peer any
  client configuration pool MOBILE
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
crypto ike remote-id fqdn BenHome preshared-key <key here> ike-policy 105 crypto map VPN 110 no-mode-config no-xauth
crypto ike remote-id fqdn JohnHome preshared-key <key here> ike-policy 105 crypto map VPN 130 no-mode-config no-xauth
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
crypto map VPN 110 ipsec-ike
  description BenHome
  match address VPN-110-vpn-selectors
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 105
crypto map VPN 130 ipsec-ike
  description JohnHome
  match address VPN-130-vpn-selectors3
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 105
ip access-list extended VPN-110-vpn-selectors
  permit ip 172.16.0.0 0.0.31.255 172.16.10.0 0.0.0.255 log
ip access-list extended VPN-130-vpn-selectors3
  permit ip 172.16.0.0 0.0.31.255 192.168.111.0 0.0.0.255
ip policy-class Private
  allow list VPN-130-vpn-selectors3 stateless
  allow list VPN-110-vpn-selectors stateless
ip policy-class Public
  allow reverse list VPN-130-vpn-selectors3 stateless
  allow reverse list VPN-110-vpn-selectors stateless

Note the MOBILE pool in the IKE policy 105 we are using... that is for a software VPN we have for employees who are at customer sites so there is no need for it to be included at our home sites.

===========================================

I also have a static route configured for my VPN since my LAN falls within the /19 summary above to send my traffic right out our ISP gateway so I don't get a "TTL expiration" error.

One is not needed for his LAN because it is outside of that /19 summary.

We've tried deleting and recreating his VPN several times and cannot get it to come up; however, mine works perfectly fine. I also have a communication attempt that is rather long, showing the PAYLOAD and then an "ikephase1 timeout/retry", that I can provide as well.

0 Kudos
2 Replies
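When a hub/spoke pair is configured by copying a working tunnel, the usual culprits are a `local-id fqdn` that matches no `remote-id fqdn` on the hub, IKE attributes that drifted, or selector ACLs that are not exact mirrors of each other. The script below is an added example, not code from this thread or from Adtran: it parses the kind of excerpts posted above (tolerating the stray `ip ` prefix that appears in pasted configs) and reports the mismatches that would keep phase 1 or phase 2 from completing. The sample configs, the `203.0.113.10` office address and the `spoke_config` helper are constructed for the example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class AosVpnConfig:
    """Pieces of an AOS config that must agree between a dynamic-peer spoke and the static hub."""
    ike_local_ids: dict = field(default_factory=dict)  # ike policy -> 'local-id fqdn'
    ike_attrs: dict = field(default_factory=dict)      # ike policy -> {encryption, hash, authentication}
    remote_ids: dict = field(default_factory=dict)     # 'remote-id fqdn' -> crypto map it is bound to
    crypto_maps: dict = field(default_factory=dict)    # crypto map -> {match, transform, ike_policy}
    acls: dict = field(default_factory=dict)           # acl name -> [(src, src_wild, dst, dst_wild), ...]

def parse_aos(text):
    """Line-oriented parse of 'show run' excerpts; tolerates the stray 'ip ' prefix seen in pasted configs."""
    cfg, ctx = AosVpnConfig(), None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if m := re.match(r"crypto ike policy (\d+)$", line):
            ctx = ("ike", m.group(1))
            cfg.ike_attrs[ctx[1]] = {}
        elif m := re.match(r"crypto ike remote-id fqdn (\S+) .*crypto map (\S+ \d+)", line):
            ctx = None
            cfg.remote_ids[m.group(1)] = m.group(2)
        elif m := re.match(r"(?:ip )?crypto map (\S+ \d+) ipsec-ike", line):
            ctx = ("map", m.group(1))
            cfg.crypto_maps[ctx[1]] = {}
        elif m := re.match(r"ip access-list extended (\S+)", line):
            ctx = ("acl", m.group(1))
            cfg.acls[ctx[1]] = []
        elif re.match(r"(?:ip )?crypto ipsec|ip policy-class|crypto ike remote-id", line):
            ctx = None                                  # top-level sections this checker does not model
        elif ctx and ctx[0] == "ike":
            if m := re.match(r"local-id fqdn (\S+)", line):
                cfg.ike_local_ids[ctx[1]] = m.group(1)
            elif m := re.match(r"(encryption|hash|authentication) (\S+)", line):
                cfg.ike_attrs[ctx[1]][m.group(1)] = m.group(2)
        elif ctx and ctx[0] == "map":
            if m := re.match(r"match address (?:ip )?(\S+)", line):
                cfg.crypto_maps[ctx[1]]["match"] = m.group(1)
            elif m := re.match(r"set transform-set (\S+)", line):
                cfg.crypto_maps[ctx[1]]["transform"] = m.group(1)
            elif m := re.match(r"ike-policy (\d+)", line):
                cfg.crypto_maps[ctx[1]]["ike_policy"] = m.group(1)
        elif ctx and ctx[0] == "acl":
            if m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line):
                cfg.acls[ctx[1]].append(m.groups())
    return cfg

def check_spoke_hub(spoke, hub, spoke_map="VPN 10"):
    """List the mismatches that would keep phase 1 or phase 2 from completing; empty means consistent."""
    sm = spoke.crypto_maps[spoke_map]
    fqdn = spoke.ike_local_ids.get(sm["ike_policy"])
    hub_map = hub.remote_ids.get(fqdn)
    if hub_map is None:
        return [f"hub has no 'crypto ike remote-id fqdn {fqdn}' entry, so the phase 1 identity is never matched"]
    hm, problems = hub.crypto_maps[hub_map], []
    sa, ha = spoke.ike_attrs[sm["ike_policy"]], hub.ike_attrs[hm["ike_policy"]]
    if sa != ha:
        problems.append(f"IKE attributes differ: spoke {sa} vs hub {ha}")
    if sm["transform"] != hm["transform"]:
        problems.append(f"transform-set differs: {sm['transform']} vs {hm['transform']}")
    hub_mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in hub.acls[hm["match"]]}  # hub ACL as the spoke sees it
    for sel in sorted(set(spoke.acls[sm["match"]]) - hub_mirrored):
        problems.append(f"spoke selector {sel} has no mirror in hub ACL {hm['match']}; phase 2 would be rejected")
    return problems

# Constructed sample configs modelled on the thread; 203.0.113.10 stands in for the office public IP.
HUB = """
crypto ike policy 105
  local-id address 203.0.113.10
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
crypto ike remote-id fqdn JohnHome preshared-key REDACTED ike-policy 105 crypto map VPN 130 no-mode-config no-xauth
ip crypto map VPN 130 ipsec-ike
  match address ip VPN-130-vpn-selectors3
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 105
ip access-list extended VPN-130-vpn-selectors3
  permit ip 172.16.0.0 0.0.31.255 192.168.111.0 0.0.0.255
"""

def spoke_config(fqdn, lan_net, hash_alg="md5"):
    """Spoke (dynamic peer) config like the NV4305 excerpt, with the LAN subnet and IKE hash as parameters."""
    return f"""
crypto ike policy 100
  local-id fqdn {fqdn}
  attribute 1
    encryption 3des
    hash {hash_alg}
    authentication pre-share
crypto ike remote-id address 203.0.113.10 preshared-key REDACTED ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto map VPN 10 ipsec-ike
  match address VPN-10-vpn-selectors
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
ip access-list extended VPN-10-vpn-selectors
  permit ip {lan_net} 0.0.0.255 172.16.0.0 0.0.31.255
"""
```

`check_spoke_hub(parse_aos(spoke_config("JohnHome", "192.168.111.0")), parse_aos(HUB))` returns an empty list for the consistent pair; changing the LAN to `192.168.112.0` or the hash to `sha` on the spoke side produces one finding per mismatch. Run it against real `show run` output from both ends before starting a `debug crypto ike` session, since it answers the mechanical questions first.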

Re: VPN IKE up/IPsec down

Hi bdsmith2,

What are the errors shown in 'debug crypto ike' sessions run on both office and your boss' router while you try to ping between them to initiate a tunnel?  Please obfuscate any passwords and public IP addresses as you need to.

--

Kind regards,

Mick

Re: VPN IKE up/IPsec down

Hi Mick,

I was able to get it resolved with Adtran last week.  What it ended up being was there was a residual NAT statement for an old server we had decommissioned, so for whatever reason, the VPN was hitting that NAT statement as it entered our office NV4430 causing the distant ends to never reach the crypto map on this end.  Thanks for the reply!
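The root cause here is an ordering problem rather than a crypto one: a destination NAT entry with an overly broad ACL on the public interface claims the IKE and ESP packets addressed to the router's own public IP before the crypto map can process them. The following Python model is an added example, not code from this thread or from Adtran; it assumes a simplified first-match evaluation of an `ip policy-class` (entries tried top-down, first ACL hit wins, `reverse` entries matched with source and destination swapped) and uses constructed ACLs, a constructed office address `203.0.113.10` and a constructed peer address `198.51.100.7`. It probes the inbound policy-class with the packets a tunnel peer would send and reports any NAT entry that swallows them, so the same check can be run before and after removing the leftover statement.

```python
import ipaddress

def covers(net, wild, addr):
    """AOS ACLs use wildcard masks (a 1 bit means 'don't care'): True if addr falls inside (net, wild)."""
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, addr))
    fixed = ~w & 0xFFFFFFFF
    return (n & fixed) == (a & fixed)

def ace_matches(ace, pkt):
    """ace = (proto, src, src_wild, dst, dst_wild, dport); pkt = (proto, src, dst, dport). 'ip' / 'any' match all."""
    proto, src, sw, dst, dw, dport = ace
    return ((proto == "ip" or proto == pkt[0])
            and covers(src, sw, pkt[1]) and covers(dst, dw, pkt[2])
            and (dport == "any" or dport == pkt[3]))

def first_match(policy_class, acls, pkt):
    """Simplified model (an assumption of this example) of an AOS policy-class: entries are tried
    top-down and the first whose ACL matches claims the packet. 'reverse' entries match src/dst swapped."""
    for entry in policy_class:
        p = (pkt[0], pkt[2], pkt[1], pkt[3]) if "reverse" in entry["action"] else pkt
        if any(ace_matches(ace, p) for ace in acls[entry["list"]]):
            return entry
    return None

def nat_entries_claiming_tunnel_traffic(policy_class, acls, router_ip, peer_ip="198.51.100.7"):
    """Probe the inbound policy-class with IKE (udp/500, udp/4500) and ESP packets addressed to the router
    itself and report any NAT entry that claims them: such traffic is translated away before the crypto
    map ever sees it, which is the failure mode the thread describes."""
    probes = [("udp", peer_ip, router_ip, 500), ("udp", peer_ip, router_ip, 4500), ("esp", peer_ip, router_ip, "any")]
    hits = []
    for pkt in probes:
        hit = first_match(policy_class, acls, pkt)
        if hit and hit["action"].startswith("nat"):
            hits.append((pkt[0], pkt[3], hit["list"]))
    return hits

# Constructed sample: 203.0.113.10 is the office public IP, 172.16.5.x the old and current internal servers.
ACLS = {
    "OLD-SERVER-INBOUND": [("ip", "0.0.0.0", "255.255.255.255", "203.0.113.10", "0.0.0.0", "any")],  # leftover, far too broad
    "WEB-INBOUND": [("tcp", "0.0.0.0", "255.255.255.255", "203.0.113.10", "0.0.0.0", 443)],            # scoped to one service
    "VPN-130-vpn-selectors3": [("ip", "172.16.0.0", "0.0.31.255", "192.168.111.0", "0.0.0.255", "any")],
}
PUBLIC_BEFORE = [  # ip policy-class Public, in configured order
    {"action": "nat destination", "list": "OLD-SERVER-INBOUND", "address": "172.16.5.20"},
    {"action": "nat destination", "list": "WEB-INBOUND", "address": "172.16.5.30"},
    {"action": "allow reverse", "list": "VPN-130-vpn-selectors3"},
]
PUBLIC_AFTER = PUBLIC_BEFORE[1:]  # same policy-class with the decommissioned server's NAT removed
```

With `PUBLIC_BEFORE`, all three probes land on `OLD-SERVER-INBOUND`; with `PUBLIC_AFTER` none are claimed by a NAT entry, while the properly scoped `WEB-INBOUND` (tcp/443 only) still takes web traffic. The practical lesson is to scope every `nat destination` ACL to the protocol and port of the service it fronts, so a forgotten entry cannot silently absorb traffic meant for the router itself.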