2 Replies Latest reply on Sep 15, 2015 12:13 PM by petersjncv

    2nd VPN tunnel will not come up

    kb9mfd New Member

I have two 3448s; both now have two internet connections and two VLANs. Each VLAN uses a different WAN through PBR, and that is working. I have two VPN tunnels, one for each VLAN, each going over a different WAN. The first VPN, for the Voice VLAN 110, which uses the main WAN on each side, works; the second VPN, for VLAN 100, will not come up. I have the settings for the tunnel the same for both, but even when I try to ping to initiate the tunnel, just as I did for the first tunnel, I get nothing. I did a debug crypto on all the sub-elements and nothing displays; unlike the other one, there is no attempt to bring the tunnel up. Because I am using PBR for the WAN on VLAN 100, is there something more I have to do? Here is the config:

      !
      ! ADTRAN, Inc. OS version R10.6.0.E
      ! Boot ROM version 13.03.00.SB
      ! Platform: NetVanta 3448, part number 1200821E1
      ! Serial number LBADTN1340AR588
      !
      !
      hostname "NV3448-BRD"
      !
      clock timezone -6-Central-Time
      !
      ip subnet-zero
      ip classless
      ip default-gateway 123.123.12.165
      ip routing
      ipv6 unicast-routing
      !
      !
      name-server 4.2.2.2 8.8.8.8
      !
      ip local policy route-map DATA-Map
      !
      no auto-config
      event-history on
      no logging forwarding
      logging forwarding priority-level info
      no logging email
      !
      service password-encryption
      !
      banner motd #

      #
      !
      !
      ip firewall
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      !
      no dot11ap access-point-control
      !
      ip dhcp database local
      ip dhcp excluded-address 172.16.10.1 172.16.10.49
      ip dhcp excluded-address 192.168.1.1 192.168.1.199
      !
      ip dhcp pool "Data"
        network 192.168.1.0 255.255.255.0
        dns-server 4.2.2.2 8.8.8.8
        default-router 192.168.1.1
      !
      ip dhcp pool "Voice"
        network 172.16.10.0 255.255.255.0
        dns-server 4.2.2.2 8.8.8.8
        default-router 172.16.10.2
      !
      ip crypto
      !
      crypto ike policy 100
        initiate main
        respond anymode
        local-id address 123.123.12.166
        peer 44.44.1.178
        attribute 1
          encryption 3des
          hash md5
          authentication pre-share
      !
      crypto ike policy 101
        initiate main
        respond anymode
        local-id address 123.123.112.146
        peer 99.99.99.99
        attribute 1
          encryption 3des
          hash md5
          authentication pre-share
      !
      crypto ike remote-id address 44.44.1.178 preshared-key pppppppp ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
      crypto ike remote-id address 99.99.99.99 preshared-key pppppppp ike-policy 101 crypto map VPN1 10 no-mode-config no-xauth
      !
      crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
        mode tunnel
      !
      crypto map VPN 10 ipsec-ike
        description Janesville Voice
        match address VPN-10-vpn-selectors
        set peer 44.44.1.178
        set transform-set esp-3des-esp-md5-hmac
        ike-policy 100
      !
      crypto map VPN1 10 ipsec-ike
        description Janesville Data
        match address VPN1-10-vpn-selectors
        set peer 99.99.99.99
        set transform-set esp-3des-esp-md5-hmac
        ike-policy 101
      !
      !
      !
      !
      vlan 1
        name "Default"
      !
      vlan 100
        name "Data"
      !
      vlan 110
        name "Voice"
      !
      !
      !
      no ethernet cfm
      !
      interface eth 0/1
        description Charter WAN
        ip address  123.123.12.166  255.255.255.252
        ip mtu 1500
        ip access-policy Public1
        crypto map VPN
        no shutdown
      !
      !
      interface eth 0/2
        description Charter WAN
        ip address  123.123.112.146  255.255.255.252
        ip mtu 1500
        ip access-policy Public2
        crypto map VPN1
        no shutdown
      !
      !
      !
      interface switchport 0/1
        description Link to Switch
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/2
        description Audiocodes
        spanning-tree edgeport
        no shutdown
        switchport access vlan 110
        qos default-cos 7
      !
      interface switchport 0/3
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/4
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/5
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/6
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/7
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/8
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      !
      !
      interface vlan 1
        no ip address
        shutdown
      !
      interface vlan 100
        description Data
        ip address  192.168.1.2  255.255.255.0
        no ip proxy-arp
        ip policy route-map DATA-Map
        ip mtu 1500
        ip access-policy Private
        no rtp quality-monitoring
        no awcp
        no shutdown
      !
      interface vlan 110
        description Voice
        ip address  172.16.10.2  255.255.255.0
        no ip proxy-arp
        ip mtu 1500
        ip access-policy Private
        no rtp quality-monitoring
        no awcp
        no shutdown
      !
      !
      !
      !
      route-map DATA-Map permit 10
        match ip address DataInt
        set ip next-hop 123.123.112.145
      !
      !
      !
      !
      ip access-list extended DataInt
        deny   ip 192.168.0.0 0.0.0.255  192.168.0.0 0.0.0.255     log
        deny   ip 192.168.0.0 0.0.0.255  192.168.1.0 0.0.0.255     log
        deny   ip 192.168.0.0 0.0.0.255  172.16.0.0 0.0.0.255     log
        deny   ip 192.168.0.0 0.0.0.255  172.16.10.0 0.0.0.255     log
        deny   ip 192.168.1.0 0.0.0.255  192.168.0.0 0.0.0.255     log
        deny   ip 192.168.1.0 0.0.0.255  192.168.1.0 0.0.0.255     log
        deny   ip 192.168.1.0 0.0.0.255  172.16.0.0 0.0.0.255     log
        deny   ip 192.168.1.0 0.0.0.255  172.16.10.0 0.0.0.255     log
        deny   ip 172.16.0.0 0.0.0.255  172.16.0.0 0.0.0.255     log
        deny   ip 172.16.0.0 0.0.0.255  172.16.10.0 0.0.0.255     log
        deny   ip 172.16.0.0 0.0.0.255  192.168.0.0 0.0.0.255     log
        deny   ip 172.16.0.0 0.0.0.255  192.168.1.0 0.0.0.255     log
        deny   ip 172.16.10.0 0.0.0.255  172.16.0.0 0.0.0.255     log
        deny   ip 172.16.10.0 0.0.0.255  172.16.10.0 0.0.0.255     log
        deny   ip 172.16.10.0 0.0.0.255  192.168.0.0 0.0.0.255     log
        deny   ip 172.16.10.0 0.0.0.255  192.168.1.0 0.0.0.255     log
        permit ip any  any     log
      !
      ip access-list extended self
        remark Traffic to NetVanta
        permit ip any  any     log
      !
      ip access-list extended VPN-10-vpn-selectors
        permit ip 172.16.10.0 0.0.0.255  172.16.0.0 0.0.0.255
      !
      ip access-list extended VPN1-10-vpn-selectors
        permit ip 192.168.1.0 0.0.0.255  192.168.0.0 0.0.0.255
      !
      ip access-list extended web-acl-6
        remark NAT Public 1
        permit ip any  any     log
      !
      ip access-list extended web-acl-7
        remark NAT Public 2
        permit ip any  any     log
      !
      ip policy-class Private
        allow list VPN1-10-vpn-selectors stateless
        allow list VPN-10-vpn-selectors stateless
        allow list self self
        nat source list web-acl-6 interface eth 0/1 overload policy Public1
        nat source list web-acl-7 interface eth 0/2 overload policy Public2
      !
      ip policy-class Public1
        allow reverse list VPN-10-vpn-selectors stateless
      !
      ip policy-class Public2
        allow reverse list VPN1-10-vpn-selectors stateless
      !
      ip route 0.0.0.0 0.0.0.0 123.123.12.165
      ip route 0.0.0.0 0.0.0.0 123.123.112.145 5
      !
      no tftp server
      no tftp server overwrite
      http server
      http secure-server
      no snmp agent
      no ip ftp server
      ip ftp server default-filesystem flash
      no ip scp server
      no ip sntp server
      !
      !
      ip sip udp 5060
      ip sip tcp 5060
      !

        • Re: 2nd VPN tunnel will not come up
          setel.uc New Member

          I know this is a year old, but did you get this to work? I am about to implement this same exact scenario - my config is almost identical to yours, so I'm guessing I will have the same problem. 

            • Re: 2nd VPN tunnel will not come up
              petersjncv Visitor

              If you use the same config as the one posted, it will not work.

               

              There should be a dedicated static route for the 2nd VPN if you want both tunnels up at the same time.  Just because the crypto map is on the 2nd WAN interface doesn't mean the router will forward packets to the destination out that interface.  You can use a PBR for this, but it must be used as the global policy and not be attached to an interface, as that will only apply the policy to packets matched coming into that interface.

               

              You will also need a static route or PBR for the LOCAL traffic that is supposed to traverse the VPN, so that each network goes out the correct tunnel.

               

              So, in general terms:

               

              **ROUTES**

              0.0.0.0 0.0.0.0 gateway1

              0.0.0.0 0.0.0.0 gateway2 5 (weighted for failover, presumably.  This could be better done through the WLR features of the router, using a track.  The primary route only goes away if the interface goes down configured this way).

              VPN#1.DEST.IP 255.255.255.255 gateway1

              VPN#2.DEST.IP 255.255.255.255 gateway2

              172.16.0.0 255.255.255.0 gateway1 (this forces traffic to that interface and it will be matched by the crypto policy so it doesn't go public)

              192.168.0.0 255.255.255.0 gateway2 (this forces traffic to that interface and it will be matched by the crypto policy so it doesn't go public)
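To make the routing point in this reply concrete, here is an added example (my own model, not ADTRAN code or anything from the thread) that walks the posted config's route-map, routing table and per-interface crypto maps for a LAN flow and reports which WAN interface the packet leaves on and whether that interface's crypto map has a selector for it. The DataInt ACL is abridged to the two deny pairs that matter, and the added routes are the ones the reply recommends.

```python
import ipaddress

# Constructed model of the posted NetVanta config (not device code).
ROUTES = [("0.0.0.0/0", "123.123.12.165", 1),      # primary default (eth 0/1)
          ("0.0.0.0/0", "123.123.112.145", 5)]     # floating default (eth 0/2)
GATEWAYS = {"123.123.12.165": "eth 0/1", "123.123.112.145": "eth 0/2"}
# crypto map applied on each WAN interface and its selector ACL (src, dst)
CRYPTO_MAPS = {"eth 0/1": ("VPN",  [("172.16.10.0/24", "172.16.0.0/24")]),
               "eth 0/2": ("VPN1", [("192.168.1.0/24", "192.168.0.0/24")])}
# DATA-Map on vlan 100: inter-LAN pairs are denied (abridged), so they fall
# through to the routing table; everything else goes to the second gateway
PBR_INGRESS = "192.168.1.0/24"
PBR_DENY = [("192.168.1.0/24", "192.168.0.0/24"), ("192.168.1.0/24", "172.16.0.0/24")]
PBR_NEXT_HOP = "123.123.112.145"

def in_pair(src, dst, pair):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(pair[0])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(pair[1]))

def egress(src, dst, routes):
    """WAN interface for a flow: route-map first, then longest prefix, lowest metric."""
    if (ipaddress.ip_address(src) in ipaddress.ip_network(PBR_INGRESS)
            and not any(in_pair(src, dst, p) for p in PBR_DENY)):
        return GATEWAYS[PBR_NEXT_HOP]
    best = None
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, next_hop)
    return GATEWAYS[best[1]]

def tunnel_for(src, dst, routes):
    """(egress interface, crypto map whose selector matches the flow, or None)."""
    iface = egress(src, dst, routes)
    name, selectors = CRYPTO_MAPS[iface]
    return iface, name if any(in_pair(src, dst, p) for p in selectors) else None

# Dedicated routes from the reply: remote data LAN and the 2nd peer via gateway2
FIXED_ROUTES = ROUTES + [("192.168.0.0/24", "123.123.112.145", 1),
                         ("99.99.99.99/32", "123.123.112.145", 1)]

if __name__ == "__main__":
    print(tunnel_for("172.16.10.5", "172.16.0.5", ROUTES))          # ('eth 0/1', 'VPN')
    print(tunnel_for("192.168.1.10", "192.168.0.10", ROUTES))       # ('eth 0/1', None)
    print(tunnel_for("192.168.1.10", "192.168.0.10", FIXED_ROUTES)) # ('eth 0/2', 'VPN1')
```

With the posted routes the data flow is denied by DATA-Map, falls to the primary default and leaves eth 0/1, where only crypto map VPN is applied, so nothing ever triggers VPN1 and debug crypto stays silent; the two added routes move it to eth 0/2.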