2 Replies Latest reply on Jun 9, 2017 9:23 AM by bdsmith2

    VPN IKE up/IPsec down

    bdsmith2 New Member

We just underwent some changes to our network here and I was in touch with user "jayh", who was mighty helpful, so hopefully he sees this post as well.  After we got all our VLANs added, routing successfully configured, and all is well, I began to rebuild our primary 3 VPN tunnels.  The first is our satellite office up in Michigan, so I was able to get that set up and configured to work well; next I worked on my VPN tunnel back to my home (where I have a refurbished NV4430 running enhanced firmware) and got it working properly; then I was working on the VPN to my boss's house (where we have a refurbished NV4305 running enhanced firmware).  My boss's VPN is the only one seeming to give us problems. I tried to model it on the VPN to my house as an example, with minimal differences between the two, but no luck.  Here are the IKE policies and crypto map config excerpts for the VPNs:

      My NV4430 (Dynamic Peer)

      crypto ike policy 100
        initiate aggressive
        respond aggressive
        local-id fqdn BEN-NV4430
        peer <office IP here>
        attribute 1
          encryption 3des
          hash md5
          authentication pre-share

      crypto ike remote-id address <office IP here> preshared-key <key here> ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

      ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
        mode tunnel

      ip crypto map VPN 10 ipsec-ike
        description IEC OFFICE
        match address ip VPN-10-vpn-selectors
        set peer <office IP here>
        set transform-set esp-3des-esp-md5-hmac
        ike-policy 100

      ip access-list extended VPN-10-vpn-selectors
        permit ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.31.255

      ip policy-class Private
        allow list VPN-10-vpn-selectors stateless

      ip policy-class Public
        allow reverse list VPN-10-vpn-selectors stateless


      His NV4305 (Dynamic Peer)

      crypto ike policy 100
        initiate aggressive
        respond aggressive
        local-id fqdn JohnHome
        peer <office IP here>
        attribute 1
          encryption 3des
          hash md5
          authentication pre-share

      crypto ike remote-id address <office IP here> preshared-key <key here> ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

      crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
        mode tunnel

      crypto map VPN 10 ipsec-ike
        description IEC-OFFICE
        match address VPN-10-vpn-selectors3
        set peer <office IP here>
        set transform-set esp-3des-esp-md5-hmac
        ike-policy 100

      ip access-list extended VPN-10-vpn-selectors3
        permit ip 192.168.111.0 0.0.0.255 172.16.0.0 0.0.31.255

      ip policy-class Private
        allow list VPN-10-vpn-selectors3 stateless

      ip policy-class Public
        allow reverse list VPN-10-vpn-selectors3 stateless


      Office NV4430 (Static Peer)

      crypto ike policy 105
        no initiate
        respond anymode
        local-id address <office IP here>
        peer any
        client configuration pool MOBILE
        attribute 1
          encryption 3des
          hash md5
          authentication pre-share

      crypto ike remote-id fqdn BenHome preshared-key <key here> ike-policy 105 crypto map VPN 110 no-mode-config no-xauth
      crypto ike remote-id fqdn JohnHome preshared-key <key here> ike-policy 105 crypto map VPN 130 no-mode-config no-xauth

      ip crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
        mode tunnel

      ip crypto map VPN 110 ipsec-ike
        description BenHome
        match address ip VPN-110-vpn-selectors
        set transform-set esp-3des-esp-md5-hmac
        ike-policy 105

      ip crypto map VPN 130 ipsec-ike
        description JohnHome
        match address ip VPN-130-vpn-selectors3
        set transform-set esp-3des-esp-md5-hmac
        ike-policy 105

      ip access-list extended VPN-110-vpn-selectors
        permit ip 172.16.0.0 0.0.31.255 172.16.10.0 0.0.0.255 log

      ip access-list extended VPN-130-vpn-selectors3
        permit ip 172.16.0.0 0.0.31.255 192.168.111.0 0.0.0.255

      ip policy-class Private
        allow list VPN-130-vpn-selectors3 stateless
        allow list VPN-110-vpn-selectors stateless

      ip policy-class Public
        allow reverse list VPN-130-vpn-selectors3 stateless
        allow reverse list VPN-110-vpn-selectors stateless


      Note the MOBILE pool in IKE policy 105 we are using... that is for a software VPN we have for employees who are at customer sites, so there is no need for it to be included at our home sites.

       

      ===========================================

      I also have a static route configured for my VPN, since my LAN falls within the /19 summary above, to send my traffic right out our ISP gateway so I don't get a "TTL expiration" error.

      One is not needed for his LAN because it is outside of that /19 summary.

       

      We've tried deleting and recreating his VPN several times and cannot get it to come up; mine, however, works perfectly fine. I also have a communication attempt that is rather long, showing the PAYLOAD and then an "ikephase1 timeout/retry", that I can provide as well.
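As an added sanity check (not part of the original post or Adtran's tooling), the script below parses the four selector ACL lines quoted above, converts each wildcard-mask pair to a prefix, verifies that each home router's selector is the exact mirror of the matching office crypto map selector, and flags the case the post describes where a home LAN sits inside the office /19 summary and therefore needs the host-side static route. It only checks selector symmetry; it does not model NAT or policy-class ordering on the router.

```python
import ipaddress

# Selector lines copied from the thread; hub = office NV4430, spoke = home router.
HUB_BEN = "permit ip 172.16.0.0 0.0.31.255 172.16.10.0 0.0.0.255 log"
SPOKE_BEN = "permit ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.31.255"
HUB_JOHN = "permit ip 172.16.0.0 0.0.31.255 192.168.111.0 0.0.0.255"
SPOKE_JOHN = "permit ip 192.168.111.0 0.0.0.255 172.16.0.0 0.0.31.255"


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an 'address wildcard' pair (0 bits = fixed) into a prefix."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # host bits must be a contiguous run of ones
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_selector(line: str):
    """Parse 'permit ip SRC SWC DST DWC [log]'; returns (src_net, dst_net)."""
    t = line.split()
    if t[:2] != ["permit", "ip"] or len(t) < 6:
        raise ValueError(f"unsupported selector line: {line!r}")
    return wildcard_to_network(t[2], t[3]), wildcard_to_network(t[4], t[5])


def check_tunnel(hub_line: str, spoke_line: str) -> dict:
    """Compare one hub selector against the spoke selector it should mirror."""
    hub_src, hub_dst = parse_selector(hub_line)
    spk_src, spk_dst = parse_selector(spoke_line)
    return {
        "hub_side": f"{hub_src} -> {hub_dst}",
        "spoke_side": f"{spk_src} -> {spk_dst}",
        # Phase 2 proxy IDs must be exact mirrors or IPsec stays down.
        "mirrored": hub_src == spk_dst and hub_dst == spk_src,
        # Spoke LAN inside the hub summary: needs the static route the OP added.
        "spoke_lan_inside_hub_summary": spk_src.subnet_of(hub_src),
    }


if __name__ == "__main__":
    for name, hub, spoke in (("BenHome", HUB_BEN, SPOKE_BEN),
                             ("JohnHome", HUB_JOHN, SPOKE_JOHN)):
        print(name, check_tunnel(hub, spoke))
```

On the thread's selectors both tunnels come back mirrored, which is consistent with the eventual finding that the selectors were fine and the problem lay elsewhere.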

        • Re: VPN IKE up/IPsec down
          mick Visitor

          Hi bdsmith2,

           

          What are the errors shown in 'debug crypto ike' sessions run on both the office and your boss's router while you try to ping between them to initiate a tunnel?  Please obfuscate any passwords and public IP addresses as you need to.

          --

          Kind regards,

          Mick

            • Re: VPN IKE up/IPsec down
              bdsmith2 New Member

              Hi Mick,

               

              I was able to get it resolved with Adtran last week.  What it ended up being was that there was a residual NAT statement for an old server we had decommissioned, so for whatever reason the VPN traffic was hitting that NAT statement as it entered our office NV4430, causing the distant ends to never reach the crypto map on this end.  Thanks for the reply!