Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Site-Site VPN in AOS 6.1.2.5

  • 1.  Site-Site VPN in AOS 6.1.2.5

    Posted Jan 06, 2012 10:57 AM

    Hello all,

    I successfully configured a site-to-site VPN between a 2400 and a 3400 on AOS 5 using this configuration, but for AOS 6 between 620 and 3400 controllers, the tunnel could not establish.  I knew UDP 4500 is working, because RAPs are working and using the same tunnel.  Here are my configurations:


    At master:

    (BTCWC03) #show datapath session table 66.37.244.77

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal

      Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Flags
    --------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- -----
    66.37.244.77    172.18.254.96   17   4500  4500   0/0     0 0   4   local       41   FY
    172.18.254.96   66.37.244.77    17   4500  4500   0/0     0 0   0   local       41   FC


    #show crypto-local ipsec-map MASTER2SITE
    Crypto Map Template"MASTER2SITE" 100
             IKE Version: 1
             lifetime: [300 - 86400] seconds, no volume limit
             PFS (Y/N): N
             Transform sets={ *DEFAULT-TRANSFORM* }
             Peer gateway: 66.37.244.77
             Interface: VLAN 1
             Source network: 172.18.0.0/255.255.0.0
             Destination network: 172.16.18.0/255.255.255.0
             Pre-Connect (Y/N): Y
             Tunnel Trusted (Y/N): Y
             Forced NAT-T (Y/N): N (tried with both Y and N)

    At site:

    #show crypto-local ipsec-map
    Crypto Map Template"SITE2MASTER" 100
             IKE Version: 1
             lifetime: [300 - 86400] seconds, no volume limit
             PFS (Y/N): N
             Transform sets={ *DEFAULT-TRANSFORM* }
             Peer gateway: 192.188.142.132 (this address is NATed to the master IP address)
             Interface: VLAN 10
             Source network: 172.16.18.0/255.255.255.0
             Destination network: 172.18.0.0/255.255.0.0
             Pre-Connect (Y/N): Y
             Tunnel Trusted (Y/N): Y
             Forced NAT-T (Y/N): N (tried with both Y and N)

    Thank you for your help!

    Trinh Nguyen




  • 2.  RE: Site-Site VPN in AOS 6.1.2.5

    EMPLOYEE
    Posted Jan 06, 2012 11:27 AM

    Use force NAT-T on both sides, otherwise the tunnel will require ports besides UDP 4500.

    Pre-Connect decides which side will establish the tunnel, and you should have it only on one side for now so that it is deterministic.

    Use "show crypto ipsec sa" to see if there is a security association between those two sides.  If not, we have to do debugging on the security logs to find out how the tunnel gets established and why it does not get set up.
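Added example (not code from this thread, from the posters, or from HPE Aruba): a small Python checker that parses the text printed by "show crypto-local ipsec-map" for each end of a site-to-site map and applies the advice in this reply to the pair: source/destination networks must mirror each other, IKE version/PFS/transform set must agree, Forced NAT-T should be Y on both sides, and Pre-Connect should be Y on exactly one side. The two sample maps below are constructed from the shape of the output in the original post (the poster's parenthetical notes removed); the field labels are taken from that output, and the regular expressions that read them are an assumption about how other AOS versions print the same fields.

```python
import ipaddress
import re

# Constructed sample inputs, shaped like the `show crypto-local ipsec-map`
# output quoted in the original post (parenthetical notes removed).
MASTER_MAP = """\
Crypto Map Template"MASTER2SITE" 100
         IKE Version: 1
         lifetime: [300 - 86400] seconds, no volume limit
         PFS (Y/N): N
         Transform sets={ *DEFAULT-TRANSFORM* }
         Peer gateway: 66.37.244.77
         Interface: VLAN 1
         Source network: 172.18.0.0/255.255.0.0
         Destination network: 172.16.18.0/255.255.255.0
         Pre-Connect (Y/N): Y
         Tunnel Trusted (Y/N): Y
         Forced NAT-T (Y/N): N
"""

SITE_MAP = """\
Crypto Map Template"SITE2MASTER" 100
         IKE Version: 1
         lifetime: [300 - 86400] seconds, no volume limit
         PFS (Y/N): N
         Transform sets={ *DEFAULT-TRANSFORM* }
         Peer gateway: 192.188.142.132
         Interface: VLAN 10
         Source network: 172.16.18.0/255.255.255.0
         Destination network: 172.18.0.0/255.255.0.0
         Pre-Connect (Y/N): Y
         Tunnel Trusted (Y/N): Y
         Forced NAT-T (Y/N): N
"""


def parse_ipsec_map(text):
    """Turn one ipsec-map entry into a dict keyed by the printed labels.

    Adds "name" and "number" from the Crypto Map Template header. The
    "(Y/N)" suffix is dropped from labels, so "Forced NAT-T (Y/N): N"
    becomes fields["Forced NAT-T"] == "N".
    """
    header = re.search(r'Crypto Map Template"([^"]+)"\s+(\d+)', text)
    if header is None:
        raise ValueError("no Crypto Map Template header found")
    fields = {"name": header.group(1), "number": int(header.group(2))}
    # "Label: value" and "Label (Y/N): value" lines.
    for label, value in re.findall(
            r"^\s*([A-Za-z][A-Za-z \-]*?)(?: \(Y/N\))?:\s*(.+?)\s*$", text, re.M):
        fields[label] = value
    # "Transform sets={ ... }" uses '=' rather than ':'.
    sets = re.search(r"Transform sets=\{(.*?)\}", text)
    if sets:
        fields["Transform sets"] = sets.group(1).strip()
    return fields


def network(spec):
    """'172.18.0.0/255.255.0.0' (address/netmask form) -> IPv4Network."""
    return ipaddress.ip_network(spec, strict=False)


def check_pair(a, b):
    """Return a list of findings for the two ends of one site-to-site map."""
    findings = []
    if (network(a["Source network"]) != network(b["Destination network"])
            or network(a["Destination network"]) != network(b["Source network"])):
        findings.append("source/destination networks are not mirrored between the two maps")
    for label in ("IKE Version", "PFS", "Transform sets"):
        if a.get(label) != b.get(label):
            findings.append(f"{label} differs: {a.get(label)!r} vs {b.get(label)!r}")
    if not all(side.get("Forced NAT-T") == "Y" for side in (a, b)):
        findings.append("Forced NAT-T is not enabled on both sides; without it the "
                        "tunnel needs ports besides UDP 4500")
    initiators = sum(side.get("Pre-Connect") == "Y" for side in (a, b))
    if initiators != 1:
        findings.append(f"Pre-Connect is set on {initiators} side(s); set it on exactly "
                        "one side so the initiator is deterministic")
    return findings


if __name__ == "__main__":
    master, site = parse_ipsec_map(MASTER_MAP), parse_ipsec_map(SITE_MAP)
    for finding in check_pair(master, site) or ["no findings"]:
        print(f"{master['name']} <-> {site['name']}: {finding}")
```

Run against the thread's two maps as posted it reports the two items this reply raises (NAT-T off on both sides, Pre-Connect on both sides) and nothing about the networks, which do mirror correctly. It cannot check the peer gateway, since the site points at a NATed address for the master; that still has to be verified by hand.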



  • 3.  RE: Site-Site VPN in AOS 6.1.2.5

    Posted Jan 06, 2012 02:49 PM

    Thanks for your response Colin, but still no tunnel.

    I compared the configuration with a known working AOS 5 site-to-site VPN; they are identical.  I remember when I first set up AOS 6, I could not get the RAP tunnel to work, so I opened a case with support; he had to add this line to ip access-list session "control", and RAP took off immediately.

     10        any     any          udp 8209      permit      Low

    Any more suggestions or ideas?  What is the best debug for VPN?

    Regards,

    Trinh Nguyen



  • 4.  RE: Site-Site VPN in AOS 6.1.2.5

    EMPLOYEE
    Posted Jan 06, 2012 02:54 PM

    Port 8209 is only used for APs... so that will not work here.

    All I can say is: make sure that the VLAN is the VLAN of the egress interface of the controller.

    Turn on debugging:

    config t
    logging level debug security process l2tp
    logging level debug security process crypto
    logging level debug security subcat vpn
    logging level debug security subcat IKE

    Then, while it is connecting, do a "show log security 50"



  • 5.  RE: Site-Site VPN in AOS 6.1.2.5
    Best Answer

    Posted Jan 06, 2012 04:10 PM

    Don't ask me why it works, but here is how I did it: deleted both ipsec-local maps at the master and site controllers, then rebuilt the new maps with different names and a different ipsec-map number.  Problem solved just like that!



  • 6.  RE: Site-Site VPN in AOS 6.1.2.5

    EMPLOYEE
    Posted Jan 06, 2012 04:29 PM

    Glad to hear it!