Multiple IPsec Tunnels from Main Site

Hi!

I have set up multiple site-to-site IPsec tunnels from our main site to our smaller sites.

The weird thing is that whenever I enter the “match address” for that specific site, the VPN traffic stops even if the tunnel is up.

This is the base of it:

crypto map dyn-map 11 match address VPN-ACL1
crypto map dyn-map 11 set peer XXX.XXX.XXX.XX1
crypto map dyn-map 11 set ikev2 ipsec-proposal Ikev2-AES256-SHA256
crypto map dyn-map 12 set peer XXX.XXX.XXX.XX2
crypto map dyn-map 12 set ikev1 transform-set THN_VPN2
crypto map dyn-map 13 set peer XXX.XXX.XXX.XX3
crypto map dyn-map 13 set ikev1 transform-set THN_VPN3
crypto map dyn-map 14 set peer XXX.XXX.XXX.XX4
crypto map dyn-map 14 set ikev1 transform-set THN_VPN4
crypto map dyn-map interface outside

The tunnels work like this (the smaller sites have “match address”).

As you can see, I only have one working match address in this configuration.
Should they all be in the same ACL?

Any ideas why this might be happening?

Hello Ali

So from what I understand, your match address command for map 11 using VPN-ACL1 is working correctly, right? But when you add the match address for the other sites (12, 13 etc) those don’t seem to work. Traffic stops functioning on them, right?

The ACLs are used to match interesting traffic, that is, traffic that should be tunneled and encrypted. Without those ACLs indicating what is interesting traffic, the config is incomplete. So you should have a separate ACL that indicates the interesting traffic for each of your tunnels. Can you give us a little more information about the behavior you are experiencing so that we can help you further?

I hope this has been helpful!

Laz
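As an added example (not code from the thread, and not a Cisco tool), the following Python script applies the points Laz makes to pasted ASA configuration lines: every static crypto map entry needs a match address, a peer and a transform set or IPsec proposal; the ACL that defines interesting traffic for a tunnel must be the mirror image of the ACL on the far side; and, because the ASA evaluates crypto map entries in sequence-number order and the first matching ACL wins, the ACLs of different entries should not overlap. The configuration text, the 203.0.113.x peer addresses and the 192.168.x.x networks are constructed for the example, modelled on the entries posted in the thread, and the parser only understands the `network mask` ACE form shown here (no `host`, `any` or object groups).

```python
"""Sanity checks for Cisco ASA crypto map configurations.

Added example for this thread, not ASA code: it parses 'show run' style
lines an admin would paste and reports incomplete entries, non-mirrored
ACLs and overlapping ACLs. All addresses below are constructed."""
import ipaddress
import re
from collections import defaultdict

# access-list NAME extended permit|deny PROTO SRC SMASK DST DMASK (network/mask form only)
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
MAP_RE = re.compile(r"crypto map\s+(\S+)\s+(\d+)\s+(.*)$")
REQUIRED = ("match address", "set peer", "transform")  # every static entry needs all three


def parse(text):
    """Return (maps, acls): maps[name][seq] -> entry attributes,
    acls[name] -> list of (action, proto, src_net, dst_net)."""
    maps = defaultdict(lambda: defaultdict(dict))
    acls = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, proto, src, smask, dst, dmask = m.groups()
            acls[name].append((action, proto,
                               ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = MAP_RE.match(line)   # 'crypto map NAME interface ...' has no seq and is skipped
        if m:
            name, seq, rest = m.groups()
            entry = maps[name][int(seq)]
            if rest.startswith("match address "):
                entry["match address"] = rest.split()[2]
            elif rest.startswith("set peer "):
                entry["set peer"] = rest.split()[2]
            elif "transform-set" in rest or "ipsec-proposal" in rest:
                entry["transform"] = rest.split()[-1]
    return maps, acls


def incomplete_entries(maps):
    """(map, seq, missing fields) for every entry lacking ACL, peer or proposal."""
    return [(name, seq, [f for f in REQUIRED if f not in entry])
            for name, entries in maps.items()
            for seq, entry in sorted(entries.items())
            if any(f not in entry for f in REQUIRED)]


def is_mirror(local_acl, remote_acl):
    """True when each permit ACE on one side appears on the other with src/dst swapped."""
    local = {(p, s, d) for a, p, s, d in local_acl if a == "permit"}
    remote_swapped = {(p, d, s) for a, p, s, d in remote_acl if a == "permit"}
    return local == remote_swapped


def _acls_overlap(a1, a2):
    return any(p1 == p2 and s1.overlaps(s2) and d1.overlaps(d2)
               for _, p1, s1, d1 in a1 for _, p2, s2, d2 in a2)


def overlapping_entries(maps, acls):
    """Pairs (map, lower seq, higher seq) whose ACLs cover a common flow.
    The ASA takes the first entry whose ACL matches, so the higher sequence
    number (and its peer) never sees that traffic."""
    out = []
    for name, entries in maps.items():
        seqs = sorted(entries)
        for i, s1 in enumerate(seqs):
            for s2 in seqs[i + 1:]:
                a1 = acls.get(entries[s1].get("match address"), [])
                a2 = acls.get(entries[s2].get("match address"), [])
                if _acls_overlap(a1, a2):
                    out.append((name, s1, s2))
    return out


# Constructed sample configs. Entry 12 is deliberately left without an ACL,
# as in the thread, and VPN-ACL3 is deliberately too broad.
MAIN_SITE = """
access-list VPN-ACL1 extended permit ip 192.168.20.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list VPN-ACL2 extended permit ip 192.168.20.0 255.255.255.0 192.168.27.0 255.255.255.240
access-list VPN-ACL3 extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list VPN-ACL4 extended permit ip 192.168.20.0 255.255.255.0 192.168.28.0 255.255.255.0
crypto map dyn-map 11 match address VPN-ACL1
crypto map dyn-map 11 set peer 203.0.113.11
crypto map dyn-map 11 set ikev2 ipsec-proposal Ikev2-AES256-SHA256
crypto map dyn-map 12 set peer 203.0.113.12
crypto map dyn-map 12 set ikev1 transform-set THN_VPN2
crypto map dyn-map 13 match address VPN-ACL3
crypto map dyn-map 13 set peer 203.0.113.13
crypto map dyn-map 13 set ikev1 transform-set THN_VPN3
crypto map dyn-map 14 match address VPN-ACL4
crypto map dyn-map 14 set peer 203.0.113.14
crypto map dyn-map 14 set ikev1 transform-set THN_VPN4
crypto map dyn-map interface outside
"""
SITE_12 = """
access-list VPN-ACL extended permit ip 192.168.27.0 255.255.255.240 192.168.20.0 255.255.255.0
crypto map VPNMAP 12 match address VPN-ACL
crypto map VPNMAP 12 set peer 203.0.113.1
crypto map VPNMAP 12 set ikev1 transform-set THN_VPN2
crypto map VPNMAP interface outside
"""

if __name__ == "__main__":
    maps, acls = parse(MAIN_SITE)
    _, remote_acls = parse(SITE_12)
    print("incomplete:", incomplete_entries(maps))
    print("VPN-ACL2 mirrors site 12:", is_mirror(acls["VPN-ACL2"], remote_acls["VPN-ACL"]))
    print("overlapping:", overlapping_entries(maps, acls))
```

Running it on the constructed input reports entry 12 as missing its match address, confirms that VPN-ACL2 is the mirror of the site 12 ACL (so that is the ACL entry 12 should reference), and flags entries 13 and 14 because the /16 in VPN-ACL3 swallows the subnet VPN-ACL4 is meant to send to peer 14.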

Hi!

Sorry for the late response!

So from what I understand, your match address command for map 11 using VPN-ACL1 is working correctly, right? But when you add the match address for the other sites (12, 13 etc) those don’t seem to work. Traffic stops functioning on them, right?

Exactly so!

What’s happening is that if I put the statement on those specific tunnels as well, the traffic stops.
So let’s say that I would add:

crypto map dyn-map 12 match address VPN-ACL2

Site 12 would stop working and the tunnel wouldn’t come up; if I remember correctly, it says something about not having any “interesting” traffic.
This happens for the rest of the tunnels as well.
The strange thing is that the tunnel works as expected when the configuration is “incomplete” but not when I complete the configuration by adding “match address”.

Forgot to mention that I am working on ASA routers for all sites.

This is the configuration on the other side: Site 12.

access-list VPN-ACL extended permit ip 192.168.27.0 255.255.255.240 192.168.20.0 255.255.255.0
crypto map VPNMAP 12 match address VPN-ACL
crypto map VPNMAP 12 set peer XXX.XXX.XXX.XXX
crypto map VPNMAP 12 set ikev1 transform-set THN_VPN2
crypto map VPNMAP interface outside

It should not work when it’s incomplete, but it does. And it should work when it’s complete, which it doesn’t :smiley:. So the configuration has to be incomplete on the main site for it to work. Can I be missing some proxy commands after the ACL statement?

I have gone over every textbook and also your site on how to set this up (they are exactly the same configuration).

Hello Ali

This sounds like a strange situation. If you have no crypto maps referencing ACLs to define interesting traffic, and yet your tunnels are up and running, something else must be matching to create interesting traffic. Also you mentioned that when you apply the ACL, the tunnel would go down and an error message about not having any interesting traffic appears? Can you elaborate on that? Where do you see it and under what circumstances?

I suggest you use some debugs on your topology to determine how traffic is matched and sent through the tunnel. You can use one or more of the following:

  • debug crypto ipsec
  • debug crypto isakmp
  • debug crypto ikev2 protocol
  • debug crypto ikev2 platform
  • debug crypto ikev2 internal
  • debug access-list

Let us know how you get along in your troubleshooting, and share with us your results so we can help you further.

I hope this has been helpful!

Laz