IPSec VPN High-Availability with HSRP

There seems to be an SA, but pings fail...

r2#sh cry isa sa
dst             src             state          conn-id slot
136.3.234.254   136.3.234.2     QM_IDLE              1    0

r2#ping 150.1.1.1 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
U.U.U
Success rate is 0 percent (0/5)

It looks like outbound packets are in fact being encrypted.



r2#sh cry ipsec sa

interface: Ethernet0/0
    Crypto map tag: vpn, local addr. 136.3.234.2

   protected vrf:
   local  ident (addr/mask/prot/port): (150.1.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
   current_peer: 136.3.234.254:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 136.3.234.2, remote crypto endpt.: 136.3.234.254
     path mtu 1500, media mtu 1500
     current outbound spi: F46E1637

     inbound esp sas:
      spi: 0x60803BB5(1619016629)
        transform: esp-3des esp-md5-hmac ,


R1 does know how to get back to the loopback on r2:


r1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     136.1.0.0/24 is subnetted, 1 subnets
C       136.1.134.0 is directly connected, Ethernet0/0
     136.3.0.0/24 is subnetted, 1 subnets
R       136.3.234.0 [120/1] via 136.1.134.3, 00:00:00, Ethernet0/0
                    [120/1] via 136.1.134.4, 00:00:00, Ethernet0/0
     150.1.0.0/24 is subnetted, 2 subnets
R       150.1.2.0 [120/1] via 136.1.134.3, 00:00:00, Ethernet0/0
C       150.1.1.0 is directly connected, Loopback0
r1#

The crypto map looks to be correct:


r3#sh cry map
Redundancy Group: 1

Crypto Map "vpn" 10 ipsec-isakmp
    Peer = 136.3.234.2
    Extended IP access list r1-to-r2
        access-list r1-to-r2 permit ip 150.1.1.0 0.0.0.255 150.1.2.0 0.0.0.255
    Current peer: 136.3.234.2
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
        3des-md5,
    }
    Reverse Route Injection Enabled
    Interfaces using crypto map vpn:
        Ethernet0/1


The static route is injected, and since we saw it on R1 I know it's being redistributed.



r3#sh ip route
Nov  3 22:42:30.245: %SYS-5-CONFIG_I: Configured from console by console
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     136.1.0.0/24 is subnetted, 1 subnets
C       136.1.134.0 is directly connected, Ethernet0/0
     136.3.0.0/24 is subnetted, 1 subnets
C       136.3.234.0 is directly connected, Ethernet0/1
     150.1.0.0/24 is subnetted, 1 subnets
S       150.1.2.0 [1/0] via 136.3.234.2


When I fail R3's interface it takes a minute and gets a new SA, but it still fails.

r2#ping 150.1.1.1 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
.U.U.
Success rate is 0 percent (0/5)
r2#sh cry isa sa          
dst             src             state          conn-id slot
136.3.234.254   136.3.234.2     QM_IDLE              2    0
136.3.234.254   136.3.234.2     MM_NO_STATE          1    0 (deleted)

r2#


What am I missing here?

My configs can be found here on my blog.


Thanks.
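The counter pattern in the r2 output above (5 packets encapsulated, 0 decapsulated, 5 send errors, a second ISAKMP SA with the old one in MM_NO_STATE (deleted)) is the kind of thing that is worth pulling out of the show output mechanically when chasing a failover problem. The following is an added example, not code from the original post: a small Python parser for `show crypto ipsec sa` and `show crypto isakmp sa` output that reports one-directional SAs and counts only established, non-deleted phase 1 SAs. The two sample outputs embedded in it are constructed to mirror the r2 output in the post; the field names and regexes are assumptions about the IOS output format shown here and may need adjusting for other IOS versions.

```python
"""Parse Cisco IOS 'show crypto ipsec sa' / 'show crypto isakmp sa' output
and flag one-directional IPsec SAs. Added example, not from the post; the
samples below are constructed to mirror the r2 output shown in the post."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on 'r2#sh cry ipsec sa' in the post.
SAMPLE_IPSEC_SA = """\
interface: Ethernet0/0
    Crypto map tag: vpn, local addr. 136.3.234.2
   local  ident (addr/mask/prot/port): (150.1.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
   current_peer: 136.3.234.254:500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 5, #recv errors 0
     local crypto endpt.: 136.3.234.2, remote crypto endpt.: 136.3.234.254
     current outbound spi: F46E1637
     inbound esp sas:
      spi: 0x60803BB5(1619016629)
        transform: esp-3des esp-md5-hmac ,
"""

# Constructed sample, modelled on 'r2#sh cry isa sa' after the failover.
SAMPLE_ISAKMP_SA = """\
dst             src             state          conn-id slot
136.3.234.254   136.3.234.2     QM_IDLE              2    0
136.3.234.254   136.3.234.2     MM_NO_STATE          1    0 (deleted)
"""


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    outbound_spi: str = ""
    inbound_spis: list = field(default_factory=list)


_LOCAL = re.compile(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)")
_FIELDS = {  # attribute -> regex; assumed IOS output format
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
    "peer": re.compile(r"current_peer: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "outbound_spi": re.compile(r"current outbound spi: (\S+)"),
}
_ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")
_SPI = re.compile(r"spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """One IpsecSa per 'local ident' block, i.e. per crypto ACL entry."""
    sas, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _LOCAL.match(line)
        if m:
            cur, section = IpsecSa(local_ident=m.group(1)), None
            sas.append(cur)
            continue
        if cur is None:
            continue
        if line.endswith("esp sas:"):          # "inbound esp sas:" / "outbound esp sas:"
            section = line.split()[0]
            continue
        for attr, pat in _FIELDS.items():
            m = pat.match(line)
            if m:
                val = m.group(1)
                setattr(cur, attr, int(val) if attr in ("encaps", "decaps") else val)
        m = _ERRORS.match(line)
        if m:
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        m = _SPI.match(line)
        if m and section == "inbound":
            cur.inbound_spis.append(m.group(1))
    return sas


def diagnose(sa):
    """Findings about the direction in which an SA is failing."""
    findings = []
    if sa.encaps and not sa.decaps:
        findings.append("one-way: %d packets encapsulated toward %s, none decapsulated"
                        % (sa.encaps, sa.remote_ident))
    if sa.decaps and not sa.encaps:
        findings.append("one-way: decrypting from %s, sending nothing back" % sa.remote_ident)
    if sa.send_errors:
        findings.append("%d send errors on the outbound SA" % sa.send_errors)
    if not sa.encaps and not sa.decaps:
        findings.append("idle: no traffic has used this SA")
    return findings


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa', with '(deleted)' entries marked."""
    row = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")
    rows = []
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "conn_id": int(m.group(4)), "slot": int(m.group(5)),
                         "deleted": "deleted" in m.group(6)})
    return rows


def active_isakmp(rows):
    """Only established (QM_IDLE) and not-yet-deleted phase 1 SAs count."""
    return [r for r in rows if r["state"] == "QM_IDLE" and not r["deleted"]]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_IPSEC_SA):
        print(sa.local_ident, "->", sa.remote_ident, "via", sa.peer)
        for finding in diagnose(sa):
            print("  ", finding)
    print("active ISAKMP SAs:", active_isakmp(parse_isakmp_sa(SAMPLE_ISAKMP_SA)))
```

Feed it the real output captured from the router (`terminal length 0` first) rather than the samples; the useful signal is encaps counting up with decaps staying at zero, which says the far side's return traffic is never arriving at this SA regardless of how healthy the ISAKMP table looks.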
