Issue with IPsec on IOS routers
wseyller
Member Posts: 44
I have been able to get IPsec working in GNS3 with two Cisco 7200 routers. I use a router in the middle to simulate the ISP. I can pass traffic between the two LANs.
I have applied the same configuration to two real routers and I can't get traffic to pass. The tunnel shows up on both devices after attempting to send traffic.
Is this an issue with different platforms or different versions of IOS? I can't make it work on real routers. I just put a router in the middle again to simulate an ISP.
Here is the configuration I copy and paste into each router.
ROUTER 1 - Cisco 2821 with IOS 15.1
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key GbgcvA9TrpfJe9ja address 99.65.224.217
!
ip access-list extended VPN-TRAFFIC
permit ip host 10.1.2.57 192.168.55.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 99.65.224.217
set transform-set TS
match address VPN-TRAFFIC
!
interface FastEthernet0/1
ip address 10.1.2.1 255.255.255.0
ip nat inside
no shut
!
interface FastEthernet0/0
ip address 110.50.101.212 255.255.252.0
ip nat outside
crypto map CMAP
no shut
!
ip nat inside source list 100 interface fastethernet0/0 overload
!
access-list 100 deny ip host 10.1.2.57 192.168.55.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 110.50.100.1
ROUTER 2 - Cisco 1841 with IOS 12.4
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key GbgcvA9TrpfJe9ja address 110.50.101.212
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.55.0 0.0.0.255 host 10.1.2.57
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 110.50.101.212
set transform-set TS
match address VPN-TRAFFIC
!
interface FastEthernet0/1
ip address 192.168.55.1 255.255.255.0
ip nat inside
no shut
!
interface FastEthernet0/0
ip address 99.65.224.217 255.255.252.0
ip nat outside
crypto map CMAP
no shut
!
ip nat inside source list 100 interface fastethernet0/0 overload
!
access-list 100 deny ip 192.168.55.0 0.0.0.255 host 10.1.2.57
access-list 100 permit ip 192.168.55.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 99.65.224.1
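As an added check for the two configurations above (example code, not from the original post and not a Cisco tool): the script below parses both configs, copied from the post and trimmed to the lines it reads, and tests the two ACL properties a crypto-map tunnel behind NAT overload depends on. Each side's crypto ACL must be the exact mirror of the other's, and the NAT source ACL must deny the VPN traffic before any permit that would translate it, because IOS applies inside-to-outside NAT before it consults the crypto map. The names R1 and R2 are labels chosen for this example.

```python
"""Mirror/NAT consistency checker for two IOS crypto-map site-to-site configs.
Added example, not code from the original post: parses both posted configs
(trimmed to what it reads) and flags the two ACL faults that most often leave
the SA up with no traffic: crypto ACLs that are not exact mirrors, and
interesting traffic the NAT ACL still permits, so IOS translates it first.
"""
import ipaddress

def _addr(tok, i):
    """ACL address spec at tok[i] -> ((network, wildcard) as ints, next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def parse_ace(tok):
    """['permit', 'ip', 'host', A, B, wc] -> (action, src_spec, dst_spec, text)."""
    src, i = _addr(tok, 2)
    return tok[0], src, _addr(tok, i)[0], " ".join(tok)

def _overlaps(a, b):
    """True when two (network, wildcard) specs share at least one address."""
    fixed = ~(a[1] | b[1]) & 0xFFFFFFFF
    return (a[0] & fixed) == (b[0] & fixed)

def parse_ios(text):
    """Collect crypto-map entries, ACLs and the NAT source list from a config."""
    cfg = {"acl": {}, "cmap": {}, "nat_acl": None}
    block = None  # crypto-map dict or ACL list currently being filled
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] in ("!", "interface", "ip", "crypto", "access-list"):
            block = None  # any top-level command ends the previous block
        if tok[:2] == ["crypto", "map"] and len(tok) > 3 and tok[3].isdigit():
            block = cfg["cmap"].setdefault((tok[2], tok[3]), {})
        elif tok[:3] == ["ip", "access-list", "extended"]:
            block = cfg["acl"].setdefault(tok[3], [])
        elif tok[0] == "access-list":
            cfg["acl"].setdefault(tok[1], []).append(parse_ace(tok[2:]))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = tok[5]
        elif isinstance(block, dict) and tok[0] in ("set", "match"):
            block[tok[1]] = tok[2]  # peer / transform-set / address
        elif isinstance(block, list) and tok[0] in ("permit", "deny"):
            block.append(parse_ace(tok))
    return cfg

def _check_side(local, remote, me, them, out):
    """One direction of the comparison; check_pair runs it both ways."""
    mirror = {(a[1], a[2]) for e in remote["cmap"].values()
              for a in remote["acl"].get(e.get("address"), []) if a[0] == "permit"}
    nat = local["acl"].get(local["nat_acl"], [])
    for (name, seq), entry in local["cmap"].items():
        for act, src, dst, text in local["acl"].get(entry.get("address"), []):
            if act != "permit":
                continue
            if (dst, src) not in mirror:
                out.append(f"{me}: crypto map {name} {seq} entry '{text}' is not mirrored on {them}")
            # the first NAT ACL entry this flow can hit decides whether it is translated
            hit = next((a for a in nat if _overlaps(a[1], src) and _overlaps(a[2], dst)), None)
            if hit and hit[0] == "permit":
                out.append(f"{me}: NAT ACL {local['nat_acl']} entry '{hit[3]}' translates "
                           f"'{text}' before the crypto map sees it; add a deny ahead of it")

def check_pair(cfg_a, cfg_b, names=("R1", "R2")):
    """Findings for both directions; an empty list means the sides agree."""
    out = []
    _check_side(cfg_a, cfg_b, names[0], names[1], out)
    _check_side(cfg_b, cfg_a, names[1], names[0], out)
    return out

# The two configs from the post, trimmed to the lines the checker reads.
R1 = """\
ip access-list extended VPN-TRAFFIC
 permit ip host 10.1.2.57 192.168.55.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
ip nat inside source list 100 interface fastethernet0/0 overload
access-list 100 deny ip host 10.1.2.57 192.168.55.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
"""
R2 = """\
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.55.0 0.0.0.255 host 10.1.2.57
crypto map CMAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
ip nat inside source list 100 interface fastethernet0/0 overload
access-list 100 deny ip 192.168.55.0 0.0.0.255 host 10.1.2.57
access-list 100 permit ip 192.168.55.0 0.0.0.255 any
"""
def check_posted():
    """The configs as posted: expected to come back clean."""
    return check_pair(parse_ios(R1), parse_ios(R2))

def check_without_nat_exemption():
    """R2 with its NAT deny removed: the classic 'SA up, no return traffic' fault."""
    return check_pair(parse_ios(R1), parse_ios(R2.replace(
        "access-list 100 deny ip 192.168.55.0 0.0.0.255 host 10.1.2.57\n", "")))
```

The posted pair comes back clean, so neither ACL fault explains the failure on the real routers; the same check run against a copy of Router 2 without its NAT deny reports that `access-list 100 permit ip 192.168.55.0 0.0.0.255 any` would translate the VPN traffic first, which is what the crypto-map ACL and the NAT ACL must be kept in step to prevent. On the routers themselves, `show crypto ipsec sa` shows whether the encaps and decaps counters move for the expected proxy identities, and `show ip nat translations` shows whether the VPN host's traffic is being translated despite the deny.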
Comments
scaredoftests Mod Posts: 2,780
ACL issue? We have a Palo Alto IPsec tunnel at work. We have a connection to a Cisco ASA in another state. Frequently, his ACLs screw up and we have no connection because of that. Once that gets corrected, the IPsec tunnel works.
Never let your fear decide your fate....