Site to Site IPsec VPN

Netstudent Member Posts: 1,693
Can someone take a look at this config. Something isn't right, I need a little bit of assistance from the pros. I am trying to set up an IPsec VPN with dynamips.

TOPOLOGY:

LAN(192.168.1.1)
R1--Serial(200.1.1.0/30)
R2
LAN(10.10.10.1)

Running Config on R1:
crypto ipsec transform-set MySet esp-aes esp-sha-hmac
crypto ipsec transform-set ivdf3-1 esp-aes esp-sha-hmac
!
crypto map VPN1 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set ivdf3-1
 set pfs group5
 match address 101
crypto map VPN1 20 ipsec-isakmp
 set peer 200.1.1.6
 set transform-set ivdf3-1
 set pfs group5
 match address 102
!
!
!
!
interface Loopback1
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 200.1.1.1 255.255.255.252
 serial restart-delay 0
 clock rate 64000
 crypto map VPN1
!
interface Serial1/1
 ip address 200.1.1.5 255.255.255.252
 serial restart-delay 0
 clock rate 64000
 crypto map VPN1
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 172.16.16.1 255.255.255.255 200.1.1.6
ip route 192.168.1.1 255.255.255.255 200.1.1.2
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255


Running Config on R2:
crypto ipsec transform-set ivdf3-1 esp-aes esp-sha-hmac
!
crypto map VPN1 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set ivdf3-1
 set pfs group5
 match address 101
!
!
!
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 200.1.1.2 255.255.255.252
 serial restart-delay 0
 crypto map VPN1
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/4
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/5
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/6
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/7
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.1.1.1
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

Now with a normal ping everything is great, but with an extended ping to define the source of the encrypted traffic, I get nothing.
R1#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.....
Success rate is 0 percent (0/5)

R1#show crypto isakmp sa
dst src state conn-id slot

What did I miss, with as little bashing as possible.

R1 has 2 crypto map processes because I planned on a multi-spoke VPN, but one at a time. The other router isn't shown here.

Would setting up a GRE tunnel help? Is there any limitation to having a VPN tunnel start at a loopback interface?
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!

Comments

  • kafifi13 Member Posts: 259
    I'm just learning about IPsec over VPN with an ASA firewall so I have little experience, but since you are using NAT did you try the command

    nat(inside) 0 access-list 111 for example.

    Sorry that's the best i could come up with after looking at your configs.
  • Netstudent Member Posts: 1,693
    Nah, I'm not using NAT. This is an emulation with dynamips, so the addressing isn't RFC 1918 compliant.

    BTW, in my topology above where it says LAN, that is just a Loopback interface, not a Fa port.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • kafifi13 Member Posts: 259
    Ok...let me look at some of the notes I had set up for the firewall and see if I can find anything that sticks out.
  • dtlokee Member Posts: 2,378
    You're missing your ISAKMP configuration

    something like:

    crypto isakmp policy 10
    authentication pre-share
    encryption aes 256
    hash sha
    group 5

    then you need the peer configuration

    crypto isakmp key cisco address 200.1.1.2 255.255.255.255

    and on R2 it will be

    crypto isakmp policy 10
    authentication pre-share
    encryption aes 256
    hash sha
    group 5


    crypto isakmp key cisco address 200.1.1.1 255.255.255.255
    The only easy day was yesterday!
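The root cause in this thread is a crypto map whose peers have no IKE phase 1 (ISAKMP) configuration behind them. The following is an added example, not code from the thread or from Cisco: a small Python check that scans an IOS running config for each `set peer` under a crypto map and reports when no `crypto isakmp policy` exists, when a peer has no matching `crypto isakmp key ... address` entry, or when a `match address` ACL is not defined. The config excerpts are constructed from R1's posted config and the fix suggested above.

```python
import re

# Constructed excerpt of R1's running config as posted in the thread: crypto
# maps and peers are present, but nothing defines IKE phase 1 (ISAKMP).
R1_BEFORE = """\
crypto ipsec transform-set ivdf3-1 esp-aes esp-sha-hmac
crypto map VPN1 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set ivdf3-1
 match address 101
crypto map VPN1 20 ipsec-isakmp
 set peer 200.1.1.6
 set transform-set ivdf3-1
 match address 102
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# The same excerpt with the phase-1 lines from the reply added for peer 200.1.1.2.
R1_AFTER = R1_BEFORE + """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
crypto isakmp key cisco address 200.1.1.2 255.255.255.255
"""

def check_isakmp(config: str) -> list[str]:
    """Return one finding per crypto-map dependency the config does not satisfy."""
    findings = []
    peers = set(re.findall(r"^\s*set peer (\S+)", config, re.M))
    has_policy = re.search(r"^crypto isakmp policy \d+", config, re.M) is not None
    # 'crypto isakmp key [0|6] <key> address <peer> [mask]'; 0.0.0.0 is a wildcard peer.
    keyed = set(re.findall(r"^crypto isakmp key (?:[06] )?\S+ address (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    if peers and not has_policy:
        findings.append("no 'crypto isakmp policy': IKE phase 1 has nothing to negotiate")
    for peer in sorted(peers):
        if peer not in keyed and "0.0.0.0" not in keyed:
            findings.append(f"peer {peer}: no 'crypto isakmp key ... address {peer}'")
    for acl in sorted(set(re.findall(r"^\s*match address (\d+)", config, re.M))):
        if acl not in acls:
            findings.append(f"crypto map references access-list {acl}, which is not defined")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", R1_BEFORE), ("after", R1_AFTER)):
        print(name, check_isakmp(cfg) or "OK")
```

On the "after" config the check still flags peer 200.1.1.6 and access-list 102, which matches the thread: only the first spoke was being configured at this point.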
  • Netstudent Member Posts: 1,693
    Once again, thank you Derek. Let me key that in and see what happens.


    EDIT - Yep that did it.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • mikej412 Member Posts: 10,086
    Don't forget to set your date/time and domain.

    You may also need to crypto key generate rsa .....
    :mike: Cisco Certifications -- Collect the Entire Set!
  • Netstudent Member Posts: 1,693
    mikej412 wrote:
    Don't forget to set your date/time and domain.

    You may also need to crypto key generate rsa .....

    Is that common practice with all IPsec configs, or only when enrolling with an external Certificate Authority?
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!