site-to-site VPN

woody1144woody1144 Member Posts: 10 ■□□□□□□□□□
Hi,
I'm having issues configuring my basic site to site vpn. Its a simple IPSec set-up between two 1721 routers. I can't seem to ping from one computer to the other and this is my first vpn config so i'm not too well prepared.
set-up:

Node1(192.168.1.1)<-->(192.168.1.2)Router1(10.0.0.1)<-->(10.0.0.2)Router2(192.168.2.2)<-->(192.168.2.1)Node2

I was wondering if anyone can spot something up with my code as i'm truly stuck! icon_sad.gif

Router 1
hostname Router1                
! 
enable secret 5 $1$VoN1$WXaWwxV2SWUi63HieX0WX.                                              
! 
ip subnet-zero              
! 
! 
! 
ip audit notify log                   
ip audit po max-events 100                          
! 
! 
crypto isakmp policy 9                      
 hash md5         
 authentication pre-share                         
crypto isakmp key 1144 address 10.0.0.2                                       
! 
crypto ipsec security-association lifetime seconds 86400                                                        
! 
crypto ipsec transform-set 1144 esp-3des esp-md5-hmac                                                     
! 
crypto map 1144 10 ipsec-isakmp                               
 set peer 10.0.0.2                  
 set transform-set 1144                       
 match address 101                  
! 
! 
! 
! 
interface Ethernet0                   
 no ip address              
 shutdown         
 half-duplex            
! 
interface FastEthernet0                       
 ip address 192.168.1.2 255.255.255.0                                     
 speed auto           
! 
interface Serial0                 
 bandwidth 64             
 ip address 10.0.0.1 255.0.0.0                              
 encapsulation ppp
 crypto map 1144
!
ip classless
ip route 192.168.2.0 255.255.255.0 10.0.0.2
no ip http server
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
 password woody1144
 login
!
end

Router 2
hostname Router2                
! 
enable secret 5 $1$yuQr$UhAc24BRrE5WSZcycd8PX0                                              
! 
ip subnet       
! 
! 
! 
ip audit notify log                   
ip audit po max-events 100                          
! 
! 
crypto isakmp policy 9                      
 hash md5         
 authentication pre-share                         
crypto isakmp key 1144 address 10.0.0.1                                       
! 
crypto ipsec security-association lifetime seconds 86400                                                        
! 
crypto ipsec transform-set 1144 esp-3des esp-md5-hmac                                                     
! 
crypto map 1144 10 ipsec-isakmp                               
 set peer 10.0.0.1                  
 set transform-set 1144                       
 match address 101                  
! 
! 
! 
! 
interface Ethernet0                   
 no ip address              
 shutdown         
 half-duplex            
! 
interface FastEthernet0                       
 ip address 192.168.2.2 255.255.255.0                                     
 speed auto           
! 
interface Serial0                 
 bandwidth 64             
 ip address 10.0.0.2 255.0.0.0                              
 encapsulation ppp                  
 clockrate 64000                
 crypto map 1144                
! 
ip classless            
ip route 192.168.1.0 255.255.255.0 10.0.0.1                                           
no ip http server                 
! 
! 
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255                                                                     
! 
! 
line con 0          
line aux 0
line vty 0 4
 password woody1144
 login
!
end

Thank you,

Richard

Comments

  • woody1144woody1144 Member Posts: 10 ■□□□□□□□□□
    I have changed my access lists to access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0.

    I can now ping:
    from node 1 i can ping every interface apart from node 2
    node 2 can only ping the ethernet port on R2 (192.168.2.2)
    both routers can ping each other.
    Is there something wrong with my access lists or routing as this seems very strange!
  • NetstudentNetstudent Member Posts: 1,693 ■■■□□□□□□□
    looks like no dh group or encryption statement in the isakmp policy. Your ACL's looked correct, flipped flopped basically. Try doing 'group 2' and 'encryption 3des' in crypto isakmp policy config mode on both sides. then put your ACL's back. Then do debug crypto ipsec sa and isakmp on both sides too see whats phase its getting to. that will tell you a lot....or should anyways..
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • woody1144woody1144 Member Posts: 10 ■□□□□□□□□□
    Hey,

    Awsome help thank you, i am now able to ping from one node to the other! woohoo!

    I decided i needed to actually check if the tunnel was working so i set up an ftp server on one node and transfered files to another. whilst this was happening i did some testing on the router with commands:
    show crypto isakmp sa

    show crypto ipsec sa

    show crypto engine connections active

    these show how many packets have been encrypted and decrypted and also what active tunnels there are and it all showed up with nothing.... does this mean the tunnel is having a few issues?

    Thanks a lot,

    Richard

    If it is any help here is the new configs from my routers:
    Password:
    Router1#sh run
    Building configuration...
    
    Current configuration : 1157 bytes
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router1
    !
    enable secret 5 $1$VoN1$WXaWwxV2SWUi63HieX0WX.
    !
    ip subnet-zero
    !
    !
    !
    ip audit notify log
    ip audit po max-events 100
    !
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key key1 address 10.0.0.2
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set set1 ah-md5-hmac esp-3des esp-md5-hmac
    !
    crypto map VPN-Map-1 10 ipsec-isakmp
     set peer 10.0.0.2
     set transform-set set1
     match address 101
    !
    !
    !
    !
    interface Ethernet0
     no ip address
     shutdown
     half-duplex
    !
    interface FastEthernet0
     ip address 192.168.1.2 255.255.255.0
     speed auto
    !
    interface Serial0
     bandwidth 64
     ip address 10.0.0.1 255.0.0.0
     encapsulation ppp
     crypto map VPN-Map-1
    !
    ip classless
    ip route 192.168.2.0 255.255.255.0 10.0.0.2
    no ip http server
    !
    !
    access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 // this was a mistake
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     --More--
    
    User Access Verification
    
    Password:
    Router2>enable
    Password:
    Router2#sh run
    Building configuration...
    
    Current configuration : 1126 bytes
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router2
    !
    enable secret 5 $1$yuQr$UhAc24BRrE5WSZcycd8PX0
    !
    ip subnet-zero
    !
    !
    !
    ip audit notify log
    ip audit po max-events 100
    !
    !
    crypto isakmp policy 20
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key key1 address 10.0.0.1
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set set2 ah-md5-hmac esp-3des esp-md5-hmac
    !
    crypto map VPN-Map-2 20 ipsec-isakmp
     set peer 10.0.0.1
     set transform-set set2
     match address 102
    !
    !
    !
    !
    interface Ethernet0
     no ip address
     shutdown
     half-duplex
    !
    interface FastEthernet0
     ip address 192.168.2.2 255.255.255.0
     speed auto
    !
    interface Serial0
     bandwidth 64
     ip address 10.0.0.2 255.0.0.0
     encapsulation ppp
     clockrate 64000
     crypto map VPN-Map-2
    !
    ip classless
    ip route 192.168.1.0 255.255.255.0 10.0.0.1
    no ip http server
    !
    !
    access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password *******
     login
     --More--
    

    I also have the read out from the testing on the tunnel:
    
    Router1#show crypto ipsec sa
    
    interface: Serial0
        Crypto map tag: VPN-Map-1, local addr. 10.0.0.1
    
       local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       current_peer: 10.0.0.2
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
         path mtu 1500, media mtu 1500
         current outbound spi: 0
    
         inbound esp sas:
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
    
         outbound ah sas:
    
         outbound pcp sas:
    
    
    Router1#
    Router1#show crypto engine connections active
    
      ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
    
    Router1#
    
    
  • NetstudentNetstudent Member Posts: 1,693 ■■■□□□□□□□
    Those outputs show you do not have a tunnel. First your ACL's are backwards now. If you have 192.168.1.2 configured on your LAN, then you need an ACL that is sourced from 192.168.1.0 on that device. Your ACL is sourced from 192.168.2.0 when your fa interface is 192.168.1.0.

    Your ACl needs to define interesting traffic TO BE encrypted that is sourced from the local LAN network and destined fro the remote LAN subnet. Pay attention to your ACL's or you will get Quick Mode FSM errors, in Phase2.

    You need to do debugs on both sides so you can watch what is happening in real time.

    You also have too much stuff in your transform set. All you need is to define 1 main security protocol for the MD5 hashing algorithm and one main protocol for encryption. Either AH or ESP, but not both. ESP is the de facto because it is more secure. I would stick with esp-md5-hmac and take out the AH.

    Now you can use AH hashing with ESP encryption, but not AH MD5 and ESP MD5 in the same set, I don;t think.

    Never tried nor have I ever witnessed it implemented that way. Back oin the earlier versions of IPsec , AH was used for hashing and ESP for encryption. But now ESP can do it all.

    This PDF is excellent if your serious about learning IPSec.

    csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
Sign In or Register to comment.