
site-to-site VPN

woody1144 (Member, Posts: 10)
Hi,
I'm having issues configuring my basic site-to-site VPN. It's a simple IPsec setup between two 1721 routers. I can't seem to ping from one computer to the other, and this is my first VPN config so I'm not too well prepared.
set-up:

Node1(192.168.1.1)<-->(192.168.1.2)Router1(10.0.0.1)<-->(10.0.0.2)Router2(192.168.2.2)<-->(192.168.2.1)Node2

I was wondering if anyone can spot something up with my code, as I'm truly stuck!

Router 1
hostname Router1                
! 
enable secret 5 $1$VoN1$WXaWwxV2SWUi63HieX0WX.                                              
! 
ip subnet-zero              
! 
! 
! 
ip audit notify log                   
ip audit po max-events 100                          
! 
! 
crypto isakmp policy 9                      
 hash md5         
 authentication pre-share                         
crypto isakmp key 1144 address 10.0.0.2                                       
! 
crypto ipsec security-association lifetime seconds 86400                                                        
! 
crypto ipsec transform-set 1144 esp-3des esp-md5-hmac                                                     
! 
crypto map 1144 10 ipsec-isakmp                               
 set peer 10.0.0.2                  
 set transform-set 1144                       
 match address 101                  
! 
! 
! 
! 
interface Ethernet0                   
 no ip address              
 shutdown         
 half-duplex            
! 
interface FastEthernet0                       
 ip address 192.168.1.2 255.255.255.0                                     
 speed auto           
! 
interface Serial0                 
 bandwidth 64             
 ip address 10.0.0.1 255.0.0.0                              
 encapsulation ppp
 crypto map 1144
!
ip classless
ip route 192.168.2.0 255.255.255.0 10.0.0.2
no ip http server
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
 password woody1144
 login
!
end

Router 2
hostname Router2                
! 
enable secret 5 $1$yuQr$UhAc24BRrE5WSZcycd8PX0                                              
! 
ip subnet-zero
! 
! 
! 
ip audit notify log                   
ip audit po max-events 100                          
! 
! 
crypto isakmp policy 9                      
 hash md5         
 authentication pre-share                         
crypto isakmp key 1144 address 10.0.0.1                                       
! 
crypto ipsec security-association lifetime seconds 86400                                                        
! 
crypto ipsec transform-set 1144 esp-3des esp-md5-hmac                                                     
! 
crypto map 1144 10 ipsec-isakmp                               
 set peer 10.0.0.1                  
 set transform-set 1144                       
 match address 101                  
! 
! 
! 
! 
interface Ethernet0                   
 no ip address              
 shutdown         
 half-duplex            
! 
interface FastEthernet0                       
 ip address 192.168.2.2 255.255.255.0                                     
 speed auto           
! 
interface Serial0                 
 bandwidth 64             
 ip address 10.0.0.2 255.0.0.0                              
 encapsulation ppp                  
 clockrate 64000                
 crypto map 1144                
! 
ip classless            
ip route 192.168.1.0 255.255.255.0 10.0.0.1                                           
no ip http server                 
! 
! 
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255                                                                     
! 
! 
line con 0          
line aux 0
line vty 0 4
 password woody1144
 login
!
end

Thank you,

Richard

Comments

    woody1144 (Member, Posts: 10)
    I have changed my access lists to access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0.

    I can now ping:
    From node 1 I can ping every interface apart from node 2.
    Node 2 can only ping the Ethernet port on R2 (192.168.2.2).
    Both routers can ping each other.
    Is there something wrong with my access lists or routing? This seems very strange!
    Netstudent (Member, Posts: 1,693)
    Looks like there's no DH group or encryption statement in the ISAKMP policy. Your ACLs looked correct, flip-flopped basically. Try doing 'group 2' and 'encryption 3des' in crypto isakmp policy config mode on both sides, then put your ACLs back. Then do debug crypto ipsec sa and isakmp on both sides to see what phase it's getting to. That will tell you a lot... or should anyway.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
    woody1144 (Member, Posts: 10)
    Hey,

    Awesome help, thank you, I am now able to ping from one node to the other! Woohoo!

    I decided I needed to actually check if the tunnel was working, so I set up an FTP server on one node and transferred files to another. Whilst this was happening I did some testing on the router with the commands:
    show crypto isakmp sa

    show crypto ipsec sa

    show crypto engine connections active

    These show how many packets have been encrypted and decrypted and also what active tunnels there are, and it all showed up with nothing... Does this mean the tunnel is having a few issues?

    Thanks a lot,

    Richard

    If it is any help, here are the new configs from my routers:
    Password:
    Router1#sh run
    Building configuration...
    
    Current configuration : 1157 bytes
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router1
    !
    enable secret 5 $1$VoN1$WXaWwxV2SWUi63HieX0WX.
    !
    ip subnet-zero
    !
    !
    !
    ip audit notify log
    ip audit po max-events 100
    !
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key key1 address 10.0.0.2
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set set1 ah-md5-hmac esp-3des esp-md5-hmac
    !
    crypto map VPN-Map-1 10 ipsec-isakmp
     set peer 10.0.0.2
     set transform-set set1
     match address 101
    !
    !
    !
    !
    interface Ethernet0
     no ip address
     shutdown
     half-duplex
    !
    interface FastEthernet0
     ip address 192.168.1.2 255.255.255.0
     speed auto
    !
    interface Serial0
     bandwidth 64
     ip address 10.0.0.1 255.0.0.0
     encapsulation ppp
     crypto map VPN-Map-1
    !
    ip classless
    ip route 192.168.2.0 255.255.255.0 10.0.0.2
    no ip http server
    !
    !
    access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 // this was a mistake
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     --More--
    
    User Access Verification
    
    Password:
    Router2>enable
    Password:
    Router2#sh run
    Building configuration...
    
    Current configuration : 1126 bytes
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router2
    !
    enable secret 5 $1$yuQr$UhAc24BRrE5WSZcycd8PX0
    !
    ip subnet-zero
    !
    !
    !
    ip audit notify log
    ip audit po max-events 100
    !
    !
    crypto isakmp policy 20
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key key1 address 10.0.0.1
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set set2 ah-md5-hmac esp-3des esp-md5-hmac
    !
    crypto map VPN-Map-2 20 ipsec-isakmp
     set peer 10.0.0.1
     set transform-set set2
     match address 102
    !
    !
    !
    !
    interface Ethernet0
     no ip address
     shutdown
     half-duplex
    !
    interface FastEthernet0
     ip address 192.168.2.2 255.255.255.0
     speed auto
    !
    interface Serial0
     bandwidth 64
     ip address 10.0.0.2 255.0.0.0
     encapsulation ppp
     clockrate 64000
     crypto map VPN-Map-2
    !
    ip classless
    ip route 192.168.1.0 255.255.255.0 10.0.0.1
    no ip http server
    !
    !
    access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password *******
     login
     --More--
    

    I also have the read out from the testing on the tunnel:
    
    Router1#show crypto ipsec sa
    
    interface: Serial0
        Crypto map tag: VPN-Map-1, local addr. 10.0.0.1
    
       local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       current_peer: 10.0.0.2
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
         path mtu 1500, media mtu 1500
         current outbound spi: 0
    
         inbound esp sas:
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
    
         outbound ah sas:
    
         outbound pcp sas:
    
    
    Router1#
    Router1#show crypto engine connections active
    
      ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
    
    Router1#
    
    
    Netstudent (Member, Posts: 1,693)
    Those outputs show you do not have a tunnel. First, your ACLs are backwards now. If you have 192.168.1.2 configured on your LAN, then you need an ACL that is sourced from 192.168.1.0 on that device. Your ACL is sourced from 192.168.2.0 when your fa interface is 192.168.1.0.

    Your ACL needs to define interesting traffic TO BE encrypted that is sourced from the local LAN network and destined for the remote LAN subnet. Pay attention to your ACLs or you will get Quick Mode FSM errors in Phase 2.

    You need to do debugs on both sides so you can watch what is happening in real time.

    You also have too much stuff in your transform set. All you need is to define one main security protocol for the MD5 hashing algorithm and one main protocol for encryption. Either AH or ESP, but not both. ESP is the de facto because it is more secure. I would stick with esp-md5-hmac and take out the AH.

    Now you can use AH hashing with ESP encryption, but not AH MD5 and ESP MD5 in the same set, I don't think.

    Never tried it, nor have I ever witnessed it implemented that way. Back in the earlier versions of IPsec, AH was used for hashing and ESP for encryption. But now ESP can do it all.

    This PDF is excellent if you're serious about learning IPsec.

    csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
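The two replies above boil down to a handful of things that have to agree on both peers before `show crypto ipsec sa` will ever count a packet: the ISAKMP policy attributes (the first reply's missing `group`/`encryption`), the pre-shared key for the peer's address, the transform set, and a crypto ACL that is sourced from the router's own LAN and is the mirror image of the far side's ACL (the second reply). The script below is an added example for this thread, not code from either poster: it parses two IOS-style configs, applies the IOS 12.x defaults for anything omitted from a `crypto isakmp policy` block, and reports every mismatch it can see offline. The `parse`, `check_pair` and `sample` names, the constructed configs (trimmed to the crypto-relevant lines of the thread's second pair, with the same backwards ACLs and AH+ESP transform set), and the assumption of one crypto map per router are all mine.

```python
"""Cross-check two Cisco IOS site-to-site IPsec configs for peer mismatches (added example)."""
import ipaddress
import re

# IOS 12.x defaults for attributes left out of a 'crypto isakmp policy' block.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def wildcard_net(addr, wildcard):
    """ACL 'address wildcard' -> network (assumes a contiguous wildcard mask)."""
    bits = int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)

def parse(cfg):
    """Pull out what both peers must agree on (assumes one crypto map per router)."""
    c = {"isakmp": {}, "psk": {}, "tset": {}, "map": {}, "acl": {}, "intf": {}, "wan": None}
    block = None
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line[0] == " " and block:  # indented line belongs to the block opened above it
            kind, name = block
            if kind == "isakmp":
                c["isakmp"][name]["encr" if w[0] == "encryption" else w[0]] = w[1]
            elif kind == "map" and w[0] in ("set", "match"):
                c["map"][w[1]] = w[2]  # peer / transform-set / address
            elif kind == "intf" and w[:2] == ["ip", "address"]:
                c["intf"][name] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
            elif kind == "intf" and w[:2] == ["crypto", "map"]:
                c["wan"] = name  # the interface that carries the crypto map
            continue
        block = None
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            block = ("isakmp", m[1])
            c["isakmp"][m[1]] = dict(ISAKMP_DEFAULTS)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            c["psk"][m[2]] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            c["tset"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            block = ("map", m[1])
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            c["acl"].setdefault(m[1], set()).add((wildcard_net(m[2], m[3]), wildcard_net(m[4], m[5])))
        elif m := re.match(r"interface (\S+)", line):
            block = ("intf", m[1])
    return c

def check_pair(cfg_a, cfg_b):
    """Return findings for two peer configs; an empty list means they agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    # Phase 1: at least one policy on each side must agree on all four attributes.
    if not any(pa == pb for pa in a["isakmp"].values() for pb in b["isakmp"].values()):
        out.append("phase1: no isakmp policy matches on encr/hash/authentication/group")
    if a["psk"].get(a["map"].get("peer")) != b["psk"].get(b["map"].get("peer")):
        out.append("phase1: pre-shared keys differ or are missing for the peer address")
    ta, tb = (x["tset"].get(x["map"].get("transform-set")) for x in (a, b))
    if ta != tb:
        out.append("phase2: transform sets differ")
    elif ta and any(x.startswith("ah-") for x in ta) and any(x.startswith("esp-") for x in ta):
        out.append("phase2: AH and ESP in one transform set; ESP with an esp-*-hmac is enough")
    acls = {}
    for label, c in (("A", a), ("B", b)):
        acls[label] = acl = c["acl"].get(c["map"].get("address"), set())
        lans = [net for name, net in c["intf"].items() if name != c["wan"]]
        # Interesting traffic must be sourced from this router's own LAN, not the remote one.
        if not acl or any(not any(src.overlaps(lan) for lan in lans) for src, _ in acl):
            out.append(f"phase2 {label}: crypto ACL missing or not sourced from the local LAN (backwards?)")
    if all(acls.values()) and {(d, s) for s, d in acls["A"]} != acls["B"]:
        out.append("phase2: crypto ACLs are not mirror images of each other")
    return out

def sample(lan, wan, peer, acl_src, acl_dst, tset):
    """Constructed config in the shape of the thread's second pair (not from a real device)."""
    return f"""crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key key1 address {peer}
crypto ipsec transform-set TS {tset}
crypto map VPN 10 ipsec-isakmp
 set peer {peer}
 set transform-set TS
 match address 101
interface FastEthernet0
 ip address {lan}.2 255.255.255.0
interface Serial0
 ip address {wan} 255.0.0.0
 crypto map VPN
access-list 101 permit ip {acl_src}.0 0.0.0.255 {acl_dst}.0 0.0.0.255
"""

AH_ESP, ESP = "ah-md5-hmac esp-3des esp-md5-hmac", "esp-3des esp-md5-hmac"
# As posted: each router's ACL names the remote LAN as source; corrected: local LAN as source, ESP only.
R1_POSTED = sample("192.168.1", "10.0.0.1", "10.0.0.2", "192.168.2", "192.168.1", AH_ESP)
R2_POSTED = sample("192.168.2", "10.0.0.2", "10.0.0.1", "192.168.1", "192.168.2", AH_ESP)
R1_FIXED = sample("192.168.1", "10.0.0.1", "10.0.0.2", "192.168.1", "192.168.2", ESP)
R2_FIXED = sample("192.168.2", "10.0.0.2", "10.0.0.1", "192.168.2", "192.168.1", ESP)
```

`check_pair(R1_POSTED, R2_POSTED)` returns three findings (both ACLs flagged as not sourced from the local LAN, plus AH and ESP in one transform set), while `check_pair(R1_FIXED, R2_FIXED)` returns an empty list. The per-router "sourced from local LAN" test is the one that matters for the posted configs: two ACLs that are both reversed are still perfect mirror images of each other, so a mirror check on its own would have passed them. The script only compares configured parameters; what the peers actually negotiate is still best read from `debug crypto isakmp` and `debug crypto ipsec` on both sides, as suggested in the replies.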