IPSEC in GNS3 with SDM

Deltah_ Member Posts: 51
Hi there,

I can't find what's wrong with this situation...

I'm trying to set up IPsec between 2 routers with serial interfaces in GNS3.

Interfaces are up, my crypto configuration is correct, firewall/NAT/routing is correct, but my tunnel status is down and I can't ping the other side. I was able to do this before configuring IPsec.

So, what is my problem?


Router A

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.2.6
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
crypto map map1 6 ipsec-isakmp
description Tunnel to192.168.2.6
set peer 192.168.2.6
set transform-set cisco
match address 100
!
!
!
!
interface Serial0/0
ip address 192.168.2.5 255.255.255.252
encapsulation ppp
serial restart-delay 0
crypto map map1


interface Ethernet1/0
ip address 172.16.5.46 255.255.255.0
half-duplex

router rip
version 2
network 172.16.0.0
network 192.168.2.0
!
ip http server
ip http secure-server
ip route 10.1.1.0 255.255.255.0 192.168.2.6
!
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.5.0 0.0.0.255 10.1.1.0 0.0.0.255

RouterB

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.2.5
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto map map2 6 ipsec-isakmp
description Tunnel to192.168.2.5
set peer 192.168.2.5
set transform-set set1
match address 101
!
!
!
!
interface Ethernet0/0
ip address 10.1.1.5 255.255.255.0
half-duplex
!
interface Serial1/0
ip address 192.168.2.6 255.255.255.252
encapsulation ppp
serial restart-delay 0
crypto map map2

router rip
version 2
network 10.0.0.0
network 192.168.2.0
ip route 172.16.5.0 255.255.255.0 192.168.2.5
!
ip http server
ip http secure-server

access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.5.0 0.0.0.255

Comments

  • _maurice Member Posts: 142
    Are you pinging from the routers, or are you pinging from behind the routers? Try an extended ping with a source of the ethernet interface.
  • jezg76 Member Posts: 97
    The only difference I had in my config to yours was using 192.168.1.0/24, as opposed to 172.16.5.0/24.

    R1#ping 10.1.1.5 source fastEthernet 0/0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.254
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 92/114/136 ms
    R1#sh cry
    R1#sh crypto isa
    R1#sh crypto isakmp sa
    dst src state conn-id slot status
    192.168.2.6 192.168.2.5 QM_IDLE 1 0 ACTIVE

    I do believe _maurice hit the nail on the dome.
    policy-map type inspect TACO
    class type inspect BELL
    drop log
  • _maurice Member Posts: 142
    woohoo - recognition! :P
  • Deltah_ Member Posts: 51
    The extended ping wasn't a success, so I retried from the beginning and it's working well.

    Thank you.
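As an added example (not from the thread's configs or any of the posters), a small Python check of the point _maurice raised: a plain ping between the two serial addresses never matches the crypto ACL, so IKE is never triggered and the tunnel stays down, while an extended ping sourced from the Ethernet interface does match. It parses the two SDM-generated ACLs exactly as posted above and also verifies they mirror each other; the only form it assumes is the "permit ip SRC WILDCARD DST WILDCARD" entries shown on the page.

```python
import ipaddress

# Crypto ACL lines as posted in the thread (Router A = ACL 100, Router B = ACL 101).
ROUTER_A_ACL = ["access-list 100 permit ip 172.16.5.0 0.0.0.255 10.1.1.0 0.0.0.255"]
ROUTER_B_ACL = ["access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.5.0 0.0.0.255"]


def wildcard_net(addr, wildcard):
    """Cisco 'addr wildcard' -> IPv4Network. ipaddress reads 'a.b.c.d/0.0.0.255' as a
    host mask, but an all-zero wildcard must mean a single host (/32), not /0."""
    if wildcard == "0.0.0.0":
        return ipaddress.IPv4Network(f"{addr}/32")
    return ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False)


def parse_acl(lines):
    """Return [(src_net, dst_net)] for the 'permit ip SRC WC DST WC' entries
    of a crypto ACL (the SDM form used in the thread; 'host'/'any' not handled)."""
    entries = []
    for line in lines:
        parts = line.split()
        if "permit" in parts and "ip" in parts:
            i = parts.index("ip")
            src = wildcard_net(parts[i + 1], parts[i + 2])
            dst = wildcard_net(parts[i + 3], parts[i + 4])
            entries.append((src, dst))
    return entries


def is_interesting(acl_lines, src_ip, dst_ip):
    """True if a src->dst packet matches the crypto ACL and would trigger IKE."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in parse_acl(acl_lines))


def acls_are_mirrored(acl_a, acl_b):
    """Peer crypto ACLs must be exact mirror images (src/dst swapped)."""
    a = {(str(s), str(d)) for s, d in parse_acl(acl_a)}
    b = {(str(d), str(s)) for s, d in parse_acl(acl_b)}
    return a == b


if __name__ == "__main__":
    print("ACLs mirrored:", acls_are_mirrored(ROUTER_A_ACL, ROUTER_B_ACL))
    # Plain ping from Router A's serial IP: not in the ACL, so no IKE, tunnel stays down.
    print("router-to-router ping interesting:",
          is_interesting(ROUTER_A_ACL, "192.168.2.5", "192.168.2.6"))
    # Extended ping sourced from Ethernet1/0 (as suggested in the thread) does match.
    print("extended ping interesting:",
          is_interesting(ROUTER_A_ACL, "172.16.5.46", "10.1.1.5"))
```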