2 Routers s2s vpn

Akiii

Hi,

I'm watching Jeremy's CCNA Sec nuggets and there's an implementing s2s vpn through cli section. I've redone it for like 3 times now and still couldn't get it to work, I cannot ping the other router. Help is appreciated, here are my confs:


Router 1
[HTML] Test5#sh run
Building configuration...


Current configuration : 1207 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Test5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 25
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 60
encr aes
authentication pre-share
group 2
crypto isakmp key cbt address 192.168.1.1
!
!
crypto ipsec transform-set jeremy esp-aes esp-sha-hmac
!
crypto map s2s-vpn 100 ipsec-isakmp
set peer 192.168.1.1
set transform-set jeremy
match address 100
!
!
!
!
interface Loopback0
ip address 10.0.2.250 255.255.255.0
shutdown
!
interface FastEthernet2/0
ip address 192.168.5.1 255.255.255.0
speed 100
full-duplex
crypto map s2s-vpn
!
interface FastEthernet2/1
ip address 192.168.9.1 255.255.255.0
duplex full
speed 100
!
router eigrp 80
network 10.0.0.0
no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
!
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end[/HTML]Router2
[HTML]
outer(config)#do sh run
Building configuration...

Current configuration : 994 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cbt address 192.168.5.1
!
!
crypto ipsec transform-set jeremy esp-aes esp-sha-hmac
!
crypto map s2s-vpn 100 ipsec-isakmp
set peer 192.168.5.1
set transform-set jeremy
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex full
speed 100
crypto map s2s-vpn
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
[/HTML]

peanutnoggin

A couple of things jumped out to me...

The interface on router 2 is shutdown. Also, router 2 doesn't have an access-list configured designating the traffic to bring up the vpn. HTH.

-Peanut

Akiii

peanutnoggin wrote: »

A couple of things jumped out to me...

The interface on router 2 is shutdown. Also, router 2 doesn't have an access-list configured designating the traffic to bring up the vpn. HTH.

-Peanut

Thanks I realized the interface was done before you posted I just made an ACL but still no joy.. updated the configs in the #1 post

peanutnoggin

Have you enabled "isakmp"?

crypto isakmp enable

I haven't configured a site-to-site vpn in awhile... I'm trying to think of other items. Everything appears to be right since you have identical configs (with the "mirrored" access-lists). Have you enabled debugging on the IKE Phase 1? Are you generating traffic from clients within the specified subnets? HTH.

-Peanut

bermovick

I tell ya, I've had the worst luck getting my VPNs to work too; then I'll wipe the whole configs, do exactly the same thing and have them work (I know I've done something different, but no idea what).

I'll load up gns3 and plug in your configs and see what I can figure out.

Akiii

peanutnoggin wrote: »

Have you enabled "isakmp"?

crypto isakmp enable

I haven't configured a site-to-site vpn in awhile... I'm trying to think of other items. Everything appears to be right since you have identical configs (with the "mirrored" access-lists). Have you enabled debugging on the IKE Phase 1? Are you generating traffic from clients within the specified subnets? HTH.

-Peanut

Yes, enabling isakmp was my first commands. I've connected the routers together with a crossover cable and tried to ping the other one, or set one of them as my default GW and ping the other router but no luck.

Ákos

bermovick

What's the topology like? What do you have between the 2?

Akiii

bermovick wrote: »

What's the topology like? What do you have between the 2?

Ok so I believe here comes the missunderstanding from my part. Do you actually need a cloud or something between the 2 devices? Can't you just put up an ipsec tunnel between the 2 routers via crossover cable?

stuh84

Try adding

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

Onto router 1 and

access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

On to router 2. In my experience, I've always needed an access list for both directions on each router, so you pretty much end up with the same ACL on each.

mikej412

Were the routers able to ping each other before you set up the tunnel?

Akiii

mikej412 wrote: »

Were the routers able to ping each other before you set up the tunnel?

They are newly set up routers, didn't try it. Both interfaces are in up up.

Do I need actually something between the 2 routers for the ipsec tunnel? Or a normal Crossover cable can do the job?

mikej412

Akiii wrote: »

Do I need actually something between the 2 routers for the ipsec tunnel?

Network connectivity.

bermovick

Akiii wrote: »

Ok so I believe here comes the missunderstanding from my part. Do you actually need a cloud or something between the 2 devices? Can't you just put up an ipsec tunnel between the 2 routers via crossover cable?

I think you probably could, except your interfaces aren't in the same subnet?

Akiii

bermovick wrote: »

I think you probably could, except your interfaces aren't in the same subnet?

Yes they aren't but I thought that the ipsec will do the routing between the subnets. So I'm really courius now that what do I have to place between the 2 routers or how to configure them to get it work.

A

bermovick

You still need 'normal' IP connectivity between the 2 points. Most of my labs involve a router or 2 between the 2 endpoints, but I'd think the premise is the same if there's no physical devices between the 2.

It looks like you're confusing what is being encrypted, thinking you'll encrypt 1.0 and 5.0, but what's really going to happen would be you're encrypting data coming in from other networks, through the endpoint routers, and encrypted before being sent out (normal IP routing) your 1.0/5.0 link.

... I'm not sure if I explain it well. It makes sense in my head.....

Akiii

bermovick wrote: »

You still need 'normal' IP connectivity between the 2 points. Most of my labs involve a router or 2 between the 2 endpoints, but I'd think the premise is the same if there's no physical devices between the 2.

It looks like you're confusing what is being encrypted, thinking you'll encrypt 1.0 and 5.0, but what's really going to happen would be you're encrypting data coming in from other networks, through the endpoint routers, and encrypted before being sent out (normal IP routing) your 1.0/5.0 link.

... I'm not sure if I explain it well. It makes sense in my head.....

thanks

I'll try to set up one of my routers as a GW and ping the other side with the modification that you guys told me that should be enough for ip connectivity, I hope it will work

bermovick

OK, first off, forgive me if this stuff doesn't come out well; I'm still not used to uploading and inserting images.

Secondly: R1 and R4 are computers here. They just LOOK like routers (I can't get QEMU to work, so I use routers as endpoint devices).



R2 and R3 are going to create a VPN tunnel for traffic going between the 192.168.1.0 and 192.168.3.0 networks. I still need normal IP connectivity from end-to-end though.

Here's the running-config from R2 and R3. R1 and R4 have no config other than ip addresses on the appropriate interface, and a default route.

R2

Building configuration...

Current configuration : 1050 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!         
!
!
!
!
!
! 
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key woohoo address 192.168.2.2
!
!
crypto ipsec transform-set shorty esp-aes esp-md5-hmac 
!
crypto map R2_R3 100 ipsec-isakmp 
 set peer 192.168.2.2
 set transform-set shorty 
 match address vpn_acl
!         
!
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map R2_R3
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 192.168.1.0
 network 192.168.2.0
 auto-summary
!
!
ip http server
no ip http secure-server
!
!
ip access-list extended vpn_acl
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

and R3

Building configuration...

Current configuration : 1050 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!         
!
!
!
!
!
! 
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key woohoo address 192.168.2.1
!
!
crypto ipsec transform-set shorty esp-aes esp-md5-hmac 
!
crypto map R3_R2 100 ipsec-isakmp 
 set peer 192.168.2.1
 set transform-set shorty 
 match address vpn_acl
!         
!
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map R3_R2
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 192.168.2.0
 network 192.168.3.0
 auto-summary
!
!
ip http server
no ip http secure-server
!
ip access-list extended vpn_acl
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

Verified with debug crypto ipsec

*Mar  1 02:08:33.735: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.2.1, remote= 192.168.2.2, 
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0xFCAF55ED(4239349229), conn_id= 0, keysize= 128, flags= 0x400A
*Mar  1 02:08:34.023: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.2.1, remote= 192.168.2.2, 
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar  1 02:08:34.027: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 192.168.3.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  1 02:08:34.031: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar  1 02:08:34.031: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 192.168.2.1, remote= 192.168.2.2, 
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0xFCAF55ED(4239349229), conn_id= 0, keysize= 128, flags= 0x2
*Mar  1 02:08:34.031: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 192.168.2.1, remote= 192.168.2.2, 
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x8E9773AE(2392290222), conn_id= 0, keysize= 128, flags= 0xA
*Mar  1 02:08:34.035: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 192.168.3.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar  1 02:08:34.035: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.2.2
*Mar  1 02:08:34.035: IPSec: Flow_switching Allocated flow for sibling 80000002 
*Mar  1 02:08:34.035: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 192.168.3.0, dest_port 0

*Mar  1 02:08:34.035: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.2.1, sa_proto= 50, 
    sa_spi= 0xFCAF55ED(4239349229), 
    sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2001
*Mar  1 02:08:34.035: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.2.2, sa_proto= 50, 
    sa_spi= 0x8E9773AE(2392290222), 
    sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2002

Akiii

Thanks for the illustration I've set up a same environment and it worked. The issue was that you need to have an active node on both ends(to wich you can assign an IP) but before that the ipsec tunnel will not get up.

Thanks again for your help

Á

bermovick

Well, you might be able to use an extended ping to ping from (in my example) R2's F0/1 port. That way the packet's source address is in the 192.168.1.0 network, which would trigger the ACL and cause R2 to attempt to build the VPN.

gregorio323

I'm sure this is faaaaaaar to late for the post but still the error was the interfaces where in the wrong subnet. That is the primary cause of them not being able to ping across the crossover cable. Looks like the config was right i just skimmed through it but what really stood out was the incorrect ip addressing.

phoeneous

gregorio323 wrote: »

the error was the interfaces where in the wrong subnet.

Wait, you're saying 192.168.2.1/24 and 192.168.2.2/24 are not in the same subnet?

networker050184

phoeneous wrote: »

Wait, you're saying 192.168.2.1/24 and 192.168.2.2/24 are not in the same subnet?

If you look at the configs in the OP he is using 192.168.5.1/24 on one side and 192.168.1.1/24 on the other for the link between the routers.

phoeneous

networker050184 wrote: »

If you look at the configs in the OP he is using 192.168.5.1/24 on one side and 192.168.1.1/24 on the other for the link between the routers.

Ah, I was looking at reply #17 which seems to be correct as far as the subnet between R2 and R3.

I also noticed that he doesnt have any routes configured, is this not necessary in a s2s vpn?

networker050184

phoeneous wrote: »

Ah, I was looking at reply #17 which seems to be correct as far as the subnet between R2 and R3.

I also noticed that he doesnt have any routes configured, is this not necessary in a s2s vpn?

You would need some sort of route to get to the peer address. Which in this case happens to be a directly connected address so there is no need to add a route manually.

phoeneous

networker050184 wrote: »

You would need some sort of route to get to the peer address. Which in this case happens to be a directly connected address so there is no need to add a route manually.

Gotcha. I'm studying with the same cbt as him and ironically I'm doing both the vpn videos tonight.

williamsimard

I have 2 cisco router set up with a VPN and I get an UP status showing they are connected and the VPN is working.

From network A, I have the router set to 10.23.1.150 for 0/0, and a static IP from our ISP for 0/1.

On Network B I have the router set to 192.168.1.1 for 0/0, and 0/1 has a static IP from our ISP.

If I am working on Network A and want to send data over the VPN, do I send it to 10.23.1.150 ? The main Gateway is another router with an address of 10.23.1.1

Thanks for the help.

Bill