2 Routers s2s vpn

AkiiiAkiii MemberMember Posts: 80 ■■□□□□□□□□
Hi,

I'm watching Jeremy's CCNA Sec nuggets and there's an implementing s2s vpn through cli section. I've redone it for like 3 times now and still couldn't get it to work, I cannot ping the other router. Help is appreciated, here are my confs:


Router 1
[HTML] Test5#sh run
Building configuration...


Current configuration : 1207 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Test5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 25
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 60
encr aes
authentication pre-share
group 2
crypto isakmp key cbt address 192.168.1.1
!
!
crypto ipsec transform-set jeremy esp-aes esp-sha-hmac
!
crypto map s2s-vpn 100 ipsec-isakmp
set peer 192.168.1.1
set transform-set jeremy
match address 100
!
!
!
!
interface Loopback0
ip address 10.0.2.250 255.255.255.0
shutdown
!
interface FastEthernet2/0
ip address 192.168.5.1 255.255.255.0
speed 100
full-duplex
crypto map s2s-vpn
!
interface FastEthernet2/1
ip address 192.168.9.1 255.255.255.0
duplex full
speed 100
!
router eigrp 80
network 10.0.0.0
no auto-summary
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
!
!
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end[/HTML]Router2
[HTML]
outer(config)#do sh run
Building configuration...

Current configuration : 994 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cbt address 192.168.5.1
!
!
crypto ipsec transform-set jeremy esp-aes esp-sha-hmac
!
crypto map s2s-vpn 100 ipsec-isakmp
set peer 192.168.5.1
set transform-set jeremy
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex full
speed 100
crypto map s2s-vpn
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
[/HTML]

Comments

  • peanutnogginpeanutnoggin Senior Member Member Posts: 1,096 ■■■□□□□□□□
    A couple of things jumped out to me...

    The interface on router 2 is shutdown. Also, router 2 doesn't have an access-list configured designating the traffic to bring up the vpn. HTH.

    -Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • AkiiiAkiii Member Member Posts: 80 ■■□□□□□□□□
    A couple of things jumped out to me...

    The interface on router 2 is shutdown. Also, router 2 doesn't have an access-list configured designating the traffic to bring up the vpn. HTH.

    -Peanut

    Thanks I realized the interface was done before you posted :) I just made an ACL but still no joy.. updated the configs in the #1 post
  • peanutnogginpeanutnoggin Senior Member Member Posts: 1,096 ■■■□□□□□□□
    Have you enabled "isakmp"?

    crypto isakmp enable

    I haven't configured a site-to-site vpn in awhile... I'm trying to think of other items. Everything appears to be right since you have identical configs (with the "mirrored" access-lists). Have you enabled debugging on the IKE Phase 1? Are you generating traffic from clients within the specified subnets? HTH.

    -Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • bermovickbermovick Senior Member Member Posts: 1,135 ■■■■□□□□□□
    I tell ya, I've had the worst luck getting my VPNs to work too; then I'll wipe the whole configs, do exactly the same thing and have them work (I know I've done something different, but no idea what).

    I'll load up gns3 and plug in your configs and see what I can figure out.
    Latest Completed: CISSP

    Current goal: Dunno
  • AkiiiAkiii Member Member Posts: 80 ■■□□□□□□□□
    Have you enabled "isakmp"?

    crypto isakmp enable

    I haven't configured a site-to-site vpn in awhile... I'm trying to think of other items. Everything appears to be right since you have identical configs (with the "mirrored" access-lists). Have you enabled debugging on the IKE Phase 1? Are you generating traffic from clients within the specified subnets? HTH.

    -Peanut

    Yes, enabling isakmp was my first commands. I've connected the routers together with a crossover cable and tried to ping the other one, or set one of them as my default GW and ping the other router but no luck.

    Ákos
  • bermovickbermovick Senior Member Member Posts: 1,135 ■■■■□□□□□□
    What's the topology like? What do you have between the 2?
    Latest Completed: CISSP

    Current goal: Dunno
  • AkiiiAkiii Member Member Posts: 80 ■■□□□□□□□□
    bermovick wrote: »
    What's the topology like? What do you have between the 2?


    Ok so I believe here comes the missunderstanding from my part. Do you actually need a cloud or something between the 2 devices? Can't you just put up an ipsec tunnel between the 2 routers via crossover cable?
  • stuh84stuh84 Senior Member Member Posts: 503
    Try adding

    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

    Onto router 1 and

    access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

    On to router 2. In my experience, I've always needed an access list for both directions on each router, so you pretty much end up with the same ACL on each.
    Work In Progress: CCIE R&S Written

    CCIE Progress - Hours reading - 15, hours labbing - 1
  • mikej412mikej412 Cisco Moderator Member Posts: 10,086 ■■■■■■■■■■
    Were the routers able to ping each other before you set up the tunnel?
    :mike: Cisco Certifications -- Collect the Entire Set!
  • AkiiiAkiii Member Member Posts: 80 ■■□□□□□□□□
    mikej412 wrote: »
    Were the routers able to ping each other before you set up the tunnel?


    They are newly set up routers, didn't try it. Both interfaces are in up up.

    Do I need actually something between the 2 routers for the ipsec tunnel? Or a normal Crossover cable can do the job?
  • mikej412mikej412 Cisco Moderator Member Posts: 10,086 ■■■■■■■■■■
    Akiii wrote: »
    Do I need actually something between the 2 routers for the ipsec tunnel?
    Network connectivity.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • bermovickbermovick Senior Member Member Posts: 1,135 ■■■■□□□□□□
    Akiii wrote: »
    Ok so I believe here comes the missunderstanding from my part. Do you actually need a cloud or something between the 2 devices? Can't you just put up an ipsec tunnel between the 2 routers via crossover cable?

    I think you probably could, except your interfaces aren't in the same subnet?
    Latest Completed: CISSP

    Current goal: Dunno
  • AkiiiAkiii Member Member Posts: 80 ■■□□□□□□□□
    bermovick wrote: »
    I think you probably could, except your interfaces aren't in the same subnet?


    Yes they aren't but I thought that the ipsec will do the routing between the subnets. So I'm really courius now that what do I have to place between the 2 routers or how to configure them to get it work.

    A
  • bermovickbermovick Senior Member Member Posts: 1,135 ■■■■□□□□□□
    You still need 'normal' IP connectivity between the 2 points. Most of my labs involve a router or 2 between the 2 endpoints, but I'd think the premise is the same if there's no physical devices between the 2.

    It looks like you're confusing what is being encrypted, thinking you'll encrypt 1.0 and 5.0, but what's really going to happen would be you're encrypting data coming in from other networks, through the endpoint routers, and encrypted before being sent out (normal IP routing) your 1.0/5.0 link.

    ... I'm not sure if I explain it well. It makes sense in my head.....
    Latest Completed: CISSP

    Current goal: Dunno
  • AkiiiAkiii Member Member Posts: 80 ■■□□□□□□□□
    bermovick wrote: »
    You still need 'normal' IP connectivity between the 2 points. Most of my labs involve a router or 2 between the 2 endpoints, but I'd think the premise is the same if there's no physical devices between the 2.

    It looks like you're confusing what is being encrypted, thinking you'll encrypt 1.0 and 5.0, but what's really going to happen would be you're encrypting data coming in from other networks, through the endpoint routers, and encrypted before being sent out (normal IP routing) your 1.0/5.0 link.

    ... I'm not sure if I explain it well. It makes sense in my head.....

    thanks

    I'll try to set up one of my routers as a GW and ping the other side with the modification that you guys told me that should be enough for ip connectivity, I hope it will work
  • bermovickbermovick Senior Member Member Posts: 1,135 ■■■■□□□□□□
    OK, first off, forgive me if this stuff doesn't come out well; I'm still not used to uploading and inserting images.

    Secondly: R1 and R4 are computers here. They just LOOK like routers (I can't get QEMU to work, so I use routers as endpoint devices).

    bermovick-albums-stuff-picture157-littlevpn.jpg

    R2 and R3 are going to create a VPN tunnel for traffic going between the 192.168.1.0 and 192.168.3.0 networks. I still need normal IP connectivity from end-to-end though.

    Here's the running-config from R2 and R3. R1 and R4 have no config other than ip addresses on the appropriate interface, and a default route.

    R2
    Building configuration...
    
    Current configuration : 1050 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R2
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    ip cef
    !
    !
    !
    !         
    !
    !
    !
    !
    !
    ! 
    !
    crypto isakmp policy 1
     encr aes
     hash md5
     authentication pre-share
     group 5
     lifetime 3600
    crypto isakmp key woohoo address 192.168.2.2
    !
    !
    crypto ipsec transform-set shorty esp-aes esp-md5-hmac 
    !
    crypto map R2_R3 100 ipsec-isakmp 
     set peer 192.168.2.2
     set transform-set shorty 
     match address vpn_acl
    !         
    !
    !
    interface FastEthernet0/0
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
     crypto map R2_R3
    !
    interface FastEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 1
     network 192.168.1.0
     network 192.168.2.0
     auto-summary
    !
    !
    ip http server
    no ip http secure-server
    !
    !
    ip access-list extended vpn_acl
     permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end
    

    and R3
    Building configuration...
    
    Current configuration : 1050 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R3
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    ip cef
    !
    !
    !
    !         
    !
    !
    !
    !
    !
    ! 
    !
    crypto isakmp policy 1
     encr aes
     hash md5
     authentication pre-share
     group 5
     lifetime 3600
    crypto isakmp key woohoo address 192.168.2.1
    !
    !
    crypto ipsec transform-set shorty esp-aes esp-md5-hmac 
    !
    crypto map R3_R2 100 ipsec-isakmp 
     set peer 192.168.2.1
     set transform-set shorty 
     match address vpn_acl
    !         
    !
    !
    interface FastEthernet0/0
     ip address 192.168.2.2 255.255.255.0
     duplex auto
     speed auto
     crypto map R3_R2
    !
    interface FastEthernet0/1
     ip address 192.168.3.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 1
     network 192.168.2.0
     network 192.168.3.0
     auto-summary
    !
    !
    ip http server
    no ip http secure-server
    !
    ip access-list extended vpn_acl
     permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end
    

    Verified with debug crypto ipsec
    *Mar  1 02:08:33.735: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 192.168.2.1, remote= 192.168.2.2, 
        local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0xFCAF55ED(4239349229), conn_id= 0, keysize= 128, flags= 0x400A
    *Mar  1 02:08:34.023: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 192.168.2.1, remote= 192.168.2.2, 
        local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
        lifedur= 0s and 0kb, 
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
    *Mar  1 02:08:34.027: Crypto mapdb : proxy_match
            src addr     : 192.168.1.0
            dst addr     : 192.168.3.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    *Mar  1 02:08:34.031: IPSEC(key_engine): got a queue event with 2 kei messages
    *Mar  1 02:08:34.031: IPSEC(initialize_sas): ,
      (key eng. msg.) INBOUND local= 192.168.2.1, remote= 192.168.2.2, 
        local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0xFCAF55ED(4239349229), conn_id= 0, keysize= 128, flags= 0x2
    *Mar  1 02:08:34.031: IPSEC(initialize_sas): ,
      (key eng. msg.) OUTBOUND local= 192.168.2.1, remote= 192.168.2.2, 
        local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0x8E9773AE(2392290222), conn_id= 0, keysize= 128, flags= 0xA
    *Mar  1 02:08:34.035: Crypto mapdb : proxy_match
            src addr     : 192.168.1.0
            dst addr     : 192.168.3.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    *Mar  1 02:08:34.035: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.2.2
    *Mar  1 02:08:34.035: IPSec: Flow_switching Allocated flow for sibling 80000002 
    *Mar  1 02:08:34.035: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 192.168.3.0, dest_port 0
    
    *Mar  1 02:08:34.035: IPSEC(create_sa): sa created,
      (sa) sa_dest= 192.168.2.1, sa_proto= 50, 
        sa_spi= 0xFCAF55ED(4239349229), 
        sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2001
    *Mar  1 02:08:34.035: IPSEC(create_sa): sa created,
      (sa) sa_dest= 192.168.2.2, sa_proto= 50, 
        sa_spi= 0x8E9773AE(2392290222), 
        sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2002
    
    Latest Completed: CISSP

    Current goal: Dunno
  • AkiiiAkiii Member Member Posts: 80 ■■□□□□□□□□
    Thanks for the illustration I've set up a same environment and it worked. The issue was that you need to have an active node on both ends(to wich you can assign an IP) but before that the ipsec tunnel will not get up.

    Thanks again for your help :)

    Á
  • bermovickbermovick Senior Member Member Posts: 1,135 ■■■■□□□□□□
    Well, you might be able to use an extended ping to ping from (in my example) R2's F0/1 port. That way the packet's source address is in the 192.168.1.0 network, which would trigger the ACL and cause R2 to attempt to build the VPN.
    Latest Completed: CISSP

    Current goal: Dunno
  • gregorio323gregorio323 Senior Member Member Posts: 201 ■■■□□□□□□□
    I'm sure this is faaaaaaar to late for the post :) but still the error was the interfaces where in the wrong subnet. That is the primary cause of them not being able to ping across the crossover cable. Looks like the config was right i just skimmed through it but what really stood out was the incorrect ip addressing.
  • phoeneousphoeneous Go ping yourself... Member Posts: 2,333 ■■■■■■■□□□
    the error was the interfaces where in the wrong subnet.

    Wait, you're saying 192.168.2.1/24 and 192.168.2.2/24 are not in the same subnet?
  • networker050184networker050184 Went to the dark side.... Mod Posts: 11,962 Mod
    phoeneous wrote: »
    Wait, you're saying 192.168.2.1/24 and 192.168.2.2/24 are not in the same subnet?

    If you look at the configs in the OP he is using 192.168.5.1/24 on one side and 192.168.1.1/24 on the other for the link between the routers.
    An expert is a man who has made all the mistakes which can be made.
  • phoeneousphoeneous Go ping yourself... Member Posts: 2,333 ■■■■■■■□□□
    If you look at the configs in the OP he is using 192.168.5.1/24 on one side and 192.168.1.1/24 on the other for the link between the routers.

    Ah, I was looking at reply #17 which seems to be correct as far as the subnet between R2 and R3.

    I also noticed that he doesnt have any routes configured, is this not necessary in a s2s vpn?
  • networker050184networker050184 Went to the dark side.... Mod Posts: 11,962 Mod
    phoeneous wrote: »
    Ah, I was looking at reply #17 which seems to be correct as far as the subnet between R2 and R3.

    I also noticed that he doesnt have any routes configured, is this not necessary in a s2s vpn?

    You would need some sort of route to get to the peer address. Which in this case happens to be a directly connected address so there is no need to add a route manually.
    An expert is a man who has made all the mistakes which can be made.
  • phoeneousphoeneous Go ping yourself... Member Posts: 2,333 ■■■■■■■□□□
    You would need some sort of route to get to the peer address. Which in this case happens to be a directly connected address so there is no need to add a route manually.

    Gotcha. I'm studying with the same cbt as him and ironically I'm doing both the vpn videos tonight.
  • williamsimardwilliamsimard Junior Member Registered Users Posts: 1 ■□□□□□□□□□
    I have 2 cisco router set up with a VPN and I get an UP status showing they are connected and the VPN is working.

    From network A, I have the router set to 10.23.1.150 for 0/0, and a static IP from our ISP for 0/1.

    On Network B I have the router set to 192.168.1.1 for 0/0, and 0/1 has a static IP from our ISP.

    If I am working on Network A and want to send data over the VPN, do I send it to 10.23.1.150 ? The main Gateway is another router with an address of 10.23.1.1

    Thanks for the help.

    Bill
Sign In or Register to comment.