
IKE1 not working? help!

itdaddy Member Posts: 2,089
Help, I am at a loss. I cannot see where I went wrong.
I have 2 routers, 1760s. They are connected via Ethernet e1/0 on both sides. The public address for R3 is 192.168.7.3 and for R4 it is 192.168.7.4. I use loopbacks for the inside LAN address range:
3.3.3.1 for R3 and 4.4.4.1 for R4. I can ping both ways, no problem.
I can see show crypto ipsec sa no problem, but it shows no traffic stats.
But when I run a show crypto isakmp sa, absolutely nothing?
What is wrong? IKE phase 1 looks good to me. I cannot get IKE phase 1
to work; according to the show crypto isakmp sa command nothing shows up. I rebooted the routers, I pinged both ends. What is wrong? Thanks guys


run show crypto isakmp sa
R4_BB2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R4_BB2#
R3_BB1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R3_BB1#


R4_BB2#sh config
Using 2395 out of 29688 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4_BB2
!
boot-start-marker
boot system flash
boot system flash c1700-adventerprisek9-mz.124-15.T10.bin
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip multicast-routing
ipv6 unicast-routing
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4041131646
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4041131646
revocation-check none
rsakeypair TP-self-signed-4041131646
!
!
crypto pki certificate chain TP-self-signed-4041131646
certificate self-signed 01 nvram:IOS-Self-Sig#D.cer
!
!
username robert privilege 15 password 0 ccie
archive
log config
hidekeys
!
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key cbtkey address 192.168.7.3
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set R4vpnR3T esp-aes esp-sha-hmac
!
crypto map R4R3MAP 100 ipsec-isakmp
set peer 192.168.7.3
set transform-set R4vpnR3T
set pfs group2
match address R4vpnR3TRAFFIC
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface FastEthernet0/0
ip address 192.168.1.4 255.255.255.0
shutdown
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no frame-relay inverse-arp
!
interface Serial0/0.1 point-to-point
description direction to R3-BB1
ip address 10.1.1.2 255.255.255.252
ip pim sparse-dense-mode
snmp trap link-status
frame-relay interface-dlci 882
!
interface Serial0/0.2 point-to-point
description direction to R1
ip address 172.16.2.2 255.255.255.252
snmp trap link-status
frame-relay interface-dlci 821
!
interface Ethernet1/0
ip address 192.168.7.4 255.255.255.0
half-duplex
crypto map R4R3MAP
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 192.168.7.3
!
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended R4vpnR3TRAFFIC
permit ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
alias exec b sh ip int brief
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
password ccie
logging synchronous
login
!
end
R4_BB2#
=========================== Router 3 below ============
R3_BB1#sh config
Using 2550 out of 29688 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3_BB1
!
boot-start-marker
boot system flash c1700-adventerprisek9-mz.124-15.T10.bin
boot-end-marker
!
enable secret 5 $1$x4Lx$iUCBV1F8UatTrJRQJhGji/
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip multicast-routing
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4115050265
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4115050265
revocation-check none
rsakeypair TP-self-signed-4115050265
!
!
crypto pki certificate chain TP-self-signed-4115050265
certificate self-signed 01 nvram:IOS-Self-Sig#A.cer
!
!
username robert privilege 15 password 0 ccie
archive
log config
hidekeys
!
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key cbtkey address 192.168.7.4
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set R3vpnR4T esp-aes esp-sha-hmac
!
crypto map R3R4MAP 100 ipsec-isakmp
set peer 192.168.7.4
set transform-set R3vpnR4T
set pfs group2
match address R3vpnR4TRAFFIC
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface FastEthernet0/0
ip address 192.168.1.3 255.255.255.0
shutdown
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no frame-relay inverse-arp
!
interface Serial0/0.1 point-to-point
description direction to R4-BB2
ip address 10.1.1.1 255.255.255.252
snmp trap link-status
frame-relay interface-dlci 881
!
interface Serial0/0.2 point-to-point
description direction to R1
ip address 172.16.1.2 255.255.255.252
snmp trap link-status
frame-relay interface-dlci 811
!
interface Ethernet1/0
ip address 192.168.7.3 255.255.255.0
half-duplex
crypto map R3R4MAP
!
ip forward-protocol nd
ip route 4.4.4.0 255.255.255.0 192.168.7.4
!
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended R3vpnR4TRAFFIC
permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CC
Authorized Users can Access this router only ^C
alias exec fr frame-relay map ip 10.2.2.1 203 broadcaste (static mapping)
alias exec b sh ip int brief
!
line con 0
exec-timeout 0 0
privilege level 15
password ccie
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
password tuco
logging synchronous
login
!
ntp server 192.168.1.1
ntp peer 172.16.2.2
end
R3_BB1#

Comments

    ConstantlyLearning Member Posts: 445
    Only glanced over the config, but a couple of things popped out.

    You should initiate the VPN by passing traffic THROUGH the router. So, don't use a loopback as the LAN; use a physical interface and source traffic from a device off of that interface.

    Your crypto ACLs are backwards:

    R4_BB2#
    interface Loopback0
    ip address 4.4.4.1 255.255.255.0
    ip access-list extended R4vpnR3TRAFFIC
    permit ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255


    R3_BB1#
    interface Loopback0
    ip address 3.3.3.1 255.255.255.0
    ip access-list extended R3vpnR4TRAFFIC
    permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
    "There are 3 types of people in this world, those who can count and those who can't"
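    One way to catch the backwards crypto ACLs mechanically, as an added example that is not code from the thread or from Cisco: a small Python checker that reads the crypto-relevant lines of both routers' configs, confirms each side's set peer and pre-shared-key address point at the interface the other side applied its crypto map to, flags any crypto ACL entry whose source is a network the router routes towards its peer (the remote LAN rather than the local one), and prints the corrected ACL. The two configs are constructed from the lab above via a template, and the route-based local-versus-remote test is an assumption of this example that suits a lab with static routes.

```python
import ipaddress

# Constructed lab configs modelled on the thread's routers (crypto ACL written remote -> local, as above).
LAB = """hostname {host}
crypto isakmp key cbtkey address {peer}
crypto map {map} 100 ipsec-isakmp
 set peer {peer}
 match address {acl}
interface Loopback0
 ip address {lan_ip} 255.255.255.0
interface Ethernet1/0
 ip address {wan_ip} 255.255.255.0
 crypto map {map}
ip route {remote_lan} 255.255.255.0 {peer}
ip access-list extended {acl}
 permit ip {remote_lan} 0.0.0.255 {local_lan} 0.0.0.255
"""
R4_CONFIG = LAB.format(host="R4_BB2", peer="192.168.7.3", map="R4R3MAP", acl="R4vpnR3TRAFFIC",
                       lan_ip="4.4.4.1", wan_ip="192.168.7.4", local_lan="4.4.4.0", remote_lan="3.3.3.0")
R3_CONFIG = LAB.format(host="R3_BB1", peer="192.168.7.4", map="R3R4MAP", acl="R3vpnR4TRAFFIC",
                       lan_ip="3.3.3.1", wan_ip="192.168.7.3", local_lan="3.3.3.0", remote_lan="4.4.4.0")

def wc_net(addr, wildcard):
    """'3.3.3.0 0.0.0.255' (Cisco wildcard = inverted mask) -> IPv4Network 3.3.3.0/24."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def wc_str(net):
    return f"{net.network_address} {net.hostmask}"  # back to the IOS 'address wildcard' form

def parse(config):
    """Collect the crypto-relevant facts from one router's config (indentation is ignored)."""
    s = {"hostname": "", "key_peers": set(), "peers": set(), "match_acl": "",
         "ifaces": {}, "crypto_iface_ip": "", "routes": [], "acls": {}}
    ctx = None  # ("map" | "interface" | "acl", name); a '!' line closes the block
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            ctx = None
        elif w[0] == "hostname":
            s["hostname"] = w[1]
        elif w[:3] == ["crypto", "isakmp", "key"]:         # crypto isakmp key KEY address ADDR
            s["key_peers"].add(w[w.index("address") + 1])
        elif w[:2] == ["crypto", "map"] and len(w) > 3:     # crypto map NAME SEQ ipsec-isakmp
            ctx = ("map", w[2])
        elif w[0] == "interface":
            ctx = ("interface", w[1])
        elif w[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", w[3])
            s["acls"][w[3]] = []
        elif w[:2] == ["ip", "route"]:                      # ip route NET MASK NEXT-HOP
            s["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
        elif ctx and ctx[0] == "map":
            if w[:2] == ["set", "peer"]:
                s["peers"].add(w[2])
            elif w[:2] == ["match", "address"]:
                s["match_acl"] = w[2]
        elif ctx and ctx[0] == "interface":
            if w[:2] == ["ip", "address"]:
                s["ifaces"][ctx[1]] = w[2]
            elif w[:2] == ["crypto", "map"]:                # crypto map NAME applied to this interface
                s["crypto_iface_ip"] = s["ifaces"].get(ctx[1], "")
        elif ctx and ctx[0] == "acl" and w[:2] == ["permit", "ip"]:
            s["acls"][ctx[1]].append((wc_net(w[2], w[3]), wc_net(w[4], w[5])))
    return s

def is_backwards(side, src, dst):
    """A crypto ACL entry must read local-source -> remote-destination; it is backwards if the source
    is routed towards the crypto peer or the destination holds one of the router's own addresses."""
    via_peer = {net for net, nh in side["routes"] if nh in side["peers"]}
    own = [ipaddress.ip_address(ip) for ip in side["ifaces"].values()]
    return src in via_peer or any(ip in dst for ip in own)

def corrected_acl(side):
    """The crypto ACL as IOS lines, with every backwards entry flipped."""
    lines = [f"ip access-list extended {side['match_acl']}"]
    for src, dst in side["acls"].get(side["match_acl"], []):
        if is_backwards(side, src, dst):
            src, dst = dst, src
        lines.append(f" permit ip {wc_str(src)} {wc_str(dst)}")
    return lines

def check(a, b):
    """Findings for the pair; an empty list means both ends describe the same tunnel."""
    findings = []
    for me, other in ((a, b), (b, a)):
        h = me["hostname"]
        if other["crypto_iface_ip"] not in me["peers"]:
            findings.append(f"{h}: 'set peer' is not {other['hostname']}'s crypto-map interface {other['crypto_iface_ip']}")
        if not me["key_peers"] & me["peers"]:
            findings.append(f"{h}: no 'crypto isakmp key ... address' entry matches its 'set peer'")
        for src, dst in me["acls"].get(me["match_acl"], []):
            if is_backwards(me, src, dst):
                findings.append(f"{h}: crypto ACL entry '{wc_str(src)} -> {wc_str(dst)}' is backwards")
    return findings

if __name__ == "__main__":
    r4, r3 = parse(R4_CONFIG), parse(R3_CONFIG)
    print("\n".join(check(r4, r3) + corrected_acl(r4) + corrected_acl(r3)))
```

    Run against the two configs it reports one backwards entry per router and prints the flipped ACLs (local LAN first, remote LAN second); once the ACLs are swapped it reports nothing, and the remaining step is the one the answer above gives: traffic that matches the crypto ACL has to pass through the router before an ISAKMP SA will appear.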
    itdaddy Member Posts: 2,089
    SOLVED:

    What I did is reverse the ACLs like you said. I can see what I did wrong now.
    I applied them and then I did what you said. It does depend on the interesting traffic,
    where it is sourced from, to trip the VPN on! Yep, as soon as I did a ping command and sourced it from the public IP side, BAM, show crypto isakmp sa ACTIVE. Super,
    boy did I learn a load of stuff. The network lab book is great; it did help me on page 189, showing how to source and generate interesting traffic. Sweet!
    Thanks brother!