IKE1 noth working? help!
itdaddy
Member Posts: 2,089
Help I am at a loss. I cannot see where I went wrong.
I have 2 routers 1760s. They are connected via ethernet e1/0 on both sides. The public address for R3 is 192.168.7.3 and for R4 it is 192.168.7.4. I use loopbacks for the inside lan address range.
3.3.3.1 for R3 and 4.4.4.1 for R4. I can ping both ways no problem.
I can see show crypto ipsec sa no problem, but it shows no traffic stats.
But when I run a show crypto isakmp sa, absolutely nothing?
What is wrong? IKE phase 1 looks good to me. I cannot get IKE phase 1
to work; according to the show crypto isakmp sa command nothing shows up. I rebooted routers, I pinged both ends. What is wrong? thanks guys
run show crypto isakmp sa
R4_BB2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R4_BB2#
R3_BB1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R3_BB1#
R4_BB2#sh config
Using 2395 out of 29688 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4_BB2
!
boot-start-marker
boot system flash
boot system flash c1700-adventerprisek9-mz.124-15.T10.bin
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip multicast-routing
ipv6 unicast-routing
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4041131646
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4041131646
revocation-check none
rsakeypair TP-self-signed-4041131646
!
!
crypto pki certificate chain TP-self-signed-4041131646
certificate self-signed 01 nvram:IOS-Self-Sig#D.cer
!
!
username robert privilege 15 password 0 ccie
archive
log config
hidekeys
!
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key cbtkey address 192.168.7.3
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set R4vpnR3T esp-aes esp-sha-hmac
!
crypto map R4R3MAP 100 ipsec-isakmp
set peer 192.168.7.3
set transform-set R4vpnR3T
set pfs group2
match address R4vpnR3TRAFFIC
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface FastEthernet0/0
ip address 192.168.1.4 255.255.255.0
shutdown
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no frame-relay inverse-arp
!
interface Serial0/0.1 point-to-point
description direction to R3-BB1
ip address 10.1.1.2 255.255.255.252
ip pim sparse-dense-mode
snmp trap link-status
frame-relay interface-dlci 882
!
interface Serial0/0.2 point-to-point
description direction to R1
ip address 172.16.2.2 255.255.255.252
snmp trap link-status
frame-relay interface-dlci 821
!
interface Ethernet1/0
ip address 192.168.7.4 255.255.255.0
half-duplex
crypto map R4R3MAP
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 192.168.7.3
!
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended R4vpnR3TRAFFIC
permit ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
alias exec b sh ip int brief
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
password ccie
logging synchronous
login
!
end
R4_BB2#
=========================== Router 3 below ============
R3_BB1#sh config
Using 2550 out of 29688 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3_BB1
!
boot-start-marker
boot system flash c1700-adventerprisek9-mz.124-15.T10.bin
boot-end-marker
!
enable secret 5 $1$x4Lx$iUCBV1F8UatTrJRQJhGji/
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip multicast-routing
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4115050265
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4115050265
revocation-check none
rsakeypair TP-self-signed-4115050265
!
!
crypto pki certificate chain TP-self-signed-4115050265
certificate self-signed 01 nvram:IOS-Self-Sig#A.cer
!
!
username robert privilege 15 password 0 ccie
archive
log config
hidekeys
!
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key cbtkey address 192.168.7.4
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set R3vpnR4T esp-aes esp-sha-hmac
!
crypto map R3R4MAP 100 ipsec-isakmp
set peer 192.168.7.4
set transform-set R3vpnR4T
set pfs group2
match address R3vpnR4TRAFFIC
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface FastEthernet0/0
ip address 192.168.1.3 255.255.255.0
shutdown
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no frame-relay inverse-arp
!
interface Serial0/0.1 point-to-point
description direction to R4-BB2
ip address 10.1.1.1 255.255.255.252
snmp trap link-status
frame-relay interface-dlci 881
!
interface Serial0/0.2 point-to-point
description direction to R1
ip address 172.16.1.2 255.255.255.252
snmp trap link-status
frame-relay interface-dlci 811
!
interface Ethernet1/0
ip address 192.168.7.3 255.255.255.0
half-duplex
crypto map R3R4MAP
!
ip forward-protocol nd
ip route 4.4.4.0 255.255.255.0 192.168.7.4
!
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended R3vpnR4TRAFFIC
permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CC
Authorized Users can Access this router only ^C
alias exec fr frame-relay map ip 10.2.2.1 203 broadcaste (static mapping)
alias exec b sh ip int brief
!
line con 0
exec-timeout 0 0
privilege level 15
password ccie
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
password tuco
logging synchronous
login
!
ntp server 192.168.1.1
ntp peer 172.16.2.2
end
R3_BB1#
Comments
-
ConstantlyLearning Member Posts: 445
Only glanced over the config but a couple of things popped out.
You should initiate the VPN by passing traffic THROUGH the router. So, don't use a loopback as the LAN, use a physical interface and source traffic from a device off of that interface.
Your crypto ACLs are backwards:
R4_BB2#
interface Loopback0
ip address 4.4.4.1 255.255.255.0
ip access-list extended R4vpnR3TRAFFIC
permit ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255
R3_BB1#
interface Loopback0
ip address 3.3.3.1 255.255.255.0
ip access-list extended R3vpnR4TRAFFIC
permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255
"There are 3 types of people in this world, those who can count and those who can't"
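As an added example (not the poster's configs or any tool from this thread), here is a small Python checker that reads the crypto-relevant lines of two IOS configs and applies the two rules behind the answer above: the crypto ACLs on the two peers must be mirror images of each other, and each router's ACL must name a network the router itself has as the source. The embedded sample configs are trimmed copies of the posted R3/R4 configs (hostnames, addresses and ACL names as posted); the operand parser also accepts `host` and `any`, which the posted ACLs don't use.

```python
"""Review a pair of IOS site-to-site IPsec configs for the crypto ACL mistake
discussed in this thread.  Added example, not the poster's own tooling."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the crypto-relevant lines of the two posted configs.
R4_CONFIG = """\
hostname R4_BB2
!
crypto map R4R3MAP 100 ipsec-isakmp
 set peer 192.168.7.3
 match address R4vpnR3TRAFFIC
!
interface Loopback0
 ip address 4.4.4.1 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.7.4 255.255.255.0
 crypto map R4R3MAP
!
ip access-list extended R4vpnR3TRAFFIC
 permit ip 3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255
!
"""
R3_CONFIG = R4_CONFIG.replace("R4_BB2", "R3_BB1").replace("R4R3MAP", "R3R4MAP") \
    .replace("R4vpnR3TRAFFIC", "R3vpnR4TRAFFIC").replace("192.168.7.3", "PEER") \
    .replace("192.168.7.4", "192.168.7.3").replace("PEER", "192.168.7.4") \
    .replace("4.4.4.1 255", "3.3.3.1 255") \
    .replace("3.3.3.0 0.0.0.255 4.4.4.0 0.0.0.255", "4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255")


@dataclass
class CryptoConfig:
    hostname: str = ""
    peer: str = ""
    acl_name: str = ""
    local_nets: list = field(default_factory=list)  # networks on this router's interfaces
    entries: list = field(default_factory=list)     # (src_net, dst_net) per crypto ACL permit


def _operand(tokens, i):
    """Parse one ACL address operand (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks; ipaddress accepts them as hostmasks
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract hostname, peer, crypto ACL name, local networks and crypto ACL entries."""
    cfg = CryptoConfig()
    acls = {}            # ACL name -> [(src, dst)]; the crypto map's ACL is picked afterwards
    current_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if line.startswith("ip access-list extended "):
            current_acl = tokens[3]
            acls.setdefault(current_acl, [])
            continue
        if current_acl and tokens and tokens[0] in ("permit", "deny", "remark"):
            if tokens[:2] == ["permit", "ip"]:  # only permit-ip entries define interesting traffic here
                src, i = _operand(tokens, 2)
                dst, _ = _operand(tokens, i)
                acls[current_acl].append((src, dst))
            continue
        current_acl = None   # any other line ends the ACL block
        if line.startswith("hostname "):
            cfg.hostname = tokens[1]
        elif line.startswith("set peer "):
            cfg.peer = tokens[2]
        elif line.startswith("match address "):
            cfg.acl_name = tokens[2]
        elif m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line):
            cfg.local_nets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
    cfg.entries = list(acls.get(cfg.acl_name, []))
    return cfg


def mirror_image(a, b):
    """The two peers' crypto ACLs must be exact reverses of each other."""
    return {(s, d) for s, d in a.entries} == {(d, s) for s, d in b.entries}


def sources_are_local(cfg):
    """Every source in the crypto ACL must overlap a network this router actually has."""
    return bool(cfg.entries) and all(
        any(src.overlaps(net) for net in cfg.local_nets) for src, _ in cfg.entries)


def swapped(cfg):
    """Copy of cfg with crypto ACL source/destination reversed (the fix from the thread)."""
    fixed = CryptoConfig(cfg.hostname, cfg.peer, cfg.acl_name, list(cfg.local_nets))
    fixed.entries = [(d, s) for s, d in cfg.entries]
    return fixed


def acl_lines(cfg):
    """Render the crypto ACL back into IOS syntax."""
    lines = [f"ip access-list extended {cfg.acl_name}"]
    for s, d in cfg.entries:
        lines.append(f" permit ip {s.network_address} {s.hostmask} {d.network_address} {d.hostmask}")
    return lines


def review(a, b):
    """Findings for the peer pair; an empty list means the crypto ACLs look right."""
    findings = []
    if not mirror_image(a, b):
        findings.append(f"{a.hostname}/{b.hostname}: crypto ACLs are not mirror images")
    for cfg in (a, b):
        if not sources_are_local(cfg):
            findings.append(f"{cfg.hostname}: crypto ACL {cfg.acl_name} sources are not local "
                            "(source and destination look swapped)")
    return findings


if __name__ == "__main__":
    r4, r3 = parse_config(R4_CONFIG), parse_config(R3_CONFIG)
    for finding in review(r4, r3):
        print("FINDING:", finding)
    for cfg in (r4, r3):
        print(f"suggested ACL for {cfg.hostname}:")
        print("\n".join(acl_lines(swapped(cfg))))
    print("after fix:", review(swapped(r4), swapped(r3)))
```

Run against the posted configs, the mirror check passes, because the two ACLs are backwards on both sides and so still reverse each other; only the locality check flags the problem. That is why a mirror-image comparison alone is not enough when reviewing a site-to-site config: the source of each crypto ACL has to be checked against the networks that router actually owns.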
itdaddy Member Posts: 2,089
SOLVED:
what I did is reverse the ACLs like you said. I can see what I did wrong now.
I applied them and then I did what you said. It does depend on the Interesting traffic
where it is sourced from to trip vpn on! yep as soon as I did a ping command and sourced it from the public ip side BAM show crypto isakmp sa ACTIVE super
boy did I learn a load of stuff. The network lab book is great it did help me on page 189 show how to source and generate interesting traffic sweeeet!
thanks brother!