IPSec Tunnel not working.. please help
JohnnyBiggles
Member Posts: 273
in CCNA & CCENT
Not sure if this is the right forum to post this in, but it is Cisco and I'm using a 2911 ISR for this, so maybe it is. I've been fighting back & forth with a company trying to establish an IPSec tunnel to allow us to move to the next step, and I keep telling them we have followed their every direction in configuring our end, but the tunnel refuses to come up and everyone seems stumped and we're all delayed. They will not show their configs and they only have about 2 windows per week to check it on their Cisco device anyway, so I just want to verify with you guys if my end seems to be set up properly and/or if anything is missing. My configs are below, slightly edited for security's sake, but even with the edits it pretty much is matched up with how it actually is. Any assistance would be great.
Router2911#show run
Building configuration...
Current configuration : 5992 bytes
!
! Last configuration change at 22:26:55 GMT Fri Dec 21 2012 by admin
version 15.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname Router2911
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-4.M1.bin
boot-end-marker
!
!
card type t1 0 0
logging buffered 51200 warnings
enable secret 4 EeSCvvUJ/zWuj8nFfZgeNW0C6LfvoZIWGJL8Q3gs4Bo
!
no aaa new-model
clock timezone GMT 0 0
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
network-clock-select 2 T1 0/0/1
!
!
!
!
!
!
!
ip domain name XXXXX.NET
ip name-server 192.168.1.10
ip name-server ##.###.##.##
ip name-server ##.###.###.##
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1636AH3N
hw-module pvdm 0/0
!
!
!
username admin privilege 15 secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
!
!
!
controller T1 0/0/0
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
cablelength long 0db
channel-group 0 timeslots 1-24
!
!
class-map match-any voip
class-map match-any Voip
match ip dscp ef
match ip precedence 5
!
policy-map voip
policy-map Voip
class Voip
priority percent 90
police cir percent 90 bc 25 ms be 25 ms
conform-action transmit
exceed-action drop
class class-default
bandwidth percent 10
random-detect
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXX address 152.###.##.212
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ipcom ah-md5-hmac
!
!
!
crypto map sip local-address GigabitEthernet0/0
crypto map sip 7 ipsec-isakmp
description RCN 1
set peer 152.###.##.212
set transform-set ipcom
set pfs group2
match address 126
!
!
!
!
!
interface MFR1001
no ip address
no ip redirects
no ip proxy-arp
no arp frame-relay
frame-relay multilink bid 1001
frame-relay lmi-type ansi
service-policy output Voip
!
interface MFR1001.500 point-to-point
bandwidth 3072
ip address 157.###.#.194 255.255.255.252
no ip redirects
no ip proxy-arp
ip virtual-reassembly in
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay class Advantage
frame-relay interface-dlci 500 IETF
crypto map sip
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description InsideIF
ip address 63.###.###.46 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:0
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1001
no arp frame-relay
!
interface Serial0/0/1:0
no ip address
no ip redirects
no ip proxy-arp
encapsulation frame-relay MFR1001
no arp frame-relay
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 MFR1001.500
ip route 192.168.1.0 255.255.255.0 192.168.2.1
!
!
map-class frame-relay Advantage
access-list 126 permit ip 63.###.###.44 0.0.0.3 152.###.##.128 0.0.0.31
!
!
!
control-plane
!
!
!
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
line con 0
exec-timeout 30 0
password 7 xxxxxxxxxxxxxxxxxxxxxxx
logging synchronous
login
line aux 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
login
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
session-timeout 10
access-class 11 in
privilege level 15
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
login local
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Router2911#
Comments

Hondabuff Member Posts: 667
AAA is not enabled. Are you setting it up by CLI or CCP? I have been using Cisco Configuration Pro to do VPN setups because of the built in Test Settings. Enabling AAA is always the first step.
"The problem with quotes on the Internet is that you can't always be sure of their authenticity." ~Abraham Lincoln

JohnnyBiggles Member Posts: 273
> AAA is not enabled. Are you setting it up by CLI or CCP?
CLI. AAA must be enabled for an IPSec tunnel to work??
Hondabuff Member Posts: 667
Here are some old notes I had from a web site.

When would you need this: When you want to create a secure tunnel to transfer data between two sites without the use of a VPN concentrator or other security devices.
Special Requirements: The routers used must support IPSec. Most Cisco routers do. Another need is that both sides use a static public IP address to connect to the Internet.
We will go through the steps to be done on one side, and the same steps must be repeated on the other side too. The encryption of data will depend on a shared key. This way, we will not need specialized CAs or RSA methodologies. If you have a hub-and-spoke topology, refer to the note at the bottom.

1. Create the Internet Key Exchange (IKE) key policy. The policy used for our case is policy number 9, because this policy requires a pre-shared key.
Router(config)#crypto isakmp policy 9
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share

2. Set up the shared key that would be used in the VPN,
Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX
where,
VPNKEY is the shared key that you will use for the VPN, and remember to set the same key on the other end.
XXX.XXX.XXX.XXX is the static public IP address of the other end.

3. Now we set the lifetime for the IPSec security associations,
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
where YYYYY is the associations' lifetime in seconds. It is usually set to 86400, which is one day.

4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link,
Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
where,
AAA is the access-list number
SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source of the data allowed to use the VPN link.
DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination of the data that needs to pass through the VPN link.

5. Define the transform set that will be used for this VPN connection,
Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC
where,
SETNAME is the name of the transform set. You can choose any name you like.
BBBB and CCCCC is the transform set. I recommend the use of "esp-3des esp-md5-hmac". You can also use "esp-3des esp-sha-hmac". Any one of these two will do the job.

6. After defining all the previous things, we need to create a crypto-map that associates the access-list to the other site and the transform set.
Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address AAA
where,
MAPNAME is a name of your choice for the crypto-map
PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto-map, give it any number, for example 10.
XXX.XXX.XXX.XXX is the static public IP address of the other end
SETNAME is the name of the transform set that we configured in step 5
AAA is the number of the access-list that we created to define the traffic in step 4

7. The last step is to bind the crypto-map to the interface that connects the router to the other end.
Router(config-if)#crypto map MAPNAME
where MAPNAME is the name of the crypto-map that we defined in step 6.

Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.

Note: If you want to implement multiple VPN connections to multiple sites (i.e. hub-and-spoke topology), you can do this by repeating steps 2 to 7 (except step 3) for each VPN connection. The different crypto-maps and their assignments differentiate between the different VPN connections. Use the same map name for all the connections on the same interface, and use a different priority for each connection.

For troubleshooting purposes, you can use the following commands,
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
and show crypto map
"The problem with quotes on the Internet is that you can't always be sure of their authenticity." ~Abraham Lincoln
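An added config-audit script (not from this thread, Cisco, or the quoted notes) that parses the crypto-map wiring described in steps 2 to 7 and checks the same things against a running-config like the one in the original post: that the peer has a pre-shared key, that the transform set and match ACL exist, that the map is applied to an interface, and that any `local-address` interface matches the interface the map is bound to. The sample config is constructed to mirror the thread's structure, with RFC 5737 documentation addresses standing in for the redacted ones.

```python
import re
# Constructed sample modelled on the thread's crypto config (RFC 5737 addresses).
SAMPLE_CONFIG = """\
crypto isakmp key REDACTED address 203.0.113.212
crypto ipsec transform-set ipcom ah-md5-hmac
crypto map sip local-address GigabitEthernet0/0
crypto map sip 7 ipsec-isakmp
 set peer 203.0.113.212
 set transform-set ipcom
 match address 126
interface MFR1001.500 point-to-point
 ip address 198.51.100.194 255.255.255.252
 crypto map sip
interface GigabitEthernet0/0
 ip address 192.0.2.46 255.255.255.252
access-list 126 permit ip 192.0.2.44 0.0.0.3 203.0.113.128 0.0.0.31
"""

def audit_crypto_map(config):
    """Return findings about how each ipsec-isakmp crypto map entry is wired."""
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    tsets = dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M))
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    local = dict(re.findall(r"^crypto map (\S+) local-address (\S+)", config, re.M))
    bound, iface = {}, None  # map name -> interfaces the map is applied to
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif re.match(r"^\s+crypto map \S+$", line) and iface:
            bound.setdefault(line.split()[2], []).append(iface)
    findings = []
    # Each ipsec-isakmp entry is followed by its indented subcommands.
    for m in re.finditer(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?:[ \t].*\n)*)", config, re.M):
        name, seq, body = m.groups()
        tag = f"crypto map {name} {seq}"
        peer = re.search(r"set peer (\S+)", body)
        if not peer or peer.group(1) not in keys:
            findings.append(f"{tag}: no isakmp pre-shared key configured for the peer")
        ts = re.search(r"set transform-set (\S+)", body)
        if not ts or ts.group(1) not in tsets:
            findings.append(f"{tag}: transform-set is not defined")
        elif "esp-" not in tsets[ts.group(1)]:
            findings.append(f"{tag}: AH-only transform-set, integrity but no encryption")
        acl = re.search(r"match address (\d+)", body)
        if not acl or acl.group(1) not in acls:
            findings.append(f"{tag}: match-address ACL is not defined")
        if name not in bound:
            findings.append(f"{tag}: map is not applied to any interface")
        elif name in local and local[name] not in bound[name]:
            findings.append(f"{tag}: local-address {local[name]} differs from bound interface {bound[name][0]}")
    return findings
```

Run against the sample it reports the AH-only transform set and the `local-address` pointing at a different interface than the one carrying the crypto map; both are worth confirming with the peer before spending another maintenance window on debugs.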
eten Member Posts: 67
Not a security expert by any means, but is it currently failing at phase 1 or 2? Do you have reachability to 152.###.##.212?
What are the results of the below? Are you capable of running debugs to see which phase it is failing at?
show crypto isakmp sa
show crypto ipsec sa

docrice Member Posts: 1,706
Did you define a tunnel interface like Tunnel1?
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/