Arghh IPSEC what am i doing wrong.
DANMOH009
Member Posts: 241
OK, I'm really struggling configuring IPSEC between 2 Ciscos. I've put it down to a very basic lab scenario and still can't get it working. I have two routers connecting to each other, R3 and R2:
192.168.1.0/24 --- R3
CONNECT TO
R2
172.16.1.0/24
And an IPSEC so LAN can speak to LAN. I think it's something simple I'm missing but just don't know what; if anyone can help that would be great.
Config R3
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 10
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password1 address 82.0.0.1
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map MYMAP 1 ipsec-isakmp
set peer 82.0.0.2
set transform-set MYSET
set pfs group2
match address 100
!
!
!
interface FastEthernet0/0
ip address 82.0.0.1 255.255.255.252
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
control-plane
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Config R2
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 10
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password1 address 82.0.0.1
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map MYMAP 1 ipsec-isakmp
set peer 82.0.0.1
set transform-set MYSET
set pfs group2
match address 101
!
!
!
interface FastEthernet0/0
ip address 82.0.0.2 255.255.255.252
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
control-plane
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
If someone has the time, can you please let me know what's wrong?
cheers
Comments
-
DANMOH009 Member Posts: 241
Please ignore the ip route 0.0.0.0; I'm not sure if this has to be there, I just added it to test and see if it worked with it.
-
networker050184 Mod Posts: 11,962
What isn't working? How are you testing?
An expert is a man who has made all the mistakes which can be made.
-
DANMOH009 Member Posts: 241
I'm testing via a ping from R3:
ping 172.16.1.1 source fa0/1
From R3 I get the following outputs on show commands:
R3#show crypto isakmp sa
dst src state conn-id slot status
R3#
R3#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 82.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 82.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 82.0.0.1, remote crypto endpt.: 82.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
So I don't think the IPSEC tunnel is up, but I don't know why.
-
networker050184 Mod Posts: 11,962
On R3 - crypto isakmp key password1 address 82.0.0.1.
-
DANMOH009 Member Posts: 241
Is that wrong?
I thought I needed to create a crypto key and address it to that peer?
-
networker050184 Mod Posts: 11,962
R3's peer is 82.0.0.2, not 82.0.0.1.
-
DANMOH009 Member Posts: 241
Arghhhh, you're right!!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password1 address 82.0.0.2
Changed it and guess what...
R3#show crypto isakmp sa
dst src state conn-id slot status
82.0.0.2 82.0.0.1 QM_IDLE 1 0 ACTIVE
Thanks networker, you are a legend!!!!
Do I need the default route out fa 0/0 for the IPSEC to work? Or can I get rid of them?
----
I just checked; without default routes it didn't work, so I take it I do need them!
-
networker050184 Mod Posts: 11,962
In this scenario, no, you do not, as it is a directly connected address so you will still have a route. You do need a route (usually a default route, as it will be over the internet) to the peer, though.
One unrelated note: a default route pointing out a multiaccess interface like Ethernet is not a good practice. You can end up with ARP exhaustion.
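The fault in this thread is a classic one: the crypto map on R3 peers with 82.0.0.2, but the pre-shared key is addressed to 82.0.0.1 (R3's own WAN address), so IKE Phase 1 never completes and `show crypto isakmp sa` stays empty. The script below is an added example, not code from the thread, from Cisco, or from either poster: it parses the crypto-relevant parts of two IOS running-configs (ISAKMP policy, PSK address, crypto map peer, transform set, PFS, crypto ACL) and reports anything that does not agree between the peers. The config text is a constructed, trimmed copy of the posted configs; it assumes IOS-style indentation (one leading space for sub-commands), which the forum copy above has lost. It also flags the 3DES/MD5/DH group 2 settings, which are weak by current guidance even though they are not what broke the tunnel here.

```python
"""Consistency checker for a pair of IOS crypto-map site-to-site IPsec configs.

Added example (not an IOS feature): parses the pieces of each running-config
that must agree between peers and reports mismatches. Assumes IOS-style
indentation: sub-commands are indented by one space under their parent line.
"""

# Constructed, trimmed copy of the thread's configs (same values as posted).
TEMPLATE = """\
hostname {host}
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key password1 address {key_addr}
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
 set peer {peer}
 set transform-set MYSET
 set pfs group2
 match address {acl}
interface FastEthernet0/0
 ip address {wan} 255.255.255.252
 crypto map MYMAP
access-list {acl} permit ip {lan} 0.0.0.255 {remote} 0.0.0.255
"""
R3_AS_POSTED = TEMPLATE.format(host="R3", key_addr="82.0.0.1", peer="82.0.0.2",
                               wan="82.0.0.1", acl="100",
                               lan="192.168.1.0", remote="172.16.1.0")
R3_FIXED = R3_AS_POSTED.replace("key password1 address 82.0.0.1",
                                "key password1 address 82.0.0.2")  # PSK keyed to the peer
R2 = TEMPLATE.format(host="R2", key_addr="82.0.0.1", peer="82.0.0.1",
                     wan="82.0.0.2", acl="101",
                     lan="172.16.1.0", remote="192.168.1.0")


def parse_config(text):
    """Pull the crypto-relevant pieces out of an IOS running-config."""
    cfg = {"hostname": None, "policies": {}, "key_addrs": set(),
           "transform_sets": {}, "maps": {}, "interfaces": {}, "acls": {}}
    section = None                                  # dict for the open sub-mode
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line[0] != " ":                          # top-level command
            section = None
            if w[0] == "hostname":
                cfg["hostname"] = w[1]
            elif w[:3] == ["crypto", "isakmp", "policy"]:
                section = cfg["policies"].setdefault(w[3], {})
            elif w[:3] == ["crypto", "isakmp", "key"]:   # ... key <psk> address <ip>
                cfg["key_addrs"].add(w[w.index("address") + 1])
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"][w[3]] = tuple(sorted(w[4:]))
            elif w[:2] == ["crypto", "map"] and len(w) >= 5:  # crypto map NAME SEQ ipsec-isakmp
                section = cfg["maps"].setdefault((w[2], w[3]), {})
            elif w[0] == "interface":
                section = cfg["interfaces"].setdefault(w[1], {})
            elif w[0] == "access-list" and w[2] == "permit":  # access-list N permit ip S SW D DW
                cfg["acls"].setdefault(w[1], []).append(tuple(w[4:8]))
        elif section is not None:                   # sub-command of the open section
            if w[0] == "set":                       # crypto map: set peer / transform-set / pfs
                section[w[1]] = w[2]
            elif w[:2] == ["match", "address"]:
                section["acl"] = w[2]
            elif w[:2] == ["ip", "address"]:
                section["ip"] = w[2]
            elif w[:2] == ["crypto", "map"]:        # crypto map bound to an interface
                section["crypto_map"] = w[2]
            else:                                   # isakmp policy: encr / hash / group / ...
                section[w[0]] = " ".join(w[1:])
    return cfg


def _bound_maps(cfg):
    """Crypto map entries whose map is actually applied to an interface."""
    bound = {i.get("crypto_map") for i in cfg["interfaces"].values()}
    return {k: v for k, v in cfg["maps"].items() if k[0] in bound}


def check_pair(a, b):
    """List the mismatches between two peers' configs; an empty list means consistent."""
    findings = []
    for side, other in ((a, b), (b, a)):
        me, you = side["hostname"], other["hostname"]
        you_ips = {i.get("ip") for i in other["interfaces"].values()}
        you_maps = list(_bound_maps(other).values())
        you_acl = [e for m in you_maps for e in other["acls"].get(m.get("acl"), [])]
        you_ts = {other["transform_sets"].get(m.get("transform-set")) for m in you_maps}
        for (name, seq), m in _bound_maps(side).items():
            peer, where = m.get("peer"), f"{me}: crypto map {name} {seq}"
            if peer not in side["key_addrs"]:       # the bug in the thread
                findings.append(f"{where} peers with {peer} but the isakmp key is "
                                f"defined for {sorted(side['key_addrs'])}")
            if peer not in you_ips:
                findings.append(f"{where} peer {peer} is not an address on {you}")
            if side["transform_sets"].get(m.get("transform-set")) not in you_ts:
                findings.append(f"{where} transform set does not match {you}")
            if {m.get("pfs")} != {x.get("pfs") for x in you_maps}:
                findings.append(f"{where} pfs setting does not match {you}")
            mine = side["acls"].get(m.get("acl"), [])
            if not mine or any((d, dw, s, sw) not in you_acl for s, sw, d, dw in mine):
                findings.append(f"{where} crypto ACL is not mirrored on {you}")

    def sig(p):                                     # Phase 1 attributes that must agree
        return tuple(p.get(k) for k in ("encr", "hash", "group", "authentication"))
    if not {sig(p) for p in a["policies"].values()} & {sig(p) for p in b["policies"].values()}:
        findings.append("no ISAKMP policy agrees on encr/hash/group/authentication")
    return findings


WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def weak_algorithms(cfg):
    """ISAKMP policy settings that current guidance treats as weak (DES/3DES, MD5, DH 1/2)."""
    return sorted(f"{cfg['hostname']}: policy {n} uses {k} {v}"
                  for n, p in cfg["policies"].items()
                  for k, v in p.items() if v in WEAK.get(k, ()))


if __name__ == "__main__":
    for r3 in (R3_AS_POSTED, R3_FIXED):
        print(check_pair(parse_config(r3), parse_config(R2)) or ["consistent"])
    print(weak_algorithms(parse_config(R2)))
```

Run as-is, the first line of output names the single finding on R3 (the crypto map peers with 82.0.0.2 while the only key is for 82.0.0.1), the second reports the corrected pair as consistent, and the third lists the three weak Phase 1 settings. The mirrored-ACL and transform-set checks are there because those are the next things that silently fail Phase 2 once Phase 1 is fixed.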