Arghh IPSEC what am i doing wrong.
DANMOH009
Ok, I'm really struggling configuring IPsec between 2 Ciscos. I've put it down to a very basic lab scenario and still can't get it working. I have two routers connecting to each other, R3 and R2:
192.168.1.0/24 --- R3 CONNECT TO R2 --- 172.16.1.0/24
And IPsec so LAN can speak to LAN. I think it's something simple I'm missing but just don't know what; if anyone can help that would be great.
Config R3
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 10
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password1 address 82.0.0.1
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map MYMAP 1 ipsec-isakmp
set peer 82.0.0.2
set transform-set MYSET
set pfs group2
match address 100
!
!
!
interface FastEthernet0/0
ip address 82.0.0.1 255.255.255.252
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
control-plane
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Config R2
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 10
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip domain name lab.local
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password1 address 82.0.0.1
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map MYMAP 1 ipsec-isakmp
set peer 82.0.0.1
set transform-set MYSET
set pfs group2
match address 101
!
!
!
interface FastEthernet0/0
ip address 82.0.0.2 255.255.255.252
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
control-plane
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
If someone has the time, can you please let me know what's wrong.
Cheers
Comments
DANMOH009
Please ignore the ip route 0.0.0.0; I'm not sure if this has to be there, I just added it to test and see if it worked with it.
networker050184
What isn't working? How are you testing?
DANMOH009
I'm testing via a ping from R3:
ping 172.16.1.1 source fa0/1
From R3 I get the following outputs on show commands:
R3#show crypto isakmp sa
dst src state conn-id slot status
R3#
R3#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 82.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 82.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 82.0.0.1, remote crypto endpt.: 82.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
So I don't think the IPsec tunnel is up, but I don't know why.
networker050184
On R3 - crypto isakmp key password1 address 82.0.0.1.
DANMOH009
Is that wrong?
I thought I needed to create a crypto key and address it to that peer?
networker050184
R3's peer is 82.0.0.2 not 82.0.0.1.
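An added example, not part of the thread: a small Python lint that pulls the same few statements out of both configs and flags exactly the mismatch networker050184 spotted (a crypto isakmp key bound to the router's own address rather than to its set peer), plus two checks in the same spirit: that each set peer really is an address on the other router, and that the two crypto ACLs mirror each other. The config excerpts are constructed from the configs posted above; the function names are mine.

```python
import re
from ipaddress import ip_network
# Constructed excerpts of the two configs posted in the thread; R3 is as first
# posted, with the ISAKMP key bound to 82.0.0.1 (its own address) instead of the peer.
R3_CFG = """
crypto isakmp key password1 address 82.0.0.1
crypto map MYMAP 1 ipsec-isakmp
 set peer 82.0.0.2
interface FastEthernet0/0
 ip address 82.0.0.1 255.255.255.252
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
R2_CFG = """
crypto isakmp key password1 address 82.0.0.1
crypto map MYMAP 1 ipsec-isakmp
 set peer 82.0.0.1
interface FastEthernet0/0
 ip address 82.0.0.2 255.255.255.252
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# R3 after the fix from the thread: the key is bound to the peer, not to itself.
R3_FIXED = R3_CFG.replace("key password1 address 82.0.0.1", "key password1 address 82.0.0.2")
def parse(cfg):
    """Pull out the statements that must agree for an IKEv1 LAN-to-LAN tunnel."""
    acl = re.findall(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return {
        "keys": set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M)),
        "peers": set(re.findall(r"^\s*set peer (\S+)", cfg, re.M)),
        "local": set(re.findall(r"^\s*ip address (\S+) \S+$", cfg, re.M)),
        # crypto ACL entries as (source, destination); ip_network accepts wildcard masks
        "acl": {(ip_network(f"{s}/{sw}", strict=False), ip_network(f"{d}/{dw}", strict=False))
                for s, sw, d, dw in acl},
    }

def lint_pair(name_a, cfg_a, name_b, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for name, me, other in ((name_a, a, b), (name_b, b, a)):
        for peer in me["peers"]:
            if peer not in me["keys"]:  # phase 1 never starts: no key for this peer
                own = " (its own address)" if me["keys"] & me["local"] else ""
                findings.append(f"{name}: no ISAKMP key for peer {peer}; key is bound to "
                                f"{', '.join(sorted(me['keys']))}{own}")
            if peer not in other["local"]:  # mistyped set peer, or pointed at the wrong box
                findings.append(f"{name}: peer {peer} is not an address on the other router")
    # crypto ACLs must be mirror images or the phase 2 proxy identities will not match
    if {(d, s) for s, d in a["acl"]} != b["acl"]:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Running lint_pair("R3", R3_CFG, "R2", R2_CFG) reproduces the thread's fault as a single finding, and the same call with R3_FIXED returns an empty list.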
DANMOH009
Arghhhh you're right!!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password1 address 82.0.0.2
Changed it and guess what...
R3#show crypto isakmp sa
dst src state conn-id slot status
82.0.0.2 82.0.0.1 QM_IDLE 1 0 ACTIVE
Thanks networker, you are a legend!!!!
Do I need the default route out fa 0/0 for the IPsec to work? Or can I get rid of them?
----
I just checked it: without default routes it didn't work, so I take it I do need them!
networker050184
In this scenario, no you do not, as it is a directly connected address so you will still have a route. You do need a route (usually a default route, as it will be over the internet) to the peer though.
One unrelated note: a default route pointing out a multiaccess interface like Ethernet is not a good practice. You can end up with ARP exhaustion.