Options

IPsec Tunnel Help

Corndork2Corndork2 Member Posts: 266
in CCNA & CCENT
Everyone -

I was just doing a little lab work involving creating an IPsec tunnels. However, I cannot get the tunnel to come up. I went over the basic configs and cant figure out what I am missing. Would you all please take a look?

Router 1 is a Cisco 2811 with IOS 15.1.4M7
Router 2 is a Cisco 1841 with IOS 15.1.4M7

Router 1 Config:


!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXX address 50.172.198.122
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 50.172.198.122
set transform-set TS
match address VPN-TRAFFIC
!
interface FastEthernet0/1
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
crypto map CMAP
!
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 50.172.198.1 100
!
ip access-list extended VPN-TRAFFIC
permit ip 10.0.0.0 0.0.0.255 10.42.42.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 10.42.42.0 0.0.0.255
!
access-list 100 remark [Define NAT Service]
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.42.42.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.42.42.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!


Router 2 Config:
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXX address 50.172.198.59
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 50.172.198.59
set transform-set TS
match address VPN-TRAFFIC
!
!
!
!
interface FastEthernet0/1
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
crypto map CMAP
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 50.172.198.1 100
!
ip access-list extended VPN-TRAFFIC
permit ip 10.42.42.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.42.42.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 100 remark [Define NAT Service]
access-list 100 deny ip 10.42.42.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.42.42.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.42.42.0 0.0.0.255 any


Router 1 Show Crypto Map / Show Crypto Session:
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
Peer = 50.172.198.122
Extended IP access list VPN-TRAFFIC
access-list VPN-TRAFFIC permit ip 10.0.0.0 0.0.0.255 10.42.42.0 0.0.0.255
access-list VPN-TRAFFIC permit ip 192.168.0.0 0.0.0.255 10.42.42.0 0.0.0.255
Current peer: 50.172.198.122
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TS: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map CMAP:
FastEthernet0/1

Crypto session current status
Interface: FastEthernet0/1
Session status: DOWN
Peer: 50.172.198.122 port 500
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.42.42.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 10.42.42.0/255.255.255.0
Active SAs: 0, origin: crypto map




Router 2 Show Crypto Map / Show Crypto Session:
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
Peer = 50.172.198.59
Extended IP access list VPN-TRAFFIC
access-list VPN-TRAFFIC permit ip 10.42.42.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list VPN-TRAFFIC permit ip 10.42.42.0 0.0.0.255 192.168.0.0 0.0.0.255
Current peer: 50.172.198.59
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TS: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map CMAP:
FastEthernet0/1

Crypto session current status
Interface: FastEthernet0/1
Session status: DOWN
Peer: 50.172.198.59 port 500
IPSEC FLOW: permit ip 10.42.42.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.42.42.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map




Thoughts?
Brocade: BAIS, BACNS, BAEFS Cisco: CCENT, CCNA R&S CWNP: CWTS Juniper: JNCIA-JUNOS
CompTIA: A+ (2009), Network+ (2009), A+ CE, Network+ CE, Security+ CE, CDIA+
Mikrotik: MTCNA, MTCRE, MTCWE, MTCTCE VMware: VCA-DV Rackspace: CloudU
· Share on FacebookShare on Twitter

Comments

  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    How are you testing? Have you initiated any interesting traffic?
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • Options
    Corndork2Corndork2 Member Posts: 266
    Ive tried sending sourced pings to the peers with no luck bringing up the tunnel yet.

    Router 1:
    ping 10.42.42.1 source fa0/1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.42.42.1, timeout is 2 seconds:
    Packet sent with a source address of 50.172.198.59
    .....
    Success rate is 0 percent (0/5)





    Router 2:
    ping 10.0.0.1 source fa0/1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Packet sent with a source address of 50.172.198.122
    .....
    Success rate is 0 percent (0/5)
    Brocade: BAIS, BACNS, BAEFS Cisco: CCENT, CCNA R&S CWNP: CWTS Juniper: JNCIA-JUNOS
    CompTIA: A+ (2009), Network+ (2009), A+ CE, Network+ CE, Security+ CE, CDIA+
    Mikrotik: MTCNA, MTCRE, MTCWE, MTCTCE VMware: VCA-DV Rackspace: CloudU
    · Share on FacebookShare on Twitter
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    Corndork2 wrote: »
    ip access-list extended VPN-TRAFFIC
    permit ip 10.0.0.0 0.0.0.255 10.42.42.0 0.0.0.255
    permit ip 192.168.0.0 0.0.0.255 10.42.42.0 0.0.0.255
    !

    Corndork2 wrote: »
    Packet sent with a source address of 50.172.198.59

    This traffic is not interesting.
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • Options
    Corndork2Corndork2 Member Posts: 266
    Yep....you're right. And there was my mistake.

    Properly sourced Pings, and tunnel is up.

    Thanks!!
    Brocade: BAIS, BACNS, BAEFS Cisco: CCENT, CCNA R&S CWNP: CWTS Juniper: JNCIA-JUNOS
    CompTIA: A+ (2009), Network+ (2009), A+ CE, Network+ CE, Security+ CE, CDIA+
    Mikrotik: MTCNA, MTCRE, MTCWE, MTCTCE VMware: VCA-DV Rackspace: CloudU
    · Share on FacebookShare on Twitter
  • Options
    Corndork2Corndork2 Member Posts: 266
    Session status: UP-ACTIVE
    Peer: 50.172.198.59 port 500
    IKEv1 SA: local 50.172.198.122/500 remote 50.172.198.59/500 Active
    IPSEC FLOW: permit ip 10.42.42.0/255.255.255.0 10.0.0.0/255.255.255.0
    Active SAs: 2, origin: crypto map
    IPSEC FLOW: permit ip 10.42.42.0/255.255.255.0 192.168.0.0/255.255.255.0
    Active SAs: 2, origin: crypto map
    Brocade: BAIS, BACNS, BAEFS Cisco: CCENT, CCNA R&S CWNP: CWTS Juniper: JNCIA-JUNOS
    CompTIA: A+ (2009), Network+ (2009), A+ CE, Network+ CE, Security+ CE, CDIA+
    Mikrotik: MTCNA, MTCRE, MTCWE, MTCTCE VMware: VCA-DV Rackspace: CloudU
    · Share on FacebookShare on Twitter
  • Options
    darkerzdarkerz Member Posts: 431 ■■■■□□□□□□
    I spent 7 hours my first time bashing my head in when I began the world of IPSec tunnels.

    ...

    ...

    Exact same fix, but you'll never forget now!
    :twisted:
    · Share on FacebookShare on Twitter
Sign In or Register to comment.