IPsec Tunnel Help

Everyone -

I was just doing a little lab work involving creating an IPsec tunnels. However, I cannot get the tunnel to come up. I went over the basic configs and cant figure out what I am missing. Would you all please take a look?

Router 1 is a Cisco 2811 with IOS 15.1.4M7
Router 2 is a Cisco 1841 with IOS 15.1.4M7

Router 1 Config:

!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXX address 50.172.198.122
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 50.172.198.122
set transform-set TS
match address VPN-TRAFFIC
!
interface FastEthernet0/1
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
crypto map CMAP
!
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 50.172.198.1 100
!
ip access-list extended VPN-TRAFFIC
permit ip 10.0.0.0 0.0.0.255 10.42.42.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 10.42.42.0 0.0.0.255
!
access-list 100 remark [Define NAT Service]
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.42.42.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.42.42.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!

Router 2 Config:
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXX address 50.172.198.59
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 50.172.198.59
set transform-set TS
match address VPN-TRAFFIC
!
!
!
!
interface FastEthernet0/1
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
crypto map CMAP
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 50.172.198.1 100
!
ip access-list extended VPN-TRAFFIC
permit ip 10.42.42.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.42.42.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 100 remark [Define NAT Service]
access-list 100 deny ip 10.42.42.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.42.42.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.42.42.0 0.0.0.255 any

Router 1 Show Crypto Map / Show Crypto Session:
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
Peer = 50.172.198.122
Extended IP access list VPN-TRAFFIC
access-list VPN-TRAFFIC permit ip 10.0.0.0 0.0.0.255 10.42.42.0 0.0.0.255
access-list VPN-TRAFFIC permit ip 192.168.0.0 0.0.0.255 10.42.42.0 0.0.0.255
Current peer: 50.172.198.122
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TS: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map CMAP:
FastEthernet0/1

Crypto session current status
Interface: FastEthernet0/1
Session status: DOWN
Peer: 50.172.198.122 port 500
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.42.42.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 10.42.42.0/255.255.255.0
Active SAs: 0, origin: crypto map

Router 2 Show Crypto Map / Show Crypto Session:
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
Peer = 50.172.198.59
Extended IP access list VPN-TRAFFIC
access-list VPN-TRAFFIC permit ip 10.42.42.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list VPN-TRAFFIC permit ip 10.42.42.0 0.0.0.255 192.168.0.0 0.0.0.255
Current peer: 50.172.198.59
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TS: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map CMAP:
FastEthernet0/1

Crypto session current status
Interface: FastEthernet0/1
Session status: DOWN
Peer: 50.172.198.59 port 500
IPSEC FLOW: permit ip 10.42.42.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.42.42.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map

Thoughts?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

networker050184

How are you testing? Have you initiated any interesting traffic?

Corndork2

Ive tried sending sourced pings to the peers with no luck bringing up the tunnel yet.

Router 1:
ping 10.42.42.1 source fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.42.42.1, timeout is 2 seconds:
Packet sent with a source address of 50.172.198.59
.....
Success rate is 0 percent (0/5)

Router 2:
ping 10.0.0.1 source fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 50.172.198.122
.....
Success rate is 0 percent (0/5)

networker050184

Corndork2 wrote: »

ip access-list extended VPN-TRAFFIC
permit ip 10.0.0.0 0.0.0.255 10.42.42.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 10.42.42.0 0.0.0.255
!

Corndork2 wrote: »

Packet sent with a source address of 50.172.198.59

This traffic is not interesting.

Corndork2

Yep....you're right. And there was my mistake.

Properly sourced Pings, and tunnel is up.

Thanks!!

Corndork2

Session status: UP-ACTIVE
Peer: 50.172.198.59 port 500
IKEv1 SA: local 50.172.198.122/500 remote 50.172.198.59/500 Active
IPSEC FLOW: permit ip 10.42.42.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.42.42.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map

darkerz

I spent 7 hours my first time bashing my head in when I began the world of IPSec tunnels.

...

...

Exact same fix, but you'll never forget now!