Thought i knew IPSEC :(
DANMOH009
Member Posts: 241
in CCNA & CCENT
I'm struggling a little here, wondering if you guys can help. Not sure if it's something I've missed, but I can't get this IPSEC tunnel to come up (it's just a lab environment I'm practicing with).
Router3 > Router1 > Router2
The tunnel runs from R3 to R2, which can both ping each other fine.
Router 3 Config
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key DANIEL address 10.0.0.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set PHASE2_ENCRYP esp-3des esp-md5-hmac
!
crypto map OUT1 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set PHASE2_ENCRYP
match address 110
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.0.0.2 255.255.255.252
duplex auto
speed auto
crypto map OUT1
!
ip classless
ip route 10.0.0.0 255.255.255.0 FastEthernet0/1
!
ip http server
no ip http secure-server
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 log
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Router 2 config
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key DANIEL address 20.0.0.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set ENCRYPTION esp-3des esp-md5-hmac
!
crypto map OUT2 10 ipsec-isakmp
set peer 20.0.0.2
set transform-set ENCRYPTION
match address 120
!
!
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.252
duplex auto
speed auto
crypto map OUT2
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 20.0.0.0 255.255.255.0 FastEthernet0/0
!
ip http server
no ip http secure-server
!
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 log
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
Any help would be great on this one please.
Thanks
Comments
-
elderkai Member Posts: 279
Are you initiating interesting traffic?
Ping 172.16.1.1 from R3 and source it from the 192.168.1.1 interface.
R3# ping 172.16.1.1 source fa0/0
and do that once or twice.
An IPSec tunnel only goes up when you have interesting traffic going through. That's the reason for your access-list in the crypto map. -
SteveO86 Member Posts: 1,423
Looks like a good opportunity to run some debugs.
I did a few write-ups for IPSec VPNs; you might find some good info there.
IPSec | CCIE or Null! My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS -
DANMOH009 Member Posts: 241
Thanks guys,
I know about the interesting traffic, elderkai mate, and yes, it doesn't work when I try. Will run the debugs tomorrow; damn GNS didn't save my configs so will need to start from scratch. Will let you guys know how I get on. Cheers -
MosGuy Member Posts: 195
If you're running on GNS3, some images are known to be buggy with tunnels, particularly the 3745. A different model fixes things. If a debug doesn't show anything obvious, I'd double check the model/image used.
---
XPS 15: i7-6700HQ, 256 pcie ssd, 32 GB RAM, 2 GB Nvidia GTX 960m, windows 10 Pro
Cert in progress: CCNA (2016 revision) -
DANMOH009 Member Posts: 241
I was using the 3745 in GNS. Thanks MosGuy, I'll try again with a different model, cheers. -
MosGuy Member Posts: 195
The recommendation is using the 3725 instead; that usually cures it.
---
XPS 15: i7-6700HQ, 256 pcie ssd, 32 GB RAM, 2 GB Nvidia GTX 960m, windows 10 Pro
Cert in progress: CCNA (2016 revision) -
DANMOH009 Member Posts: 241
I'm going to have to try that now. I just used a 2600 and the same happens; it looks as though P1 just doesn't come up. I get no debug output even when I'm trying to initiate traffic.
I'm going to try the 3725 now, but while I'm doing that, can anyone see anything wrong with this?
R4#sh crypto map
Crypto Map "OUTMAP" 10 ipsec-isakmp
Peer = 20.0.0.2
Extended IP access list 110
access-list 110 permit ip 50.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Current peer: 20.0.0.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
TRANSFORM,
}
Interfaces using crypto map OUTMAP:
FastEthernet0/0
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key DANIEL address 20.0.0.2
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
!
crypto map OUTMAP 10 ipsec-isakmp
set peer 20.0.0.2
set transform-set TRANSFORM
match address 110
!
!
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.252
duplex auto
speed auto
crypto map OUTMAP
!
interface FastEthernet0/1
ip address 50.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 20.0.0.0 255.255.255.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 50.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
control-plane
!
!
!
Thanks in advance -
Monkerz Member Posts: 842
So it seems your problem is not with the IPSec tunnel, but with the routing from LAN to LAN. From your config I assume you are using static routes because I see no evidence of dynamic routing protocols. I see a static route for the WAN connection from R3->R1 in R2's config, as well as R2->R1 in R3's config, which would allow WAN to WAN connectivity but not LAN to LAN connectivity.
As stated earlier, you need to initiate the setting up of the tunnel by sending interesting traffic through the crypto interface. The problem here is R3 doesn't know where to send traffic destined for 192.168.1.0/24, and vice versa R2 doesn't know where to send traffic destined for 172.16.1.0/24. So in essence interesting traffic never hits the WAN interface and does not get encrypted.
Set IPSec on the back burner for now. Get full IP connectivity established LAN to LAN, then move forward with IPSec. Either set up NAT (taking into account your IPSec config) or add static routes for 172.16.1.0/24 and 192.168.1.0/24 in the appropriate places.
P.S. - I am referring to your first post; it seems in the last post you changed out the 192.168.1.0/24 for the 50.0.0.0/24 network. -
vishaw1986 Member Posts: 40
Hey,
The problem is with the routing.
Put the default route at both ends.
At router 3
ip route 0.0.0.0 0.0.0.0 Fa0/1
At router 2
ip route 0.0.0.0 0.0.0.0 Fa0/0
This is because when a request is generated from your LAN for the remote network on the inside interface, a route lookup is done as part of the packet flow process. As there is no route for the interesting traffic, the packet is dropped at the inside interface.
Hope this helps you.
Thanks -
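Monkerz's and vishaw1986's point is that the route lookup happens before the crypto map is consulted, so a LAN-to-LAN packet with no route is dropped and never triggers IKE. The following is an added example (not part of the thread, and not router code) that models R3 from the first post with that order of operations; the routing table and crypto ACL are the ones posted, the function names are my own, and R1 and the return path are deliberately ignored.

```python
import ipaddress

# Constructed model of R3 as posted in the first post: crypto map OUT1 sits on
# Fa0/1 and its crypto ACL 110 permits 192.168.1.0/24 -> 172.16.1.0/24.
R3_CRYPTO_IFACE = "FastEthernet0/1"
R3_ACL_110 = [("192.168.1.0/24", "172.16.1.0/24")]   # permit ip <src> <dst>

def lookup(route_table, dst):
    """Longest-prefix match over (prefix, exit interface); None means no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in route_table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def acl_permits(acl, src, dst):
    """The 'interesting traffic' test: does any crypto ACL entry cover src/dst?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)

def forward(route_table, crypto_iface, acl, src, dst):
    """Route first; the crypto ACL is only evaluated on the chosen exit interface."""
    iface = lookup(route_table, dst)
    if iface is None:
        return "dropped: no route (IKE never triggered)"
    if iface != crypto_iface:
        return f"sent in clear via {iface} (no crypto map on this interface)"
    if acl_permits(acl, src, dst):
        return f"interesting traffic via {iface}: IKE/IPsec SA negotiation starts"
    return f"sent in clear via {iface} (not matched by crypto ACL)"

# Static routes exactly as posted: only the WAN link, no route to the far LAN.
R3_ROUTES_ORIGINAL = [("10.0.0.0/24", "FastEthernet0/1")]
# After vishaw1986's fix: a default route out of the crypto-map interface.
R3_ROUTES_FIXED = R3_ROUTES_ORIGINAL + [("0.0.0.0/0", "FastEthernet0/1")]

def ping_from_lan(routes):
    """elderkai's test: ping 172.16.1.1 sourced from R3's 192.168.1.1 interface."""
    return forward(routes, R3_CRYPTO_IFACE, R3_ACL_110, "192.168.1.1", "172.16.1.1")

def ping_wan_to_wan(routes):
    """The WAN-to-WAN ping that already works: routed, but never interesting."""
    return forward(routes, R3_CRYPTO_IFACE, R3_ACL_110, "20.0.0.2", "10.0.0.2")

if __name__ == "__main__":
    print("original config:", ping_from_lan(R3_ROUTES_ORIGINAL))
    print("with default route:", ping_from_lan(R3_ROUTES_FIXED))
    print("WAN to WAN:", ping_wan_to_wan(R3_ROUTES_ORIGINAL))
```

The WAN-to-WAN case is why "both can ping each other fine" proves nothing about the tunnel: that traffic is routed but never matches ACL 110.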
DANMOH009 Member Posts: 241
Ahh ok, I thought that the ACL would do the work here; I thought it would notice that the traffic is being initiated from a LAN and destined to the remote subnet and pick the route.
Now while I'm writing it I feel like an idiot: the ACL is not for routing, so it won't do this.
Thanks for your help -
Monkerz Member Posts: 842
We've all been there brother. Don't sweat it, keep calm and press on. Glad to help.
-
RouteMyPacket Member Posts: 1,104
We've all been there brother. Don't sweat it, keep calm and press on. Glad to help.
We have? Not me..never! I tend to forget to plug things in though..does that count? lol
Glad to see you learned something here, good stuff OP! Still got to direct that traffic
---
Modularity and Design Simplicity:
Think of the 2:00 a.m. test—if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?