
IPsec VPN issues

Bl8ckr0uter:
Greetings:

Would someone take a look at this config and tell me what I have configured wrong? I am trying to get a simple IPsec VPN tunnel to come up and it is giving me problems.

I have 3 routers configured back to back to back (stacked). The middle router is acting as the "Internet" and the top and bottom routers are my IPsec peers. Here are the configs.

From my top router:
!
! 
!
crypto isakmp policy 50
 encr aes 192
 authentication pre-share
 group 2
 lifetime 86000
crypto isakmp key qwerty123456790!!!!! address 11.1.1.2 no-xauth
!
!
crypto ipsec transform-set TESTVPN esp-aes esp-sha-hmac 
!
crypto map VPNTEST 10 ipsec-isakmp 
 set peer 11.1.1.2
 set transform-set TESTVPN 
 match address VPNTEST
!
!
!
!
interface FastEthernet0
 ip address dhcp
 speed auto
 crypto map VPNTEST
!
interface Serial0
 description connection to the Internet router
 ip address 11.0.1.2 255.255.255.252
 no fair-queue
!
router eigrp 1
 network 11.0.1.0 0.0.0.255
 no auto-summary
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip access-list extended VPNTEST
 permit ip 11.1.1.0 0.0.0.255 11.1.0.0 0.0.0.255 log
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 password password
 logging synchronous
 login
From my "Internet" router:
INTERNET-SIM#sh run
Building configuration...

Current configuration : 2993 bytes
!
! Last configuration change at 09:20:55 UTC Mon Jan 4 2010
! NVRAM config last updated at 07:56:47 UTC Mon Jan 4 2010
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname INTERNET-SIM
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip domain name ENOC.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4122571931
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4122571931
 revocation-check none
 rsakeypair TP-self-signed-4122571931
!
!
crypto pki certificate chain TP-self-signed-4122571931
 certificate self-signed 01
  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34313232 35373139 3331301E 170D3032 30333031 30383431 
  35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31323235 
  37313933 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100BCBC F5E97D55 DF95E6E3 BC85AEEB 1ED41ED0 6309CCFB 5B54AE9E DA30B780 
  A3F90B17 F0AA19F3 982E6C7C 8E1325FC 4ECFA449 DD38713F 9025E8F4 C67A5892 
  47C4C1FF B0E52FAC 44F4062F 5C825BE8 B59C6447 E4C7172F 2999A2B9 E7234081 
  708A172C 0CCD7EB2 A9981B4E A4077379 17890188 AE4043D3 4258F407 30152B23 
  E35F0203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603 
  551D1104 0F300D82 0B52322E 454E4F43 2E636F6D 301F0603 551D2304 18301680 
  14311658 A75A199A B0788104 46AF00D0 D8E3B233 4E301D06 03551D0E 04160414 
  311658A7 5A199AB0 78810446 AF00D0D8 E3B2334E 300D0609 2A864886 F70D0101 
  04050003 818100B0 81689319 637BA9E9 FD6857BD B0AE11CC 8E8347A5 2ED1908E 
  C929AFF3 D7816349 E68EFFFA 5CB69985 70A6EDE1 714957DE 6C50DE7A 5912FD62 
  37AD7347 ECED3E3F 2FD9244C A2811BAC ACF42164 E0BD09EF 9EA14709 D561A11D 
  587C44BA 40FDFD8E 30BB33A4 EF6BE9CF 5192D979 CA144BC4 F9C58B19 8663A0AC 
  95A0728D 810F35
  quit
username username privilege 15 secret 5 $1$P72T$8LlIEyPweGCXuQ20YSJpq1
username USER privilege 15 password 0 PASSWORD
!
!
! 
!
!
!
!
interface FastEthernet0
 description connection to the outside world (the real outside world)
 ip address dhcp
 speed auto
!
interface Serial0
 description conn
 ip address 11.1.1.1 255.255.255.252
 no fair-queue
 clock rate 64000
!
interface Serial1
 ip address 11.0.1.1 255.255.255.252
 clock rate 64000
!
router eigrp 1
 network 11.0.1.0 0.0.0.255
 network 11.1.1.0 0.0.0.255
 network 11.0.0.0
 no auto-summary
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 password password
 logging synchronous
 login
line aux 0
line vty 0 4
 password password
 logging synchronous
 login
 transport input telnet ssh
!
ntp clock-period 17179973
ntp server 173.45.238.221
end
From my bottom router:
username username privilege 15 secret 5 $1$XFjF$q93xoFK1xndEeWuiBDj8O/
username USER privilege 15 password 0 PASSWORD
!
! 
!
crypto isakmp policy 50
 encr aes 192
 authentication pre-share
 group 2
 lifetime 86000
crypto isakmp key qwerty1234567890!!!!! address 11.0.1.2 no-xauth
!
!
crypto ipsec transform-set TESTVPN esp-aes esp-sha-hmac 
!
crypto map VPNTEST 10 ipsec-isakmp 
 set peer 11.0.1.2
 set transform-set TESTVPN 
 match address VPNTEST
!
!
!
!
interface FastEthernet0
 ip address dhcp
 speed auto
 crypto map VPNTEST

Comments

  • luke_bibby:
    PSK values are different

    Top router:
    crypto isakmp key qwerty123456790!!!!! address 11.1.1.2 no-xauth

    Bottom router:
    crypto isakmp key qwerty1234567890!!!!! address 11.0.1.2 no-xauth

    HTH :)
  • Bl8ckr0uter:
    luke_bibby wrote: »
    PSK values are different


    Dude I am so pissed.

    Let me change this and see if this helps.
  • Bl8ckr0uter:
    Well I feel like a deuce*


    This is the new config from the top router:
    crypto isakmp policy 50
     encr aes 192
     authentication pre-share
     group 2
     lifetime 86000
    crypto isakmp key qwerty1234567890!!!!! address 11.0.1.2 no-xauth
    !
    !
    crypto ipsec transform-set TESTVPN esp-aes esp-sha-hmac 
    !
    crypto map VPNTEST 10 ipsec-isakmp 
     set peer 11.0.1.2
     set transform-set TESTVPN 
     match address VPNTEST
    !
    !
    !
    !
    interface FastEthernet0
     ip address dhcp
     speed auto
    !
    interface Serial0
     description connection to the Internet router
     ip address 11.1.1.2 255.255.255.252
     no fair-queue
     crypto map VPNTEST
    
    This is the new config from the bottom router:
    crypto isakmp key qwerty1234567890!!!!! address 11.0.1.2 no-xauth
    !
    !
    crypto ipsec transform-set TESTVPN esp-aes esp-sha-hmac 
    !
    crypto map VPNTEST 10 ipsec-isakmp 
     set peer 11.0.1.2
     set transform-set TESTVPN 
     match address VPNTEST
    !
    !
    !
    !
    interface FastEthernet0
     ip address dhcp
     speed auto
    !
    interface Serial0
     description connection to the Internet router
     ip address 11.1.1.2 255.255.255.252
     no fair-queue
     crypto map VPNTEST
    
    I am not sure what I am doing wrong at this point. I might nuke the crypto configs and start over. I think the issue is I should use the IP address of my FE interfaces and not the serial ones. Oh, and earlier I did have a crypto map applied to the wrong interface, which I have fixed now....

    *That's kind of an inside joke that started with this song
    http://www.youtube.com/watch?v=lcWVL4B-4pI
  • captobvious:
    I would suggest setting it up through SDM with the "preview commands before sending to router" option checked, so you can see the correct syntax. It can be daunting using the CLI. Just a thought....
  • dtlokee:
    Cut and paste for the PSK is your friend.
    The only easy day was yesterday!
  • Bl8ckr0uter:
    I think I figured out another issue.

    crypto map VPNTEST 10 ipsec-isakmp
    set peer 11.0.1.2
    set transform-set TESTVPN
    match address VPNTEST

    My set peer is wrong. This should be 11.1.1.2, not 11.0.1.2. I will change this in a minute to see if it turns up.
  • luke_bibby:
    Did it work?
  • Bl8ckr0uter:
    luke_bibby wrote: »
    Did it work?

    Lol, nope. I nuked the config and I will start again in a day or two. I started working on AAA stuff and got sidetracked. Also, I set up an Ubuntu syslog server. I still cannot figure out what I am doing wrong. When I get to chapter 8 of this lab manual I will pay extra attention to what I am doing.
  • APA:
    Your crypto ACL is set up like you have GRE tunnels as endpoints... When the traffic passes through the serial interfaces, the source and destination IP addresses do not change... unless using IPsec tunnel mode, and only when traffic matches the crypto ACL applied to the IPsec profile.

    Unless your LAN clients hanging off the FA interfaces are on the 11.1.1.0/24 and 11.1.0.0/24 networks, none of their traffic will be encrypted. Highly unlikely, as you would have overlapping networks on your serial and FastEthernet interfaces......

    If you want to encrypt traffic from the networks hanging off the FA interfaces, then put those networks in the crypto ACL (make sure they are mirrored ACLs on each VPN endpoint).

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • Bl8ckr0uter:
    APA wrote: »
    Your crypto ACL is set up like you have GRE tunnels as endpoints... If you want to encrypt traffic from the networks hanging off the FA interfaces, then put those networks in the crypto ACL (make sure they are mirrored ACLs on each VPN endpoint).

    Ok. So maybe that is my issue.

    So the ACLs should look something like this:

    Router 1:
    FA: 192.168.1.1/24
    S0: 11.1.0.2/30

    ACL: ip access-list extended VPNTEST permit ip 192.168.2.1 0.0.0.255 192.168.1.0 0.0.0.255

    Router 2:
    FA: 192.168.2.1/24
    S0: 11.1.1.2/30
    ACL: ip access-list extended VPNTEST permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255


    I think I was messing up the ACL the entire time. That is probably the issue. I was thinking that you would need to specify the interface that the traffic was coming from, but I see that doesn't make any sense. OK, I think I got this now!!! Thanks APA and everyone else.
  • jason_lunde:
    knwminus wrote: »
    Router 1:
    FA: 192.168.1.1/24
    S0: 11.1.0.2/30
    ACL: ip access-list extended VPNTEST permit ip 192.168.2.1 0.0.0.255 192.168.1.0 0.0.0.255

    Router 2:
    FA: 192.168.2.1/24
    S0: 11.1.1.2/30
    ACL: ip access-list extended VPNTEST permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

    You almost have it... reverse those ACLs. They DO have to be mirrored, and you have it that way, but what you want to say with the ACL is basically this:

    permit traffic from here <source> to here <destination> to traverse the IPsec tunnel.

    So if your LAN on R1 is 192.168.1.0/24, your ACL will read:
    ip access-list extended VPNTEST
     permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

    so that traffic sourced from .1 and destined for .2 will be sent through the tunnel.

    It will be exactly the opposite for the other router.

    HTH man.
  • Bl8ckr0uter:
    jason_lunde wrote: »
    You almost have it... reverse those ACLs.

    Thanks. I will make sure to try this tonight.

    Wait. I would need to add the crypto maps on the serial ints, right? Just making sure....
  • Stotic:
    Yes, you apply the map on the serial interfaces.
  • Bl8ckr0uter:
    Well, I was able to get IPsec running (from the CLI and the SDM) and I am doing some final review stuff, but I am running into a weird issue with IPsec again. This time I am trying to have an IPsec tunnel run across two serial subinterfaces (mock point-to-point) but it seems to not work. Has anyone ever done a setup in this way?
  • luke_bibby:
    Can you ping over the link? Are there errors (i.e. mismatched policies, different PSKs ;), etc.) you can show us?
  • mikem2te:
    knwminus wrote: »
    This time I am trying to have an IPsec tunnel run across two serial subinterfaces (mock point-to-point) but it seems to not work. Has anyone ever done a setup in this way?

    Never tried; it certainly sounds much more advanced than what is needed for CCNA Sec though.

    Have you tried 'debug crypto isakmp' and 'debug crypto ipsec'?
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • Bl8ckr0uter:
    mikem2te wrote: »
    Have you tried 'debug crypto isakmp' and 'debug crypto ipsec'?

    Yea. The weird thing is that as soon as I add the crypto map to my serial ints I can no longer ping. I actually got to the point that I made the ACL permit ip any any and it still didn't work. Weird. I also had some issues doing the IDS signatures, but I found out that was due to the file system on my routers....
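Every mistake the replies in this thread point at (luke_bibby's PSK mismatch, the `set peer` address that named the router's own WAN side, the crypto map on the wrong interface, and the crypto ACL that APA and jason_lunde corrected: mirrored on both ends, and written from each router's own point of view) is a consistency check between two text files, so it can be caught before touching `debug crypto isakmp`. The script below is an added example, not code from this thread or from Cisco. It builds both peer configs as the thread's replies would have them (hypothetical LANs 192.168.1.0/24 and 192.168.2.0/24 behind FastEthernet0; the names `site_config`, `TOP`, `BOTTOM`, `BROKEN_TOP`, `parse` and `check_pair` are this example's own), then parses and compares them. It assumes the `crypto isakmp key KEY address A.B.C.D` form without an encryption-type digit and `permit PROTO SRC WC DST WC` ACL entries, as in the configs posted above.

```python
"""Consistency checks for two IOS crypto-map IPsec peer configs (added example)."""
import ipaddress


def site_config(lan, peer_lan, wan_ip, peer_ip):
    """Render one side of the constructed sample (hypothetical addressing)."""
    return f"""\
crypto isakmp policy 50
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp key qwerty1234567890!!!!! address {peer_ip} no-xauth
crypto ipsec transform-set TESTVPN esp-aes esp-sha-hmac
crypto map VPNTEST 10 ipsec-isakmp
 set peer {peer_ip}
 set transform-set TESTVPN
 match address VPNTEST
interface FastEthernet0
 ip address {lan}.1 255.255.255.0
interface Serial0
 ip address {wan_ip} 255.255.255.252
 crypto map VPNTEST
ip access-list extended VPNTEST
 permit ip {lan}.0 0.0.0.255 {peer_lan}.0 0.0.0.255
"""


# Constructed sample: both routers after the thread's fixes, with hypothetical LANs
# 192.168.1.0/24 and 192.168.2.0/24 behind FastEthernet0 on each side.
TOP = site_config("192.168.1", "192.168.2", "11.0.1.2", "11.1.1.2")
BOTTOM = site_config("192.168.2", "192.168.1", "11.1.1.2", "11.0.1.2")
# The original post's two slips re-applied: PSK typo, and `set peer` naming the
# top router's own WAN address instead of the far side's.
BROKEN_TOP = (TOP.replace("qwerty1234567890", "qwerty123456790")
                 .replace("set peer 11.1.1.2", "set peer 11.0.1.2"))


def parse(cfg):
    """Pull out the pieces that have to agree between the two IPsec peers."""
    # Assumes one isakmp policy, `crypto isakmp key KEY address A.B.C.D ...`
    # (no encryption-type digit) and ACL entries as `permit PROTO SRC WC DST WC`.
    c = {"psk": {}, "ike": {}, "peer": None, "map": None, "acl": [], "ifaces": {}}
    block = [""]                                   # words of the current top-level command
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            block = line.split()
            if block[:3] == ["crypto", "isakmp", "key"]:
                c["psk"][block[5]] = block[3]       # peer address -> shared key
            elif block[:2] == ["crypto", "map"]:
                c["map"] = block[2]
            elif block[0] == "interface":
                c["ifaces"][block[1]] = {}
            continue
        w = line.split()
        if block[:3] == ["crypto", "isakmp", "policy"]:
            c["ike"][w[0]] = " ".join(w[1:])
        elif block[:2] == ["crypto", "map"] and w[:2] == ["set", "peer"]:
            c["peer"] = w[2]
        elif block[:2] == ["ip", "access-list"] and w[0] == "permit":
            c["acl"].append(tuple(w[1:6]))           # proto, src, wc, dst, wc
        elif block[0] == "interface" and w[:2] in (["ip", "address"], ["crypto", "map"]):
            c["ifaces"][block[1]]["ip" if w[0] == "ip" else "map"] = w[2]
    return c


def check_pair(cfg_a, cfg_b):
    """Return the list of mismatches; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for me, far, tag in ((a, b, "A"), (b, a, "B")):
        # The map belongs on exactly one interface (the WAN side); its address is what
        # the far side must name in `set peer` and in its isakmp key line.
        bound = [i for i, v in me["ifaces"].items() if v.get("map") == me["map"]]
        if len(bound) != 1:
            findings.append(f"{tag}: crypto map {me['map']} is on {bound or 'no interface'}")
            continue
        my_ip = me["ifaces"][bound[0]].get("ip")
        if far["peer"] != my_ip or my_ip not in far["psk"]:
            findings.append(f"{tag}: far side has 'set peer {far['peer']}' and keys for "
                            f"{list(far['psk'])}, but the map is on {bound[0]} ({my_ip})")
        # The crypto ACL is written from this router's side: every source network
        # must be one this router actually has an address in (DHCP interfaces skipped).
        local = [ipaddress.ip_address(v["ip"]) for v in me["ifaces"].values()
                 if v.get("ip") not in (None, "dhcp")]
        for _, src, wc, _, _ in me["acl"]:
            # ipaddress accepts a Cisco wildcard as a hostmask; a 0.0.0.0 wildcard
            # (host entry) would be read as a /0 netmask and is not handled here.
            net = ipaddress.ip_network(f"{src}/{wc}", strict=False)
            if not any(ip in net for ip in local):
                findings.append(f"{tag}: ACL source {src} {wc} is not a local network")
    if set(a["psk"].values()) != set(b["psk"].values()):
        findings.append("PSK strings differ")
    # Crypto ACLs must mirror each other: every (src -> dst) on A is (dst -> src) on B.
    if {(p, d, dw, s, sw) for p, s, sw, d, dw in a["acl"]} != set(b["acl"]):
        findings.append("crypto ACLs are not mirrored")
    for k in ("encr", "hash", "authentication", "group"):
        if a["ike"].get(k) != b["ike"].get(k):
            findings.append(f"isakmp policy '{k}' differs")
    return findings
```

`check_pair(TOP, BOTTOM)` returns an empty list; `check_pair(BROKEN_TOP, BOTTOM)` returns two findings, the PSK mismatch and the `set peer` address that does not match the far side's crypto-map interface, which are exactly the two corrections made in the thread. Pointed at the first top-router config above, the local-network check flags its `11.1.1.0/24` crypto ACL source, which is the point APA makes: the crypto ACL describes the LANs behind each router, not the link the tunnel rides on.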