Ipsec vpn issues

Greetings:

Would someone take a look at this config and tell me what I have configured wrong? I am trying to get a simple IPSEC vpn tunnel to come up and it is giving me problems.

I have 3 routes Configured back to back to back (stacked). The Middle router is acting as the "Internet" and the top and bottom routers are my ipsec peers. Here are the configs

From My Top Router

!
! 
!
crypto isakmp policy 50
 encr aes 192
 authentication pre-share
 group 2
 lifetime 86000
crypto isakmp key qwerty123456790!!!!! address 11.1.1.2 no-xauth
!
!
crypto ipsec transform-set TESTVPN esp-aes esp-sha-hmac 
!
crypto map VPNTEST 10 ipsec-isakmp 
 set peer 11.1.1.2
 set transform-set TESTVPN 
 match address VPNTEST
!
!
!
!
interface FastEthernet0
 ip address dhcp
 speed auto
 crypto map VPNTEST
!
interface Serial0
 description connection to the Internet router
 ip address 11.0.1.2 255.255.255.252
 no fair-queue
!
router eigrp 1
 network 11.0.1.0 0.0.0.255
 no auto-summary
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip access-list extended VPNTEST
 permit ip 11.1.1.0 0.0.0.255 11.1.0.0 0.0.0.255 log
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 password password
 logging synchronous
 login

From my "Internet Router"

INTERNET-SIM#sh run
Building configuration...

Current configuration : 2993 bytes
!
! Last configuration change at 09:20:55 UTC Mon Jan 4 2010
! NVRAM config last updated at 07:56:47 UTC Mon Jan 4 2010
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname INTERNET-SIM
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip domain name ENOC.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4122571931
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4122571931
 revocation-check none
 rsakeypair TP-self-signed-4122571931
!
!
crypto pki certificate chain TP-self-signed-4122571931
 certificate self-signed 01
  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34313232 35373139 3331301E 170D3032 30333031 30383431 
  35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31323235 
  37313933 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100BCBC F5E97D55 DF95E6E3 BC85AEEB 1ED41ED0 6309CCFB 5B54AE9E DA30B780 
  A3F90B17 F0AA19F3 982E6C7C 8E1325FC 4ECFA449 DD38713F 9025E8F4 C67A5892 
  47C4C1FF B0E52FAC 44F4062F 5C825BE8 B59C6447 E4C7172F 2999A2B9 E7234081 
  708A172C 0CCD7EB2 A9981B4E A4077379 17890188 AE4043D3 4258F407 30152B23 
  E35F0203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603 
  551D1104 0F300D82 0B52322E 454E4F43 2E636F6D 301F0603 551D2304 18301680 
  14311658 A75A199A B0788104 46AF00D0 D8E3B233 4E301D06 03551D0E 04160414 
  311658A7 5A199AB0 78810446 AF00D0D8 E3B2334E 300D0609 2A864886 F70D0101 
  04050003 818100B0 81689319 637BA9E9 FD6857BD B0AE11CC 8E8347A5 2ED1908E 
  C929AFF3 D7816349 E68EFFFA 5CB69985 70A6EDE1 714957DE 6C50DE7A 5912FD62 
  37AD7347 ECED3E3F 2FD9244C A2811BAC ACF42164 E0BD09EF 9EA14709 D561A11D 
  587C44BA 40FDFD8E 30BB33A4 EF6BE9CF 5192D979 CA144BC4 F9C58B19 8663A0AC 
  95A0728D 810F35
  quit
username username privilege 15 secret 5 $1$P72T$8LlIEyPweGCXuQ20YSJpq1
username USER privilege 15 password 0 PASSWORD
!
!
! 
!
!
!
!
interface FastEthernet0
 description connection to the outside world (the real outside world)
 ip address dhcp
 speed auto
!
interface Serial0
 description conn
 ip address 11.1.1.1 255.255.255.252
 no fair-queue
 clock rate 64000
!
interface Serial1
 ip address 11.0.1.1 255.255.255.252
 clock rate 64000
!
router eigrp 1
 network 11.0.1.0 0.0.0.255
 network 11.1.1.0 0.0.0.255
 network 11.0.0.0
 no auto-summary
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
!
!
control-plane
!
!
!
!
!
!
!         
!
!
line con 0
 password password
 logging synchronous
 login
line aux 0
line vty 0 4
 password password
 logging synchronous
 login
 transport input telnet ssh
!
ntp clock-period 17179973
ntp server 173.45.238.221
end

From My bottom Router

username username privilege 15 secret 5 $1$XFjF$q93xoFK1xndEeWuiBDj8O/
username USER privilege 15 password 0 PASSWORD
!
! 
!
crypto isakmp policy 50
 encr aes 192
 authentication pre-share
 group 2
 lifetime 86000
crypto isakmp key qwerty1234567890!!!!! address 11.0.1.2 no-xauth
!
!
crypto ipsec transform-set TESTVPN esp-aes esp-sha-hmac 
!
crypto map VPNTEST 10 ipsec-isakmp 
 set peer 11.0.1.2
 set transform-set TESTVPN 
 match address VPNTEST
!
!
!
!
interface FastEthernet0
 ip address dhcp
 speed auto
 crypto map VPNTEST

Find more posts tagged with

Comments

luke_bibby

PSK values are different

Top router:
crypto isakmp key qwerty123456790!!!!! address 11.1.1.2 no-xauth

Bottom router:
crypto isakmp key qwerty1234567890!!!!! address 11.0.1.2 no-xauth

HTH

Bl8ckr0uter

luke_bibby wrote: »

PSK values are different

Top router:
crypto isakmp key qwerty123456790!!!!! address 11.1.1.2 no-xauth

Bottom router:
crypto isakmp key qwerty1234567890!!!!! address 11.0.1.2 no-xauth

HTH

Dude I am so pissed.

.

Let me change this and see if this helps.

Bl8ckr0uter

Well I feel like a deuce*

This is the new config from the top router

crypto isakmp policy 50
 encr aes 192
 authentication pre-share
 group 2
 lifetime 86000
crypto isakmp key qwerty1234567890!!!!! address 11.0.1.2 no-xauth
!
!
crypto ipsec transform-set TESTVPN esp-aes esp-sha-hmac 
!
crypto map VPNTEST 10 ipsec-isakmp 
 set peer 11.0.1.2
 set transform-set TESTVPN 
 match address VPNTEST
!
!
!
!
interface FastEthernet0
 ip address dhcp
 speed auto
!
interface Serial0
 description connection to the Internet router
 ip address 11.1.1.2 255.255.255.252
 no fair-queue
 crypto map VPNTEST

This is the new config from the bottom router

crypto isakmp key qwerty1234567890!!!!! address 11.0.1.2 no-xauth
!
!
crypto ipsec transform-set TESTVPN esp-aes esp-sha-hmac 
!
crypto map VPNTEST 10 ipsec-isakmp 
 set peer 11.0.1.2
 set transform-set TESTVPN 
 match address VPNTEST
!
!
!
!
interface FastEthernet0
 ip address dhcp
 speed auto
!
interface Serial0
 description connection to the Internet router
 ip address 11.1.1.2 255.255.255.252
 no fair-queue
 crypto map VPNTEST

I am not sure what I am doing wrong at this point. I might nuke the crypto configs and start over. I think the issue is I should the ip address of my FE interfaces and not the Serial ones. Oh and earlier I did have a crypto map applied to the wrong interface which I have fixed now....

*That's kind of an inside joke that started with this song
http://www.youtube.com/watch?v=lcWVL4B-4pI

captobvious

I would suggest setting it up through SDM and having the preview commands before sending to router checked so you can see the correct syntax. It can be daunting using the CLI. Just a thought....

dtlokee

Cut and paste for PSK is your friend

Bl8ckr0uter

I think I figured out another issue.

crypto map VPNTEST 10 ipsec-isakmp
set peer 11.0.1.2
set transform-set TESTVPN
match address VPNTEST

My set peer is wrong This should be 11.1.1.2 not 11.0.1.2. I will change this in a minute to see if it turns up.

luke_bibby

Did it work?

Bl8ckr0uter

luke_bibby wrote: »

Did it work?

Lol Nope. I nuked the config and I will start again in a day or two. I started working on AAA stuff and I got side tracked. Also I set up a ubuntu syslog server. I still cannot figure out what I am doing wrong. When I get to chapter 8 of this lab manual I will pay extra attention to what I am doing.

APA

Your crypto ACL is setup like you have GRE tunnels as endpoints... When the traffic passes through the serial interfaces the source and destination IP address do not change... Unless using IPSec tunnel mode and only when traffic matches the crypto ACL applied to the IPSec profile.

Unless your LAN clients hanging off Fa interfaces are on the 11.1.1.0/24 & 11.1.0.0/24 networks then none of their traffic will be encrypted.. Highly unlikely as you would have overlapping networks on your serial and fastethernet interfaces......

If you want to encrypt traffic from the networks hanging off the FA interfaces, then put those networks in the crypto ACL (Make sure they are mirrored ACLs on each VPN endpoint).

Bl8ckr0uter

APA wrote: »

Your crypto ACL is setup like you have GRE tunnels as endpoints... When the traffic passes through the serial interfaces the source and destination IP address do not change... Unless using IPSec tunnel mode and only when traffic matches the crypto ACL applied to the IPSec profile.

Unless your LAN clients hanging off Fa interfaces are on the 11.1.1.0/24 & 11.1.0.0/24 networks then none of their traffic will be encrypted.. Highly unlikely as you would have overlapping networks on your serial and fastethernet interfaces......

If you want to encrypt traffic from the networks hanging off the FA interfaces, then put those networks in the crypto ACL (Make sure they are mirrored ACLs on each VPN endpoint).

Ok. So maybe that is my issue.

So ACLs should look something like this

Router 1:
FA: 192.168.1.1/24
S0: 11.1.0.2/30

ACL:ip access-list Extended VPNTEST permit IP 192.168.2.1 0.0.0.255 192.168.1.0 0.0.0.255

Router 2:
FA: 192.168.2.1/24
SO: 11.1.1.2/30
ACL: ip access-list Extended VPNTEST permit ip 192.168.1.0 0.0.0.255 192.168.2.0.0.0.255

I think I was messing up the ACL the entire time. That is probably the issue. I was thinking that you would need to specify the traffic the interface that the traffic was coming from but I see that doesn't make any sense. Ok I think I got this now!!! Thanks APA and everyone else.

jason_lunde

knwminus wrote: »

Ok. So maybe that is my issue.

So ACLs should look something like this

Router 1:
FA: 192.168.1.1/24
S0: 11.1.0.2/30

ACL:ip access-list Extended VPNTEST permit IP 192.168.2.1 0.0.0.255 192.168.1.0 0.0.0.255

Router 2:
FA: 192.168.2.1/24
SO: 11.1.1.2/30
ACL: ip access-list Extended VPNTEST permit ip 192.168.1.0 0.0.0.255 192.168.2.0.0.0.255

I think I was messing up the ACL the entire time. That is probably the issue. I was thinking that you would need to specify the traffic the interface that the traffic was coming from but I see that doesn't make any sense. Ok I think I got this now!!! Thanks APA and everyone else.

You almost have it...reverse those acl's. They DO have to be mirrored and you have it that way, but what you are wanting to say with the acl is basically this:

permit traffic from here <source> to here <destination> to traverse the ipsec tunnel.

So if your lan on R1 is 192.168.1.0/24 your acl will read:
ip access-list Extended VPNTEST permit ip 192.168.1.0 0.0.0.255 192.168.2.0.0.0.255

so that traffic sourced from .1 and destined for .2 will be sent through the tunnel.

It will be exactly the opposite for the other router.

HTH's man.

Bl8ckr0uter

jason_lunde wrote: »

You almost have it...reverse those acl's. They DO have to be mirrored and you have it that way, but what you are wanting to say with the acl is basically this:

permit traffic from here <source> to here <destination> to traverse the ipsec tunnel.

So if your lan on R1 is 192.168.1.0/24 your acl will read:
ip access-list Extended VPNTEST permit ip 192.168.1.0 0.0.0.255 192.168.2.0.0.0.255

so that traffic sourced from .1 and destined for .2 will be sent through the tunnel.

It will be exactly the opposite for the other router.

HTH's man.

Thanks. I will make sure to try this tonight.

Wait. I would need to add the cryptos map on the serial ints right? Just making sure....

Stotic

Yes, you apply the map on the serial interfaces.

Bl8ckr0uter

Well I was able to get IPSEC running (from the CLI and the SDM) and I am doing some final review stuff but I am running into a weird issue with IPSEC again. This time I am trying to have an IPSEC tunnel run across to serial sub interfaces (mock point to point) but seems to not work. Has anyone ever done a set up in this way?

luke_bibby

Can you ping over the link?Are there errors (i.e. mismatched policies, different PSKs

, etc) you can show us?

mikem2te

knwminus wrote: »

Well I was able to get IPSEC running (from the CLI and the SDM) and I am doing some final review stuff but I am running into a weird issue with IPSEC again. This time I am trying to have an IPSEC tunnel run across to serial sub interfaces (mock point to point) but seems to not work. Has anyone ever done a set up in this way?

Never tried, certainly sounds much more advanced than what is need for CCNA Sec though.

Have you tried 'debug crypto isakmp' and 'debug crypto ipsec'?

Bl8ckr0uter

mikem2te wrote: »

Never tried, certainly sounds much more advanced than what is need for CCNA Sec though.

Have you tried 'debug crypto isakmp' and 'debug crypto ipsec'?

Yea. The weird thing is that as soon as I add the crypto map to my serial ints I can no longer ping. I actually got to the point that I made the ACL permit ip any any and it still didn't work. Weird. I also had some issues doing the IDS signatures but I found out that was due to the file system on my routers....