Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
479
Views
5
Helpful
4
Replies

IPsec Site to site VPN

deepakkatote
Level 1
Level 1

‎03-29-2020 03:08 AM

Hello,

I have configured Ipsec site to site VPN between two routers all policy parameters and reachability seems ok but tunnel is not getting up i have tried all things nothing is working so pleave have a look

 

R1-------------R2-----------------R3

 

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.03.29 14:14:42 =~=~=~=~=~=~=~=~=~=~=~=
 
R1#  ter
R1#terminal len
R1#terminal length 0
R1#sh run
R1#sh running-config
Building configuration...

Current configuration : 1635 bytes
!
! Last configuration change at 14:06:34 UTC Sun Mar 29 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key pass@123 address 20.0.0.2
!
!
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map MAP 1 ipsec-isakmp
set peer 20.0.0.2
set transform-set SET
match address 101
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface Serial3/0
ip address 10.0.0.1 255.0.0.0
serial restart-delay 0
crypto map MAP
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/156/196 ms
R1#sh cr
R1#sh crypto is
R1#sh crypto isakmp s
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

R1#

 

 

 

 

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.03.29 15:05:29 =~=~=~=~=~=~=~=~=~=~=~=
ter
R3#terminal le
R3#terminal length 0
R3#sh run
R3#sh running-config
Building configuration...

Current configuration : 1635 bytes
!
! Last configuration change at 14:06:06 UTC Sun Mar 29 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key pass@123 address 10.0.0.1
!
!
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map MAP 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set SET
match address 101
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface GigabitEthernet1/0
ip address 192.168.2.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface Serial3/0
ip address 20.0.0.2 255.0.0.0
serial restart-delay 0
crypto map MAP
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 20.0.0.1
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/176/216 ms
R3#sh cr
R3#sh crypto is
R3#sh crypto isakmp s
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

R3#exit

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

R3 con0 is now available

 

 

Press RETURN to get started.

 

 

 

 

 

 

0 Helpful
4 Replies 4

Georg Pauwen
VIP
VIP

‎03-29-2020 03:53 AM

Hello,

 

the configs look by the book. Can you post the output of:

 

debug crypto isakmp
debug crypto ipsec

 

You might want to try and set the pfs group in both crypto maps:

 

crypto map MAP 1 ipsec-isakmp
set peer 20.0.0.2
set transform-set SET

--> set pfs group2
match address 101

 

crypto map MAP 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set SET

--> set pfs group2
match address 101

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎03-29-2020 03:55 AM

On high level are you sure you want to use serial inteface that biggest subnet 255.0.0.0  (not matter but good to use /32 always to make simpler)

 

On the Phase 1 i did not see hashing algoritham and lifetime for the tunnel

 

here is the simple way easy config for reference :

 

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to balaji.bandi

‎03-29-2020 10:50 AM - edited ‎03-29-2020 10:53 AM

The posted output showed the crypto isakmp sa but no crypto ipsec sa. Can you send interesting traffic and then show crypto ipsec sa and post that output?

[edit] Note that the ping to the remote LAN shown in the original post is not going to be sufficient to bring up the vpn. That ping from the router itself would by default use the IP of the outgoing interface as the source address of the ping. And a ping with the serial interface address as source will not match the crypto acl. You would need to ping and specify the source interface as the Gig interface.

HTH

Rick

Georg Pauwen
VIP
VIP
In response to Richard Burts

‎03-29-2020 11:25 AM

I have a feeling that what Richard points out is the problem indeed. I tested the posted configs in GNS3 and it works fine. Pinging from the router uses the serial interface and WAN IP address as source, so that would not qualify as interesting traffic...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card