03-29-2020 03:08 AM
Hello,
I have configured an IPsec site-to-site VPN between two routers. All policy parameters and reachability seem OK, but the tunnel is not coming up. I have tried everything and nothing is working, so please have a look.
R1-------------R2-----------------R3
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.03.29 14:14:42 =~=~=~=~=~=~=~=~=~=~=~=
R1# ter
R1#terminal len
R1#terminal length 0
R1#sh run
R1#sh running-config
Building configuration...
Current configuration : 1635 bytes
!
! Last configuration change at 14:06:34 UTC Sun Mar 29 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key pass@123 address 20.0.0.2
!
!
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map MAP 1 ipsec-isakmp
set peer 20.0.0.2
set transform-set SET
match address 101
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface Serial3/0
ip address 10.0.0.1 255.0.0.0
serial restart-delay 0
crypto map MAP
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/156/196 ms
R1#sh cr
R1#sh crypto is
R1#sh crypto isakmp s
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
R1#
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.03.29 15:05:29 =~=~=~=~=~=~=~=~=~=~=~=
ter
R3#terminal le
R3#terminal length 0
R3#sh run
R3#sh running-config
Building configuration...
Current configuration : 1635 bytes
!
! Last configuration change at 14:06:06 UTC Sun Mar 29 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key pass@123 address 10.0.0.1
!
!
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map MAP 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set SET
match address 101
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface GigabitEthernet1/0
ip address 192.168.2.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface Serial3/0
ip address 20.0.0.2 255.0.0.0
serial restart-delay 0
crypto map MAP
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 20.0.0.1
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/176/216 ms
R3#sh cr
R3#sh crypto is
R3#sh crypto isakmp s
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
R3#exit
R3 con0 is now available
Press RETURN to get started.
03-29-2020 03:53 AM
Hello,
The configs look by the book. Can you post the output of:
debug crypto isakmp
debug crypto ipsec
You might want to try and set the pfs group in both crypto maps:
crypto map MAP 1 ipsec-isakmp
set peer 20.0.0.2
set transform-set SET
--> set pfs group2
match address 101
crypto map MAP 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set SET
--> set pfs group2
match address 101
03-29-2020 03:55 AM
On a high level, are you sure you want to use a serial interface with that biggest subnet 255.0.0.0 (it does not matter, but it is good to always use /32 to make it simpler)?
On Phase 1 I did not see a hashing algorithm and lifetime for the tunnel.
Here is a simple, easy config for reference:
03-29-2020 10:50 AM - edited 03-29-2020 10:53 AM
The posted output showed the crypto isakmp sa but no crypto ipsec sa. Can you send interesting traffic and then show crypto ipsec sa and post that output?
[edit] Note that the ping to the remote LAN shown in the original post is not going to be sufficient to bring up the vpn. That ping from the router itself would by default use the IP of the outgoing interface as the source address of the ping. And a ping with the serial interface address as source will not match the crypto acl. You would need to ping and specify the source interface as the Gig interface.
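To make the "interesting traffic" point concrete, here is an added example (not code from the thread or from Cisco) that evaluates the two crypto ACLs posted above in the way a crypto map does: a packet only triggers IKE when its source and destination both fall inside an ACL entry after applying the Cisco wildcard mask. It also checks that the two sides' ACLs are mirror images of each other, which the thread's configs satisfy but which is a common reason a tunnel stays down. The ACL entries and addresses are copied from the running-configs on the page; the function names are my own.

```python
import ipaddress
from typing import List, Tuple

# Crypto ACL 101 from each router's running-config, as (src, src-wildcard, dst, dst-wildcard).
AclEntry = Tuple[str, str, str, str]
R1_ACL_101: List[AclEntry] = [("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]
R3_ACL_101: List[AclEntry] = [("192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]


def _wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def matches_crypto_acl(acl: List[AclEntry], src: str, dst: str) -> bool:
    """True when src/dst hit any permit entry, i.e. the packet is 'interesting' and starts IKE."""
    return any(
        _wildcard_match(src, s, sw) and _wildcard_match(dst, d, dw)
        for s, sw, d, dw in acl
    )


def acls_are_mirrored(acl_a: List[AclEntry], acl_b: List[AclEntry]) -> bool:
    """Each entry on one peer must appear on the other peer with src and dst swapped."""
    reversed_b = {(d, dw, s, sw) for s, sw, d, dw in acl_b}
    return set(acl_a) == reversed_b


def classify_ping(acl: List[AclEntry], src: str, dst: str) -> str:
    """Label a router-originated ping by whether the crypto map would act on it."""
    if matches_crypto_acl(acl, src, dst):
        return "interesting: matches crypto ACL, IKE will be initiated"
    return "not interesting: routed in the clear, no IKE"


if __name__ == "__main__":
    # Plain 'ping 192.168.2.1' from R1 is sourced from Serial3/0 (10.0.0.1).
    print("R1 default-source ping:", classify_ping(R1_ACL_101, "10.0.0.1", "192.168.2.1"))
    # 'ping 192.168.2.1 source GigabitEthernet1/0' is sourced from 192.168.1.1.
    print("R1 LAN-sourced ping:   ", classify_ping(R1_ACL_101, "192.168.1.1", "192.168.2.1"))
    print("R1/R3 ACLs mirrored:   ", acls_are_mirrored(R1_ACL_101, R3_ACL_101))
```

Running it shows the default-sourced ping falls outside ACL 101 on R1 while the same ping sourced from GigabitEthernet1/0 matches, which is exactly why `show crypto isakmp sa` stays empty after the plain ping; on IOS the LAN-sourced test is `ping 192.168.2.1 source GigabitEthernet1/0`.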
03-29-2020 11:25 AM
I have a feeling that what Richard points out is the problem indeed. I tested the posted configs in GNS3 and it works fine. Pinging from the router uses the serial interface and WAN IP address as source, so that would not qualify as interesting traffic...