02-16-2019 11:30 AM - edited 02-16-2019 12:49 PM
Hi everyone, and sorry for my poor English :).
We are trying to connect our office to an IPsec VPN, but we are encountering some issues with it. Phase 1 and Phase 2 seem to be OK, and the tunnel looks UP, but there is no traffic or ping between the remote IP hosts.
In our office we have a Cisco 1900 series with IOS 15.2. We use GE0/0 for the internet with a fixed public IP, and GE0/1 for our local network 10.213.16.0/24. We also use Tunnel1 with another company, and all is good there.
The IPsec we are trying to join needs these settings:
So, we should connect to 3 remote hosts: 10.16.1.110-10.16.1.112.
The remote device is a Fortigate firewall.
This is our Cisco router configuration (with fake public IPs for posting):
Current configuration : 2843 bytes
!
! Last configuration change at 16:14:28 UTC Fri Feb 15 2019
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$RbXY$GWpKqBnyfMgEKQhZNg94T0
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FCZ1822918F
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 14400
crypto isakmp key PSKKEYHIDDEN address 100.41.221.14
!
!
crypto ipsec transform-set HQBRANCH esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile HQBRANCH
set transform-set HQBRANCH
set pfs group5
!
!
!
crypto map HQMAP 10 ipsec-isakmp
set peer 100.41.221.14
set transform-set HQBRANCH
set pfs group5
match address 120
!
!
!
!
!
interface Tunnel1
description VOC-TH2
ip address 20.30.1.254 255.255.255.252
tunnel source 90.210.32.5
tunnel destination 36.155.151.98
!
interface Tunnel2
no ip address
ip virtual-reassembly in
tunnel source 90.210.32.5
tunnel mode ipsec ipv4
tunnel destination 100.41.221.14
tunnel protection ipsec profile HQBRANCH
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 90.210.32.5 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map HQMAP
!
interface GigabitEthernet0/1
ip address 10.213.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.213.16.18 25000 90.210.32.5 25000 extendable
ip route 0.0.0.0 0.0.0.0 90.210.32.6
ip route 10.16.1.0 255.255.255.0 Tunnel2
ip route 191.162.21.65 255.255.255.255 Tunnel1
!
access-list 1 permit 10.213.16.0 0.0.0.255
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
access-list 101 permit ahp host 100.41.221.14 host 90.210.32.5
access-list 101 permit esp host 100.41.221.14 host 90.210.32.5
access-list 101 permit udp host 100.41.221.14 host 90.210.32.5 eq isakmp
access-list 101 permit udp host 100.41.221.14 host 90.210.32.5 eq non500-isakmp
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
!
!
!
control-plane
!
!
line con 0
password 7 071E34421A0C39071B130807
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 15031E05198F0B2624323629
login
transport input all
!
scheduler allocate 20000 1000
!
end
And this is the crypto map:
Crypto Map IPv4 "HQMAP" 10 ipsec-isakmp
Peer = 100.41.221.14
Extended IP access list 120
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
Current peer: 100.41.221.14
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map HQMAP:
GigabitEthernet0/0
Crypto Map IPv4 "Tunnel2-head-0" 65536 ipsec-isakmp
Profile name: HQBRANCH
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Crypto Map IPv4 "Tunnel2-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 100.41.221.14
Extended IP access list
access-list permit ip any any
Current peer: 100.41.221.14
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Always create SAs
Interfaces using crypto map Tunnel2-head-0:
Tunnel2
If you need more information, I will give it to you guys.
Thanks :).
02-17-2019 11:31 AM
Hello,
try the below:
1. Remove the ipsec profile:
--> no crypto ipsec profile HQBRANCH
Add the lines marked in bold:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 14400
crypto isakmp key PSKKEYHIDDEN address 100.41.221.14
!
crypto keyring KEYRING_HQBRANCH
pre-shared-key address 100.41.221.14 key PSKKEYHIDDEN
!
crypto ipsec transform-set HQBRANCH esp-3des esp-sha-hmac
mode tunnel
!
crypto isakmp profile PROFILE_HQBRANCH
keyring KEYRING_HQBRANCH
match identity address 100.41.221.14 255.255.255.255
!
crypto map HQMAP 10 ipsec-isakmp
set peer 100.41.221.14
set transform-set HQBRANCH
set isakmp-profile PROFILE_HQBRANCH
set pfs group5
match address 120
02-16-2019 09:36 PM
Hello,
The thread is getting very long so I don't know if this has already been mentioned, but set the hash to sha1 under your crypto policy:
crypto isakmp policy 10
hash sha1
02-17-2019 09:24 AM
SHA is the default hashing algorithm, so it doesn't appear in the running config. Even if you manually define SHA as the hashing algorithm it would not be displayed in the running config; only an algorithm other than the default would be displayed in the running config. You can confirm the actual hashing algorithm by running "show crypto isakmp policy"; it would appear as Secure Hash Standard.
The errors provided still look like Phase 2 issues, confirm with 3rd party exactly what they have configured.
HTH
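The last reply's advice to confirm exactly what the third party has configured comes down to comparing Phase 2 selectors (proxy IDs). The script below is an added example for this thread, not code from the original post, from Cisco or from Fortinet. It parses the crypto ACL 120 from the posted config, converts the Cisco wildcard mask to a prefix, and compares the result with the peer's selectors. The Fortigate-side selectors are an assumption built from the three hosts the post names (10.16.1.110-10.16.1.112, which is not a single prefix) and the local LAN 10.213.16.0/24; replace them with what the peer actually reports. It also emits the ACL entries that would be an exact mirror image of those assumed selectors, one per peer prefix.

```python
"""Check IKEv1 Phase 2 selectors (proxy IDs) of a Cisco crypto-map ACL against
the selectors the remote peer is believed to use.

Added example for this thread, not code from the original post or from Cisco.
The Fortigate-side selectors below are an ASSUMPTION built from the three
hosts the post names (10.16.1.110-10.16.1.112) and the local LAN 10.213.16.0/24.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")

# Constructed excerpt: only the access-list lines from the posted running config.
CONFIG = """\
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
"""

# ASSUMED peer (Fortigate) Phase 2 selectors: its "local" side is the three hosts,
# its "remote" side is our LAN. Replace with what the peer actually has configured.
PEER_LOCAL = list(ipaddress.summarize_address_range(
    IPv4Address("10.16.1.110"), IPv4Address("10.16.1.112")))
PEER_REMOTE = [IPv4Network("10.213.16.0/24")]


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert a Cisco address/wildcard pair (0.0.0.255 == /24) to a network.
    IOS accepts non-contiguous wildcards in ACLs, but an IPsec selector must be
    a prefix, so those are rejected here."""
    mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    return IPv4Network(f"{addr}/{prefixlen}", strict=False)


def _endpoint(tokens, i):
    """Parse one ACE address spec ('any', 'host X', or 'X WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(config: str, number: int):
    """Return (source, destination) network pairs of the 'permit ip' ACEs of one ACL."""
    pairs = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", str(number), "permit", "ip"]:
            continue
        src, i = _endpoint(tokens, 4)
        dst, _ = _endpoint(tokens, i)
        pairs.append((src, dst))
    return pairs


def compare_selectors(local_pairs, peer_local, peer_remote):
    """Findings for an IOS IKEv1 crypto map, whose crypto ACL is expected to be the
    mirror image of the peer's selectors (our src == their dst, our dst == their src)."""
    findings = []
    for src, dst in local_pairs:
        if src not in peer_remote:
            findings.append(f"our source {src} is not one of the peer's remote selectors")
        uncovered = [str(p) for p in peer_local if not p.subnet_of(dst)]
        if uncovered:
            findings.append(f"our destination {dst} does not cover peer local {uncovered}")
        elif dst not in peer_local:
            findings.append(
                f"our destination {dst} is wider than the peer's local selectors "
                f"{[str(p) for p in peer_local]}; not a mirror image")
    return findings


def mirror_aces(local_net: IPv4Network, peer_local, number: int):
    """Crypto ACL entries that mirror the peer's local selectors exactly,
    one ACE per peer prefix (a range that is not one prefix needs several)."""
    aces = []
    for p in peer_local:
        dst = (f"host {p.network_address}" if p.prefixlen == 32
               else f"{p.network_address} {p.hostmask}")
        aces.append(f"access-list {number} permit ip "
                    f"{local_net.network_address} {local_net.hostmask} {dst}")
    return aces


if __name__ == "__main__":
    pairs = parse_crypto_acl(CONFIG, 120)
    for finding in compare_selectors(pairs, PEER_LOCAL, PEER_REMOTE):
        print("finding:", finding)
    print("mirror-image ACEs for the assumed peer selectors:")
    print("\n".join(mirror_aces(PEER_REMOTE[0], PEER_LOCAL, 120)))
```

With the posted ACL the script reports one finding: the destination "any" is wider than the assumed peer-side hosts, so it is not a mirror image of what the Fortigate would protect. Whether that matters depends on the peer's real selectors, which is exactly why the reply above asks to confirm them; feed the confirmed values into PEER_LOCAL and PEER_REMOTE and rerun.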