
Need Help with IPsec Between Two Routers

andrea112
Level 1


Hello Cisco Community,

I am currently working on a project that involves setting up an IPsec VPN tunnel between two routers: one in Aarhus and another in Odense. Both routers are connected to the same subnet over the internet.

I've configured both routers with ISAKMP policies, IPsec transform sets, and crypto maps. The interesting traffic has been defined in an access list and applied to the respective crypto maps. However, I'm facing an issue where the VPN tunnel is not getting established.

Here's a brief overview of the configuration:

- Aarhus Router:
- Outside Interface IP: 192.168.132.10
- Inside Interface IP: 192.168.0.1
- ISAKMP Policy: AES encryption, SHA hashing, Pre-shared key authentication, DH group 2
- IPsec Transform Set: `TS` with `esp-aes` and `esp-sha-hmac`
- Crypto Map: `MyMap`

- Odense Router:
- Outside Interface IP: 192.168.132.11
- Inside Interface IP: 172.168.0.1
- ISAKMP Policy: AES encryption, SHA hashing, Pre-shared key authentication, DH group 2
- IPsec Transform Set: `TS` with `esp-aes` and `esp-sha-hmac`
- Crypto Map: `MyMap`

Both routers are able to ping each other, and the pre-shared keys match. Despite this, when I run the `show crypto isakmp sa` and `show crypto ipsec sa` commands, they do not show any active SAs.

Is it because I need GRE in my IPsec setup?

I am looking for advice or troubleshooting tips to resolve this issue and successfully establish the VPN tunnel.

Thank you in advance for your assistance!

13 Replies

Joseph W. Doherty
Hall of Fame

Crypto maps?  Do the routers support VTIs?


Yes, both routers are Cisco 1841s and support VPN functionalities.

akhilntt
Level 1

Can you share the router configuration...

Here are my current configurations.

No need to see the version.
You use DHCP to assign an IP to the interface under which you configure the crypto map.
That does not work; you need at least one side to have a manual IP.
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14131-ios-804.html

There is a solution for a dynamic-to-dynamic IPsec peer, but it is hard and needs DNS.
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/118048-technote-ipsec-00.html

Hello,

I agree with @Joseph W. Doherty that crypto maps are very much legacy. Either way, make sure your config looks similar to what is posted below:

Aarhus

crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key vpnkey address 192.168.132.11
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map C_MAP 10 ipsec-isakmp
set peer 192.168.132.11
set transform-set TS
match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 172.168.0.0 0.0.0.255
!
interface GigabitEthernet0/0
description INSIDE
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/1
description OUTSIDE
ip address 192.168.132.10 255.255.255.0
crypto map C_MAP
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

Odense

crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key vpnkey address 192.168.132.10
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map C_MAP 10 ipsec-isakmp
set peer 192.168.132.10
set transform-set TS
match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
permit ip 172.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
interface GigabitEthernet0/0
description INSIDE
ip address 172.168.0.1 255.255.255.0
!
interface GigabitEthernet0/1
description OUTSIDE
ip address 192.168.132.11 255.255.255.0
crypto map C_MAP
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1


Thank you for the configuration guide! I've adjusted it for our setup and attached the configs for both routers. I have attached the configuration files for both the Aarhus and Odense router.


Edson A. Hernandez
Spotlight

Check Connectivity: Verify that each router's outside interface can reach the other. You mentioned they can ping each other, which is good. Make sure the pings are sourced from the outside interfaces.

Verify ISAKMP/IKE Phase 1:
Ensure that the crypto isakmp key statement is correctly configured with the same pre-shared key on both sides.

Check IPsec Phase 2:
Check that the access list defining interesting traffic is a mirror image on both sides (source and destination swapped).

Examine Access Lists:
The access lists should define the local and remote subnets accurately. Any misconfiguration in the ACL can prevent the establishment of the tunnel.

Inspect NAT Traversal:
If there is any NAT device in between, make sure you have NAT-T configured or the appropriate NAT exemptions.


Firewall/ACL Blocking:
Ensure that there is no firewall rule or ACL blocking IPsec traffic (UDP/500, UDP/4500 for NAT-T, and IP protocol 50 for ESP).


Can you share the router configuration?

Are both routers the same model?

Thanks A Lot
MHM

Yes, both routers are the same model: Cisco 1841.


@andrea112 wrote:

Yes, both routers are the same model: Cisco 1841.


Can I see show version 

Thanks A Lot
MHM

Cisco 1841 (revision 6.0) with 239616K/22528K bytes of memory.
Processor board ID FHK103122PT
4 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1841 FHK103122PT

mirarautio
Level 1

It's great that you've provided such a detailed overview of your configuration. Troubleshooting VPN issues can be a bit tricky, but let's try to resolve this together.

Based on the information you've shared, it appears that you have configured your routers correctly, and they can ping each other. The absence of active SAs (Security Associations) might indicate a few potential issues. Here are some troubleshooting tips to help you identify and resolve the problem:

  1. Check ACLs and NAT Rules: Make sure that the access list (ACL) you defined for the interesting traffic is correctly permitting the traffic you want to protect. Also, ensure that no NAT (Network Address Translation) rules are interfering with the traffic.

  2. Verify Crypto Maps: Double-check the crypto maps on both routers. Ensure that they match exactly, including the order of the entries, and that they are correctly applied to the correct interfaces.

  3. Check Pre-Shared Keys: Although you mentioned that the pre-shared keys match, verify them once more to be absolutely certain. A small typo can prevent the tunnel from establishing.

  4. DH Group Matching: Ensure that the DH (Diffie-Hellman) group used in your ISAKMP policies is identical on both routers. In your case, it's DH group 2, so make sure this is consistent.

  5. Logs and Debugging: Review the logs and enable debugging on both routers to get more detailed information about the negotiation process. This can be invaluable in identifying where the issue lies.

  6. Compatibility Mode: Some devices require compatibility mode to establish a VPN tunnel with Cisco devices. Check if there's a compatibility or vendor-specific setting in your router's configuration.

Regarding GRE (Generic Routing Encapsulation), it's not typically required for a basic IPsec VPN tunnel. However, if you have specific routing requirements that necessitate GRE, you can certainly add it to your setup.

By systematically checking these points and comparing configurations on both routers, you should be able to pinpoint the issue causing the VPN tunnel not to establish. If you're still having trouble, please share any error messages or logs you encounter during the troubleshooting process. This additional information will help the community provide more precise assistance.

Best of luck with your project, and I hope you can resolve the issue soon!
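The checks the replies above keep coming back to (matching Phase 1 parameters and pre-shared keys, a crypto map bound to an interface with a static address, and an interesting-traffic ACL that is a mirror image of the peer's) can be run mechanically before anyone reaches for debug. The script below is an added example, not code from this thread or from Cisco: it parses both routers' crypto-map configs and lists the mismatches. The sample configs are constructed here from the Aarhus/Odense values posted above; the interface name GigabitEthernet0/1, the key `vpnkey` and the map name C_MAP follow the posted config, and the parser understands only the commands that config uses (one ISAKMP policy, extended ACL entries in `permit ip SRC WILDCARD DST WILDCARD` form).

```python
"""Consistency check for a pair of IOS crypto-map VPN configs (added example, not code
from the thread or from Cisco).  It parses the commands the posted configs use from both
routers and reports the mismatches that keep Phase 1 / Phase 2 from coming up.  The
sample configs are constructed from the Aarhus/Odense values in the thread."""
import re

def ios_config(local_ip, peer_ip, local_net, remote_net, key="vpnkey", group="2"):
    """Render one side of the site-to-site config (constructed from the thread's values)."""
    return f"""
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group {group}
crypto isakmp key {key} address {peer_ip}
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map C_MAP 10 ipsec-isakmp
set peer {peer_ip}
set transform-set TS
match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
interface GigabitEthernet0/1
ip address {local_ip} 255.255.255.0
crypto map C_MAP
"""

AARHUS = ios_config("192.168.132.10", "192.168.132.11", "192.168.0.0", "172.168.0.0")
ODENSE = ios_config("192.168.132.11", "192.168.132.10", "172.168.0.0", "192.168.0.0")

def parse_ios(text):
    """Minimal parser for the commands above; it does not rely on indentation."""
    cfg = {"policy": {}, "keys": {}, "tsets": {}, "cmaps": {}, "acls": {}, "intfs": {}}
    cur = None  # container for the section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if re.match(r"crypto isakmp policy \d+", line):
            cur = cfg["policy"]  # a single policy is enough here
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m.group(2)], cur = m.group(1), None
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["tsets"][m.group(1)], cur = tuple(m.group(2).split()), None
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cur = cfg["cmaps"].setdefault(m.group(1), {})
        elif m := re.match(r"ip access-list extended (\S+)", line):
            cur = cfg["acls"].setdefault(m.group(1), [])
        elif m := re.match(r"interface (\S+)", line):
            cur = cfg["intfs"].setdefault(m.group(1), {})
        elif cur is not None:
            w = line.split()
            if isinstance(cur, list):  # ACL body: permit ip SRC WILDCARD DST WILDCARD
                if w[:2] == ["permit", "ip"] and len(w) == 6:
                    cur.append(tuple(w[2:]))
            elif w[0] == "set":  # crypto map: set peer X / set transform-set X
                cur[w[1]] = w[2]
            elif w[:2] == ["match", "address"]:
                cur["match"] = w[2]
            elif w[:2] == ["ip", "address"]:  # interface: static address, or "dhcp"
                cur["ip"] = w[2]
            elif w[:2] == ["crypto", "map"]:  # crypto map bound to this interface
                cur["crypto_map"] = w[2]
            elif w[0] in ("encr", "hash", "authentication", "group"):
                cur[w[0]] = w[1]
    return cfg

def tunnel_view(cfg):
    """Collapse one side to the values its peer must agree with."""
    intf = next((d for d in cfg["intfs"].values() if "crypto_map" in d), {})
    cmap = cfg["cmaps"].get(intf.get("crypto_map"), {})
    return {"ip": intf.get("ip"),  # None: no crypto map applied; "dhcp": no static address
            "peer": cmap.get("peer"),
            "key": cfg["keys"].get(cmap.get("peer")),  # None: no PSK for that peer address
            "transforms": cfg["tsets"].get(cmap.get("transform-set")),
            "acl": cfg["acls"].get(cmap.get("match"), []),
            "policy": cfg["policy"]}

def check_pair(a_text, b_text, a_name="A", b_name="B"):
    """Return mismatch descriptions; an empty list means the pair is consistent."""
    a, b = tunnel_view(parse_ios(a_text)), tunnel_view(parse_ios(b_text))
    problems = [f"phase 1 {k} mismatch: {a['policy'].get(k)} vs {b['policy'].get(k)}"
                for k in ("encr", "hash", "authentication", "group") if a["policy"].get(k) != b["policy"].get(k)]
    for local, remote, ln, rn in ((a, b, a_name, b_name), (b, a, b_name, a_name)):
        if local["ip"] in (None, "dhcp"):  # a static crypto map peer needs a fixed outside address
            problems.append(f"{ln}: outside interface has no static address (crypto map missing or DHCP)")
        if local["peer"] != remote["ip"]:
            problems.append(f"{ln}: set peer {local['peer']} != {rn} outside address {remote['ip']}")
        if local["key"] is None:
            problems.append(f"{ln}: no pre-shared key for peer {local['peer']}")
        mirrored = {(d, dw, s, sw) for s, sw, d, dw in remote["acl"]}  # remote entries, src/dst swapped
        for entry in local["acl"]:
            if entry not in mirrored:
                problems.append(f"{ln}: permit ip {' '.join(entry)} has no mirror-image entry on {rn}")
    if a["key"] and b["key"] and a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    if a["transforms"] != b["transforms"]:
        problems.append(f"transform sets differ: {a['transforms']} vs {b['transforms']}")
    return problems

if __name__ == "__main__":
    print(check_pair(AARHUS, ODENSE, "Aarhus", "Odense"))  # [] for the matched pair
```

For the matched pair `check_pair` returns an empty list; rendering Odense with `group="5"`, a different `key`, a non-mirrored remote network, or replacing its outside address with `ip address dhcp` produces one finding per mismatch, which is the same set of faults `debug crypto isakmp` would eventually reveal one negotiation at a time. It is a static pre-check only: it says nothing about a firewall in the path dropping UDP/500, UDP/4500 or ESP, which still needs a capture or the debug output.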
