Simple IPsec tunnel will not come up- No debug info

Dennis Topo Jr
Level 1

Hello all. I was labbing up an upcoming project and found that I cannot get a simple tunnel to come up between two 7200 series routers. I've triple-checked everything and re-written the config. There is no debug info either (debug crypto isakmp), so it's almost as if something is not triggering or not capable. I can ping the peer ends, so that's fine. When I source-ping the private interfaces from each router, I get nothing. No SA, nothing in the debug.

Below are the pertinent config lines and attached diagram. I've done this many times in GNS3, but why it's not working now is a mystery. Appreciate the extra eyeballs, as this is frustrating now!

R1 

crypto isakmp policy 100
encr aes
hash sha256
authentication pre-share
lifetime 42400
crypto isakmp key CISCO address 2.2.2.2
!
!
crypto ipsec transform-set R1TRANS ah-sha256-hmac
mode tunnel
!
!
!
crypto map TUNNELMAP1 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set R1TRANS
match address 123

interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface FastEthernet1/0
ip address 1.1.1.1 255.255.255.0
speed auto
duplex auto
crypto map TUNNELMAP1

ip route 0.0.0.0 0.0.0.0 1.1.1.10
!
access-list 123 permit 10 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

R2

crypto isakmp policy 100
encr aes
hash sha256
authentication pre-share
lifetime 42400
crypto isakmp key CISCO address 1.1.1.1
!
!
crypto ipsec transform-set R2TRANS ah-sha256-hmac
mode tunnel
!
!
!
crypto map TUNNELMAP1 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set R2TRANS
match address 123

interface GigabitEthernet0/0
ip address 192.168.2.2 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface FastEthernet1/0
ip address 2.2.2.2 255.255.255.0
speed auto
duplex auto
crypto map TUNNELMAP1

ip route 0.0.0.0 0.0.0.0 2.2.2.10
!
access-list 123 permit 10 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255

R3 is just a tie-in to represent an ISP; addressing is fine.
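A check worth running on the two peer configs above before reaching for debugs: do the phase-1 policies actually agree, and does the transform set provide what you think it does? The following is an added example, not code from the thread or from Cisco. It parses a constructed, minimal subset of IOS syntax (sample configs below follow the shape of the R1/R2 posts), finds a negotiable IKEv1 policy pair, and flags weak or integrity-only choices. The defaults table is an assumption about IOS IKEv1 policy defaults; confirm with `show crypto isakmp policy` on your release.

```python
"""Compare IKEv1 phase-1 policies and IPsec transform sets of two IOS peers.
Added example; the IOS parsing is a constructed minimal subset of the syntax."""
import re
from typing import Dict, List, Optional, Tuple

# ASSUMED IOS IKEv1 policy defaults used when an attribute line is omitted.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}              # MODP groups below 2048 bits
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}

# Constructed sample configs (same shape as the thread's first R1/R2 posts).
R1_CFG = """
crypto isakmp policy 100
 encr aes
 hash sha256
 authentication pre-share
 lifetime 42400
crypto isakmp key CISCO address 2.2.2.2
crypto ipsec transform-set R1TRANS ah-sha256-hmac
 mode tunnel
"""
R2_CFG = R1_CFG.replace("2.2.2.2", "1.1.1.1").replace("R1TRANS", "R2TRANS")
# A peer that added 'group 2' and an ESP set; the other side did not.
R2_ALT_CFG = """
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set R2TRANS esp-aes 256 esp-sha-hmac
 mode tunnel
"""


def parse_isakmp_policies(cfg: str) -> Dict[int, Dict[str, str]]:
    """'crypto isakmp policy N' blocks; omitted attributes take ISAKMP_DEFAULTS."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(ISAKMP_DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in current:
                current[key] = value
        else:
            current = None                # any other top-level line ends the block
    return policies


def parse_transform_sets(cfg: str) -> Dict[str, List[str]]:
    """Name -> transform tokens; key-size modifiers like the 256 in 'esp-aes 256' dropped."""
    sets: Dict[str, List[str]] = {}
    for line in cfg.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line.rstrip())
        if m:
            sets[m.group(1)] = [t for t in m.group(2).split() if not t.isdigit()]
    return sets


def phase1_negotiable(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """IKEv1 phase 1 needs encr/hash/auth/group to agree; lifetimes may differ."""
    return all(a[k] == b[k] for k in ("encr", "hash", "authentication", "group"))


def find_phase1_match(local: Dict[int, Dict[str, str]],
                      remote: Dict[int, Dict[str, str]]) -> Optional[Tuple[int, int]]:
    """Lowest-numbered local policy that some remote policy accepts, else None."""
    for lp in sorted(local):
        for rp in sorted(remote):
            if phase1_negotiable(local[lp], remote[rp]):
                return lp, rp
    return None


def policy_warnings(p: Dict[str, str]) -> List[str]:
    """Weak phase-1 choices, including defaults the admin never typed."""
    w = []
    if p["encr"] in WEAK_ENCR:
        w.append(f"encr {p['encr']} is weak")
    if p["hash"] in WEAK_HASH:
        w.append("hash md5 is weak")
    if p["group"] in WEAK_DH_GROUPS:
        w.append(f"DH group {p['group']} is below 2048-bit")
    return w


def transform_warnings(transforms: List[str]) -> List[str]:
    """Flag AH-only sets (integrity, no confidentiality) and weak ESP transforms."""
    w = []
    ciphers = [t for t in transforms if t.startswith("esp-") and not t.endswith("-hmac")]
    if not ciphers:
        w.append("no ESP cipher: AH-only set authenticates but does not encrypt")
    w += [f"{t} is weak" for t in transforms if t in WEAK_ESP]
    return w


if __name__ == "__main__":
    r1, r2, r2alt = (parse_isakmp_policies(c) for c in (R1_CFG, R2_CFG, R2_ALT_CFG))
    print("R1/R2 phase-1 match:", find_phase1_match(r1, r2))
    print("R1/R2_ALT phase-1 match:", find_phase1_match(r1, r2alt))
    print("R1 policy warnings:", policy_warnings(r1[100]))
    print("R1 transform warnings:", transform_warnings(parse_transform_sets(R1_CFG)["R1TRANS"]))
```

Two things this surfaces about the posted config that `debug crypto isakmp` never will, because no negotiation starts: the policy never sets `group`, so it inherits the default DH group, and `ah-sha256-hmac` on its own authenticates packets without encrypting them, so the "tunnel" would carry the LAN traffic in the clear.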


What version of IOS are the 7200s running?

I take it there is no routing to 192.168.10.0 or 192.168.2.0 on the R3 router.

Also, I assume you are trying to bring the tunnel up by pinging the 192.168.2.0 network from the 192.168.10.0 network.

Correct, Richard, on both counts. Thanks for taking a look.

Version is

C7200-ADVENTERPRISEK9-M, Version 15.2(4)

I just dug up another lab with a slightly different and more complex arrangement, and that one is fine. Same routers/images/version/PC/GNS3 etc.

So I changed this config to use a crypto keyring and ISAKMP profile instead. Still no joy! Same behavior. Changes are in blue. Also changed the encryption types to match the "working" lab config.

Here are the updated configs, which do work in a similar lab. I've done the obvious like restarting everything.

R1

crypto keyring VPN
pre-shared-key address 2.2.2.2 key CISCO
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp profile ISAKMP_R1
keyring VPN
match identity address 2.2.2.2 255.255.255.255
!
!
crypto ipsec transform-set R1TRANS esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map TUNNELMAP1 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set R1TRANS
set isakmp-profile ISAKMP_R1
match address 123
!
!
!
interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface FastEthernet1/0
ip address 1.1.1.1 255.255.255.0
speed auto
duplex auto
crypto map TUNNELMAP1

ip route 0.0.0.0 0.0.0.0 1.1.1.10
!
access-list 123 permit 10 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

R2

crypto keyring VPN
pre-shared-key address 1.1.1.1 key CISCO
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp profile ISAKMP_R2
keyring VPN
match identity address 1.1.1.1 255.255.255.255
!
!
crypto ipsec transform-set R2TRANS esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map TUNNELMAP1 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set R2TRANS
set isakmp-profile ISAKMP_R2
match address 123
!
!
!
interface GigabitEthernet0/0
ip address 192.168.2.2 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface FastEthernet1/0
ip address 2.2.2.2 255.255.255.0
speed auto
duplex auto
crypto map TUNNELMAP1

ip route 0.0.0.0 0.0.0.0 2.2.2.10
!
access-list 123 permit 10 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255

Uhhh... figured it out. My own oversight! The access-list 123: I had a 10 in there thinking it was the line sequence number, when it was actually the specifier for an IP protocol number! Stupid!

Created a new ACL in named format, and success! Thanks all.

Extended IP access list 123
10 permit 10 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
Extended IP access list VPN
10 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log (51 matches)
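The root cause above is easy to reproduce offline: `permit 10 ...` is a perfectly valid ACL entry, it just matches IP protocol 10 rather than everything, so a test ping (ICMP, protocol 1) is never "interesting traffic" and the crypto map never starts IKE. The following linter is an added example, not code from the thread or from Cisco. It parses IOS extended ACL lines in both the numbered `access-list 123 ...` form and the `show access-list` form shown above, evaluates whether a packet would match, flags a raw protocol number in the protocol field, and checks that the two peers' crypto ACLs mirror each other. The keyword table is a constructed subset of IOS protocol keywords; only contiguous wildcard masks are handled.

```python
"""Lint Cisco-style crypto ACLs. Added example; IOS parsing is a constructed subset."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of IOS protocol keywords -> IP protocol numbers ("ip" = any).
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17,
                  "gre": 47, "esp": 50, "ahp": 51}

# 'show access-list' appends hit counters such as "(51 matches)".
_MATCHES_RE = re.compile(r"\s*\(\d+ matches?\)\s*$")


@dataclass(frozen=True)
class AclEntry:
    seq: Optional[int]
    action: str
    proto_token: str             # the literal field, e.g. "ip" or "10"
    proto: Optional[int]         # IP protocol number; None means any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks; a non-contiguous one raises ValueError."""
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def _take_address(tok: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one 'any' | 'host A' | 'A WILDCARD' address spec."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return _wildcard_to_network(tok[0], tok[1]), tok[2:]


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit ...' or '[seq] permit ...' (named / show form)."""
    tok = _MATCHES_RE.sub("", line.strip()).split()
    seq = None
    if tok[0] == "access-list":           # numbered config form
        tok = tok[2:]
    elif tok[0].isdigit():                # sequence number from named/show form
        seq, tok = int(tok[0]), tok[1:]
    action, proto_token, rest = tok[0], tok[1], tok[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action {action!r}")
    if proto_token in PROTO_KEYWORDS:
        proto = PROTO_KEYWORDS[proto_token]
    elif proto_token.isdigit():           # IOS accepts a raw IP protocol number here
        proto = int(proto_token)
    else:
        raise ValueError(f"unknown protocol {proto_token!r}")
    src, rest = _take_address(rest)
    dst, rest = _take_address(rest)       # trailing 'log' etc. is ignored
    return AclEntry(seq, action, proto_token, proto, src, dst)


def lint_entry(e: AclEntry) -> List[str]:
    """Warnings for entries that are valid IOS but rarely what a VPN admin meant."""
    w = []
    if e.proto_token.isdigit():
        w.append(f"protocol field '{e.proto_token}' is IP protocol number {e.proto}, "
                 "not a sequence number; ICMP (1), TCP (6) and UDP (17) never match it")
    return w


def matches(e: AclEntry, proto: int, src_ip: str, dst_ip: str) -> bool:
    """Would a packet with this IP protocol number and addresses hit the entry?"""
    if e.proto is not None and e.proto != proto:
        return False
    return (ipaddress.IPv4Address(src_ip) in e.src
            and ipaddress.IPv4Address(dst_ip) in e.dst)


def is_interesting(entries: List[AclEntry], proto: int, src_ip: str, dst_ip: str) -> bool:
    """First-match semantics; implicit deny means the crypto map never triggers."""
    for e in entries:
        if matches(e, proto, src_ip, dst_ip):
            return e.action == "permit"
    return False


def is_mirror(local: AclEntry, remote: AclEntry) -> bool:
    """Peer crypto ACLs must be mirror images: remote src/dst equal local dst/src."""
    return (local.proto == remote.proto
            and local.src == remote.dst and local.dst == remote.src)


# Constructed sample lines following the shape of the thread's ACLs.
R1_BAD = parse_acl_line("access-list 123 permit 10 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255")
R2_BAD = parse_acl_line("access-list 123 permit 10 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255")
R1_GOOD = parse_acl_line("10 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log (51 matches)")

if __name__ == "__main__":
    for w in lint_entry(R1_BAD):
        print("WARN:", w)
    # A ping sourced from R1's LAN interface: ICMP is IP protocol 1.
    print("ping hits bad ACL: ", is_interesting([R1_BAD], 1, "192.168.10.1", "192.168.2.2"))
    print("ping hits good ACL:", is_interesting([R1_GOOD], 1, "192.168.10.1", "192.168.2.2"))
    print("bad peers mirror:  ", is_mirror(R1_BAD, R2_BAD))
```

Note that the mirror check passes for the broken pair: both sides were consistently wrong, which is exactly why comparing R1 against R2 never revealed anything. Evaluating the actual test packet against the ACL is the check that catches it.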
