Unable to get tunnel configured

Bobby Mazzotti
Level 1

I have a 2911 that has a few existing IPsec tunnels and I'm looking to add one, except the encryption is a little different. I will be using AES vs DES like the other transform sets. This is what I have configured, except I still don't see the tunnel when I do sh crypto isakmp sa... What could I be doing wrong?

Note: I also added the peer address to access-list 101; do I need to allow it through outgoing_to_source?

Configure ISAKMP Policy

   crypto isakmp policy 3
    encr aes 256
    authentication pre-share
    hash sha
    lifetime 86400
    group 2

Configure IPsec Transform Set

   crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac

Specifies the interesting traffic to be encrypted

   ip access-list extended outgoing_to_source
    permit ip 192.168.18.0 0.0.0.255 host 10.1.1.198
    permit ip 192.168.18.0 0.0.0.255 host 10.1.1.197
    permit ip 192.168.18.0 0.0.0.255 host 10.1.1.226
    permit ip 192.168.18.0 0.0.0.255 host 10.1.10.20
    permit ip 192.168.18.0 0.0.0.255 host 10.1.10.21
    permit ip 192.168.18.0 0.0.0.255 host 10.1.10.22
    permit ip 192.168.18.0 0.0.0.255 host 10.1.10.24
    permit ip 192.168.18.0 0.0.0.255 host 10.1.10.121
    permit ip 192.168.18.0 0.0.0.255 host 10.1.10.122
   !

Specifies the pre-shared key "secret-key", which should be identical at both peers

   crypto isakmp key "secret-key" address 65.x.x.x no-xauth

Configure the IPsec-ISAKMP crypto map

   crypto map vpn-map 1 ipsec-isakmp
    set peer 66.x.x.x
    set transform-set ESP-AES-SHA
    match address outgoing_to_source

Apply the crypto map to the interface

   interface GigabitEthernet0/1
    description ** Connection to internet **
    ip address 174.x.x.x 255.255.255.248
    ip access-group 101 in
    ip access-group 131 out
    ip flow ingress
    ip nat outside
    ip inspect standard in
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map vpn-map


8 Replies

Jon Marshall
Hall of Fame
Accepted Solution

Have you excluded the IPSEC traffic from NAT ?

NAT happens before IPSEC so unless you have specifically excluded that traffic from NAT then the 192.168.18.x source IPs will be translated to 174.x.x.x before your crypto map is checked and so won't match.

Edit - if you don't want to exclude it from NAT then you can modify your crypto map to have the source IP of 174.x.x.x but you would also need to modify the crypto map on the other device as well.

Jon

I do not believe so, and might be green to what you are asking. Would I need to create a deny ACL in order to prevent the NAT process?

These are the remote hosts I'm trying to reach:

Remote Hosts:     10.1.1.198
                  10.1.1.197
                  10.1.1.226
                  10.1.10.20
                  10.1.10.21
                  10.1.10.22
                  10.1.10.24
                  10.1.10.121
                  10.1.10.122

Security Profile: ESP-AES-256-SHA
                  Group 2
                  SHA
                  86400 Lifetime

 


I'm a big fan now of VTI interfaces to do the site-to-site crypto stuff, added bonus of easily running ospf inside the tunnel etc.

Hey Jon,

I was able to get phase 1 going by denying nat to the host object-group. Phase 2 is not initiating so I'm waiting for the vendor to send me their config.

 

-B

Hi Bobby,

You are configuring the wrong IP in the set peer command or in the pre-shared key; both should be the same. Please review it.

 crypto isakmp key "secret-key" address 65.x.x.x no-xauth

 set peer 66.x.x.x

 

HTH

kazim abbas

Do I need to somehow deny the local subnet to the remote local lan I'm trying to access? If so, what would be the command for that?

 

Yes, you need to deny the traffic.

Can you post the current router configuration so I can see what your existing NAT configuration is as I don't want to break anything currently working.

Jon
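Worked example of the NAT exemption Jon describes in his first reply ("NAT happens before IPsec") and confirms in his last one ("Yes, you need to deny the traffic"). This is an added illustration, not configuration posted by anyone in the thread, and it makes assumptions the thread does not show: that the 2911's existing PAT is a plain `ip nat inside source list ... interface GigabitEthernet0/1 overload`, and that the NAT ACL is named NAT_INSIDE. NAT_INSIDE, VPN_REMOTE_HOSTS, the sequence numbers, the `<pre-shared-key>` placeholder and the 192.168.18.1 ping source are all hypothetical names chosen here; the real NAT list is the one Jon asks Bobby to post.

```cisco
! Added example - not from the thread. Assumes the existing PAT statement is
!   ip nat inside source list NAT_INSIDE interface GigabitEthernet0/1 overload
! NAT_INSIDE and VPN_REMOTE_HOSTS are hypothetical names. Find the real list with:
!   show run | include ip nat inside source
!
! Order of operations for inside-to-outside traffic on IOS is routing, then
! inside-to-outside NAT, then the crypto map check. So a 192.168.18.x packet
! is already 174.x.x.x by the time outgoing_to_source is evaluated, never
! matches, and phase 1 is never even triggered - which is why "show crypto
! isakmp sa" stays empty.
!
! 1. Group the nine remote hosts once (object-group ACLs are supported on the
!    IOS 15 images an ISR G2 such as the 2911 runs).
object-group network VPN_REMOTE_HOSTS
 host 10.1.1.197
 host 10.1.1.198
 host 10.1.1.226
 host 10.1.10.20
 host 10.1.10.21
 host 10.1.10.22
 host 10.1.10.24
 host 10.1.10.121
 host 10.1.10.122
!
! 2. NAT exemption. A deny entry in a NAT ACL means "do not translate". It must
!    sit ABOVE the permit that covers the same sources; new entries in a named
!    ACL are appended at the end by default, so give it an explicit lower
!    sequence number rather than just adding a line.
ip access-list extended NAT_INSIDE
 5  deny   ip 192.168.18.0 0.0.0.255 object-group VPN_REMOTE_HOSTS
 10 permit ip 192.168.18.0 0.0.0.255 any
!
! (left as it is) ip nat inside source list NAT_INSIDE interface GigabitEthernet0/1 overload
!
! 3. The crypto ACL can reference the same group, so the exemption and the
!    interesting-traffic definition cannot drift apart. This single line
!    matches exactly what the nine host lines in outgoing_to_source match.
ip access-list extended outgoing_to_source
 permit ip 192.168.18.0 0.0.0.255 object-group VPN_REMOTE_HOSTS
!
! 4. The ISAKMP key address and the crypto map peer must be the same public
!    address of the remote gateway. The post shows 65.x.x.x for the key and
!    66.x.x.x for the peer; with that mismatch phase 1 has no key to use.
crypto isakmp key 0 <pre-shared-key> address 66.x.x.x no-xauth
crypto map vpn-map 1 ipsec-isakmp
 set peer 66.x.x.x
 set transform-set ESP-AES-SHA
 match address outgoing_to_source
!
! 5. Inbound ACL 101 on Gi0/1 has to let the peer's IKE and ESP in. Numbered
!    ACL lines are appended at the end, so if 101 already ends in a deny these
!    must be inserted above it (use "ip access-list extended 101" with
!    sequence numbers).
access-list 101 permit udp host 66.x.x.x host 174.x.x.x eq isakmp
access-list 101 permit udp host 66.x.x.x host 174.x.x.x eq non500-isakmp
access-list 101 permit esp host 66.x.x.x host 174.x.x.x
!
! 6. Verification. Translations already in the table keep matching until they
!    age out, so clear them - this drops every translated session, so do it in
!    a maintenance window.
!   clear ip nat translation *
!   ping 10.1.1.198 source 192.168.18.1              ! 192.168.18.1 is a hypothetical inside address
!   show ip nat translations | include 10.1.1.198    ! must return nothing
!   show crypto isakmp sa                             ! expect MM_NO_STATE -> QM_IDLE
!   show crypto ipsec sa peer 66.x.x.x | include pkts ! encaps/decaps counters climbing
!   show crypto session
```

Two caveats on the original post. The crypto ACL defines the cleartext traffic to encrypt, so the peer's public address does not belong in outgoing_to_source; it only needs to be permitted in ACL 101 as above. And IOS does not strip quotation marks from a pre-shared key, so a key entered as "secret-key" has to be entered with the quotes on the other side as well, or better, entered without them on both.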
