03-30-2015 03:43 PM - last edited on 03-25-2019 03:44 PM by ciscomoderator
I have a 2911 that has a few existing IPSec tunnels and I'm looking to add one in except the encryption is a little different. I will be using AES vs DES like the other transform sets. - This is what I have configured except I still don't see the tunnel when I do sh crypto isakmp sa... What could I be doing wrong?
note: I also added the peer address to access-list 101, do I need to allow it through outgoing_to_source?
Configure ISAKMP Policy
crypto isakmp policy 3
encr aes 256
authentication pre-share
hash sha
lifetime 86400
group 2
Configure IPsec Transform Set
Specifies the interesting traffic to be encrypted
ip access-list extended outgoing_to_source
Specifies the pre-shared key "secretkey" which should be identical at both peers
Configure the Ipsec-isakmp
crypto map vpn-map 1 ipsec-isakmp
set peer 66.x.x.x
set transform-set ESP-AES-SHA
Apply the Ipsec-isakmp to interface
interface GigabitEthernet0/1
description ** Connection to internet **
ip address 174.x.x.x 255.255.255.248
ip access-group 101 in
ip access-group 131 out
ip flow ingress
ip nat outside
ip inspect standard in
03-30-2015 03:50 PM
Have you excluded the IPSEC traffic from NAT?
NAT happens before IPSEC so unless you have specifically excluded that traffic from NAT then the 192.168.18.x source IPs will be translated to 174.x.x.x before your crypto map is checked and so won't match.
Edit - if you don't want to exclude it from NAT then you can modify your crypto map to have the source IP of 174.x.x.x but you would also need to modify the crypto map on the other device as well.
Jon
03-30-2015 03:58 PM
I do not believe so, and might be green to what you are asking. Would I need to create a deny ACL in order to prevent the NAT process?
These are the remote hosts I'm trying to reach -
03-31-2015 03:49 AM
edited
03-31-2015 10:15 AM
I'm a big fan now of VTI interfaces to do the site-to-site crypto stuff, with the added bonus of easily running OSPF inside the tunnel, etc.
04-01-2015 11:33 AM
Hey John,
I was able to get phase 1 going by denying nat to the host object-group. Phase 2 is not initiating so I'm waiting for the vendor to send me their config.
-B
04-01-2015 11:53 AM
Hi Bobby,
You are configuring the wrong IP in the set peer command or the pre-shared key; both should be the same. Please review it.
crypto isakmp key "secret-key" address 65.x.x.x no-xauth
set peer 66.x.x.x
HTH
kazim abbas
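As an added example, not from the thread or any participant's configuration, here is how Jon's NAT exemption and kazim's peer/key check fit together on IOS. The remote LAN 10.20.30.0/24, the ACL name NAT-INSIDE, the key placeholder and the transform-set definition are assumptions, since the thread does not show them.

```cisco
! Added example for IOS, not the poster's or Jon's actual configuration.
! From the thread: local LAN 192.168.18.0/24, peer 66.x.x.x, crypto map
! vpn-map, transform set ESP-AES-SHA, crypto ACL outgoing_to_source,
! outside interface GigabitEthernet0/1.
! Assumed (not on the page): remote LAN 10.20.30.0/24, NAT ACL name
! NAT-INSIDE, the pre-shared key placeholder and the transform-set line.

! Phase 1 key: the address here must be the same host as "set peer",
! otherwise ISAKMP has no key for the proposal (kazim's point).
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 66.x.x.x no-xauth

! Transform set named in the crypto map; the post does not show its
! definition, so this line is an assumption matching "AES vs DES".
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

! Interesting traffic: only local LAN -> remote LAN goes into the tunnel.
ip access-list extended outgoing_to_source
 permit ip 192.168.18.0 0.0.0.255 10.20.30.0 0.0.0.255

! NAT exemption. NAT is evaluated before the crypto map on egress, so the
! deny for the VPN pair must precede the permit; otherwise the source is
! rewritten to 174.x.x.x, outgoing_to_source never matches, and no SA is
! ever negotiated (which is why "show crypto isakmp sa" stays empty).
ip access-list extended NAT-INSIDE
 deny   ip 192.168.18.0 0.0.0.255 10.20.30.0 0.0.0.255
 permit ip 192.168.18.0 0.0.0.255 any

! Overload NAT using the exemption list. The router's existing NAT
! statement may differ; Jon asks for it so it is changed, not duplicated.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload

! Crypto map entry from the post, plus the match address the post omits.
crypto map vpn-map 1 ipsec-isakmp
 set peer 66.x.x.x
 set transform-set ESP-AES-SHA
 match address outgoing_to_source

interface GigabitEthernet0/1
 crypto map vpn-map
```

After a ping from a 192.168.18.x host to the remote LAN, `show access-lists` should show hits on the deny line of NAT-INSIDE and `show crypto isakmp sa` should list 66.x.x.x (QM_IDLE once phase 1 completes). The inbound filter on the interface (access-list 101 in the post) still has to allow UDP 500 and ESP (IP protocol 50) from the peer, which is what adding the peer address there is meant to cover.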
03-30-2015 08:42 PM
Do I need to somehow deny the local subnet to the remote local lan I'm trying to access? If so, what would be the command for that?
03-31-2015 02:27 AM
Yes, you need to deny the traffic.
Can you post the current router configuration so I can see what your existing NAT configuration is as I don't want to break anything currently working.
Jon