08-10-2023 12:25 AM
R1 configuration is:
!
! Last configuration change at 06:59:12 UTC Thu Aug 10 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable password Network@123
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
ip flow-cache timeout active 1
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username admin password 0 Network@123
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Network@123 address 172.16.1.2
crypto isakmp key Network@123 address 192.168.1.2
crypto isakmp key Network@123 address 106.198.0.26
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set TS
match address VPN-TRAFFIC
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.200.200.2 255.255.255.0
duplex full
crypto map CMAP
!
interface FastEthernet1/0
ip address 168.254.1.1 255.255.255.0
ip flow ingress
duplex full
!
interface FastEthernet2/0
ip address 172.16.1.1 255.255.255.0
ip flow ingress
duplex full
crypto map CMAP
!
interface FastEthernet3/0
no ip address
ip flow ingress
shutdown
duplex full
!
interface FastEthernet4/0
no ip address
ip flow ingress
shutdown
duplex full
!
interface FastEthernet5/0
no ip address
shutdown
duplex full
!
interface FastEthernet6/0
no ip address
shutdown
duplex full
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.200.200.1
!
ip access-list extended VPN-TRAFFIC
permit ip 168.254.1.0 0.0.0.255 20.20.10.0 0.0.0.255
!
!
snmp-server community public RO
snmp-server community private RW
snmp ifmib ifindex persist
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login local
transport input telnet
line vty 5 15
login local
transport input telnet
!
!
end
R2 configuration is:
!
! Last configuration change at 07:00:07 UTC Thu Aug 10 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
enable password Network@123
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
ip flow-cache timeout active 1
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username admin password 0 Network@123
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Network@123 address 172.16.1.1
crypto isakmp key Network@123 address 10.200.200.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.2
set peer 10.200.200.2
set transform-set TS
match address VPN-TRAFFIC
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex full
crypto map CMAP
!
interface FastEthernet1/0
ip address 172.168.1.1 255.255.255.0
duplex full
!
interface FastEthernet2/0
ip address 172.16.1.2 255.255.255.0
ip flow ingress
duplex full
crypto map CMAP
!
interface FastEthernet3/0
no ip address
ip flow ingress
shutdown
duplex full
!
interface FastEthernet4/0
no ip address
ip flow ingress
shutdown
duplex full
!
interface FastEthernet5/0
no ip address
shutdown
duplex full
!
interface FastEthernet6/0
no ip address
shutdown
duplex full
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.200.200.1
!
ip access-list extended VPN-TRAFFIC
permit ip 20.20.10.0 0.0.0.255 168.254.1.0 0.0.0.255
!
!
snmp-server community public RO
snmp-server community private RW
snmp ifmib ifindex persist
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login local
transport input telnet
line vty 5 15
login local
transport input telnet
!
!
end
Where did I go wrong?
08-10-2023 01:30 AM
Hello
A few things look incorrect.
Your crypto map peers are incorrect, your interesting-traffic ACL doesn't reflect the RTR1 & RTR2 LAN networks, and you do not have any specific route to each other's LAN subnet.
Try the following:
RTR1
crypto map CMAP 10 ipsec-isakmp
 no set peer 192.168.1.2
 set peer 172.16.1.2
ip access-list extended VPN-TRAFFIC
 no permit ip 168.254.1.0 0.0.0.255 20.20.10.0 0.0.0.255
 permit ip 168.254.1.0 0.0.0.255 172.168.1.0 0.0.0.255
ip route 172.168.1.0 255.255.255.0 172.16.1.2
RTR2
crypto map CMAP 10 ipsec-isakmp
 no set peer 192.168.1.2
 set peer 172.16.1.1
ip access-list extended VPN-TRAFFIC
 no permit ip 20.20.10.0 0.0.0.255 168.254.1.0 0.0.0.255
 permit ip 172.168.1.0 0.0.0.255 168.254.1.0 0.0.0.255
ip route 168.254.1.0 255.255.255.0 172.16.1.1
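An added example, not from the thread, that encodes the reply's three checks (peer choice, interesting-traffic ACLs mirrored against the far side's real LAN, and a specific route to it) in Python and runs them over values transcribed from the two configs above, then over the reply's corrected values. The dict layout and names such as check_pair are my own; pre-shared key values and the ISAKMP/IPsec proposals are not compared.

```python
import ipaddress

# Transcribed from the R1/R2 configs above (ACL entries kept in IOS wildcard-mask form).
R1 = {"ifaces": [("10.200.200.2/24", True), ("168.254.1.1/24", False), ("172.16.1.1/24", True)],
      "keys": ["172.16.1.2", "192.168.1.2", "106.198.0.26"], "peers": ["192.168.1.2"],
      "acl": [("168.254.1.0/0.0.0.255", "20.20.10.0/0.0.0.255")], "routes": ["0.0.0.0/0"]}
R2 = {"ifaces": [("192.168.1.2/24", True), ("172.168.1.1/24", False), ("172.16.1.2/24", True)],
      "keys": ["172.16.1.1", "10.200.200.2"], "peers": ["192.168.1.2", "10.200.200.2"],
      "acl": [("20.20.10.0/0.0.0.255", "168.254.1.0/0.0.0.255")], "routes": ["0.0.0.0/0"]}
# The reply's fix: peer over the 172.16.1.0/24 link, ACLs naming the real LANs, a route to each.
R1_FIX = {**R1, "peers": ["172.16.1.2"], "routes": ["0.0.0.0/0", "172.168.1.0/24"],
          "acl": [("168.254.1.0/0.0.0.255", "172.168.1.0/0.0.0.255")]}
R2_FIX = {**R2, "peers": ["172.16.1.1"], "routes": ["0.0.0.0/0", "168.254.1.0/24"],
          "acl": [("172.168.1.0/0.0.0.255", "168.254.1.0/0.0.0.255")]}

def router(spec):
    # Normalise a transcribed spec into ipaddress objects; ip_network accepts the wildcard (hostmask) form.
    return {"ifaces": [ipaddress.ip_interface(a) for a, _ in spec["ifaces"]],
            "crypto": {ipaddress.ip_interface(a).ip for a, cm in spec["ifaces"] if cm},
            "keys": {ipaddress.ip_address(k) for k in spec["keys"]},
            "peers": [ipaddress.ip_address(p) for p in spec["peers"]],
            "acl": [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in spec["acl"]],
            "routes": [ipaddress.ip_network(r) for r in spec["routes"]]}

def check_pair(a, b, na="R1", nb="R2"):
    # Mismatches that keep the pair from negotiating, checked from each side in turn.
    out = []
    for me, you, n, m in ((a, b, na, nb), (b, a, nb, na)):
        mine = {i.ip for i in me["ifaces"]}
        def reachable(ip):  # directly connected, or covered by a non-default static route
            return any(ip in i.network for i in me["ifaces"]) or any(ip in r for r in me["routes"] if r.prefixlen)
        for p in me["peers"]:
            if p in mine:
                out.append(f"{n}: peer {p} is {n}'s own address")
            elif p not in you["crypto"]:
                out.append(f"{n}: peer {p} has no crypto map applied on {m}")
            elif not reachable(p):
                out.append(f"{n}: peer {p} is neither connected nor specifically routed")
            if p not in me["keys"]:
                out.append(f"{n}: no isakmp key for peer {p}")
        for src, dst in me["acl"]:
            if (dst, src) not in you["acl"]:
                out.append(f"{n}: ACL {src}->{dst} is not mirrored on {m}")
            if not any(dst == i.network for i in you["ifaces"]):
                out.append(f"{n}: ACL destination {dst} is not a LAN on {m}")
            if not reachable(dst.network_address):
                out.append(f"{n}: no specific route to {dst}")
    return out

if __name__ == "__main__":
    print("\n".join(check_pair(router(R1), router(R2))) or "no findings")
```

Running it on the posted values reports seven findings and none on the corrected values; the 3des/md5/group 2 policy, telnet-only VTY lines and default SNMP communities in both configs are worth replacing once the tunnel is up.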
08-10-2023 02:20 AM
What about the crypto isakmp key command?