02-07-2019 11:33 AM
Hi,
Below is the R1 VPN Configuration:
crypto ikev2 proposal PHASE1PROPOSAL
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy PHASE1POLICY
proposal PHASE1PROPOSAL
!
crypto ikev2 keyring VPNKEY
peer R3
address 172.16.17.2
pre-shared-key cisco?123
!
!
!
crypto ikev2 profile PHASE1PROFILE
match identity remote fqdn r3.lab
identity local fqdn r1.lab
authentication remote pre-share
authentication local pre-share
keyring local VPNKEY
!
!
!
crypto ipsec transform-set TSET ah-sha256-hmac esp-aes 256
mode tunnel
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.17.2
set transform-set TSET
set ikev2-profile PHASE1PROFILE
match address 111
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
ip address 172.16.16.1 255.255.255.0
ip ospf 1 area 0
speed auto
duplex auto
crypto map vpn
!
!
router ospf 1
router-id 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
And below is the R3 VPN configuration:
crypto ikev2 proposal PHASE1PROPOSAL
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy PHASE1POLICY
proposal PHASE1PROPOSAL
!
crypto ikev2 keyring VPNKEY
peer R3
address 172.16.16.1
pre-shared-key cisco?123
!
!
!
crypto ikev2 profile PHASE1PROFILE
match identity remote fqdn r1.lab
identity local fqdn r3.lab
authentication remote pre-share
authentication local pre-share
keyring local VPNKEY
!
!
!
crypto ipsec transform-set TSET ah-sha256-hmac esp-aes 256
mode tunnel
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.16.1
set transform-set TSET
set ikev2-profile PHASE1PROFILE
match address 111
!
interface FastEthernet0/0
ip address 172.16.17.2 255.255.255.0
ip ospf 1 area 0
duplex full
crypto map vpn
!
interface FastEthernet1/1
ip address 192.168.2.1 255.255.255.0
speed auto
duplex auto
!
!
router ospf 1
router-id 3.3.3.3
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
The VPN is connecting and I can ping from the R1 LAN interface (192.168.1.1) to the R3 LAN interface (192.168.2.1), and packet encapsulation and decapsulation are happening without any issue.
I am facing the below issue:
My LAN hosts are not reachable over IPsec.
02-07-2019 11:45 AM
Hi,
1. First, try to ping the router LAN interface. If it is not reachable, then check your ACL, route and VPN configuration for Phase 1 and Phase 2.
2. If the router LAN-to-LAN interface is reachable but the host is not reachable, then verify that the host subnet is allowed in the VPN ACL. If yes, then turn off CEF and turn it on again (this is as per my experience).
Regards,
Deepak Kumar
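Step 2 above comes down to whether a given host-to-host flow is selected by the crypto ACL on both routers, forward on one side and reverse on the other. The following is an added example, not code from the thread: it parses the two access-list 111 lines posted above, applies IOS wildcard-mask matching, and reports each direction separately. NARROW_R3_ACL is a constructed entry that only covers the R3 LAN interface, to show the symptom shape where router-to-router pings work but host traffic does not (only contiguous wildcard masks are handled).

```python
import ipaddress
import re

# Taken from the access-list 111 lines in the two configs posted above.
R1_ACL = "access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
R3_ACL = "access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"
# Constructed (not from the thread): R3 ACL that only selects the router's own LAN IP.
NARROW_R3_ACL = "access-list 111 permit ip 192.168.2.1 0.0.0.0 192.168.1.0 0.0.0.255"

def to_net(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 is a /24, 0.0.0.0 a /32."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """Return the (src_net, dst_net) pairs from every 'permit ip A WA B WB' line."""
    return [(to_net(s, sw), to_net(d, dw))
            for s, sw, d, dw in re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", text)]

def matches(acl, src, dst):
    """True if src->dst is 'interesting traffic' under this crypto ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in acl)

def protected_both_ways(local_acl, remote_acl, src, dst):
    """A host flow only works if the local ACL selects the forward packets
    AND the remote ACL selects the replies; report each direction separately."""
    return {"forward": matches(local_acl, src, dst),
            "reverse": matches(remote_acl, dst, src)}

def mirrors(acl_a, acl_b):
    """Crypto ACLs on the two peers should be exact mirror images of each other."""
    return set(acl_a) == {(d, s) for s, d in acl_b}

if __name__ == "__main__":
    r1, r3, narrow = parse_acl(R1_ACL), parse_acl(R3_ACL), parse_acl(NARROW_R3_ACL)
    print("posted ACLs mirror:", mirrors(r1, r3))
    print("host 192.168.1.10 -> 192.168.2.20:", protected_both_ways(r1, r3, "192.168.1.10", "192.168.2.20"))
    print("same hosts with the narrow R3 ACL:", protected_both_ways(r1, narrow, "192.168.1.10", "192.168.2.20"))
    print("router LAN IPs with the narrow R3 ACL:", protected_both_ways(r1, narrow, "192.168.1.1", "192.168.2.1"))
```

With the posted ACLs every host pair in the two /24s is selected in both directions, so in this thread the ACL is not the cause and the next suspects are the host default gateway and the CEF behaviour mentioned in the replies.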
02-20-2019 10:41 AM
Hi,
Thanks. I am working on a lab in GNS3, and turning off CEF and turning it back on resolved my issue.
02-08-2019 05:26 PM
As a first step can you verify that each router can successfully ping the peer address of the remote peer?
As a second step, you tell us that "I can ping from R1 LAN interface (192.168.1.1) to R3 LAN interface (192.168.2.1)". This is good. Can you tell us whether there is any possibility that hosts in one of the LANs have a default gateway that is different from the router you tell us about at that site? (A traceroute from a host in one LAN to a host in the remote LAN might be helpful for this.)
As a third step can you post the output of show crypto ipsec sa from both routers?
HTH
Rick