691 Views · 5 Helpful · 12 Replies

Can't establish IPsec Tunnel

nino.sehovic
Level 1

Hi everyone, I cannot establish a tunnel to a remote peer 77.77.88.88.

The other end 77.77.88.88 works fine and has several tunnels running. This is a new site configured.

Do any of you see the problem here? The tunnel is not getting up at ALL!

Thank you in advance!


hostname TEST
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTHENTICATION-LOCAL local
aaa authorization exec default local
aaa authorization network AUTHORIZATION-LOCAL local
!
aaa session-id common
!
resource policy
!
network-clock-participate wic 0
ip cef
!
!
!
!
ip name-server 77.77.77.20
ip name-server 77.77.77.10
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username RAdmin privilege 15 secret 5 $1$/XRe$ahDFZKBfYuPgLyrRLCL/Z1
!
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 3
encr aes
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key TEST address 77.77.88.88 no-xauth
!
!
crypto ipsec transform-set test_set1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Tunnel
set peer 77.77.88.88
set transform-set test_set
match address 101
!
!
!
!
!
interface FastEthernet0/0
ip address 77.77.77.78 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 10.10.99.254 255.255.254.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0/0/0
no ip address
!
interface BRI0/0/1
no ip address
!
interface Serial0/1/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface BRI0/2/0
no ip address
encapsulation hdlc
shutdown
!
ip local pool VPN-POOL 10.10.99.201 10.10.99.206
ip route 0.0.0.0 0.0.0.0 77.77.77.77
!
!
ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
!
ip access-list extended NAT-ACL
deny ip 10.10.98.0 0.0.1.255 192.168.104.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 10.10.0.0 0.0.15.255
deny ip 10.10.98.0 0.0.1.255 192.168.1.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 192.168.109.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 192.168.117.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 192.168.101.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 10.10.16.0 0.0.15.255
permit ip 10.10.98.0 0.0.1.255 any
!
access-list 101 permit ip 10.10.98.0 0.0.1.255 192.168.104.0 0.0.0.255
access-list 101 permit ip 10.10.98.0 0.0.1.255 10.10.0.0 0.0.15.255
access-list 102 permit ip 10.10.98.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.10.98.0 0.0.1.255 192.168.117.0 0.0.0.255
access-list 102 permit ip 10.10.98.0 0.0.1.255 192.168.109.0 0.0.0.255
access-list 103 permit ip 10.10.98.0 0.0.1.255 192.168.101.0 0.0.0.255
access-list 103 permit ip 10.10.98.0 0.0.1.255 10.10.16.0 0.0.15.255
!
!
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end

12 Replies

Hello


Your transform set is different

crypto ipsec transform-set ilijas_set1 esp-3des esp-sha-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Tunnel
set peer 77.77.88.88
set transform-set test_set


res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Actually I forgot to rename it for the forum here :) Thanks for pointing that out, but in the real configuration that isn't really the issue. It really feels to me that I'm missing something important...

Hello

The above misconfiguration I highlighted would result in an issue, but I don't understand the "real configuration that isn't really the issue. It really feels to me that I'm missing something important".

Without seeing your real configuration it would be hard to establish the reason it isn't working.

Do you have all the crypto configuration correct?
Do you have connection to 77.77.88.88?
What are the debugs showing?

Is this a phase 1 issue - ISAKMP?
Is this a phase 2 issue - IPsec?

show crypto isakmp sa
show crypto ipsec sa

debug crypto isakmp
debug crypto ipsec


res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
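An added example, not from Paul's post or from Cisco: a small Python triage helper that applies the phase 1 / phase 2 split above to the output of the two show commands. It parses the ISAKMP SA table and the IPsec packet counters and says which phase to debug first. The sample outputs are constructed (the empty ISAKMP table is the one Nino posts further down the thread); the column positions and the meaning attached to each main-mode state are assumptions about IOS output, not something the thread states.

```python
# Triage for the 'show crypto isakmp sa' / 'show crypto ipsec sa' step: decide whether a
# crypto-map tunnel is failing in phase 1 (ISAKMP), failing in phase 2 (IPsec), or is up.
# Hypothetical helper written for this thread, not Cisco tooling; the sample outputs below
# are constructed in the column layout of the empty table posted later in the thread.
import re

# IKEv1 main-mode states as IOS prints them, with what each one usually means.
PHASE1_STATES = {
    "MM_NO_STATE": "ISAKMP SA torn down or never negotiated: peer unreachable or no matching policy",
    "MM_SA_SETUP": "policy agreed, key exchange not started",
    "MM_KEY_EXCH": "DH exchange done, authentication pending (classic symptom of a pre-shared key mismatch)",
    "MM_KEY_AUTH": "authentication in progress",
    "QM_IDLE": "phase 1 established, quick mode (phase 2) can run",
}


def parse_isakmp_sa(text):
    """Return [(dst, src, state)] from 'show crypto isakmp sa'; header lines and empty tables yield []."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[2] in PHASE1_STATES:
            rows.append((tok[0], tok[1], tok[2]))
    return rows


def parse_ipsec_counters(text):
    """Return (encaps, decaps) packet counters from 'show crypto ipsec sa' ((0, 0) if no SA is listed)."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)


def triage(isakmp_text, ipsec_text, peer):
    """Return (category, explanation); category is one of phase1, phase2, oneway, up."""
    rows = [r for r in parse_isakmp_sa(isakmp_text) if peer in r[:2]]
    if not rows:
        return "phase1", f"no ISAKMP SA with {peer}: check reachability on UDP/500, the ISAKMP policies, and that interesting traffic hits the crypto map"
    state = rows[0][2]
    if state != "QM_IDLE":
        return "phase1", f"ISAKMP SA stuck in {state}: {PHASE1_STATES[state]}"
    enc, dec = parse_ipsec_counters(ipsec_text)
    if enc == 0 and dec == 0:
        return "phase2", "phase 1 is up but no packets are encapsulated: compare transform sets and crypto ACLs"
    if dec == 0:
        return "oneway", f"{enc} packets encrypted, none decrypted: the far end is not sending (its crypto ACL or routing)"
    return "up", f"tunnel passing traffic: {enc} encaps / {dec} decaps"


# Empty table as posted further down in this thread (no SA at all).
EMPTY_ISAKMP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA
"""
# Constructed sample: phase 1 complete with the thread's peer addresses.
UP_ISAKMP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
77.77.88.88     77.77.77.78     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""
# Constructed sample: the lines that matter from 'show crypto ipsec sa' for a one-way tunnel.
ONEWAY_IPSEC = """   local  ident (addr/mask/prot/port): (10.10.98.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.104.0/255.255.255.0/0/0)
   current_peer 77.77.88.88 port 500
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for isakmp, ipsec in ((EMPTY_ISAKMP, ""), (UP_ISAKMP, ""), (UP_ISAKMP, ONEWAY_IPSEC)):
        print(*triage(isakmp, ipsec, "77.77.88.88"))
```

Run against the empty table it reports a phase 1 problem, which is the conclusion reached later in the thread; the counters only come into play once an SA with the peer reaches QM_IDLE.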

What I meant is I had to change the IP addresses because of security issues and that is all I changed. NOW...

The problem is I'm not sure if it's a phase 1 or 2 issue; the debug commands don't show me anything... which is weird...

hi,

It's difficult to troubleshoot if you don't give the config (or snippet) on the other VPN peer 77.77.88.88.

I've noticed your LAN IP is different on your ACL 101. Make sure there's a 'mirrored' ACL on both VPN peers in order to form an IPsec SA.

interface FastEthernet0/1
ip address 10.10.99.254 255.255.254.0

access-list 101 permit ip 10.10.98.0 0.0.1.255 192.168.104.0 0.0.0.255
access-list 101 permit ip 10.10.98.0 0.0.1.255 10.10.0.0 0.0.15.255

Perform the debug suggested and do a ping on an active IP on the remote peer network using the LAN source IP.

It's the same subnet John, 10.10.98.0 0.0.1.255 = 255.255.254.0, which means it's 10.10.98.1 - 10.10.99.254, that's the range of IP addresses it has...
Anyways the #sh crypto isakmp sa

shows no connections

#do sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

So it's definitely a phase 1 connection issue. I checked the policies and they match. Hmmmmm.....

hi,

Sorry, I've overlooked your ACL.

can you ping 77.77.77.77 and 77.77.88.88?

I'm still curious about the config on the other side though.

Yes, I can ping the outside interfaces from both sides...

Output from the other router (IP addresses have been changed).


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 4
encr aes 256
authentication pre-share
group 5
lifetime 7800
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 6
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 8
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 9
encr aes
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 10
encr aes
authentication pre-share
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 12
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2

!

crypto isakmp key TEST address 77.77.77.77 no-xauth
!
!
crypto ipsec transform-set test_set1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 12 ipsec-isakmp
description Tunnel to xxxx
set peer 77.77.77.77
set transform-set test_set1
match address 198

!


access-list 198 permit ip 192.168.104.0 0.0.0.255 10.10.98.0 0.0.1.255
access-list 198 permit ip 10.10.0.0 0.0.15.255 10.10.98.0 0.0.1.255
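With both sides posted, the checks the replies have been circling (a transform set that the crypto map actually references, a common ISAKMP policy, pre-shared keys bound to the peer's address, mirrored crypto ACLs) can be done mechanically. The Python helper below is an added example written for this thread, not Cisco tooling and not code from any of the posters. It embeds the two crypto sections as posted (the poster says the addresses were altered, so an address-binding finding may be an artefact of that sanitising: the first post shows FastEthernet0/0 as 77.77.77.78 while the remote side peers and keys 77.77.77.77) and reports what lines up and what does not. The IOS defaults for omitted policy attributes and the rule that lifetimes need not match are assumptions about IOS behaviour, not something the thread states.

```python
# Cross-check two IOS crypto-map VPN peers for the usual reasons a tunnel never comes up.
# Hypothetical helper written for this thread, not Cisco tooling; it understands only the
# commands that appear in the posted configs (net/wildcard ACLs, ipsec-isakmp map entries).

# IOS defaults for attributes omitted from a 'crypto isakmp policy' block.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}


def parse_config(cfg):
    """Extract ISAKMP policies/keys, transform sets, crypto-map entries and crypto ACLs."""
    out = {"policies": [], "keys": {}, "tsets": {}, "maps": [], "acls": {}}
    block = None  # the policy or crypto-map entry whose body lines are being read
    for raw in cfg.splitlines():
        tok = raw.split()  # indentation is ignored, so forum pastes still parse
        if not tok or tok[0] == "!":
            block = None
            continue
        head = " ".join(tok[:3])
        if head == "crypto isakmp policy":
            block = dict(ISAKMP_DEFAULTS, kind="policy", seq=int(tok[3]))
            out["policies"].append(block)
        elif head == "crypto isakmp key":  # crypto isakmp key KEY address PEER [no-xauth]
            out["keys"][tok[5]], block = tok[3], None
        elif head == "crypto ipsec transform-set":
            out["tsets"][tok[3]], block = tuple(tok[4:]), None
        elif head.startswith("crypto map") and "ipsec-isakmp" in tok:
            block = {"kind": "map", "seq": int(tok[3]), "peer": None, "transform-set": None, "address": None}
            out["maps"].append(block)
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            out["acls"].setdefault(tok[1], []).append(((tok[4], tok[5]), (tok[6], tok[7])))
        elif block and block["kind"] == "policy" and tok[0] in ISAKMP_DEFAULTS:
            block[tok[0]] = " ".join(tok[1:])  # 'encr aes 256' -> 'aes 256'
        elif block and block["kind"] == "map" and len(tok) == 3 and tok[1] in block:
            block[tok[1]] = tok[2]  # set peer X / set transform-set X / match address N
    return out


def cross_check(local_cfg, remote_cfg, local_ip, remote_ip):
    """Return (severity, message) findings; the IPs are the two crypto-map interface addresses."""
    a, b = parse_config(local_cfg), parse_config(remote_cfg)
    f = []
    # 1. A crypto map naming a transform set that does not exist never proposes anything.
    f.extend(("ERROR", f"local crypto map seq {m['seq']} uses undefined transform-set '{m['transform-set']}'")
             for m in a["maps"] if m["transform-set"] not in a["tsets"])
    # 2. Phase 1 needs one policy pair agreeing on encr/hash/auth/group (lifetime is negotiated down).
    pairs = [(p["seq"], q["seq"]) for p in a["policies"] for q in b["policies"]
             if all(p[k] == q[k] for k in ("encr", "hash", "authentication", "group"))]
    f.append(("OK", f"phase 1 proposals intersect (local policy {pairs[0][0]}, remote policy {pairs[0][1]})")
             if pairs else ("ERROR", "no ISAKMP policy is common to both peers"))
    # 3. Each side needs a pre-shared key bound to the other side's real address, and they must match.
    ka, kb = a["keys"].get(remote_ip), b["keys"].get(local_ip)
    if ka is None or kb is None:
        f.append(("ERROR", f"key not bound to peer address: local keys {sorted(a['keys'])} (needs {remote_ip}), remote keys {sorted(b['keys'])} (needs {local_ip})"))
    elif ka != kb:
        f.append(("ERROR", "pre-shared keys differ"))
    # 4. Phase 2: the map entries must point at each other and agree on transform set and ACL.
    for m in a["maps"]:
        partners = [r for r in b["maps"] if r["peer"] == local_ip]
        if m["peer"] != remote_ip or not partners:
            f.append(("ERROR", f"peers do not line up: local map peers {m['peer']}, remote maps peer {[r['peer'] for r in b['maps']]}, expected {remote_ip} / {local_ip}"))
        for r in partners:
            if a["tsets"].get(m["transform-set"]) != b["tsets"].get(r["transform-set"]):
                f.append(("ERROR", f"transform sets differ: local {m['transform-set']} vs remote {r['transform-set']}"))
            # Crypto ACLs must be exact mirrors: each local (src, dst) appears remotely as (dst, src).
            ok = {(s, d) for s, d in a["acls"].get(m["address"], [])} == {(d, s) for s, d in b["acls"].get(r["address"], [])}
            f.append(("OK" if ok else "ERROR", f"local ACL {m['address']} {'mirrors' if ok else 'does NOT mirror'} remote ACL {r['address']}"))
    return f


# Crypto sections as posted in this thread (addresses already altered by the poster);
# the remote side is trimmed to the one policy that can match the local one.
LOCAL_CFG = """
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key TEST address 77.77.88.88 no-xauth
crypto ipsec transform-set test_set1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 77.77.88.88
 set transform-set test_set
 match address 101
access-list 101 permit ip 10.10.98.0 0.0.1.255 192.168.104.0 0.0.0.255
access-list 101 permit ip 10.10.98.0 0.0.1.255 10.10.0.0 0.0.15.255
"""
REMOTE_CFG = """
crypto isakmp policy 9
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key TEST address 77.77.77.77 no-xauth
crypto ipsec transform-set test_set1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 12 ipsec-isakmp
 set peer 77.77.77.77
 set transform-set test_set1
 match address 198
access-list 198 permit ip 192.168.104.0 0.0.0.255 10.10.98.0 0.0.1.255
access-list 198 permit ip 10.10.0.0 0.0.15.255 10.10.98.0 0.0.1.255
"""

if __name__ == "__main__":  # 77.77.77.78 is the FastEthernet0/0 address in the first post
    for sev, msg in cross_check(LOCAL_CFG, REMOTE_CFG, "77.77.77.78", "77.77.88.88"):
        print(sev, msg)
```

On the posted values the phase 1 policies do intersect (local policy 1 with remote policy 9), and ACL 101 is an exact mirror of ACL 198, so the findings that remain are the transform-set name the local map references and the address the remote side binds its key and peer to. Once the map points at test_set1 and the local address given to the check is the one the remote side actually peers, every finding is OK.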

hi,

can you remove the 'no-xauth' keyword on both VPN peers and perform debug and ping again?

It didn't change anything, I removed the no-xauth command and nothing changed... still won't establish a tunnel...

I tried everything... I reconfigured the crypto maps and policies etc.
I am really stuck, any help would be appreciated...

victor melo
Level 1

Hello Nino..

I am not an expert in IPsec tunnels... But if the configuration is too long and complicated... Why don't you go for a more simple configuration like a GRE tunnel?

I have an easy GRE tunnel configuration in my blog in case you need it.. http://ccnp300-101.blogspot.com/

I hope it would be useful!
