Site to Site ipsec VPN lab setup not working

david.santel
Level 1

I can't seem to get an IPsec site-to-site lab VPN tunnel started or any packets to cross the VPN tunnel.

Can you take a look and see what I am doing wrong? Any ideas on how to troubleshoot this would be great!

More info needed?

===============================================================

CCC#sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

CCC#

===============================================================

CCC#sh crypto map
Crypto Map "aesmap" 10 ipsec-isakmp
        Peer = 100.0.0.2
        Extended IP access list acl_vpn
            access-list acl_vpn permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
        Current peer: 100.0.0.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ aes-sha-transform, }
        Interfaces using crypto map aesmap:
                Serial0/0

CCC#

================================================================

CCC#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: aesmap, local addr. 100.0.0.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 100.0.0.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 100.0.0.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

====================================================

CCC#sh crypto isakmp sa
dst             src             state           conn-id    slot

CCC#

==========================================================

CCC#sh ip route

Gateway of last resort is not set

     100.0.0.0/24 is subnetted, 1 subnets
C       100.0.0.0 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
R    192.168.2.0/24 [120/1] via 100.0.0.2, 00:00:04, Serial0/0

==========================================================

Router 1: 2651XM

CCC#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK8S-M), Version 12.2(24), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 28-Apr-04 15:30 by kellmill
Image text-base: 0x8000808C, data-base: 0x8128C7D8

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

CCC uptime is 1 hour, 48 minutes
System returned to ROM by reload
System image file is "flash:flash[A"

Building configuration...

Current configuration : 1001 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CCC
!
!
ip subnet-zero
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key testkey123 address 100.0.0.2
!
!
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
!
!
crypto map aesmap 10 ipsec-isakmp
 set peer 100.0.0.2
 set transform-set aes-sha-transform
 match address acl_vpn
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 100.0.0.1 255.255.255.0
 clockrate 250000
 crypto map aesmap
!
interface FastEthernet0/1
 ip address 10.10.10.10 255.0.0.0
 duplex auto
 speed auto
!
router rip
 network 100.0.0.0
 network 192.168.1.0
!
ip classless
no ip http server
!
!
ip access-list extended acl_vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end


===================================================

Router 2 - 2502

outoffice#sh run
Building configuration...

Current configuration : 1404 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname outoffice
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key testkey123 address 100.0.0.1
!
!
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set aes-sha-transform
 match address acl_vpn
!
!
!
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface Serial0
 ip address 100.0.0.2 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 crypto map aesmap
!
!
interface Serial1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface BRI0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 isdn x25 static-tei 0
 cdapi buffers regular 0
 cdapi buffers raw 0
 cdapi buffers large 0
!
router rip
 network 100.0.0.0
 network 192.168.2.0
!
ip kerberos source-interface any
ip classless
no ip http server
!
!
ip access-list extended acl_vpn
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
 transport input none
line aux 0
 transport input all
line vty 0 4
 login
!
end


6 Replies

Reza Sharifi
Hall of Fame

Is the serial interface between the routers in up and up mode?

Can you ping from 192.168.1.1 to 192.168.2.1 and vice versa?

As you can see I have full ping from 192.168.1.1 to 192.168.2.1 and vice versa.

Why is the tunnel not coming up?

CCC#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms
CCC#

===================================

outoffice#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms
outoffice#

==============

outoffice#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     100.0.0.0/24 is subnetted, 1 subnets
C       100.0.0.0 is directly connected, Serial0
R    192.168.1.0/24 [120/1] via 100.0.0.1, 00:00:24, Serial0
C    192.168.2.0/24 is directly connected, Ethernet0
outoffice#
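
Why the successful pings above do not start the tunnel, as an added check that is not part of the thread: IOS sources a plain ping from the interface the packet exits, so CCC's `ping 192.168.2.1` leaves Serial0/0 as 100.0.0.1 to 192.168.2.1, which acl_vpn (192.168.1.0/24 to 192.168.2.0/24) does not cover, and only traffic matching the crypto ACL triggers ISAKMP. This script parses the two ACLs exactly as posted, confirms they mirror each other, and tests the plain ping against one sourced from the LAN address 192.168.1.1 (an extended ping with a source address); the function names are mine.

```python
import ipaddress
import re

# Constructed copies of the crypto ACL each router posted (acl_vpn on both sides).
ACL_CCC = """\
ip access-list extended acl_vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ACL_OUTOFFICE = """\
ip access-list extended acl_vpn
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
PERMIT = re.compile(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*$")


def to_network(addr, wildcard):
    """IOS 'address wildcard' -> network; a wildcard is an inverted netmask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text):
    """Return (src_net, dst_net) for every 'permit ip A wc B wc' entry."""
    acl = []
    for line in text.splitlines():
        m = PERMIT.match(line)
        if m:
            src, swc, dst, dwc = m.groups()
            acl.append((to_network(src, swc), to_network(dst, dwc)))
    return acl


def is_interesting(acl, src_ip, dst_ip):
    """True if a src->dst packet matches the crypto ACL and so triggers IKE."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in acl)


def mirrored(acl_a, acl_b):
    """Each side's ACL must be the other's with source and destination swapped."""
    return sorted((str(s), str(d)) for s, d in acl_a) == \
        sorted((str(d), str(s)) for s, d in acl_b)


if __name__ == "__main__":
    ccc, out = parse_crypto_acl(ACL_CCC), parse_crypto_acl(ACL_OUTOFFICE)
    print("ACLs mirrored:", mirrored(ccc, out))
    # A plain 'ping 192.168.2.1' on CCC exits Serial0/0 sourced from 100.0.0.1; acl_vpn
    # does not cover that pair, so the ping is forwarded in the clear and IKE never starts.
    print("plain ping is interesting traffic:", is_interesting(ccc, "100.0.0.1", "192.168.2.1"))
    # A ping sourced from the LAN address matches the ACL and would trigger the tunnel.
    print("LAN-sourced ping is interesting traffic:", is_interesting(ccc, "192.168.1.1", "192.168.2.1"))
```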

Under policy 10 on both routers, can you configure "group 2" and test again?

If group 2 does not work, try group 1.

I added "Group 2" to both routers; nothing comes up under

sh crypto isakmp sa

I also rebooted routers.

I removed group 2 and added group 1. Still no VPN activity via sh crypto isakmp sa.

Could this be an IOS VPN licensing caveat? I think both routers are configured correctly. Do you agree?

=====================================================

Router 1 - 2651XM

CCC#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK8S-M), Version 12.2(24), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 28-Apr-04 15:30 by kellmill
Image text-base: 0x8000808C, data-base: 0x8128C7D8

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

CCC uptime is 19 minutes
System returned to ROM by reload
System image file is "flash:flash[A"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 2651XM (MPC860P) processor (revision 0x100) with 125952K/5120K bytes of memory.
Processor board ID JAD07090HR0 (1833034505)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
49152K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

CCC#

============================================

Router 2 - 2502

outoffice#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JK8OS-L), Version 12.2(1d), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 03-Feb-02 22:01 by srani
Image text-base: 0x0307EEE0, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

outoffice uptime is 22 minutes
System returned to ROM by reload
System image file is "flash:ios.bin"

cisco 2500 (68030) processor (revision N) with 14336K/2048K bytes of memory.
Processor board ID 11163382, with hardware revision 00000001
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102

outoffice#

I agree. A couple of things: the IOS for both routers needs to have "K9" in the IOS name to support VPN/security.

So, if you can find an IOS for both routers with K9 in it, we can eliminate the IOS issue. The problem is that you have a 2502 that is very, very old, and I am not sure if you can find an IOS for it that supports VPN. However, you should be able to find one for the 2600 on CCO, as they are not as old as the 2500 series. The other thing is that I am not sure if the 2500 series supports VPN at all.

One more thing: can you change the encryption to aes on both sides and test?
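
A consistency check between the two posted configurations, added here as an example and not code from the thread: it pulls the pre-shared key, peer addresses, transform set and crypto-map interface out of each side, cross-references them, flags the esp-des transform (the set is named aes-sha-transform but uses 56-bit DES, which is what the suggestion to switch to aes addresses), and applies the K9 image-name check from the reply above. The excerpts are constructed from the outputs posted in this thread and the function names are mine.

```python
# Constructed excerpts of both routers' posts (sh ver image line plus crypto lines of sh run).
CCC = """\
IOS (tm) C2600 Software (C2600-IK8S-M), Version 12.2(24), RELEASE SOFTWARE (fc1)
crypto isakmp key testkey123 address 100.0.0.2
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer 100.0.0.2
interface Serial0/0
 ip address 100.0.0.1 255.255.255.0
 crypto map aesmap
"""
OUTOFFICE = """\
IOS (tm) 2500 Software (C2500-JK8OS-L), Version 12.2(1d), RELEASE SOFTWARE (fc1)
crypto isakmp key testkey123 address 100.0.0.1
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer 100.0.0.1
interface Serial0
 ip address 100.0.0.2 255.255.255.0
 crypto map aesmap
"""

def summarize(cfg):  # fields that must agree or cross-reference between peers
    s, ip = {"k9": False}, None
    for line in cfg.splitlines():
        t = line.split()
        if line.startswith("IOS"):
            s["k9"] = "K9" in line  # K9 feature set = strong-crypto (3DES/AES) image
        elif t[:3] == ["crypto", "isakmp", "key"]:
            s["key"], s["key_peer"] = t[3], t[5]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            s["ts"], s["algs"] = t[3], tuple(t[4:])
        elif t[:2] == ["set", "peer"]:
            s["peer"] = t[2]
        elif t[:2] == ["ip", "address"]:
            ip = t[2]  # address of the interface currently being parsed
        elif t[:2] == ["crypto", "map"] and len(t) == 3:
            s["local"] = ip  # 'crypto map NAME' binds the map to that interface
    return s

def check_pair(a, b):  # findings for an A<->B pair; empty list means both sides agree
    f = [f"{label} differs between peers" for key, label in
         (("key", "pre-shared key"), ("algs", "transform set")) if a[key] != b[key]]
    for me, other in ((a, b), (b, a)):
        if not me["peer"] == me["key_peer"] == other["local"]:
            f.append(f"{me['local']}: peer address is not the far side's crypto-map interface")
        if weak := {"esp-des", "esp-null"} & set(me["algs"]):  # 56-bit DES / no encryption
            f.append(f"{me['local']}: weak transform {sorted(weak)} in set {me['ts']!r}")
        if not me["k9"]:
            f.append(f"{me['local']}: IOS image name has no K9 feature set")
    return f
```

For this lab the key, peers and transform sets agree, and only the esp-des and missing-K9 findings fire on both sides.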
