06-28-2018 09:17 AM - edited 03-12-2019 05:25 AM
I'm trying to configure an IPsec VPN gateway-to-gateway between Cisco 891-24X (using Cisco CP Express 3.5.2) and Cisco RV325 (firmware v1.3.2.02) routers.
I'm trying to set up on the Cisco 891 a static site-to-site VPN, selecting the IKEv1 key exchange model and following the next steps: when I save the configuration I receive an "invalid input" error.
I can't understand the reason for the error. Has someone succeeded in setting up a VPN between these 2 devices?
Thanks!
06-29-2018 08:30 AM
Hi, on the local side I have
and on the remote side
On the Vodafone Stations the UDP 500 and 4500 port forwarding is set. I chose the IKEv1 protocol for compatibility with the gateway-to-gateway configuration on the RV325.
VPN configuration on the local side: file C891.pdf; VPN configuration on the remote side: file RV325.jpg.
Thank you.
06-28-2018 04:22 PM
Have you tried doing the config through the CLI?
If so, send the config and do "sh cry ikev1 sa".
06-29-2018 08:40 AM
Hi, although I am not an expert in this field, I tried to load the following script:
*************************************************************************
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto keyring isakmp-keyring
local-address Vlan1
pre-shared-key address ***.***.***.*** key ##########
crypto isakmp profile MY_PROFILE
keyring isakmp-keyring
match identity address 0.0.0.0
self-identity address
local-address Vlan1
crypto ipsec transform-set MY_SET esp-3des esp-sha-hmac
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.65.0 0.0.0.15
crypto map MY_CRYPTO_MAP 100 ipsec-isakmp
set peer ***.***.***.***
set transform-set MY_SET
set isakmp-profile MY_PROFILE
no set pfs
match address 100
interface GigabitEthernet0/0
[
description PrimaryWANDesc_
ip address dhcp hostname WAN0 [192.168.3.5]
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
]
crypto map MY_CRYPTO_MAP
*************************************************************************
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.3.5 ***.***.***.*** MM_NO_STATE 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
*************************************************************************
#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: MY_CRYPTO_MAP, local addr 192.168.3.5
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.65.0/255.255.255.240/0/0)
current_peer ***.***.***.*** port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.3.5, remote crypto endpt.: ***.***.***.***
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
*************************************************************************
#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: ***.***.***.*** port 500
Session ID: 0
IKEv1 SA: local 192.168.3.5/500 remote ***.***.***.***/500 Inactive
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.65.0/255.255.255.240
Active SAs: 0, origin: crypto map
Thank you.
06-29-2018 08:48 AM
Hi,
You have got an incorrect subnet/wildcard mask defined.
On the router: "access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.65.0 0.0.0.15"
In the screenshot of the RV325 you have defined a subnet mask of 255.255.255.128, which would mean the wildcard mask on the router should be 0.0.0.127. Or the wildcard mask is incorrect on the router.
Ultimately they need to be consistent on both sides.
HTH
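As an added example (not from the thread, and not Cisco's code), here is a small Python check of the point above: it converts between the IOS wildcard notation and the dotted subnet mask the RV325 asks for, and verifies that the router's crypto ACL mirrors the peer's local/remote networks exactly (the proxy IDs must match or Phase 2 never comes up). The ACL line and RV325 values are constructed to match the thread; the ACL format and helper names are assumptions.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread: the 891's crypto ACL and the
# networks as entered on the RV325 (address plus dotted subnet mask).
IOS_ACL = "access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.65.0 0.0.0.15"
RV325_LOCAL = ("192.168.65.0", "255.255.255.240")   # RV325's own LAN
RV325_REMOTE = ("10.10.10.0", "255.255.255.128")    # what the RV325 expects behind the 891


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACL wildcard (0.0.0.15) -> network (192.168.65.0/28).

    Inverting the bits explicitly avoids ipaddress treating 0.0.0.0 as /0
    (in a wildcard it means a single host, /32)."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def subnet_to_wildcard(netmask: str) -> str:
    """Dotted subnet mask as typed on the RV325 (255.255.255.128) -> IOS wildcard (0.0.0.127)."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(netmask)) & 0xFFFFFFFF))


def parse_crypto_acl(line: str):
    """Return (local, remote) networks from a simple 'permit ip A WA B WB' ACE."""
    m = re.match(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line)
    if not m:
        raise ValueError("not a simple 'permit ip' ACE")
    return wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])


def proxy_id_mismatches(acl_line, peer_local, peer_remote):
    """List the proxy-ID mismatches between the router ACL and the peer's view.

    The router's local network must equal the peer's remote network, and
    vice versa; each message suggests the wildcard the router ACL needs."""
    ios_local, ios_remote = parse_crypto_acl(acl_line)
    rv_local = ipaddress.IPv4Network(peer_local, strict=False)
    rv_remote = ipaddress.IPv4Network(peer_remote, strict=False)
    problems = []
    if ios_local != rv_remote:
        problems.append(f"router local {ios_local} != peer remote {rv_remote}; "
                        f"router ACL needs wildcard {subnet_to_wildcard(peer_remote[1])}")
    if ios_remote != rv_local:
        problems.append(f"router remote {ios_remote} != peer local {rv_local}; "
                        f"router ACL needs wildcard {subnet_to_wildcard(peer_local[1])}")
    return problems


if __name__ == "__main__":
    for p in proxy_id_mismatches(IOS_ACL, RV325_LOCAL, RV325_REMOTE) or ["proxy IDs mirror"]:
        print(p)
```

With the thread's values it reports the single 10.10.10.0/24 vs /25 mismatch and the 0.0.0.127 wildcard the reply above suggests.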
06-29-2018 09:22 AM
Thanks, I have corrected the configuration, but the VPN connection is still inactive:
#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: MY_CRYPTO_MAP, local addr 192.168.3.5
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (192.168.65.0/255.255.255.240/0/0)
current_peer ***.***.***.*** port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.3.5, remote crypto endpt.: ***.***.***.***
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
06-29-2018 10:17 AM
I set transport mode. Now the configuration is:
crypto keyring isakmp-keyring
local-address Vlan1
pre-shared-key address ***.***.***.*** key cFl29SJ3TGbhpXyIurkt
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp profile isakmp-profile
! This profile is incomplete (no match identity statement)
crypto isakmp profile MY_PROFILE
keyring isakmp-keyring
self-identity address
match identity address 0.0.0.0
local-address Vlan1
!
!
crypto ipsec transform-set MY_SET esp-3des esp-sha-hmac
mode transport
!
!
!
!
crypto map MY_CRYPTO_MAP 100 ipsec-isakmp
set peer ***.***.***.***
set transform-set MY_SET
set isakmp-profile MY_PROFILE
match address 100
!
!
!
!
!
!
interface GigabitEthernet0/0
description PrimaryWANDesc_
ip address dhcp hostname WAN0
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
crypto map MY_CRYPTO_MAP
**********************************************************************
The debug command doesn't show any messages:
#debug crypto IKEv1
^
% Invalid input detected at '^' marker.
#debug crypto IKE
IKEv2 default debugging is on