11-29-2019 10:01 AM - edited 02-21-2020 09:48 PM
Hello. I am very new to networking, and I am working on a school project in GNS3 to simulate a network topology that I have created. Here is my setup so far:
Configuration for R7:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R7
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key naeem_vpn address 1.1.1.1
!
crypto ipsec transform-set transform_set_vpn esp-aes 256 esp-sha-hmac
!
crypto map crypto_map 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set transform_set_vpn
 set pfs group5
 match address vpn_traffic
!
interface FastEthernet0/0
 ip address 192.168.6.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.7.254 255.255.255.0
 duplex auto
 speed auto
 crypto map crypto_map
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
router eigrp 1
 network 192.168.6.0
 network 192.168.7.0
 auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended vpn_traffic
 permit ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
Configuration for R5:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key naeem_vpn address 1.1.1.2
!
crypto ipsec transform-set transform_set_vpn esp-aes 256 esp-sha-hmac
!
crypto map crypto_map 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set transform_set_vpn
 set pfs group5
 match address vpn_traffic
!
interface FastEthernet0/0
 ip address 192.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.5.254 255.255.255.0
 duplex auto
 speed auto
 crypto map crypto_map
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
router eigrp 1
 network 192.168.4.0
 network 192.168.5.0
 auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended vpn_traffic
 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
Routers R1, R2, and R3 are connected through OSPF routing, and the rest of the routers are connected to their respective areas through EIGRP. Additionally, R2 and R3 both advertise their EIGRP and OSPF routes to each other. Basically, there is a link between every node, I can reach every node from any location, and all of them have internet access.
I want to establish an encrypted connection between R7 and R5. I have taken the approach of implementing site-to-site IPsec tunneling, but when I run show crypto session on either router, it says the session status is DOWN. I have tried pinging both sides, but the status is still down.
What am I doing wrong here? Any help will be really appreciated!
11-29-2019 10:08 AM - edited 11-29-2019 10:12 AM
Hi,
It looks like you've assigned the crypto map to the Fa0/1 interface, when it needs to be assigned to the Fa0/0 interface.
You've also defined the peer IP addresses as 1.1.1.1 and 1.1.1.2, but you don't appear to have these IP addresses defined, unless you are NATting? Your diagram does not indicate that, though. The peer IP address would need to be the Fa0/0 IP address; each router should be able to ping the other router's Fa0/0 IP address.
HTH
11-29-2019 11:40 AM
I do have NAT, but that is only in router 1. R7 and R5 both use EIGRP to advertise their neighbors.
@Rob Ingram wrote: The peer IP address would need to be the Fa0/0 IP address; each router should be able to ping the other router's Fa0/0 IP address. HTH
Is there no way to have encryption only for f0/1 of both R7 and R5?
11-29-2019 11:54 AM
@Rob Ingram wrote: You've also defined the peer IP addresses as 1.1.1.1 and 1.1.1.2, but you don't appear to have these IP addresses defined
That is correct. I do not have those addresses. I misunderstood what those IPs are. I thought that would be a new IP created for traffic between these two interfaces.
If I want to tunnel the traffic of 192.168.7.1-254 from R7, and 192.168.5.1-254 between each other, what should I do?
I'm sorry if I'm not making any sense. I'm still very new to all this.
11-29-2019 12:06 PM
11-29-2019 12:23 PM
I understand now, and it works. Thank you so much!
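The fix described in this thread, applied to the addresses in the posted configs, as an added example that is not part of any post: the crypto map moves to Fa0/0 and each peer statement points at the other router's Fa0/0 address. It assumes R7 Fa0/0 (192.168.6.1) and R5 Fa0/0 (192.168.4.1) can reach each other across the routed core; the vpn_traffic ACLs stay as posted, so only traffic between 192.168.7.0/24 and 192.168.5.0/24 is encrypted.

```cisco
! Added example, entered in global configuration mode on each router.
! Assumption: 192.168.6.1 (R7 Fa0/0) and 192.168.4.1 (R5 Fa0/0) are mutually reachable.
!
! ---------- R7 ----------
! The pre-shared key must be bound to the real address of the remote peer.
no crypto isakmp key naeem_vpn address 1.1.1.1
crypto isakmp key naeem_vpn address 192.168.4.1
!
crypto map crypto_map 10 ipsec-isakmp
 no set peer 1.1.1.1
 set peer 192.168.4.1
!
! Remove the map from the LAN side and apply it where the traffic leaves
! the router towards the peer.
interface FastEthernet0/1
 no crypto map crypto_map
interface FastEthernet0/0
 crypto map crypto_map
!
! ---------- R5 ----------
no crypto isakmp key naeem_vpn address 1.1.1.2
crypto isakmp key naeem_vpn address 192.168.6.1
!
crypto map crypto_map 10 ipsec-isakmp
 no set peer 1.1.1.2
 set peer 192.168.6.1
!
interface FastEthernet0/1
 no crypto map crypto_map
interface FastEthernet0/0
 crypto map crypto_map
!
! ---------- Verification (exec mode on R7) ----------
! The tunnel is negotiated only when a packet matches vpn_traffic, so the
! test ping has to be sourced from the protected LAN address. A plain ping
! is sourced from Fa0/0, does not match the ACL, and leaves the session DOWN.
!
!   ping 192.168.5.254 source 192.168.7.254
!   show crypto isakmp sa     (phase 1: state QM_IDLE once negotiated)
!   show crypto ipsec sa      (phase 2: encaps/decaps counters increasing)
!   show crypto session       (session status UP-ACTIVE)
```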