Site-to-Site IPSEC VPN configuration not connecting

Naeem_Khan
Level 1

Hello. I am very new to networking, and I am working on a school project in GNS3 to simulate a network topology that I have created. Here is my setup so far:

 

(network topology diagram attached to the original post)

Configuration for R7:

!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R7
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
! 
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key naeem_vpn address 1.1.1.1
!
!
crypto ipsec transform-set transform_set_vpn esp-aes 256 esp-sha-hmac 
!
crypto map crypto_map 10 ipsec-isakmp 
 set peer 1.1.1.1
 set transform-set transform_set_vpn 
 set pfs group5
 match address vpn_traffic
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.6.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.7.254 255.255.255.0
 duplex auto
 speed auto
 crypto map crypto_map
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
router eigrp 1
 network 192.168.6.0
 network 192.168.7.0
 auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended vpn_traffic
 permit ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

Configuration for R5:

!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
! 
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key naeem_vpn address 1.1.1.2
!
!
crypto ipsec transform-set transform_set_vpn esp-aes 256 esp-sha-hmac 
!
crypto map crypto_map 10 ipsec-isakmp 
 set peer 1.1.1.2
 set transform-set transform_set_vpn 
 set pfs group5
 match address vpn_traffic
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.5.254 255.255.255.0
 duplex auto
 speed auto
 crypto map crypto_map
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
router eigrp 1
 network 192.168.4.0
 network 192.168.5.0
 auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended vpn_traffic
 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

Routers R1, R2, and R3 are connected through OSPF routing, and the rest of the routers are connected to their respective areas through EIGRP. Additionally, R2 and R3 both advertise their EIGRP and OSPF routes to each other. Basically there is a link between every node, I can reach every node from any location, and all of them have internet access.

 

I want to establish an encrypted connection between R7 and R5. I have taken the approach of implementing Site-to-Site IPsec tunneling, but when I do show crypto session on either router, it says the session status is DOWN. I have tried pinging both sides, but still the status is down.

 

What am I doing wrong here? Any help will be really appreciated!

Accepted Solution

The peer IP address defined in the crypto map should be the outside interface (Fa0/0) of the other router. Check that each router can ping the other router's Fa0/0 IP address.

The crypto map needs to be assigned to the Fa0/0 (outside) interface, as the tunnel will be formed between these interfaces. Your internal networks are defined in the vpn_traffic ACL; when the source network attempts to communicate with the remote peer's private network (also defined in the vpn_traffic ACL), that traffic should be tunneled over the VPN.

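To make the accepted solution's two checks mechanical, here is an added example (it is not from the thread, from Cisco, or from the poster's lab): a small Python script that parses the IPsec-relevant lines of two IOS configs and reports what would keep the session DOWN: a crypto-map peer that is not an address on the other router, a peer address whose interface has no crypto map applied, a missing ISAKMP key for the peer, a non-mirrored crypto ACL, or mismatched transform set / PFS group. The inputs are constructed from the R7 and R5 configs above; the ios_site template, parse_ios and check_pair are my own names, and the script treats any interface as "outside" rather than assuming Fa0/0.

```python
"""Consistency checks for a pair of IOS site-to-site IPsec configs (added example)."""
import ipaddress
import re


def ios_site(hostname, outside_ip, inside_ip, peer_ip, local_lan, remote_lan, map_on):
    """Render the IPsec-relevant lines of one router's config in the shape posted
    in the thread (constructed input; unrelated sections are dropped)."""
    def iface(name, ip):
        lines = [f"interface {name}", f" ip address {ip} 255.255.255.0"]
        if name == map_on:
            lines.append(" crypto map crypto_map")
        return "\n".join(lines)
    return "\n".join([
        f"hostname {hostname}",
        f"crypto isakmp key naeem_vpn address {peer_ip}",
        "crypto ipsec transform-set transform_set_vpn esp-aes 256 esp-sha-hmac",
        "crypto map crypto_map 10 ipsec-isakmp",
        f" set peer {peer_ip}",
        " set transform-set transform_set_vpn",
        " set pfs group5",
        " match address vpn_traffic",
        iface("FastEthernet0/0", outside_ip),
        iface("FastEthernet0/1", inside_ip),
        "ip access-list extended vpn_traffic",
        f" permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255",
    ])


# As posted: the 1.1.1.x peers exist on neither router and the map sits on the inside interface.
R7_POSTED = ios_site("R7", "192.168.6.1", "192.168.7.254", "1.1.1.1",
                     "192.168.7.0", "192.168.5.0", "FastEthernet0/1")
R5_POSTED = ios_site("R5", "192.168.4.1", "192.168.5.254", "1.1.1.2",
                     "192.168.5.0", "192.168.7.0", "FastEthernet0/1")
# As the accepted answer describes: peer = the other router's Fa0/0, map applied on Fa0/0.
R7_FIXED = ios_site("R7", "192.168.6.1", "192.168.7.254", "192.168.4.1",
                    "192.168.7.0", "192.168.5.0", "FastEthernet0/0")
R5_FIXED = ios_site("R5", "192.168.4.1", "192.168.5.254", "192.168.6.1",
                    "192.168.5.0", "192.168.7.0", "FastEthernet0/0")


def parse_ios(config):
    """Extract hostname, interface addresses, crypto-map placement, peers, keys,
    crypto ACL entries, transform set and PFS group from a running-config."""
    info = {"hostname": "?", "addresses": {}, "map_on": set(), "peers": set(),
            "key_addrs": set(), "acl": [], "transform": None, "pfs": None}
    block = None  # ("if", name) or ("acl", name) while inside an indented section
    for line in config.splitlines():
        if not line.startswith(" "):
            block = None
        if m := re.match(r"hostname (\S+)", line):
            info["hostname"] = m[1]
        elif m := re.match(r"interface (\S+)", line):
            block = ("if", m[1])
        elif m := re.match(r"ip access-list extended (\S+)", line):
            block = ("acl", m[1])
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            info["key_addrs"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            info["transform"] = m[1].strip()
        elif m := re.match(r" set peer (\S+)", line):
            info["peers"].add(m[1])
        elif m := re.match(r" set pfs (\S+)", line):
            info["pfs"] = m[1]
        elif block and block[0] == "if":
            if m := re.match(r" ip address (\S+) \S+", line):
                info["addresses"][block[1]] = m[1]
            elif re.match(r" crypto map \S+", line):
                info["map_on"].add(block[1])
        elif block and block[0] == "acl":
            if m := re.match(r" permit ip (\S+) (\S+) (\S+) (\S+)", line):
                # IOS wildcard masks are host masks; ipaddress accepts them directly.
                info["acl"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                                    ipaddress.ip_network(f"{m[3]}/{m[4]}")))
    return info


def check_pair(cfg_a, cfg_b):
    """Return findings that would keep the tunnel DOWN; an empty list means consistent."""
    a, b = parse_ios(cfg_a), parse_ios(cfg_b)
    findings = []
    for local, remote in ((a, b), (b, a)):
        name = local["hostname"]
        for peer in local["peers"]:
            owner = [i for i, ip in remote["addresses"].items() if ip == peer]
            if not owner:
                findings.append(f"{name}: set peer {peer} is not an address on {remote['hostname']}")
            elif not set(owner) & remote["map_on"]:
                findings.append(f"{name}: peer {peer} is {remote['hostname']} {owner[0]}, "
                                "which has no crypto map applied")
            if peer not in local["key_addrs"]:
                findings.append(f"{name}: no isakmp key configured for peer {peer}")
        if not local["map_on"]:
            findings.append(f"{name}: crypto map is not applied to any interface")
        for src, dst in local["acl"]:
            if (dst, src) not in remote["acl"]:
                findings.append(f"{name}: ACL entry {src} -> {dst} is not mirrored on {remote['hostname']}")
    if a["transform"] != b["transform"]:
        findings.append("transform sets differ")
    if a["pfs"] != b["pfs"]:
        findings.append("PFS groups differ")
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (R7_POSTED, R5_POSTED)), ("fixed", (R7_FIXED, R5_FIXED))):
        print(label, check_pair(*pair) or ["no findings"])
```

Running it reports two findings for the posted pair (each router peers with an address the other does not own) and none for the corrected pair; correcting the peer but leaving the map on Fa0/1 produces the "no crypto map applied" finding, which is the second point in the accepted answer.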

5 Replies

Hi,
It looks like you've assigned the crypto map to the Fa0/1 interface, when it needs to be assigned to the Fa0/0 interface.

 

You've also defined the peer IP addresses as 1.1.1.1 and 1.1.1.2, but you don't appear to have these IP addresses defined, unless you are NATting? But your diagram does not indicate that. The peer IP address would need to be the Fa0/0 IP address; each router should be able to ping the other router's Fa0/0 IP address.

HTH

I do have NAT, but that is only in router 1. R7 and R5 both use EIGRP to advertise their neighbors.

 


@Rob Ingram wrote:

The peer IP address would need to be the Fa0/0 IP address; each router should be able to ping the other router's Fa0/0 IP address.

HTH

Is there no way to have encryption only for f0/1 of both R7 and R5?


@Rob Ingram wrote:

You've also defined the peer IP addresses as 1.1.1.1 and 1.1.1.2, but you don't appear to have these IP addresses defined


That is correct. I do not have those addresses. I misunderstood what those IPs are. I thought that would be a new IP created for traffic between these two interfaces.

 

If I want to tunnel traffic between 192.168.7.1-254 from R7 and 192.168.5.1-254, what should I do?

 

I'm sorry if I'm not making any sense. I'm still very new to all this.


I understand now, and it works. Thank you so much!
