04-10-2019 05:05 AM - edited 02-21-2020 09:37 PM
I am trying to lab up the IPSEC tunnel using the legacy crypto map method on a CSR router, but I am unable to figure out why my ISAKMP tunnel won't come up.
R1
==
crypto isakmp policy 10
encr 3des
hash sha256
authentication pre-share
group 14
lifetime 3000
crypto isakmp key ENCRYPT address 2.0.0.1
crypto ipsec transform-set IPSEC-TSET esp-3des esp-sha256-hmac
mode tunnel
crypto map CRY-MAP 1 ipsec-isakmp
set peer 2.0.0.1
set transform-set IPSEC-TSET
match address IPSEC_ACL
crypto map CRY-MAP
ip access-list extended IPSEC_ACL
permit ip any any
permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
VG-OMAN1#sh running-config interface gigabitEthernet 1
Building configuration...
Current configuration : 106 bytes
!
interface GigabitEthernet1
ip address 1.0.0.1 255.255.255.0
negotiation auto
crypto map CRY-MAP
end
VG-OMAN1#sh ip int b
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 1.0.0.1 YES NVRAM up up
GigabitEthernet2 unassigned YES NVRAM administratively down down
GigabitEthernet3 unassigned YES NVRAM administratively down down
GigabitEthernet4 unassigned YES NVRAM administratively down down
Loopback0 10.1.1.1 YES NVRAM up up
R2
===
VG-OMAN2#sh running-config | s crypto
crypto isakmp policy 1
encr 3des
hash sha256
authentication pre-share
group 14
lifetime 3000
crypto isakmp key ENCRYPT address 1.0.0.1
crypto ipsec transform-set IPSEC-TSET esp-3des esp-sha256-hmac
mode tunnel
crypto map MY_MAP 1 ipsec-isakmp
set peer 1.0.0.1
set transform-set IPSEC-TSET
match address CRY-ACL
crypto map MY_MAP
ip access-list extended CRY-ACL
permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
VG-OMAN2#sh ip int b
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 2.0.0.1 YES NVRAM up up
GigabitEthernet2 unassigned YES NVRAM administratively down down
GigabitEthernet3 unassigned YES NVRAM administratively down down
GigabitEthernet4 unassigned YES NVRAM administratively down down
Loopback0 20.1.1.1 YES NVRAM up up
TEST
R2
===
VG-OMAN2#ping 10.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.1
*Apr 10 12:03:40.400: %SYS-5-CONFIG_I: Configured from console by console.....
Success rate is 0 percent (0/5)
R1
==
VG-OMAN1#ping 20.1.1.1 source loo
VG-OMAN1#ping 20.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)
04-10-2019 06:49 AM
Tried the debugs but nothing comes up. I think it is not triggering the traffic? Is this supported on CSR routers?
VG-OMAN1#sh run | s route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1
VG-OMAN1#ping 20.1.1.1 so
VG-OMAN1#ping 20.1.1.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)
04-12-2019 11:29 AM
Have you tried changing your static route statement from "ip route 0.0.0.0 0.0.0.0 GigabitEthernet1" to "ip route 0.0.0.0 0.0.0.0 x.x.x.x" on both routers?
04-17-2019 09:55 AM
In my experience I encountered the same issue as you. I can't say with confidence, but my guess is that the answer is found in the links below. I think its software logic is probably causing confusion for itself.
04-10-2019 05:51 AM
Config looks the same on both ends. I assume you checked the PSKs? Please add isakmp debugs.
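To check the reply's "same on both ends" claim against the two configs posted above, here is an added consistency checker (example code, not from the thread or from Cisco). It parses the ISAKMP policy attributes, transform-set, pre-shared-key binding and crypto ACL from each side and reports anything that does not match, or, for the crypto ACLs, is not an exact mirror image of the peer's entry. The configs are re-typed from the thread; the side labels and the mirror-image rule are this example's assumptions, and it does not claim which mismatch is the root cause.

```python
import re
# Constructed re-typing of the two crypto configs posted in the thread (names and addresses as posted).
R1_CFG = ("crypto isakmp policy 10\n encr 3des\n hash sha256\n authentication pre-share\n"
          " group 14\n lifetime 3000\ncrypto isakmp key ENCRYPT address 2.0.0.1\n"
          "crypto ipsec transform-set IPSEC-TSET esp-3des esp-sha256-hmac\n"
          "crypto map CRY-MAP 1 ipsec-isakmp\n set peer 2.0.0.1\n match address IPSEC_ACL\n"
          "ip access-list extended IPSEC_ACL\n permit ip any any\n"
          " permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255\n")
R2_CFG = ("crypto isakmp policy 1\n encr 3des\n hash sha256\n authentication pre-share\n"
          " group 14\n lifetime 3000\ncrypto isakmp key ENCRYPT address 1.0.0.1\n"
          "crypto ipsec transform-set IPSEC-TSET esp-3des esp-sha256-hmac\n"
          "crypto map MY_MAP 1 ipsec-isakmp\n set peer 1.0.0.1\n match address CRY-ACL\n"
          "ip access-list extended CRY-ACL\n permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255\n")

def first(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Pull out the parameters that must agree (or mirror) between two crypto-map peers."""
    return {
        "policy": dict(re.findall(r"^\s*(encr|hash|authentication|group|lifetime)\s+(\S+)", cfg, re.M)),
        "key_peer": first(r"^crypto isakmp key \S+ address (\S+)", cfg),
        "peer": first(r"^\s*set peer (\S+)", cfg),
        "tset": first(r"^crypto ipsec transform-set \S+ (.+)$", cfg),
        # Crypto ACL entries as (source, destination); each side is 'any' or 'network wildcard'.
        "acl": re.findall(r"^\s*permit ip (any|\S+ \S+) (any|\S+ \S+)\s*$", cfg, re.M),
    }

def compare(a, b, names=("R1", "R2")):
    """List mismatches that stop ISAKMP/IPsec from negotiating, or from ever being triggered."""
    issues = []
    if a["policy"] != b["policy"]:
        issues.append("ISAKMP policy attributes differ: %s vs %s" % (a["policy"], b["policy"]))
    if a["tset"] != b["tset"]:
        issues.append("transform-sets differ: %s vs %s" % (a["tset"], b["tset"]))
    for name, side in zip(names, (a, b)):
        if side["key_peer"] != side["peer"]:
            issues.append("%s: PSK bound to %s but crypto map peers with %s" % (name, side["key_peer"], side["peer"]))
    # Assumed rule: crypto ACLs are exact mirror images, (src, dst) on one side is (dst, src) on the other.
    for name, side, other in ((names[0], a, b), (names[1], b, a)):
        mirrored = {(dst, src) for src, dst in other["acl"]}
        for src, dst in side["acl"]:
            if (src, dst) not in mirrored:
                issues.append("%s ACL 'permit ip %s %s' has no mirror-image entry on the peer" % (name, src, dst))
    return issues
if __name__ == "__main__":
    for issue in compare(parse(R1_CFG), parse(R2_CFG)):
        print("MISMATCH:", issue)
```

On the posted configs the only finding is R1's extra `permit ip any any` line, which has no counterpart on R2; the policy, transform-set and PSK bindings agree.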