Cisco IPsec site-to-site VPN not showing results?

Hazem123, Level 1

Hello, for the last 3 days I have been struggling with IPsec configuration on Cisco routers. Here is my topology on GNS3:

Both sites can ping each other, but without encryption.



This is the IPsec configuration:






And when I check the encryption I always get nothing with
R2# show crypto isakmp sa
nor with
R2# show crypto ipsec sa
(0 pkts enc/dec)

By the way, when I try
R2# debug crypto isakmp
or
R2# debug crypto isakmp

I get
"debugging is on" with no results either.

That configuration looks OK, no NAT configured. What about the configuration of the other router?

Are you definitely pinging from the correct source interface?

On R3 router > ping 192.168.10.1 source fas 0/1

(screenshot: capture 11.PNG)

Wrong IP address, on R3 router > ping 172.16.1.1 source fas 0/1

Enable debugs, check the isakmp sa output, ping.

R3# ping 172.16.1.1 source fas 0/1 ==> fail
R3# ping 172.16.1.1 source fas 0/0 ==> responded

R2# ping 192.168.10.1 source fas 0/1 ==> fail
R2# ping 192.168.10.1 source fas 0/0 ==> responded
Thanks for taking the time to help me out with this. So please, what should I do in this case?

Is there anything in the debugs when the pings fail?

Can you provide the full configuration of the other router?

What firmware and license is on those routers?

The 3 routers used (R2, R1 and R3) are Cisco 3725 running 124-25.T14.
---------------------------------------------------------------
Full config of R3:


R3#show run
Building configuration...

Current configuration : 1277 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.10.10.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 20 ipsec-isakmp
! Incomplete
set peer 10.10.10.1
set transform-set myset
match address 100
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
ip address 11.11.11.1 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 11.11.11.2
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R3#
R3#

-----------------------------------------------------------------------------------------

Full configuration of R1:


R1#show run
Building configuration...

Current configuration : 1018 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 11.11.11.2 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 172.16.1.0 255.255.255.0 10.10.10.1
ip route 192.168.10.0 255.255.255.0 11.11.11.1
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R1#
R1#

-------------------------------------------------------------

And concerning the debug, what command should I type? I already tried "debug crypto isakmp" and "debug crypto ipsec", and I get this:

(screenshot: cap 12.PNG)

--------------------------------------------------------------

And now I tried the "show crypto isakmp sa" and "show crypto ipsec sa" commands again, and I get this:

On R2:

(screenshot: cap 13.PNG)

IPsec shows results but no encryption yet:
(screenshot: cap 15.PNG)

On R3:

(screenshot: cap 13.PNG)

IPsec SA showing nothing on R3:

(screenshot: cap 16.PNG)

(screenshot: cap 17.PNG)

Here is the failed ping, by the way. How can I debug it?

From the output above, R3 does not have ACL 100 defined, which is probably why the crypto map has the message "! Incomplete".

Add it and try again:

access-list 100 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
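A small config check for the problem diagnosed above, added here as an example and not part of this thread or of Cisco's tooling. It parses an IOS-style config (constructed from R3's posted config plus the ACL 100 line) to flag a crypto map whose crypto ACL is not defined, whose peer has no pre-shared key, or that is not applied to any interface, and it tests whether a given source/destination pair matches the crypto ACL, which is why the pings must be sourced from the LAN-side interface for the tunnel to come up.

```python
import ipaddress
import re

# Constructed from the R3 config posted in this thread, plus the ACL 100 line the reply adds.
R3_CONFIG = """\
crypto isakmp key cisco123 address 10.10.10.1
crypto map mymap 20 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set myset
 match address 100
interface FastEthernet0/0
 ip address 11.11.11.1 255.255.255.0
 crypto map mymap
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
access-list 100 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

def wildcard_to_net(addr, wildcard):
    """IOS address + wildcard (inverse mask) -> ip_network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def crypto_acl_entries(config, acl_id):
    """(src_net, dst_net) pairs for the 'permit ip' lines of a numbered ACL."""
    pat = re.compile(rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return [(wildcard_to_net(s, sw), wildcard_to_net(d, dw)) for s, sw, d, dw in pat.findall(config)]

def crypto_map_problems(config):
    """List what would leave a crypto map '! Incomplete' or unable to bring up its peer."""
    problems = []
    for m in re.finditer(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?: .*\n)*)", config, re.M):
        name, seq, body = m.groups()
        acl = re.search(r"^ match address (\S+)$", body, re.M)
        if not acl:
            problems.append(f"{name} {seq}: no 'match address' (crypto ACL)")
        elif not crypto_acl_entries(config, acl.group(1)):
            problems.append(f"{name} {seq}: ACL {acl.group(1)} referenced but not defined")
        peer = re.search(r"^ set peer (\S+)$", body, re.M)
        if not peer or not re.search(rf"^crypto isakmp key \S+ address {re.escape(peer.group(1))}$", config, re.M):
            problems.append(f"{name} {seq}: peer missing or has no pre-shared key")
        if not re.search(rf"^interface \S+\n(?: .*\n)*? crypto map {re.escape(name)}$", config, re.M):
            problems.append(f"{name}: not applied to any interface")
    return problems

def is_interesting(config, acl_id, src, dst):
    """True if src->dst matches the crypto ACL, i.e. would trigger IKE and IPsec."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in crypto_acl_entries(config, acl_id))
```

Removing the access-list line reproduces the "! Incomplete" situation, and a ping sourced from Fa0/0 (11.11.11.1) is reported as not interesting while one from Fa0/1 (192.168.10.1) is.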

Same issue persists, and now "show crypto isakmp sa" shows nothing again.

I don't know what just happened, this is kinda strange, but it worked!!

--> Before I closed GNS3 I wanted to ping the other router and test the "show crypto ipsec sa" command one last time, and it didn't work again...

So I tried to ping again, but this time, instead of typing
R2# ping 192.168.10.1 source f0/1

I typed

R2# ping 192.168.10.1 source f0/1 repeat 1000

Then I waited for the 1000 pings to complete and tried again

R2# show crypto ipsec sa

And it worked :)
Thanks for your time and your assistance.