cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2904
Views
0
Helpful
7
Replies
Highlighted
Beginner

GNS3 Router to Router IPsec VPn not working

I tried to lab up a IPsec VPN between to IOS routers on GNS3.

The VPN is not working and tried a few VPN tutorial guides with no luck.

 

Phase 1 seems to work but my encrypt counters for phase two does not increment. I'm I missing a command?

 

Site_1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.2 QM_IDLE 1001 ACTIVE

 

Site_2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.2 QM_IDLE 1001 ACTIVE

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

BGP has knowledge about public IP and that's it. When you're trying to ping the remote site private IP, the router needs to know where to forward traffic for unknown subnets (ones not in BGP table), as soon as this traffic hits the outside interface on which crypto is attached to, the crypto isakmp and ipsec will catch the traffic and come up. a quick and dirty way to explain why.

If you don't want to setup a default route on both routers, you can just send the default route through BGP and it will be ok as well

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

7 REPLIES 7
Highlighted
VIP Mentor

Hi

Can you replace your default route like that please:
Site_1:
no ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 0.0.0.0 0.0.0.0 1.1.1.1
Site_2:
no ip route 0.0.0.0 0.0.0.0 Ethernet1/1
ip route 0.0.0.0 0.0.0.0 2.2.2.1

Which IOS are you using in GNS3?

I've done that multiple times to traine people and used IOU images and it works perfectly well.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

I changed the routes/removed them and that did not help.

My bgp route table does see site 1 and 2 on both routers (Only Public IPs). 

 

as for version I used the 

(C7200-ADVENTERPRISEK9-M), Version 15.2(4)S3,

 

The GNS3 image used was the 

c7200-adventerprisek9-mz.152-4.S3.bin

Highlighted

Ok tested it with Version 15.2(4)M5 and works like a charm.
Can you share your GNS3 project? I would like to check the config of your internet router as well in addition to your your site 1 and 2 router config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

I attached a Tar of the Project folder.

 

In the project I imported a different router to see if it was a gns3 or IOS bug.

I still had the same luck. Phase one will not start until I put a permit ip any any in the VPN ACL.

 

 

my most recent export files are under the \VPN\Policy Based VPN\7200

I did not export a config for the 3725 router.

Highlighted

I tested your project and it works.
Let me clarify, on Site1 and Site2, you're missing a default route. As soon as I add the default route ipsec is coming UP.
I don't have your IOS file and use mine as described before.

Can you add these default route and test it again?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

Why would I need a default route on the site routers when my bgp tables are complete.

I’ll try that tomorrow when I have access to the computer.
PRIVILEGE & CONFIDENTIALITY NOTICE: This e-mail and any attachments or links contained herein may contain information that is privileged, confidential, or proprietary. Any review, disclosure, copying, distribution, or use of the contents of this e-mail or any attachments is strictly prohibited. If you are not the intended recipient, or received this in error, please delete it immediately and contact the sender. Thank you.
Highlighted

BGP has knowledge about public IP and that's it. When you're trying to ping the remote site private IP, the router needs to know where to forward traffic for unknown subnets (ones not in BGP table), as soon as this traffic hits the outside interface on which crypto is attached to, the crypto isakmp and ipsec will catch the traffic and come up. a quick and dirty way to explain why.

If you don't want to setup a default route on both routers, you can just send the default route through BGP and it will be ok as well

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Content for Community-Ad