Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
5682
Views
0
Helpful
7
Replies

GNS3 Router to Router IPsec VPn not working

Go to solution
Joshuabowers
Level 1
Level 1

‎01-08-2018 02:01 PM - edited ‎03-12-2019 04:53 AM

I tried to lab up a IPsec VPN between to IOS routers on GNS3.

The VPN is not working and tried a few VPN tutorial guides with no luck.

 

Phase 1 seems to work but my encrypt counters for phase two does not increment. I'm I missing a command?

 

Site_1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.2 QM_IDLE 1001 ACTIVE

 

Site_2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.2 QM_IDLE 1001 ACTIVE

 

 

1 person had this problem
Labels:
Capture.PNG
Preview file
22 KB
Site_2_i3_startup-config (2).txt
Preview file
3 KB
Site_2_i3_startup-config.txt
Preview file
3 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Joshuabowers

‎01-09-2018 02:38 PM

BGP has knowledge about public IP and that's it. When you're trying to ping the remote site private IP, the router needs to know where to forward traffic for unknown subnets (ones not in BGP table), as soon as this traffic hits the outside interface on which crypto is attached to, the crypto isakmp and ipsec will catch the traffic and come up. a quick and dirty way to explain why.

If you don't want to setup a default route on both routers, you can just send the default route through BGP and it will be ok as well

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎01-08-2018 03:51 PM

Hi

Can you replace your default route like that please:
Site_1:
no ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 0.0.0.0 0.0.0.0 1.1.1.1
Site_2:
no ip route 0.0.0.0 0.0.0.0 Ethernet1/1
ip route 0.0.0.0 0.0.0.0 2.2.2.1

Which IOS are you using in GNS3?

I've done that multiple times to traine people and used IOU images and it works perfectly well.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Joshuabowers
Level 1
Level 1
In response to Francesco Molino

‎01-09-2018 06:25 AM

I changed the routes/removed them and that did not help.

My bgp route table does see site 1 and 2 on both routers (Only Public IPs). 

 

as for version I used the 

(C7200-ADVENTERPRISEK9-M), Version 15.2(4)S3,

 

The GNS3 image used was the 

c7200-adventerprisek9-mz.152-4.S3.bin

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Joshuabowers

‎01-09-2018 01:37 PM

Ok tested it with Version 15.2(4)M5 and works like a charm.
Can you share your GNS3 project? I would like to check the config of your internet router as well in addition to your your site 1 and 2 router config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Joshuabowers
Level 1
Level 1
In response to Francesco Molino

‎01-09-2018 01:51 PM

I attached a Tar of the Project folder.

 

In the project I imported a different router to see if it was a gns3 or IOS bug.

I still had the same luck. Phase one will not start until I put a permit ip any any in the VPN ACL.

 

 

my most recent export files are under the \VPN\Policy Based VPN\7200

I did not export a config for the 3725 router.

VPN-GNS3.tar
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Joshuabowers

‎01-09-2018 02:32 PM

I tested your project and it works.
Let me clarify, on Site1 and Site2, you're missing a default route. As soon as I add the default route ipsec is coming UP.
I don't have your IOS file and use mine as described before.

Can you add these default route and test it again?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Joshuabowers
Level 1
Level 1
In response to Francesco Molino

‎01-09-2018 02:35 PM

Why would I need a default route on the site routers when my bgp tables are complete.

I’ll try that tomorrow when I have access to the computer.
PRIVILEGE & CONFIDENTIALITY NOTICE: This e-mail and any attachments or links contained herein may contain information that is privileged, confidential, or proprietary. Any review, disclosure, copying, distribution, or use of the contents of this e-mail or any attachments is strictly prohibited. If you are not the intended recipient, or received this in error, please delete it immediately and contact the sender. Thank you.
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Joshuabowers

‎01-09-2018 02:38 PM

BGP has knowledge about public IP and that's it. When you're trying to ping the remote site private IP, the router needs to know where to forward traffic for unknown subnets (ones not in BGP table), as soon as this traffic hits the outside interface on which crypto is attached to, the crypto isakmp and ipsec will catch the traffic and come up. a quick and dirty way to explain why.

If you don't want to setup a default route on both routers, you can just send the default route through BGP and it will be ok as well

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents
Top