07-27-2021 09:10 AM
Hello everyone,
I can't seem to make two routers connected over IPsec communicate, and I don't understand why, since I followed a course step by step. I probably made a typo of some kind, but I don't really understand the problem. I'll put my lab here for those who want to download it and help. The routers involved are ROUTER 1 and ROUTER 2. Thank you for your help!
07-27-2021 09:14 AM
Please provide the running configuration on both routers, provide the output of "show crypto isakmp sa" and "show crypto ipsec sa" and any ike/ipsec debugs.
07-27-2021 01:54 PM
Here it is. As you can see, nothing pops up with show crypto isakmp sa.
ROUTER 1
Current configuration : 3534 bytes
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key Giuky.1993 address 0.0.0.0
!
!
crypto ipsec transform-set GIANLU esp-aes esp-sha-hmac
mode transport
!
!
!
crypto map VPN 10 ipsec-isakmp
set peer 192.0.2.2
set transform-set GIANLU
match address GRE-IN-IPSEC
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel1
ip address 192.168.0.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 192.0.2.2
!
interface GigabitEthernet0/0
ip address 198.51.100.1 255.255.255.252
ip ospf 1 area 0
duplex auto
speed auto
media-type rj45
crypto map VPN
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE-IN-IPSEC
permit gre any any
!
ipv6 ioam timestamp
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Router#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: VPN, local addr 198.51.100.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 192.0.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 198.51.100.1, remote crypto endpt.: 192.0.2.2
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
ROUTER 2
Current configuration : 3537 bytes
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key Giuky.1993 address 0.0.0.0
!
!
crypto ipsec transform-set GIANLU esp-aes esp-sha-hmac
mode transport
!
!
!
crypto map VPN 10 ipsec-isakmp
set peer 198.51.100.1
set transform-set GIANLU
match address GRE-IN-IPSEC
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 192.168.0.1 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 198.51.100.1
!
interface GigabitEthernet0/0
ip address 192.0.2.2 255.255.255.252
ip ospf 1 area 0
duplex auto
speed auto
media-type rj45
crypto map VPN
!
interface GigabitEthernet0/1
no ip address
ip ospf 1 area 0
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE-IN-IPSEC
permit gre any any
!
ipv6 ioam timestamp
Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Router#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: VPN, local addr 192.0.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 198.51.100.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.0.2.2, remote crypto endpt.: 198.51.100.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
07-28-2021 04:09 AM
You are using a GRE tunnel over a crypto map. The GRE tunnel doesn't by default communicate with the remote peer, so configure a keepalive on the tunnel interfaces. That way they will generate traffic, which in turn will match the crypto map's interesting-traffic ACL and trigger the establishment of the VPN tunnel.
interface tunnel 1
keepalive 10 3
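The diagnosis above can be turned into a repeatable check. The following Python script is an added example written for this page, not code from the thread or from Cisco. It reads IOS running-config text plus the counter lines from "show crypto ipsec sa" and flags the things worth verifying on a GRE-over-crypto-map setup: that the crypto map's ACL actually matches GRE, that each Tunnel interface has a keepalive (otherwise, with nothing routed over the tunnel, the router never emits a GRE packet and IKE is never triggered), that the SA counters confirm no traffic ever matched the ACL (as opposed to IKE having tried and failed), and, as a hardening point beyond the thread's fix, that the ISAKMP pre-shared key is bound to the peer's address rather than the 0.0.0.0 wildcard used in the posted config. The sample input is ROUTER 1's configuration from the post, trimmed to the stanzas the checks read, with the pre-shared key replaced by the placeholder LAB-PSK; the "fixed" variant adds the accepted answer's keepalive 10 3 and a peer-specific key. All function and variable names are the example's own.

```python
import re

# Constructed sample: ROUTER 1's posted running-config, trimmed to the stanzas
# the checks read, with the pre-shared key replaced by a placeholder.
ROUTER1_CONFIG = """\
crypto isakmp key LAB-PSK address 0.0.0.0
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GIANLU
 match address GRE-IN-IPSEC
!
interface Tunnel1
 ip address 192.168.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
!
ip access-list extended GRE-IN-IPSEC
 permit gre any any
!
"""

# Constructed sample: the same router after the accepted fix (keepalive on
# Tunnel1), plus the PSK bound to the real peer instead of the 0.0.0.0 wildcard.
ROUTER1_FIXED = ROUTER1_CONFIG.replace(
    "crypto isakmp key LAB-PSK address 0.0.0.0",
    "crypto isakmp key LAB-PSK address 192.0.2.2",
).replace(
    " tunnel destination 192.0.2.2\n",
    " tunnel destination 192.0.2.2\n keepalive 10 3\n",
)

# Constructed sample: the counter lines from the posted "show crypto ipsec sa".
SHOW_IPSEC_SA = """\
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def stanzas(config, prefix):
    """Yield (header, body_lines) for every '!'-delimited block whose header
    starts with `prefix`. Indentation is ignored, so pasted text works too."""
    header, body = None, []
    for line in (raw.strip() for raw in config.splitlines() + ["!"]):
        if line.startswith(prefix) or line.startswith("!"):
            if header is not None:
                yield header, body
            header, body = (line, []) if line.startswith(prefix) else (None, [])
        elif header is not None:
            body.append(line)

def crypto_map_acl(config, map_name):
    """Name of the interesting-traffic ACL the crypto map references, or None."""
    for _, body in stanzas(config, f"crypto map {map_name} "):
        for line in body:
            m = re.match(r"match address (\S+)", line)
            if m:
                return m.group(1)
    return None

def acl_permits_gre(config, acl_name):
    """True if the ACL permits GRE (IP protocol 47), which is all a GRE tunnel emits."""
    for header, body in stanzas(config, "ip access-list "):
        if header.endswith(" " + acl_name):
            return any(re.match(r"permit (gre|47)\b", line) for line in body)
    return False

def tunnels_without_keepalive(config):
    """Tunnel interfaces with no keepalive: with nothing routed over the tunnel
    the router never emits a GRE packet, so the crypto ACL never matches."""
    return [header.split(None, 1)[1]
            for header, body in stanzas(config, "interface Tunnel")
            if not any(line.startswith("keepalive") for line in body)]

def psk_peer_addresses(config):
    """Peer address each ISAKMP pre-shared key is bound to; 0.0.0.0 means any peer."""
    return re.findall(r"^\s*crypto isakmp key \S+ address (\S+)", config, re.M)

def ipsec_sa_counters(show_output):
    """(encaps, decaps) from `show crypto ipsec sa`; (0, 0) with no SAs means
    traffic never matched the ACL, as opposed to IKE having tried and failed."""
    enc = re.search(r"#pkts encaps: (\d+)", show_output)
    dec = re.search(r"#pkts decaps: (\d+)", show_output)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)

def diagnose(config, map_name, show_output=""):
    """Findings as short strings; an empty list means nothing obvious is wrong."""
    findings = []
    acl = crypto_map_acl(config, map_name)
    if acl is None or not acl_permits_gre(config, acl):
        findings.append(f"crypto map {map_name}: ACL {acl!r} does not match GRE")
    for tun in tunnels_without_keepalive(config):
        findings.append(f"{tun}: no keepalive, tunnel never generates interesting traffic")
    if "0.0.0.0" in psk_peer_addresses(config):
        findings.append("ISAKMP PSK bound to 0.0.0.0 (any peer); bind it to the peer address")
    if show_output and ipsec_sa_counters(show_output) == (0, 0):
        findings.append("show crypto ipsec sa: 0 encaps / 0 decaps, nothing has matched the ACL")
    return findings
```

Calling diagnose(ROUTER1_CONFIG, "VPN", SHOW_IPSEC_SA) returns three findings (missing keepalive, wildcard PSK, zero counters) and diagnose(ROUTER1_FIXED, "VPN") returns none; point it at a full "show run" to apply it to a real router. The script only treats a keepalive as a traffic source; an IGP adjacency over the tunnel would also trigger the SA, so extend tunnels_without_keepalive if your design relies on that instead.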
07-28-2021 06:54 AM
Thank you so much, that was the issue!