Help needed for VPN IPSEC configuration.

Fabio Francisco
Level 1

Hi There,

I'm trying to set up an IPsec VPN connection in my GNS3 lab, and none of the show commands and debugs seem to give me any clue of what is wrong or missing... can someone please help me troubleshoot my VPN config? Below is the config of router 1.

R1#sh run
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key 6 cisco123 address 200.20.1.1
!
crypto ipsec transform-set CISCO_SET esp-des esp-sha-hmac
!
crypto map VPN_map 10 ipsec-isakmp
 ! Incomplete
 set peer 200.20.1.1
 set security-association lifetime seconds 190
 set transform-set CISCO_SET
 match address INT_TRAFFIC
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.255
!
interface Loopback2
 ip address 172.16.1.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 200.11.1.1 255.255.255.252
 ip ospf 1 area 0
 duplex auto
 speed auto
 crypto map VPN_map
!
router ospf 1
 log-adjacency-changes
 network 172.16.0.0 0.0.255.255 area 0
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 200.11.1.0 mask 255.255.255.252
 neighbor 200.11.1.2 remote-as 65030
 no auto-summary
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip access-list extended INT_TRAFFFIC
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
end

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa
nill.......

R1#sh debugging
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto Engine debugging is on
  Crypto IPSEC debugging is on
settlement:
  memory tracing is on

R1#sh ip route
Gateway of last resort is not set

     200.20.1.0/30 is subnetted, 1 subnets
B       200.20.1.0 [20/0] via 200.11.1.2, 01:28:21
     200.11.1.0/30 is subnetted, 1 subnets
C       200.11.1.0 is directly connected, FastEthernet0/0
     172.16.0.0/32 is subnetted, 2 subnets
C       172.16.1.1 is directly connected, Loopback1
C       172.16.1.2 is directly connected, Loopback2

R1#ping 200.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.20.1.1, timeout is 2 seconds:
!!!!!

Cheers,

Fabio


Lee Valentin
Level 1

The issue could be the second router. Maybe you should post that as well.

Link below explains using CLI to set up Site to Site VPN on IOS.

http://goo.gl/sYFdr

Fabio,

How are you trying to bring the tunnel up?

Remember that if you are trying to initiate the tunnel from the router itself you have to do an extended ping:

ping ip 192.168.0.1 so Loopback1

If you are still having problems please post the config of the other router too.

Thanks.

Raga

ugot2nome
Level 1

Hi Fabio:

Raga's point is valid. The trigger is when the packet leaves the interface where the crypto map is applied, and only if the parameters in the ACE of the ACL match will the packet qualify for encryption. In this case, you are merely pinging the far end, and since that does not match the ACE, it does not qualify for encryption, so Phase 1 is not initiated.

As a sidebar, in a real scenario you would never want to run an IGP over the same WAN link where BGP is running. Although this is a lab scenario, developing good implementation habits will eventually carry over to real scenarios. (No pun intended)

"Bad habits are like chains that are too light to feel until they are too heavy to carry." ~Warren Buffett

Cheers,

Brian

PS: Also, remove the redundant ACE in the ACL.
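To make the trigger logic concrete, here is an added Python model (not from the thread or from Cisco) of how a crypto map's match ACL decides whether a packet leaving the interface is encrypted. It runs on a constructed excerpt of R1's config and reproduces the thread's three cases: the misspelled ACL name leaves the map incomplete, a plain ping between the WAN addresses never matches the ACE so IKE is never triggered, and a ping sourced from Loopback1 towards 192.168.0.0/16 does match; it also flags the redundant second ACE from the PS.

```python
import ipaddress
import re

# Constructed excerpt of R1's config from the thread: the crypto map calls for ACL INT_TRAFFIC, but the ACL is defined as INT_TRAFFFIC (three F's).
R1_CONFIG_BROKEN = """\
crypto map VPN_map 10 ipsec-isakmp
 set peer 200.20.1.1
 match address INT_TRAFFIC
ip access-list extended INT_TRAFFFIC
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
"""
R1_CONFIG_FIXED = R1_CONFIG_BROKEN.replace("INT_TRAFFFIC", "INT_TRAFFIC")
def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (0.0.255.255 -> /16)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # only contiguous wildcards are modelled here
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)
def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net), ...]}, ACL named by 'match address')."""
    acls, current, match_name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list extended (\S+)$", line):
            current = m[1]
            acls.setdefault(current, [])
        elif (m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)) and current:
            acls[current].append(tuple(wildcard_to_network(m[i], m[i + 1]) for i in (1, 3)))
        elif m := re.match(r"match address (\S+)$", line):
            match_name = m[1]
    return acls, match_name
def crypto_verdict(text, src, dst):
    """Say what happens to a src->dst packet leaving the crypto-map interface."""
    acls, name = parse_config(text)
    if name not in acls:  # the condition IOS marks as '! Incomplete' under the crypto map
        return f"incomplete: crypto map references ACL {name!r}, defined ACLs: {sorted(acls)}"
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, (sn, dn) in enumerate(acls[name], 1):
        if s in sn and d in dn:
            return f"encrypt: matched ACE {i} of {name}, so IKE phase 1 is triggered"
    return "bypass: no ACE matched, the packet leaves in the clear and IKE is not triggered"
def redundant_aces(acl):
    """1-based indices of ACEs whose src/dst pair repeats an earlier ACE (never hit)."""
    seen, dups = set(), []
    for i, pair in enumerate(acl, 1):
        if pair in seen:
            dups.append(i)
        seen.add(pair)
    return dups
```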

Fabio Francisco
Level 1

Thanks guys for getting back to me.

I found one problem!!!! The ACL spelling has been fixed....

crypto map VPN_map 10 ipsec-isakmp
 ! Incomplete
 set peer 200.20.1.1
 set security-association lifetime seconds 190
 set transform-set CISCO_SET
 match address INT_TRAFFIC
ip access-list extended INT_TRAFFFIC
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log

Now when I do "sh crypto ipsec sa", sure enough I can see the VPN output:

interface: FastEthernet0/0
    Crypto map tag: VPN_map, local addr 200.20.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer 200.11.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.20.1.1, remote crypto endpt.: 200.11.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

sh isa

and

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
200.20.1.1      200.11.1.1      QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

and for the last

R1#ping 192.168.1.1 source 172.16.1.1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 36/62/80 ms

Hey Brian, I set OSPF up for troubleshooting purposes, but I confess it was very silly....

Thanks guys, all fixed, and it's so good every now and then to brush up your Cisco skills... don't you reckon??

Cheers,

Fabio

Nice Catch. The keyword "Incomplete!" should have flagged it.

Please close the issue as resolved - User error

Thanks,
Brian