how to install ipsec-isakmp between 2 routers

chirapandya
Level 1

Hello sir,

I have some problems configuring ipsec-isakmp with a preshared key.

Right now I am configuring two 1751 routers back-to-back over FastEthernet, so please tell me the configuration of IPsec and the other IKE settings.

Here I have attached my configuration of both routers.

Both routers are connected with a back-to-back Ethernet cable.

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rtr1
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.123-12a.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret xxxxx
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 100
 hash md5
 authentication pre-share
 lifetime 43200
crypto isakmp key cisco123 address 10.230.4.205
!
crypto ipsec transform-set MD5-DES esp-des esp-md5-hmac
crypto ipsec transform-set DES-ONLY esp-des
crypto ipsec transform-set AH-ONLY ah-sha-hmac
crypto ipsec transform-set CPU-HOG ah-md5-hmac esp-des esp-md5-hmac
!
crypto map testmap 50 ipsec-isakmp
 description TUNEL TO Rtr2
 set peer 10.230.4.205
 set security-association lifetime seconds 43200
 set transform-set CPU-HOG
 match address 125
!
interface Loopback0
 ip address 10.240.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.230.4.59 255.255.255.0
 ip access-group 110 in
 ip access-group 110 out
 speed auto
 full-duplex
 crypto map testmap
!
interface Serial0/0
 no ip address
 shutdown
!
router eigrp 1
 network 10.0.0.0
 auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
access-list 125 permit ip 10.240.1.0 0.0.0.255 10.240.2.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 password xxx
Rtr1#

Router2's config:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rtr2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret xxxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
no ip cef
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 100
 hash md5
 authentication pre-share
 lifetime 43200
crypto isakmp key cisco123 address 10.230.4.59
!
crypto ipsec transform-set MD5-DES esp-des esp-md5-hmac
crypto ipsec transform-set DES-ONLY esp-des
crypto ipsec transform-set AH-ONLY ah-sha-hmac
crypto ipsec transform-set CPU-HOG ah-md5-hmac esp-des esp-md5-hmac
!
crypto map testmap 50 ipsec-isakmp
 description TUNEL TO Rtr2
 set peer 10.230.4.59
 set security-association lifetime seconds 43200
 set transform-set CPU-HOG
 match address 125
!
interface Loopback0
 ip address 10.240.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.230.4.205 255.255.255.0
 ip access-group 110 in
 ip access-group 110 out
 speed auto
 full-duplex
 crypto map testmap
!
interface Serial0/0
 no ip address
 shutdown
!
router eigrp 1
 network 10.0.0.0
 auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
access-list 125 permit ip 10.240.2.0 0.0.0.255 10.240.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 password xxx
 login
!
end

Thanks

2 Replies

balien
Level 1

Try this access-list on both routers.

access-list 125 permit ip 10.240.1.0 0.0.0.255 10.240.2.0 0.0.0.255

access-list 125 permit ip 10.240.2.0 0.0.0.255 10.240.1.0 0.0.0.255

Richard Burts
Hall of Fame

Can you tell us what is happening after you implement this config? From Rtr1, can you ping the FastEthernet address of Rtr2? From Rtr1, can you ping the Loopback of Rtr2?

With this config, do the ISAKMP security associations get negotiated? If not, the output from debug crypto isakmp might be very helpful.

I have a couple of observations about your config. Access list 125, which defines which traffic will be processed by IPSec, only selects IP traffic with a source of one loopback interface and a destination of the other loopback interface. This is not exactly invalid, but it is pretty unusual. About the only way to test it would be something like an extended ping, which can specify the source as its own loopback and the destination as the other loopback. Something that included a little more traffic might make it easier to test.

Also, both of the FastEthernet interfaces have access list 110 applied both inbound and outbound, and there is no access list 110 in the configuration that you listed. If the list really does not exist, why is it configured on the interfaces? And if it does exist but you did not include it in your post, it might very well be what is preventing IPSec from working, and you need to post that access list as well.

HTH

Rick
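The observations in the reply above (a crypto ACL that should be the mirror image of the peer's, an access-group that references an undefined list, peer and key addresses that must line up with the other router's interface) can be checked mechanically before anyone starts a debug session. The script below is an added example and is not code from this thread or from Cisco; it parses only the handful of IOS lines a crypto-map tunnel depends on, using constructed, trimmed copies of the two posted configs as sample input, and handles only numbered ACL entries written in the `<proto> <src> <wildcard> <dst> <wildcard>` form.

```python
# Consistency checks for a two-router IOS IPsec/ISAKMP configuration.
# Added example, not the thread's or Cisco's code. Python 3 standard library only.

# Constructed sample input (assumption): the tunnel-relevant lines of the two
# configs posted in the question, same names and addresses.
RTR1_CONFIG = """
hostname Rtr1
crypto isakmp key cisco123 address 10.230.4.205
crypto map testmap 50 ipsec-isakmp
 set peer 10.230.4.205
 match address 125
interface Loopback0
 ip address 10.240.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 10.230.4.59 255.255.255.0
 ip access-group 110 in
 ip access-group 110 out
 crypto map testmap
access-list 125 permit ip 10.240.1.0 0.0.0.255 10.240.2.0 0.0.0.255
"""

RTR2_CONFIG = """
hostname Rtr2
crypto isakmp key cisco123 address 10.230.4.59
crypto map testmap 50 ipsec-isakmp
 set peer 10.230.4.59
 match address 125
interface Loopback0
 ip address 10.240.2.1 255.255.255.0
interface FastEthernet0/0
 ip address 10.230.4.205 255.255.255.0
 ip access-group 110 in
 ip access-group 110 out
 crypto map testmap
access-list 125 permit ip 10.240.2.0 0.0.0.255 10.240.1.0 0.0.0.255
"""


def parse_ios(config: str) -> dict:
    """Extract hostname, ISAKMP keys, crypto maps, interfaces and numbered ACLs."""
    cfg = {"hostname": None, "isakmp_keys": {}, "crypto_maps": {},
           "interfaces": {}, "access_lists": {}}
    iface = cmap = None                      # current sub-mode context
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            iface = cmap = None
            continue
        if t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["isakmp_keys"][t[5]] = t[3]  # peer address -> pre-shared key
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[4] == "ipsec-isakmp":
            cmap, iface = (t[2], int(t[3])), None
            cfg["crypto_maps"][cmap] = {"peer": None, "match": None}
        elif t[0] == "interface":
            iface, cmap = t[1], None
            cfg["interfaces"][iface] = {"ip": None, "access_groups": set(), "crypto_map": None}
        elif t[0] == "access-list" and t[2] == "permit":
            # only "<proto> <src> <wildcard> <dst> <wildcard>" entries are handled
            cfg["access_lists"].setdefault(t[1], []).append(tuple(t[3:8]))
        elif cmap and t[:2] == ["set", "peer"]:
            cfg["crypto_maps"][cmap]["peer"] = t[2]
        elif cmap and t[:2] == ["match", "address"]:
            cfg["crypto_maps"][cmap]["match"] = t[2]
        elif iface and t[:2] == ["ip", "address"]:
            cfg["interfaces"][iface]["ip"] = t[2]
        elif iface and t[:2] == ["ip", "access-group"]:
            cfg["interfaces"][iface]["access_groups"].add(t[2])
        elif iface and t[:2] == ["crypto", "map"]:
            cfg["interfaces"][iface]["crypto_map"] = t[2]
    return cfg


def _iface_with(cfg: dict, key: str, value):
    return next((n for n, i in cfg["interfaces"].items() if i[key] == value), None)


def _mirror(entry: tuple) -> tuple:
    proto, src, src_wc, dst, dst_wc = entry
    return (proto, dst, dst_wc, src, src_wc)


def check_tunnel(a: dict, b: dict) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        me, you = local["hostname"], remote["hostname"]
        # 1. every applied interface ACL must actually be defined
        for ifname, i in local["interfaces"].items():
            for acl in sorted(i["access_groups"]):
                if acl not in local["access_lists"]:
                    findings.append(f"{me}: {ifname} applies access-list {acl}, which is not defined")
        for (mapname, seq), m in local["crypto_maps"].items():
            peer = m["peer"]
            local_if = _iface_with(local, "crypto_map", mapname)
            local_ip = local["interfaces"][local_if]["ip"] if local_if else None
            # 2. the peer must be an address on the other router that carries a crypto map
            remote_if = _iface_with(remote, "ip", peer)
            if remote_if is None:
                findings.append(f"{me}: crypto map {mapname} {seq} peers with {peer}, not an address on {you}")
            elif remote["interfaces"][remote_if]["crypto_map"] is None:
                findings.append(f"{you}: {remote_if} ({peer}) has no crypto map applied")
            if local_if is None:
                findings.append(f"{me}: crypto map {mapname} is not applied to any interface")
            # 3. a pre-shared key must exist for the peer and equal the one the peer holds for us
            if peer not in local["isakmp_keys"]:
                findings.append(f"{me}: no 'crypto isakmp key ... address {peer}'")
            elif local is a and local["isakmp_keys"][peer] != remote["isakmp_keys"].get(local_ip):
                findings.append(f"{me}<->{you}: pre-shared keys for {local_ip}<->{peer} do not match")
            # 4. the crypto ACLs must be mirror images (checked once, from A's side)
            if local is a:
                mine = local["access_lists"].get(m["match"], [])
                theirs = [remote["access_lists"].get(r["match"], [])
                          for r in remote["crypto_maps"].values() if r["peer"] == local_ip]
                if sorted(_mirror(e) for e in mine) != sorted(theirs[0] if theirs else []):
                    findings.append(f"{me}: crypto ACL {m['match']} is not the mirror image of {you}'s")
    return findings


if __name__ == "__main__":
    for f in check_tunnel(parse_ios(RTR1_CONFIG), parse_ios(RTR2_CONFIG)) or ["no findings"]:
        print(f)
```

Run against the two posted configs it reports exactly one problem per router, the undefined access-list 110 on FastEthernet0/0, and nothing about the crypto ACLs, peers or keys, which narrows the search to the missing list. Changing one address in Rtr2's access-list 125, or one character of its pre-shared key, adds a third finding naming that mismatch.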
