09-25-2013 12:26 AM
I am working on GNS3. ASA to ASA VPN is working fine without any issue. When I try to establish IOS to IOS VPN it is not working. Phase 1 itself is not coming up. Has anybody worked on this issue? Your reply is highly appreciated.
09-25-2013 04:44 AM
Hi,
Please provide more information (running config, show crypto output) so people can help.
HTH,
Lei Tian
09-27-2013 04:18 AM
Hi, here is the configuration:
Router1#sh run
Building configuration...
Current configuration : 1398 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username user1 password 0 cisco
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.1.12.2
!
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 10.1.12.2
set transform-set TSET
match address 120
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.12.1 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 120 permit ip host 1.1.1.1 host 2.2.2.2
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Router1#
------------------------------------------
Router2 Configuration
---------------------------------------
Router2#sh run
Building configuration...
Current configuration : 1398 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username user2 password 0 cisco
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.1.12.1
!
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 10.1.12.1
set transform-set TSET
match address 120
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.12.2 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 120 permit ip host 2.2.2.2 host 1.1.1.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Router2#
------------------------------------------------------------------------
Router1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 10.1.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 10.1.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.12.1, remote crypto endpt.: 10.1.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Router1#
09-27-2013 05:00 AM
Hi,
Crypto should be working, but you don't have routing. How do you route traffic from 2.2.2.2 to 1.1.1.1?
HTH,
Lei Tian
09-25-2013 05:16 AM
Hello Muthukaruooasamy,
Currently I applied a demo on the same case. I have an active tunnel between the two peers; can you provide more information?
Thanks,
09-28-2013 09:42 AM
Hi Ramasamy,
Please refer to the below. I made some changes to your configuration, and you can apply them on both of your routers. In the meantime you need to connect the VPCs to your routers using a VM, and the IP addresses on both ends should be assigned to the hosts statically.
Solution:
For routing:
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 (on both ends).
Or you can do it as below:
ip route 0.0.0.0 0.0.0.0 10.1.12.2 ...... apply on R1.
ip route 0.0.0.0 0.0.0.0 10.1.12.1 ...... apply on R2.
For the VPN access-list you can apply the ACL below.
access-list 120 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 (this is for router 1).
access-list 120 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 (this is for router 2).
Please let me know about the result.
Best regards,
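As an added example that is not part of this thread, here is a small Python check over the two posted configurations (trimmed to the relevant lines) that reproduces Lei Tian's diagnosis: the pre-shared keys and peer addresses match and the crypto ACLs mirror each other, but neither router has a route to the other's loopback, so interesting traffic never reaches the interface carrying the crypto map and IKE phase 1 is never initiated. Appending the default route from the last post clears the finding; the function names and the constructed FIX string are assumptions, not anything from the thread.

```python
from ipaddress import ip_network

# Constructed excerpts of the two configs posted above; no "ip route" line yet.
R1 = """ip address 1.1.1.1 255.255.255.0
ip address 10.1.12.1 255.255.255.0
crypto isakmp key cisco123 address 10.1.12.2
set peer 10.1.12.2
access-list 120 permit ip host 1.1.1.1 host 2.2.2.2"""
R2 = """ip address 2.2.2.2 255.255.255.0
ip address 10.1.12.2 255.255.255.0
crypto isakmp key cisco123 address 10.1.12.1
set peer 10.1.12.1
access-list 120 permit ip host 2.2.2.2 host 1.1.1.1"""
FIX = "\nip route 0.0.0.0 0.0.0.0 FastEthernet0/0"  # default route from the last post

def to_net(pair):  # ACL endpoint 'host A' or 'A wildcard' -> IPv4Network
    if pair[0] == "host":
        return ip_network(pair[1] + "/32")
    mask = ".".join(str(255 - int(o)) for o in pair[1].split("."))
    return ip_network(f"{pair[0]}/{mask}", strict=False)

def parse(cfg):
    d = {"prefixes": [], "acl": []}  # prefixes: connected nets + static routes
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] in (["ip", "address"], ["ip", "route"]):
            d["prefixes"].append(ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:3] == ["crypto", "isakmp", "key"]:
            d["psk"], d["psk_addr"] = t[3], t[5]
        elif t[:2] == ["set", "peer"]:
            d["peer"] = t[2]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            d["acl"].append((to_net(t[4:6]), to_net(t[6:8])))
    return d

def has_route(d, net):
    return any(net.subnet_of(p) for p in d["prefixes"])

def diagnose(local, remote):
    """Findings that stop interesting traffic from ever triggering IKE phase 1."""
    a, b = parse(local), parse(remote)
    out = []
    if a["psk"] != b["psk"] or a["psk_addr"] != a["peer"]:
        out.append("pre-shared key / peer address mismatch")
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        out.append("crypto ACLs are not mirror images")
    if not has_route(a, ip_network(a["peer"] + "/32")):
        out.append(f"no route to IKE peer {a['peer']}")
    for _, dst in a["acl"]:
        if not has_route(a, dst):
            out.append(f"no route to protected network {dst}: crypto map never triggers")
    return out
```

Running `diagnose(R1, R2)` reports only the missing route to 2.2.2.2/32, and `diagnose(R1 + FIX, R2 + FIX)` returns no findings.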