
IPSec - 881 routers

Forcefield
Level 1

Hello

I am trying to build an IPSec between two 881 routers in my lab.

This is my first time doing one and I don't seem to be having much luck.

Any advice would be gratefully received.

Here are the configs I used:

---------------------------------------

hostname R1

int loopback 0
 ip add 192.168.1.1 255.255.255.0
 no shut

int f4
 ip add 10.1.1.1 255.255.255.0
 no shut

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600

crypto isakmp key ******* address 10.2.2.1

crypto ipsec security-association lifetime seconds 1800

crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.2.2.1
 set security-assoc lifetime sec 900
 set transform-set 50
 set pfs group5
 match address 101

int f4
 crypto map CMAP

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

ip route 0.0.0.0 0.0.0.0 10.1.1.2

.......................

R1#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
        Peer = 10.2.2.1
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
        Current peer: 10.2.2.1
        Security association lifetime: 4608000 kilobytes/900 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={
                50:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CMAP:
                FastEthernet4

..............................

R1#sh crypto session
Crypto session current status

Interface: FastEthernet4
Session status: DOWN
Peer: 10.2.2.1 port 500
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.3.0/255.255.255.0
        Active SAs: 0, origin: crypto map

--------------------------------

--------------------------------

hostname R2

int loopback 0
 ip add 192.168.3.1 255.255.255.0
 no shut

int f4
 ip add 10.2.2.1 255.255.255.0
 no shut

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600

crypto isakmp key cisco123 address 10.1.1.1

crypto ipsec security-association lifetime seconds 1800

crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set security-assoc lifetime sec 900
 set transform-set 50
 set pfs group5
 match address 101

int f4
 crypto map CMAP

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

ip route 0.0.0.0 0.0.0.0 10.2.2.2

..........................

R2#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
        Peer = 10.1.1.1
        Extended IP access list 101
            access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.1
        Security association lifetime: 4608000 kilobytes/900 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={
                50:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CMAP:
                FastEthernet4

..............................

R2#sh cry session
Crypto session current status

Interface: FastEthernet4
Session status: DOWN
Peer: 10.1.1.1 port 500
  IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map

1 Reply

Jennifer Halim
Cisco Employee

How did you try to establish the VPN?

Did you try to ping between the 2 loopback interfaces?

From the router, you would need to ping the loopback of the peer router, sourcing the ping from the local router where you test the ping.

Also, please share the output of the following if it still doesn't work after testing ping from both directions:

show cry isa sa

show cry ipsec sa
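The reply's point about sourcing the ping can be checked offline. The following is an added example (not from the thread or from Cisco) that applies IOS wildcard-mask matching to the two crypto ACLs posted above: a ping sent from R1 without a source leaves FastEthernet4 as 10.1.1.1 and never matches ACL 101, so no SA is negotiated, while a ping sourced from loopback 0 does match; it also confirms the two peers' ACLs mirror each other, which Phase 2 requires.

```python
# Added example: does a given packet match the crypto ACL (and so trigger the crypto map),
# and do the two peers' crypto ACLs mirror each other? ACL lines are copied from the posted configs.
import ipaddress
from typing import NamedTuple


class AclEntry(NamedTuple):
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_acl(line: str) -> AclEntry:
    """Parse an IOS 'access-list N permit ip SRC WILDCARD DST WILDCARD' line."""
    parts = line.split()
    if len(parts) != 8 or parts[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return AclEntry(parts[4], parts[5], parts[6], parts[7])


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def is_interesting(entry: AclEntry, src: str, dst: str) -> bool:
    """True if a src->dst packet matches the crypto ACL and would start ISAKMP negotiation."""
    return (wildcard_match(src, entry.src, entry.src_wc)
            and wildcard_match(dst, entry.dst, entry.dst_wc))


def acls_mirror(local: AclEntry, remote: AclEntry) -> bool:
    """The peers' crypto ACLs must be exact mirrors (src/dst swapped) or Phase 2 fails."""
    return (local.src, local.src_wc, local.dst, local.dst_wc) == \
           (remote.dst, remote.dst_wc, remote.src, remote.src_wc)


# ACL 101 exactly as posted for R1 and R2
R1_ACL = parse_acl("access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255")
R2_ACL = parse_acl("access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255")

if __name__ == "__main__":
    print("ACLs mirror:", acls_mirror(R1_ACL, R2_ACL))
    # ping with no source option uses the egress interface f4 (10.1.1.1): not interesting traffic
    print("ping 192.168.3.1 from f4:", is_interesting(R1_ACL, "10.1.1.1", "192.168.3.1"))
    # ping sourced from loopback 0 (192.168.1.1): matches, crypto map brings the tunnel up
    print("ping 192.168.3.1 source lo0:", is_interesting(R1_ACL, "192.168.1.1", "192.168.3.1"))
```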