IPSEC misconfiguration between two routers

dibrilouD (Level 1)

Hi everybody, I have a problem with an IPSec tunnel between two routers. When I do a ping and then use the command "show crypto ipsec sa", I have 0 packets encrypted and 0 packets decrypted too. Here is the configuration of the two routers:

Router 1: 

version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname router_outside
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login default group radius local
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key 12345 address 192.168.60.1
!
crypto ipsec transform-set 50 esp-3des esp-md5-hmac
!
crypto map MAP_SECU 10 ipsec-isakmp
 set peer 192.168.60.1
 set security-association lifetime seconds 900
 set transform-set 50
 match address 101
!
ip ssh version 2
ip domain-name hddsecu.com
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.70.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.60.2 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP_SECU
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan70
 mac-address 0060.5c7a.1c01
 no ip address
!
router ospf 1
 log-adjacency-changes
 redistribute static metric-type 1
 network 192.168.60.0 0.0.0.255 area 0
 network 192.168.70.0 0.0.0.255 area 0
!
ip classless
ip route 192.168.10.0 255.255.255.0 192.168.70.240
ip route 192.168.1.0 255.255.255.0 192.168.70.240
!
ip flow-export version 9
!
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
!
radius-server host 192.168.10.247 auth-port 1645 key 123456789
!
line con 0
!
line aux 0
!
line vty 0 4
 login authentication default
 transport input ssh
!
end

Router 2: 


Router#sh run
Building configuration...

Current configuration : 1136 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key 12345 address 192.168.60.2
!
crypto ipsec transform-set 50 esp-3des esp-md5-hmac
!
crypto map MAP_SECU 10 ipsec-isakmp
 set peer 192.168.60.2
 set security-association lifetime seconds 900
 set transform-set 50
 match address 101
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.60.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP_SECU
!
interface FastEthernet0/1
 ip address 192.168.50.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.50.0 0.0.0.255 area 0
 network 192.168.60.0 0.0.0.255 area 0
!
ip classless
!
ip flow-export version 9
!
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

Router#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MAP_SECU, local addr 192.168.60.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer 192.168.60.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.60.1, remote crypto endpt.:192.168.60.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Thank you for your help!!!

5 Replies

gaowen (Level 1)

Post

show crypto isakmp sa

What address are you pinging?

Gareth

Hi, here is the show:

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

I'm pinging one PC in my DMZ: 192.168.10.200

Your isakmp key address is wrong on both routers and your ping won't match your crypto map.

Thanks for your answer, but I think that the addresses are correctly fixed:

Router 0:
crypto isakmp key 12345 address 192.168.60.1

Router 1:
crypto isakmp key 12345 address 192.168.60.2

About the ping, I created an access list that matches any host for the moment.

Yeah, sorry, I misread the config on the isakmp addresses.

Have you tried 'debug crypto isakmp'?

Gareth
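The two symptoms in the thread, an empty "show crypto isakmp sa" table and all-zero counters with "current outbound spi: 0x0(0)", mean that phase 1 was never even attempted: an IOS router only initiates IKE once a packet matches the crypto ACL referenced by the crypto map. The ping in the thread (from the 192.168.70.0/24 side to the DMZ host 192.168.10.200, which sits behind 192.168.70.240) does not match access-list 101, which only covers 192.168.70.0/24 to 192.168.50.0/24. A second problem is visible in the configs as posted: Router 2's access-list 101 is a copy of Router 1's rather than its mirror image, so even matching traffic would fail the phase 2 proxy-ID check on the responder. The script below is an added example, not code from the thread or from Cisco; it parses the crypto-relevant lines of both configs (embedded as constructed input copied from the posts), reports the consistency problems a reviewer checks by hand, and answers "would this ping be interesting traffic?". The "ROUTER2_FIXED" variant with the mirrored ACL is a hypothetical correction. The parser understands only "permit ip" rules with "any", "host" or address/wildcard pairs, and it does not judge algorithm choice; the 3DES/MD5/group 5 policy and numeric pre-shared key in these configs are well below current guidance.

```python
"""Cross-check a pair of IOS crypto-map configurations (added example)."""
import ipaddress
import re

# Constructed input: the crypto-relevant lines of the two configs in the thread.
ROUTER1 = """\
crypto isakmp key 12345 address 192.168.60.1
crypto map MAP_SECU 10 ipsec-isakmp
 set peer 192.168.60.1
 match address 101
interface FastEthernet0/0
 ip address 192.168.70.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.60.2 255.255.255.0
 crypto map MAP_SECU
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

ROUTER2 = """\
crypto isakmp key 12345 address 192.168.60.2
crypto map MAP_SECU 10 ipsec-isakmp
 set peer 192.168.60.2
 match address 101
interface FastEthernet0/0
 ip address 192.168.60.1 255.255.255.0
 crypto map MAP_SECU
interface FastEthernet0/1
 ip address 192.168.50.1 255.255.255.0
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

# Hypothetical corrected Router 2: its crypto ACL as the mirror image of Router 1's.
ROUTER2_FIXED = ROUTER2.replace(
    "permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255",
    "permit ip 192.168.50.0 0.0.0.255 192.168.70.0 0.0.0.255")


def _acl_net(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (a hostmask) in the mask position.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(config):
    """Extract ISAKMP key address, set peer, crypto ACL name, local endpoint and ACL rules."""
    info = {"key_addr": None, "peer": None, "acl": None, "local": None, "rules": []}
    if_ip = None  # address of the interface block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            info["key_addr"] = m.group(1)
        elif m := re.match(r"set peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"match address (\S+)", line):
            info["acl"] = m.group(1)
        elif line.startswith("interface "):
            if_ip = None
        elif m := re.match(r"ip address (\S+) \S+", line):
            if_ip = m.group(1)
        elif re.fullmatch(r"crypto map \S+", line):  # crypto map applied to an interface
            info["local"] = if_ip
        elif m := re.match(r"access-list (\S+) permit ip (.+)", line):
            src, rest = _acl_net(m.group(2).split())
            dst, _ = _acl_net(rest)
            info["rules"].append((m.group(1), src, dst))
    return info


def crypto_rules(info):
    """Set of (src, dst) networks in the ACL referenced by the crypto map."""
    return {(s, d) for acl, s, d in info["rules"] if acl == info["acl"]}


def matches_crypto_acl(config, src_ip, dst_ip):
    """Would a packet src_ip -> dst_ip be 'interesting traffic' on this router?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in crypto_rules(parse(config)))


def _fmt(rules):
    return ", ".join(f"{s} -> {d}" for s, d in sorted(rules))


def check_pair(config_a, config_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(config_a), parse(config_b)
    findings = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me["key_addr"] != other["local"]:
            findings.append(f"{name}: isakmp key address {me['key_addr']} is not the "
                            f"peer's crypto-map interface {other['local']}")
        if me["peer"] != other["local"]:
            findings.append(f"{name}: set peer {me['peer']} is not the peer's "
                            f"crypto-map interface {other['local']}")
    mirrored_b = {(d, s) for s, d in crypto_rules(b)}
    if crypto_rules(a) != mirrored_b:
        findings.append("crypto ACLs are not mirror images: A has "
                        f"{_fmt(crypto_rules(a))}; B has {_fmt(crypto_rules(b))}")
    return findings


if __name__ == "__main__":
    for f in check_pair(ROUTER1, ROUTER2):
        print("finding:", f)
    # The ping from the thread: the DMZ host is not covered by ACL 101.
    print("ping 192.168.70.1 -> 192.168.10.200 is interesting traffic:",
          matches_crypto_acl(ROUTER1, "192.168.70.1", "192.168.10.200"))
    print("findings with mirrored ACL on Router 2:", check_pair(ROUTER1, ROUTER2_FIXED))
```

Run as-is it reports the single ACL-mirroring finding for the posted configs, "False" for the DMZ ping, and no findings once Router 2's ACL is mirrored. Widening the ACL to "permit ip any any", as the original poster did, makes the ping match but also sends all transit traffic into the crypto map, so a narrow, mirrored pair of ACLs covering exactly the subnets that should be protected is the setting to converge on.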