
IPSEC misconfiguration between two routers

dibrilouD
Level 1

Hi everybody, I have a problem with an IPSec tunnel between two routers. When I do a ping and then use the command "show crypto ipsec sa", I have 0 packets encrypted and 0 packets decrypted too. Here is the configuration of the two routers:

Router 1: 

version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname router_outside
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login default group radius local
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key 12345 address 192.168.60.1
!
crypto ipsec transform-set 50 esp-3des esp-md5-hmac
!
crypto map MAP_SECU 10 ipsec-isakmp
 set peer 192.168.60.1
 set security-association lifetime seconds 900
 set transform-set 50
 match address 101
!
ip ssh version 2
ip domain-name hddsecu.com
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.70.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.60.2 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP_SECU
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan70
 mac-address 0060.5c7a.1c01
 no ip address
!
router ospf 1
 log-adjacency-changes
 redistribute static metric-type 1
 network 192.168.60.0 0.0.0.255 area 0
 network 192.168.70.0 0.0.0.255 area 0
!
ip classless
ip route 192.168.10.0 255.255.255.0 192.168.70.240
ip route 192.168.1.0 255.255.255.0 192.168.70.240
!
ip flow-export version 9
!
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
!
radius-server host 192.168.10.247 auth-port 1645 key 123456789
!
line con 0
!
line aux 0
!
line vty 0 4
 login authentication default
 transport input ssh
!
end

Router 2: 


Router#sh run
Building configuration...

Current configuration : 1136 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key 12345 address 192.168.60.2
!
crypto ipsec transform-set 50 esp-3des esp-md5-hmac
!
crypto map MAP_SECU 10 ipsec-isakmp
 set peer 192.168.60.2
 set security-association lifetime seconds 900
 set transform-set 50
 match address 101
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.60.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP_SECU
!
interface FastEthernet0/1
 ip address 192.168.50.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.50.0 0.0.0.255 area 0
 network 192.168.60.0 0.0.0.255 area 0
!
ip classless
!
ip flow-export version 9
!
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

Router#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MAP_SECU, local addr 192.168.60.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer 192.168.60.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.60.1, remote crypto endpt.: 192.168.60.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Thank you for your help !!! 
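One thing worth checking first in the two configurations above: Router 2's access-list 101 is a copy of Router 1's rather than its mirror image (its "local ident" in "show crypto ipsec sa" is 192.168.70.0/24, a network that sits behind Router 1, not behind Router 2), so traffic leaving 192.168.50.0/24 never matches the crypto map on that side, and a ping to a host outside both networks matches neither side. The script below is an added example in Python, not code from the thread or from Cisco. It parses the crypto-relevant lines of both configs (copied from the posts above as constructed excerpts) and runs the static checks a reviewer makes before reaching for "debug crypto isakmp": ISAKMP key address against "set peer", "set peer" against the interface where the other side applies its crypto map, whether the two crypto ACLs mirror each other, and whether a given source/destination pair is "interesting traffic" that would trigger IKE at all. ROUTER2_FIXED, the helper names and the sample flows are assumptions made for the example.

```python
"""Static sanity checks for a pair of IOS crypto-map peers (added example)."""
import ipaddress

# Crypto-relevant lines copied from the two configs posted above
# (constructed excerpts; the rest of the running-configs is irrelevant here).
ROUTER1 = """\
crypto isakmp key 12345 address 192.168.60.1
crypto map MAP_SECU 10 ipsec-isakmp
 set peer 192.168.60.1
 match address 101
interface FastEthernet0/1
 ip address 192.168.60.2 255.255.255.0
 crypto map MAP_SECU
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

ROUTER2 = """\
crypto isakmp key 12345 address 192.168.60.2
crypto map MAP_SECU 10 ipsec-isakmp
 set peer 192.168.60.2
 match address 101
interface FastEthernet0/0
 ip address 192.168.60.1 255.255.255.0
 crypto map MAP_SECU
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

# Hypothetical corrected Router 2: its crypto ACL is the mirror image of Router 1's.
ROUTER2_FIXED = ROUTER2.replace(
    "access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255",
    "access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.70.0 0.0.0.255")


def wildcard_to_net(addr, wildcard):
    """IOS address + wildcard mask -> ip_network (wildcard is the inverted netmask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_operand(parts, i):
    """Parse one ACL address operand at parts[i]; return (network, next index)."""
    if parts[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    return wildcard_to_net(parts[i], parts[i + 1]), i + 2


def parse(config):
    """Pull out key address, peer, the local crypto endpoint and the crypto ACL."""
    info = {"key_addr": None, "peer": None, "local": None, "acl": []}
    acl_name, iface_addr = None, None
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("crypto isakmp key "):
            info["key_addr"] = parts[-1]
        elif line.startswith("set peer "):
            info["peer"] = parts[-1]
        elif line.startswith("match address "):
            acl_name = parts[-1]
        elif line.startswith("interface "):
            iface_addr = None
        elif line.startswith("ip address "):
            iface_addr = parts[2]
        elif line.startswith("crypto map ") and "ipsec-isakmp" not in line:
            info["local"] = iface_addr  # crypto map applied to this interface
        elif line.startswith("access-list ") and parts[1] == acl_name and parts[2:4] == ["permit", "ip"]:
            src, i = acl_operand(parts, 4)
            dst, _ = acl_operand(parts, i)
            info["acl"].append((src, dst))
    return info


def check_pair(cfg_a, cfg_b):
    """Findings for two crypto-map peers; an empty list means the static checks pass."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me["key_addr"] != me["peer"]:
            findings.append(f"{name}: isakmp key address {me['key_addr']} != set peer {me['peer']}")
        if me["peer"] != other["local"]:
            findings.append(f"{name}: set peer {me['peer']} is not the other side's "
                            f"crypto-map interface ({other['local']})")
    # Phase 2 proxy identities must be the reverse of each other on the two ends.
    if set(a["acl"]) != {(d, s) for s, d in b["acl"]}:
        findings.append("crypto ACLs are not mirror images: A="
                        + str([(str(s), str(d)) for s, d in a["acl"]])
                        + " B=" + str([(str(s), str(d)) for s, d in b["acl"]]))
    return findings


def is_interesting(config, src, dst):
    """True if src->dst matches this router's crypto ACL, i.e. would trigger IKE."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in parse(config)["acl"])


if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER2), ("with mirrored ACL", ROUTER2_FIXED)):
        print(f"Router 1 vs Router 2 {label}: {check_pair(ROUTER1, cfg) or 'OK'}")
    # A ping to a DMZ host outside both /24s never matches the crypto ACL, so no IKE is attempted.
    print("70.1 -> 10.200 on Router 1:", is_interesting(ROUTER1, "192.168.70.1", "192.168.10.200"))
    print("50.1 -> 70.1 on Router 2 as posted:", is_interesting(ROUTER2, "192.168.50.1", "192.168.70.1"))
```

Two caveats. These checks are purely static: once they pass, an empty "show crypto isakmp sa" after a ping that does match the ACL is what "debug crypto isakmp" is for. And they say nothing about the strength of the proposal: 3DES, MD5, DH group 5 and a five-character pre-shared key are what this lab uses, not what a production tunnel should.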

5 Replies

gaowen
Level 1

Post

show crypto isakmp sa

What address are you pinging?

Gareth

Hi, here is the show:

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

I'm pinging one PC in my DMZ: 192.168.10.200

Your isakmp key address is wrong on both routers and your ping won't match your crypto map.

Thanks for your answer, but I think that the addresses are correctly set:

Router 0:
crypto isakmp key 12345 address 192.168.60.1

Router 1:
crypto isakmp key 12345 address 192.168.60.2

About the ping, I made an access list which matches any host for the moment.

Yeah, sorry, I misread the config on the isakmp addresses.

Have you tried 'debug crypto isakmp'?

Gareth
