IPSec SA not initializing (L2L Tunnel)

RicardoSN
Level 1

Hello guys.

I'm practicing IKEv1 tunnels and trying to set up an IPsec tunnel to pass LAN traffic through the tunnel between the two sites, and I also want the LAN network on each side to be able to reach "the internet" (I'm using NAT overload for this).

The PCs on site 1 and site 2 are able to reach the internet, but they cannot communicate between each other's LAN networks.

I left the Packet Tracer file attached; please try to help me find out what I'm missing.

Note: By "Internet" I mean IP 8.8.8.8, which is configured on the Internet cloud.

Ping from Site1PC1 to Site2PC1

Packet Tracer PC Command Line 1.0
C:\>ping 192.168.20.1

Pinging 192.168.20.1 with 32 bytes of data:

Reply from 10.5.50.1: Destination host unreachable.
Reply from 10.5.50.1: Destination host unreachable.
Reply from 10.5.50.1: Destination host unreachable.
Reply from 10.5.50.1: Destination host unreachable.

Ping statistics for 192.168.20.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

HERE ARE MY CONFIGS:

Router Site 1

crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key MYKEY address 200.200.20.2
!
crypto ipsec transform-set MYTS esp-aes 256 esp-sha-hmac
!
crypto map MYCRYMAP 10 ipsec-isakmp
 set peer 200.200.20.2
 set transform-set MYTS
 match address 100
!
interface GigabitEthernet0/0/0
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/1
 ip address 189.150.50.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map MYCRYMAP
!
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 189.150.50.1
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255

Router Site 2

crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key MYKEY address 189.150.50.2
!
crypto ipsec transform-set MYTS esp-aes 256 esp-sha-hmac
!
crypto map MYCRYMAP 10 ipsec-isakmp
 set peer 189.150.50.2
 set transform-set MYTS
 match address 100
!
interface GigabitEthernet0/0/0
 ip address 200.200.20.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map MYCRYMAP
!
interface GigabitEthernet0/0/1
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.200.20.1
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

Thanks in advance!

-Ricardo S.N., Regards!
Accepted Solution

Hi,
I cannot access your attachment. My guess is that the traffic between Site 1 and Site 2 is being natted; you should replace the NAT ACL (1) and deny traffic between the Site 1 and Site 2 networks, permitting all other traffic. Replace the ACL on both routers (change the source/destination as appropriate).

E.g.:
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any

ip nat inside source list 101 interface GigabitEthernet0/0/0 overload

Testing without NAT configured would confirm whether it's actually a NAT issue; if not, then please provide some debugs of IKEv1/ISAKMP.

HTH


2 Replies

Hello RJI,

Your guess was right.

Site 1's LAN traffic was being natted to reach the Internet even when the traffic wasn't meant for that, but for the other site's LAN.

I was able to figure it out like 30 min ago by inspecting the packets with the "simulation" Packet Tracer tool.

What also gave me a clue was that by enabling "debug crypto isakmp" on both routers, I wasn't getting anything at all, which indicated that probably the ACL on the crypto map wasn't even matching.

Your response helped me a lot tho, I was still trying to figure out how to correct the NAT ACL! :)

-Ricardo S.N., Regards!
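The mechanism behind both the accepted answer and Ricardo's "debug crypto isakmp shows nothing" observation, modelled as an added example (not code from the thread or from Cisco): on IOS the inside-to-outside path applies NAT before the crypto map's ACL is evaluated, so with the original standard ACL 1 the crypto ACL sees the PAT address and never matches, while the NAT-exempt ACL 101 leaves the LAN source intact so the tunnel is triggered. The wildcard-mask matcher and the simplified forwarding function are assumptions of this model; the addresses and ACLs are the ones posted above, taken from Site 1's point of view.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: tuple    # (network, wildcard); ANY below means "any"
    dst: tuple


def acl_lookup(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
SITE1 = ("192.168.10.0", "0.0.0.255")
SITE2 = ("192.168.20.0", "0.0.0.255")
OUTSIDE_IP = "189.150.50.2"  # Site 1 Gi0/0/1, the PAT (overload) address

# Crypto ACL 100 from the Site 1 config.
CRYPTO_ACL = [Ace("permit", SITE1, SITE2)]
# Original NAT ACL 1: a standard ACL, so it only looks at the source.
NAT_ACL_ORIGINAL = [Ace("permit", SITE1, ANY)]
# NAT ACL from the accepted answer, written for Site 1's direction.
NAT_ACL_FIXED = [Ace("deny", SITE1, SITE2), Ace("permit", SITE1, ANY)]


def forward_inside_to_outside(nat_acl: list, src: str, dst: str):
    """Simplified IOS inside->outside order of operations (assumed model):
    NAT translation happens first, then the crypto map ACL is checked
    against the post-NAT source. Returns (source seen by crypto, encrypted?)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP  # PAT rewrites the LAN source to the outside address
    encrypted = acl_lookup(CRYPTO_ACL, src, dst) == "permit"
    return src, encrypted
```

With ACL 1 the site-to-site packet leaves as 189.150.50.2 in clear text toward the default route, which is why no ISAKMP debug ever fires; with ACL 101 only the internet-bound traffic is translated.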