08-14-2012 12:45 PM - edited 02-21-2020 06:16 PM
One site-to-site VPN works with no problem, but when I add the second peer on the hub router it does not connect. There is no routing in place; all routers are connected to the same switch, and with no crypto map they can both ping 192.168.2.1. With the crypto map, only 192.168.2.2 can ping 192.168.2.1. I am at a loss as to what I am doing wrong; this seems simple, I just add the entry to Test with a different number, but it will not work.
Please ask any other question you can think of. I followed the same commands on both spoke routers, so it seems like it would be in the hub router, but it has me beat as to why.
Thanks for the help.
Hub router:
----------------------------------------------------------------------------------------------------------------------------------------------
r1#sh crypto map
Crypto Map Test 1 ipsec-isakmp
Peer = 192.168.2.2
Extended IP access list 110
access-list 110 permit ip any any
Current peer: 192.168.2.2
Security association lifetime: 4608000 kilobytes/86400 seconds
PFS (Y/N): N
Transform sets={
Test,
}
Interfaces using crypto map Test:
FastEthernet0/0
Crypto Map Test 2 ipsec-isakmp
Peer = 192.168.2.3
Extended IP access list 110
access-list 110 permit ip any any
Current peer: 192.168.2.3
Security association lifetime: 4608000 kilobytes/86400 seconds
PFS (Y/N): N
Transform sets={
Test,
}
Interfaces using crypto map Test:
FastEthernet0/0
---------------------------------------------------------------------------------------------------------------------------------------------
r2#sh crypto map
Crypto Map Test 1 ipsec-isakmp
Peer = 192.168.2.1
Extended IP access list 110
access-list 110 permit ip any any
Current peer: 192.168.2.1
Security association lifetime: 4608000 kilobytes/86400 seconds
PFS (Y/N): N
Transform sets={
Test,
}
Interfaces using crypto map Test:
FastEthernet0/0
----------------------------------------------------------------------------------------------------------------------------------------------
r3#sh crypto map
Crypto Map Test 1 ipsec-isakmp
Peer = 192.168.2.1
Extended IP access list 110
access-list 110 permit ip any any
Current peer: 192.168.2.1
Security association lifetime: 4608000 kilobytes/86400 seconds
PFS (Y/N): N
Transform sets={
Test,
}
Interfaces using crypto map Test:
FastEthernet0/0
08-14-2012 01:29 PM
Your crypto-ACLs are wrong. As a rule of thumb: "never use 'any' in a crypto ACL unless you really know what you do ..."
What you need:
1) On R1 (your hub) you need two crypto-ACLs. One for the connection to R2, one for the connection to R3. In these ACLs you permit the ip-traffic from your local LAN to the remote Network.
2) On R2 and R3 you use an ACL that is exactly the mirror to the ACL of R1.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-14-2012 01:40 PM
I thought for sure I could use any any; does the router get confused? The whole reason I used any any was to eliminate any access-list problems, to make sure the VPN config worked.
So I need to have these on the hub? They are in the same subnet:
access-list 101 permit ip 192.168.2.1 0.0.0.1 192.168.2.2 0.0.0.1
access-list 101 permit ip 192.168.2.1 0.0.0.1 192.168.2.3 0.0.0.1
Then on the remote router? That seems very strange:
access-list 101 permit ip 192.168.2.2 0.0.0.1 192.168.2.1 0.0.0.1
08-14-2012 01:47 PM
I thought for sure I could use any any; does the router get confused? The whole reason I used any any was to eliminate any access-list problems, to make sure the VPN config worked.
One reason the router is confused is that, with the first "ip any any", all traffic has to be processed by that first VPN. Then there is no more traffic for the second VPN.
You need *two* ACLs on the hub (the IP and mask wouldn't work):
access-list 101 permit ip host 192.168.2.1 host 192.168.2.2
access-list 102 permit ip host 192.168.2.1 host 192.168.2.3
The ACL for R2 is correct if you change the mask. Traffic from its IP to the hub IP should be encrypted.
BTW: normally the crypto definition is your local LAN to the remote LAN. With your definition you only encrypt the router-to-router communication.
08-15-2012 08:32 AM
OK, I cannot ping anything now. Can you see any other obvious problems? It seems like I should be close and must be missing something simple.
Thanks for the help, by the way.
hostname r1
!
!
!
!
!
!
!
!
crypto isakmp policy 9
authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.2
crypto isakmp key Test1234 address 192.168.2.3
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
set peer 192.168.2.2
set security-association lifetime seconds 86400
set transform-set Test
match address 110
!
crypto map Test 2 ipsec-isakmp
set peer 192.168.2.3
set security-association lifetime seconds 86400
set transform-set Test
match address 111
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
crypto map Test
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
access-list 111 permit ip host 192.168.2.1 host 192.168.2.3
access-list 110 permit ip host 192.168.2.1 host 192.168.2.2
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
-------------------------------------------------------------------------------------------------------------
hostname r2
!
!
!
!
!
!
!
!
crypto isakmp policy 9
authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
set peer 192.168.2.1
set security-association lifetime seconds 86400
set transform-set Test
match address 110
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
crypto map Test
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
access-list 110 permit ip host 192.168.2.2 host 192.168.2.1
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
-------------------------------------------------------------------------------------------------------------
hostname r2
!
!
!
!
!
!
!
!
crypto isakmp policy 9
authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
set peer 192.168.2.1
set security-association lifetime seconds 86400
set transform-set Test
match address 110
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
crypto map Test
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
access-list 110 permit ip host 192.168.2.2 host 192.168.2.1
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
08-16-2012 02:11 PM
You pasted the R2 config two times.
How did you test it? For ping tests, enable "debug ip icmp" on all devices to see if you have a problem in sending or in receiving.
After pinging, do the counters in "show crypto ipsec sa" increment?
08-20-2012 09:02 AM
Sorry about that. Yeah, I was trying to do ping tests between them. Thanks for the help; I will try what you posted.
hostname r3
!
!
!
!
!
!
!
!
crypto isakmp policy 9
authentication pre-share
!
crypto isakmp key Test1234 address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
set peer 192.168.2.1
set security-association lifetime seconds 86400
set transform-set Test
match address 110
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.3 255.255.255.0
duplex auto
speed auto
crypto map Test
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
access-list 110 permit ip host 192.168.2.3 host 192.168.2.1
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
08-20-2012 01:05 PM
There is a typo in the ip-address for the PSK on R3.
08-23-2012 08:31 AM
Ahhh geez man, I cannot believe I did that; always something simple getting me. Thank you for your help.
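As an added example that is not part of the thread and not Cisco code: a small Python linter that models the three mistakes the answers above point at on trimmed IOS config snippets. It reproduces how a crypto map is evaluated (the lowest sequence number whose ACL permits the packet wins, so an "any any" ACL on entry 1 swallows the traffic meant for entry 2), checks that a spoke's crypto ACL is the exact mirror of the hub's entry for that spoke, and flags an isakmp key whose address matches no configured peer (the R3 typo). The function names, the check logic and the snippets are assumptions of this example; the snippets are constructed from the configs posted in the thread, and the parser only understands the handful of commands those configs use.

```python
# Added example (not from the thread, not Cisco code): a linter for the crypto-map
# mistakes discussed above. Function names and check logic are this example's own.
from ipaddress import ip_address, ip_network

# Constructed snippets, cut down from the configs posted in the thread.
HUB = """
crypto isakmp key Test1234 address 192.168.2.2
crypto isakmp key Test1234 address 192.168.2.3
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 match address 110
crypto map Test 2 ipsec-isakmp
 set peer 192.168.2.3
 match address {acl2}
"""
HUB_ANY = HUB.format(acl2=110) + "access-list 110 permit ip any any\n"
HUB_FIXED = HUB.format(acl2=111) + ("access-list 110 permit ip host 192.168.2.1 host 192.168.2.2\n"
                                     "access-list 111 permit ip host 192.168.2.1 host 192.168.2.3\n")
SPOKE = """
crypto isakmp key Test1234 address {hub}
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 match address 110
access-list 110 permit ip host {me} host 192.168.2.1
"""
R2_OK = SPOKE.format(hub="192.168.2.1", me="192.168.2.2")
R3_TYPO = SPOKE.format(hub="192.168.3.1", me="192.168.2.3")  # the PSK address typo from the thread


def _net(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) as an ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are hostmasks, which ipaddress accepts after the slash
    return ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse(cfg):
    """Return (psk_addresses, crypto-map entries sorted by seq, acl -> [(src, dst)])."""
    psk, entries, acls, cur = set(), [], {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:3] == ["crypto", "isakmp", "key"]:
            psk.add(tok[tok.index("address") + 1])
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5:  # "crypto map NAME SEQ ipsec-isakmp"
            cur = {"seq": int(tok[3]), "peer": None, "acl": None}
            entries.append(cur)
        elif tok[:2] == ["set", "peer"] and cur:
            cur["peer"] = tok[2]
        elif tok[:2] == ["match", "address"] and cur:
            cur["acl"] = tok[2]
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            rest = tok[4:]  # only "permit ip SRC DST" lines are modelled here
            acls.setdefault(tok[1], []).append((_net(rest), _net(rest)))
    entries.sort(key=lambda e: e["seq"])
    return psk, entries, acls


def select_entry(parsed, src, dst):
    """First crypto-map entry (lowest seq) whose ACL permits src -> dst, as IOS evaluates them."""
    _, entries, acls = parsed
    s, d = ip_address(src), ip_address(dst)
    for e in entries:
        if any(s in sn and d in dn for sn, dn in acls.get(e["acl"], [])):
            return e["seq"], e["peer"]
    return None  # not "interesting" traffic: it leaves in the clear


def lint(parsed):
    """Findings: entries shadowed by an earlier ACL, PSK addresses without a peer, peers without a PSK."""
    psk, entries, acls = parsed
    findings, seen = [], []
    for e in entries:
        nets = acls.get(e["acl"], [])
        for prev_seq, prev_nets in seen:
            covered = all(any(sn.subnet_of(ps) and dn.subnet_of(pd) for ps, pd in prev_nets)
                          for sn, dn in nets)
            if nets and covered:
                findings.append(f"entry {e['seq']} (peer {e['peer']}) is shadowed by entry "
                                f"{prev_seq}: its traffic always matches the earlier ACL")
                break
        seen.append((e["seq"], nets))
    peers = {e["peer"] for e in entries}
    findings += [f"isakmp key bound to {a} but no crypto-map entry peers with it" for a in sorted(psk - peers)]
    findings += [f"peer {p} has no isakmp key" for p in sorted(peers - psk)]
    return findings


def is_mirror(hub, spoke, spoke_addr):
    """True when the hub entry peering with spoke_addr carries exactly the spoke's ACL reversed."""
    _, h_entries, h_acls = hub
    _, s_entries, s_acls = spoke
    hub_nets = [n for e in h_entries if e["peer"] == spoke_addr for n in h_acls.get(e["acl"], [])]
    spoke_rev = [(d, s) for e in s_entries for s, d in s_acls.get(e["acl"], [])]
    return bool(hub_nets) and sorted(map(str, hub_nets)) == sorted(map(str, spoke_rev))


if __name__ == "__main__":
    print("any/any hub sends 192.168.2.1 -> 192.168.2.3 via:", select_entry(parse(HUB_ANY), "192.168.2.1", "192.168.2.3"))
    for name, cfg in [("HUB_ANY", HUB_ANY), ("HUB_FIXED", HUB_FIXED), ("R3", R3_TYPO)]:
        print(name, lint(parse(cfg)))
    print("R2 mirrors fixed hub:", is_mirror(parse(HUB_FIXED), parse(R2_OK), "192.168.2.2"))
```

Running it shows why the original hub config fails: with `access-list 110 permit ip any any` on both entries, a packet for 192.168.2.3 is matched by entry 1 and handed to peer 192.168.2.2, and the linter reports entry 2 as shadowed. With the per-peer host ACLs the same packet selects entry 2, R2's ACL is the exact mirror of the hub's entry 1, and the only remaining finding is on R3, whose isakmp key is bound to 192.168.3.1 while its crypto map peers with 192.168.2.1. The wildcard form from the thread (`192.168.2.1 0.0.0.1`) parses to 192.168.2.0/31, which is why it is not a mirror of a `host` ACL on the other side.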