07-09-2011 01:30 PM
I can't seem to get an IPsec site-to-site lab VPN tunnel started, or any packets to cross the VPN tunnel.
Can you take a look and see what I am doing wrong? Any ideas on how to troubleshoot this would be great!
More info needed?
===============================================================
CCC#sh crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
CCC#
===============================================================
CCC#sh crypto map
Crypto Map "aesmap" 10 ipsec-isakmp
Peer = 100.0.0.2
Extended IP access list acl_vpn
access-list acl_vpn permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Current peer: 100.0.0.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ aes-sha-transform, }
Interfaces using crypto map aesmap:
Serial0/0
CCC#
================================================================
CCC#sh crypto ipsec sa
interface: Serial0/0
Crypto map tag: aesmap, local addr. 100.0.0.1
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 100.0.0.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 100.0.0.1, remote crypto endpt.: 100.0.0.2
path mtu 1500, ip mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
====================================================
CCC#sh crypto isakmp sa
dst src state conn-id slot
CCC#
==========================================================
CCC#sh ip route
Gateway of last resort is not set
100.0.0.0/24 is subnetted, 1 subnets
C 100.0.0.0 is directly connected, Serial0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
R 192.168.2.0/24 [120/1] via 100.0.0.2, 00:00:04, Serial0/0
==========================================================
Router 1: 2651XM
CCC#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK8S-M), Version 12.2(24), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 28-Apr-04 15:30 by kellmill
Image text-base: 0x8000808C, data-base: 0x8128C7D8
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
CCC uptime is 1 hour, 48 minutes
System returned to ROM by reload
System image file is "flash:flash[A"
Building configuration...
Current configuration : 1001 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CCC
!
!
ip subnet-zero
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key testkey123 address 100.0.0.2
!
!
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
!
!
crypto map aesmap 10 ipsec-isakmp
set peer 100.0.0.2
set transform-set aes-sha-transform
match address acl_vpn
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 100.0.0.1 255.255.255.0
clockrate 250000
crypto map aesmap
!
interface FastEthernet0/1
ip address 10.10.10.10 255.0.0.0
duplex auto
speed auto
!
router rip
network 100.0.0.0
network 192.168.1.0
!
ip classless
no ip http server
!
!
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
===================================================
Router 2: 2502
outoffice#sh run
Building configuration...
Current configuration : 1404 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname outoffice
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key testkey123 address 100.0.0.1
!
!
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer 100.0.0.1
set transform-set aes-sha-transform
match address acl_vpn
!
!
!
!
interface Ethernet0
ip address 192.168.2.1 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Serial0
ip address 100.0.0.2 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map aesmap
!
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface BRI0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
isdn x25 static-tei 0
cdapi buffers regular 0
cdapi buffers raw 0
cdapi buffers large 0
!
router rip
network 100.0.0.0
network 192.168.2.0
!
ip kerberos source-interface any
ip classless
no ip http server
!
!
ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
transport input none
line aux 0
transport input all
line vty 0 4
login
!
end
07-09-2011 08:11 PM
Hi David,
Please change the transform set to 3des-sha
Please make the following changes on both routers:
crypto ipsec transform-set 3des-sha-transform esp-3des esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
no set transform-set aes-sha-transform
set transform-set 3des-sha-transform
Initiate traffic and let me know if it works for you.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
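The cross-checks a practitioner would run on the two running-configs before touching the transform set, as an added example that is not code from the thread or from Cisco. It parses the crypto-relevant lines out of constructed, abbreviated copies of both configs posted above, then checks each side against the other: a crypto map whose "set transform-set" names a transform-set the same config never defines (a mistyped name), "set peer" pointing at an address that is not the other side's crypto-map interface, pre-shared keys that are missing or differ, no transform proposal in common, and a crypto ACL that is not the mirror image of the peer's. It also evaluates the crypto ACL with IOS wildcard-mask semantics to show which source/destination pairs count as interesting traffic. All function names and the dictionary layout are my own; the parser understands only the network/wildcard ACL form used in these configs.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, abbreviated copies of the crypto-relevant lines of both running-configs
# posted above (sample input, not pulled from a live device).
CCC_CFG = """\
crypto isakmp key testkey123 address 100.0.0.2
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer 100.0.0.2
 set transform-set aes-sha-transform
 match address acl_vpn
interface Serial0/0
 ip address 100.0.0.1 255.255.255.0
 crypto map aesmap
ip access-list extended acl_vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
OUTOFFICE_CFG = """\
crypto isakmp key testkey123 address 100.0.0.1
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set aes-sha-transform
 match address acl_vpn
interface Serial0
 ip address 100.0.0.2 255.255.255.0
 crypto map aesmap
ip access-list extended acl_vpn
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
FIELD = {"set peer": "peer", "match address": "acl", "ip address": "ip", "crypto map": "map"}

def parse_config(text):
    """Pull out keys, transform-sets, crypto maps, interfaces and ACLs; indented lines belong to the block above."""
    cfg = {"keys": {}, "tsets": {}, "maps": {}, "ifaces": {}, "acls": defaultdict(list)}
    blk = None  # dict (crypto map / interface) or list (ACL) currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a global config line ends the previous block
            blk = None
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                cfg["keys"][m[2]] = m[1]
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                cfg["tsets"][m[1]] = frozenset(m[2].split())
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                blk = cfg["maps"][f"{m[1]} {m[2]}"] = {"name": m[1], "tsets": []}
            elif m := re.match(r"interface (\S+)", line):
                blk = cfg["ifaces"][m[1]] = {}
            elif m := re.match(r"ip access-list extended (\S+)", line):
                blk = cfg["acls"][m[1]]
        elif isinstance(blk, list):  # ACL body; only the network/wildcard form is understood
            if m := re.match(r"(permit|deny) (\S+) (\S+) (\S+) (\S+) (\S+)", line):
                blk.append(m.groups())
        elif blk is not None:  # crypto map or interface body
            if m := re.match(r"set transform-set (.+)", line):
                blk["tsets"] = m[1].split()
            elif m := re.match(r"(set peer|match address|ip address|crypto map) (\S+)", line):
                blk[FIELD[m[1]]] = m[2]
    return cfg

def wildcard_match(addr, net, wc):  # IOS wildcard mask: a 1 bit means "don't care"
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    return a & ~w == n & ~w

def acl_permits(entries, src, dst):  # first match wins, implicit deny at the end
    for action, _proto, s, sw, d, dw in entries:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def endpoints(cfg):  # crypto-map name -> address of the interface it is applied to
    return {i["map"]: i["ip"] for i in cfg["ifaces"].values() if "map" in i and "ip" in i}

def check_pair(a, b):
    """Mismatches between two peers' configs; an empty list means they agree."""
    out = []
    for side, loc, rem in (("A", a, b), ("B", b, a)):
        rem_props = {rem["tsets"][t] for cm in rem["maps"].values() for t in cm["tsets"] if t in rem["tsets"]}
        rem_sel = {e[2:] for cm in rem["maps"].values() for e in rem["acls"].get(cm.get("acl"), []) if e[0] == "permit"}
        for entry, cm in loc["maps"].items():
            for t in cm["tsets"]:
                if t not in loc["tsets"]:
                    out.append(f"{side}: crypto map {entry} names undefined transform-set {t}")
            ep, peer = endpoints(loc).get(cm["name"]), cm.get("peer")
            if peer not in endpoints(rem).values():
                out.append(f"{side}: set peer {peer} is not the other side's crypto endpoint")
            if loc["keys"].get(peer) is None or loc["keys"].get(peer) != rem["keys"].get(ep):
                out.append(f"{side}: pre-shared key for {peer} is missing or differs from the other side's key for {ep}")
            if not {loc["tsets"][t] for t in cm["tsets"] if t in loc["tsets"]} & rem_props:
                out.append(f"{side}: crypto map {entry} shares no transform proposal with the other side")
            mirror = {(d, dw, s, sw) for act, _p, s, sw, d, dw in loc["acls"].get(cm.get("acl"), []) if act == "permit"}
            if mirror != rem_sel:
                out.append(f"{side}: crypto ACL {cm.get('acl')} is not the mirror image of the other side's")
    return out
```

Run against the two configs as posted, check_pair(parse_config(CCC_CFG), parse_config(OUTOFFICE_CFG)) returns an empty list: peers, keys, proposals and ACLs all agree, which is consistent with the empty "sh crypto isakmp sa" output meaning phase 1 was never attempted rather than that it failed. acl_permits(..., "100.0.0.1", "192.168.2.1") returns False while acl_permits(..., "192.168.1.1", "192.168.2.1") returns True: a plain "ping 192.168.2.1" from CCC's exec prompt is sourced from the Serial0/0 address and never matches acl_vpn, so it does not trigger the tunnel; use an extended ping sourced from 192.168.1.1 (or a host behind FastEthernet0/0) and then re-check the encaps/decaps counters. Feeding the script a copy of the config with "set transform-set" pointing at a name that is never defined produces the "undefined transform-set" and "shares no transform proposal" findings on both sides.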