
IPsec site-to-site lab VPN tunnel setup not working

david.santel
Level 1

I can't seem to get an IPsec site-to-site lab VPN tunnel started or any packets to cross the VPN tunnel...

Can you take a look and see what I am doing wrong? Any ideas on how to troubleshoot this would be great!

More info needed?

===============================================================

CCC#sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

CCC#

===============================================================

CCC#sh crypto map
Crypto Map "aesmap" 10 ipsec-isakmp
        Peer = 100.0.0.2
        Extended IP access list acl_vpn
            access-list acl_vpn permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
        Current peer: 100.0.0.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ aes-sha-transform, }
        Interfaces using crypto map aesmap:
                Serial0/0

CCC#

================================================================

CCC#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: aesmap, local addr. 100.0.0.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 100.0.0.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 100.0.0.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

====================================================

CCC#sh crypto isakmp sa
dst             src             state           conn-id    slot

CCC#

==========================================================

CCC#sh ip route

Gateway of last resort is not set

     100.0.0.0/24 is subnetted, 1 subnets
C       100.0.0.0 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
R    192.168.2.0/24 [120/1] via 100.0.0.2, 00:00:04, Serial0/0

==========================================================

Router 1: 2651XM

CCC#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK8S-M), Version 12.2(24), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 28-Apr-04 15:30 by kellmill
Image text-base: 0x8000808C, data-base: 0x8128C7D8

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

CCC uptime is 1 hour, 48 minutes
System returned to ROM by reload
System image file is "flash:flash[A"

Building configuration...

Current configuration : 1001 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CCC
!
!
ip subnet-zero
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key testkey123 address 100.0.0.2
!
!
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
!
!
crypto map aesmap 10 ipsec-isakmp
set peer 100.0.0.2
set transform-set aes-sha-transform
match address acl_vpn
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 100.0.0.1 255.255.255.0
clockrate 250000
crypto map aesmap
!
interface FastEthernet0/1
ip address 10.10.10.10 255.0.0.0
duplex auto
speed auto
!
router rip
network 100.0.0.0
network 192.168.1.0
!
ip classless
no ip http server
!
!
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

===================================================

Router 2 - 2502

outoffice#sh run
Building configuration...

Current configuration : 1404 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname outoffice
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key testkey123 address 100.0.0.1
!
!
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer 100.0.0.1
set transform-set aes-sha-transform
match address acl_vpn
!
!
!
!
interface Ethernet0
ip address 192.168.2.1 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Serial0
ip address 100.0.0.2 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map aesmap
!
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface BRI0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
isdn x25 static-tei 0
cdapi buffers regular 0
cdapi buffers raw 0
cdapi buffers large 0
!
router rip
network 100.0.0.0
network 192.168.2.0
!
ip kerberos source-interface any
ip classless
no ip http server
!
!
ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
transport input none
line aux 0
transport input all
line vty 0 4
login
!
end

andamani
Cisco Employee

Hi David,

Please change the transform set to 3des-sha

Please do the following changes on both the routers:

crypto ipsec transform-set 3des-sha-transform esp-3des esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
     no set transform-set aes-sha-transform
     set transform-set 3des-sha-transform

Initiate traffic and let me know if it works for you.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
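As an added example (not from the thread or from Cisco), the following Python checker parses the crypto-relevant lines of both posted configs and reports what a peer-consistency review looks for: matching pre-shared key, key bound to the configured peer, a transform-set name that is actually defined, identical transform sets on both ends, mirror-image crypto ACLs, and weak ESP transforms such as the esp-des inside the posted aes-sha-transform. The config excerpts are constructed from the thread, apply_fix reproduces the reply's transform-set change, and the checker only validates configuration consistency; it cannot say why the posted show output has no ISAKMP SA.

```python
import re
# Constructed excerpts (crypto-relevant lines only) of the two router configs posted in the thread.
CCC = """crypto isakmp key testkey123 address 100.0.0.2
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer 100.0.0.2
 set transform-set aes-sha-transform
ip access-list extended acl_vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""
OUTOFFICE = """crypto isakmp key testkey123 address 100.0.0.1
crypto ipsec transform-set aes-sha-transform esp-des esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set aes-sha-transform
ip access-list extended acl_vpn
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"""
# ESP transforms a defender should not accept; esp-3des is legacy too, but it is what the reply suggests.
WEAK = {"esp-des": "single DES", "esp-md5-hmac": "MD5 integrity", "esp-null": "no encryption"}
def parse(cfg):
    """Extract what the peer-consistency checks need from one running-config text."""
    key, key_addr = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg).groups()
    src, dst = re.search(r"permit ip (\S+ \S+) (\S+ \S+)", cfg).groups()
    return {"key": key, "key_addr": key_addr, "src": src, "dst": dst,
            "ts": {n: set(a.split()) for n, a in re.findall(r"ipsec transform-set (\S+) (.+)", cfg)},
            "peer": re.search(r"^\s*set peer (\S+)", cfg, re.M).group(1),
            "map_ts": re.search(r"^\s*set transform-set (\S+)", cfg, re.M).group(1)}

def check(a, b):
    """Findings for a pair of peer configs; an empty list means they agree and use no weak transform."""
    issues = []
    if a["key"] != b["key"]:
        issues.append("pre-shared keys differ")
    for side, f in (("A", a), ("B", b)):
        if f["key_addr"] != f["peer"]:
            issues.append(f"{side}: isakmp key is bound to {f['key_addr']} but crypto map peer is {f['peer']}")
        if f["map_ts"] not in f["ts"]:
            issues.append(f"{side}: crypto map uses undefined transform-set {f['map_ts']}")
    ta, tb = a["ts"].get(a["map_ts"], set()), b["ts"].get(b["map_ts"], set())
    if ta != tb:
        issues.append(f"transform sets differ: {sorted(ta)} vs {sorted(tb)}")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        issues.append("crypto ACLs are not mirror images of each other")
    issues += [f"weak transform {t}: {WEAK[t]}" for t in sorted(ta | tb) if t in WEAK]
    return issues

def apply_fix(cfg, name="3des-sha-transform", algs="esp-3des esp-sha-hmac"):
    """The reply's change: define a replacement transform-set and point the crypto map at it."""
    cfg = re.sub(r"ipsec transform-set \S+ .+", f"ipsec transform-set {name} {algs}", cfg)
    return re.sub(r"^(\s*set transform-set )\S+", rf"\g<1>{name}", cfg, flags=re.M)
```

Running check(parse(CCC), parse(OUTOFFICE)) on the posted configs reports only the esp-des finding, and a mistyped transform-set name in the crypto map (as in "3aes-sha-transform") is reported as undefined.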