05-09-2019 08:06 AM - edited 02-21-2020 09:38 PM
Hi All,
Need help in IPsec config.
ISAKMP is not up and there is no traffic in IPsec. Please help, thanks.
Below is my config.
Topology:
Site A >> Cloud >>> Site B (EIGRP configured)
Able to ping both sides' VPN'ed traffic but unable to see ISAKMP peers and IPsec traffic.
Site A Config :
=======================
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco@123 address 90.0.0.2
!
!
crypto ipsec transform-set TS ah-md5-hmac esp-des
!
crypto map ipsec1 100 ipsec-isakmp
set peer 90.0.0.2
set security-association lifetime seconds 36000
set transform-set TS
match address 101
!
!
!
interface Tunnel1
ip address 172.168.0.2 255.255.0.0
tunnel source Serial0
tunnel destination 90.0.0.2
!
interface FastEthernet0
ip address 10.0.0.1 255.0.0.0
speed auto
!
interface Serial0
ip address 50.0.0.1 255.0.0.0
crypto map ipsec1
!
router eigrp 100
network 10.0.0.0
network 50.0.0.0
network 172.168.0.0
auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 90.0.0.2
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
Site B Config :
=================
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco@123 address 50.0.0.1
!
!
crypto ipsec transform-set TS ah-md5-hmac esp-des
!
crypto map ipsec 100 ipsec-isakmp
set peer 50.0.0.1
set security-association lifetime seconds 36000
set transform-set TS
match address 101
!
!
!
interface Tunnel1
ip address 172.168.0.1 255.255.0.0
tunnel source Serial0
tunnel destination 50.0.0.1
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
speed auto
!
interface Serial0
ip address 90.0.0.2 255.0.0.0
crypto map ipsec
router eigrp 100
network 90.0.0.0
network 172.168.0.0
network 192.168.0.0
auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.0.0.1
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
====
Site A output:
SiteA#ping 192.168.0.3 source serial 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
Packet sent with a source address of 50.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/76/132 ms
SiteA#sh crypto isakmp sa
dst src state conn-id slot status
SiteA#sh crypto ipsec sa
interface: Serial0
Crypto map tag: ipsec1, local addr 50.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 90.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 50.0.0.1, remote crypto endpt.: 90.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
SiteA#sh crypto session
Crypto session current status
Interface: Serial0
Session status: DOWN
Peer: 90.0.0.2 port 500
IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
Site B output:
SiteB#ping 10.0.0.2 source se 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 90.0.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/92/128 ms
SiteB#sh crypto isakmp sa
dst src state conn-id slot status
SiteB#sh crypto ipsec sa
interface: Serial0
Crypto map tag: ipsec, local addr 90.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 50.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 90.0.0.2, remote crypto endpt.: 50.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
05-09-2019 08:25 AM - edited 05-09-2019 08:27 AM
Hi,
Do you have NAT configured? Is all local traffic being NATted by the outside interface?
If so, you need to ensure traffic destined to the remote network is not NATted: add a deny rule at the top of the ACL (above the permit rule).
If that is not the case, please enable debugs (debug crypto isakmp) and upload the output here for review.
HTH
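The following is an added worked example, not code from either post. It models the wildcard-mask classification an IOS crypto map (and a NAT rule) performs and feeds it the packets that actually reach Serial0 at Site A: the poster's own test ping sourced from 50.0.0.1, a LAN-to-LAN packet before and after Tunnel1 wraps it in GRE, and the NAT case the reply describes. The assumptions are that the route to 192.168.0.0/24 is learned by EIGRP over Tunnel1 (so LAN traffic is GRE-encapsulated, outer header 50.0.0.1 to 90.0.0.2, before the crypto map on Serial0 ever inspects it), that a crypto ACL of `permit gre host 50.0.0.1 host 90.0.0.2` is the assumed alternative for protecting a GRE tunnel with a crypto map on the physical interface, and that the NAT ACL, the Internet destination 203.0.113.10, and the LAN host 10.0.0.2 are constructed for illustration; none of them appear in the thread.

```python
"""Model of IOS access-list classification applied to the thread's flows.

Added example, not from the thread. Assumes the route to 192.168.0.0/24 is
learned over Tunnel1 (GRE), and that the NAT ACL below is a constructed
illustration of the reply's advice rather than config from the post.
"""
import ipaddress
from dataclasses import dataclass

IP_PROTO = {"ip": None, "gre": 47, "icmp": 1, "tcp": 6, "udp": 17}
ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any' keyword
HOST_WILD = "0.0.0.0"                   # IOS 'host' keyword


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action proto src src_wild dst dst_wild."""
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str


@dataclass(frozen=True)
class Packet:
    """Outer IP header as seen by the interface the crypto map is applied to."""
    src: str
    dst: str
    proto: int


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def acl_lookup(acl: list[Ace], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        want = IP_PROTO[ace.proto]
        if (want is None or want == pkt.proto) \
                and wildcard_match(pkt.src, ace.src, ace.src_wild) \
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def gre_encapsulate(pkt: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """What Tunnel1 does to a routed packet: the crypto map on Serial0 only
    sees the new outer header (protocol 47), never the inner LAN addresses."""
    return Packet(src=tunnel_src, dst=tunnel_dst, proto=IP_PROTO["gre"])


# Site A's crypto ACL 101 exactly as posted.
CRYPTO_ACL_AS_POSTED = [
    Ace("permit", "ip", "10.0.0.0", "0.255.255.255", "192.168.0.0", "0.0.0.255"),
]

# Assumed alternative (not from the thread): match the GRE tunnel packets
# themselves so the crypto map on the physical interface protects the tunnel.
CRYPTO_ACL_GRE = [
    Ace("permit", "gre", "50.0.0.1", HOST_WILD, "90.0.0.2", HOST_WILD),
]

# Constructed NAT ACL following the reply: deny VPN traffic above the permit,
# so it is never translated and still matches the crypto ACL.
NAT_ACL = [
    Ace("deny", "ip", "10.0.0.0", "0.255.255.255", "192.168.0.0", "0.0.0.255"),
    Ace("permit", "ip", "10.0.0.0", "0.255.255.255", *ANY),
]


def classify_site_a() -> dict[str, str]:
    """Run the flows from the thread through the ACLs and report each verdict."""
    # The test the poster ran: 'ping 192.168.0.3 source serial 0'.
    ping_from_serial = Packet("50.0.0.1", "192.168.0.3", IP_PROTO["icmp"])
    # A constructed LAN host behind Site A talking to the Site B LAN.
    lan_ping = Packet("10.0.0.2", "192.168.0.3", IP_PROTO["icmp"])
    # The same LAN packet after Tunnel1 wraps it (tunnel source Serial0).
    lan_ping_in_gre = gre_encapsulate(lan_ping, "50.0.0.1", "90.0.0.2")
    # Constructed Internet-bound flow for the NAT check.
    internet = Packet("10.0.0.2", "203.0.113.10", IP_PROTO["tcp"])

    return {
        "ping_from_serial_vs_acl101": acl_lookup(CRYPTO_ACL_AS_POSTED, ping_from_serial),
        "lan_ping_inner_vs_acl101": acl_lookup(CRYPTO_ACL_AS_POSTED, lan_ping),
        "lan_ping_gre_vs_acl101": acl_lookup(CRYPTO_ACL_AS_POSTED, lan_ping_in_gre),
        "lan_ping_gre_vs_gre_acl": acl_lookup(CRYPTO_ACL_GRE, lan_ping_in_gre),
        "lan_to_siteb_vs_nat_acl": acl_lookup(NAT_ACL, lan_ping),
        "lan_to_internet_vs_nat_acl": acl_lookup(NAT_ACL, internet),
    }


if __name__ == "__main__":
    for flow, verdict in classify_site_a().items():
        print(f"{flow:30s} {verdict}")
```

Two things the verdicts make visible that the counters alone do not: a ping sourced from the Serial0 address never matches ACL 101, so it cannot trigger ISAKMP no matter how healthy the path is, and a LAN packet that does match ACL 101 on its inner header is GRE-encapsulated by Tunnel1 before Serial0's crypto map sees it, at which point its outer header (50.0.0.1 to 90.0.0.2, protocol 47) matches nothing either, which is consistent with the zero encaps counters and the empty ISAKMP SA table in both outputs. Separately, the posted transform set (esp-des with ah-md5-hmac) and ISAKMP policy (3DES, DH group 2) rely on deprecated algorithms; once the tunnel negotiates, those are worth replacing with current AES and SHA-2 options.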