IPsec Site-to-Site VPN configuration help -- ISAKMP not coming up

raghubevara (Level 1)

Hi All,

Need help with the IPsec config.

ISAKMP is not up and there is no traffic in IPsec. Please help, thanks.

Below is my config.

Topology

Site A >> Cloud >>> Site B (EIGRP configured)

Able to ping both sides' VPN'ed traffic, but unable to see ISAKMP peers and IPsec traffic.



Site A Config :

=======================

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco@123 address 90.0.0.2
!
!
crypto ipsec transform-set TS ah-md5-hmac esp-des
!
crypto map ipsec1 100 ipsec-isakmp
set peer 90.0.0.2
set security-association lifetime seconds 36000
set transform-set TS
match address 101
!
!
!
interface Tunnel1
ip address 172.168.0.2 255.255.0.0
tunnel source Serial0
tunnel destination 90.0.0.2
!
interface FastEthernet0
ip address 10.0.0.1 255.0.0.0
speed auto
!
interface Serial0
ip address 50.0.0.1 255.0.0.0
crypto map ipsec1
!

 

router eigrp 100
network 10.0.0.0
network 50.0.0.0
network 172.168.0.0
auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 90.0.0.2
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
Site B Config :
=======================

 

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco@123 address 50.0.0.1
!
!
crypto ipsec transform-set TS ah-md5-hmac esp-des
!
crypto map ipsec 100 ipsec-isakmp
set peer 50.0.0.1
set security-association lifetime seconds 36000
set transform-set TS
match address 101
!
!
!
interface Tunnel1
ip address 172.168.0.1 255.255.0.0
tunnel source Serial0
tunnel destination 50.0.0.1
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
speed auto
!
interface Serial0
ip address 90.0.0.2 255.0.0.0
crypto map ipsec

router eigrp 100
network 90.0.0.0
network 172.168.0.0
network 192.168.0.0
auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.0.0.1
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255

====

Site A output:

SiteA#ping 192.168.0.3 source serial 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
Packet sent with a source address of 50.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/76/132 ms

SiteA#sh crypto isakmp sa
dst src state conn-id slot status

 

 

SiteA#sh crypto ipsec sa

interface: Serial0
Crypto map tag: ipsec1, local addr 50.0.0.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 90.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 50.0.0.1, remote crypto endpt.: 90.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

SiteA#sh crypto session
Crypto session current status

Interface: Serial0
Session status: DOWN
Peer: 90.0.0.2 port 500
IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map


Site B output:

SiteB#ping 10.0.0.2 source se 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 90.0.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/92/128 ms
SiteB#sh crypto isakmp sa
dst src state conn-id slot status

SiteB#sh crypto ipsec sa

interface: Serial0
Crypto map tag: ipsec, local addr 90.0.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 50.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 90.0.0.2, remote crypto endpt.: 50.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

1 Reply

Hi,
Do you have NAT configured? Is all local traffic being NATted by the outside interface?
If so, you need to ensure traffic destined to the remote network is not NATted: add a deny rule at the top of the ACL (above the permit rule).

If that is not the case, please enable debugs (debug crypto isakmp) and upload the output here for review.

HTH
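Added example, not from the thread: a small Python evaluator that applies ACL 101 from Site A's config, with IOS first-match semantics, to the flows that actually leave Serial0, where crypto map ipsec1 is applied: the posted ping sourced from the serial interface, a LAN host's packet, and that same packet after Tunnel1 (tunnel source 50.0.0.1, destination 90.0.0.2) wraps it in GRE. It also evaluates a hypothetical NAT ACL of the deny-then-permit shape the reply describes; the ACL number 110, the host addresses and the outside address 203.0.113.5 are constructed for the example.

```python
import ipaddress

# Constructed for this example: Site A's crypto ACL exactly as posted, plus a
# hypothetical NAT ACL (not from the thread) in the shape the reply recommends:
# deny the VPN flow first so it is exempt from NAT, then permit the rest.
CRYPTO_ACL_SITE_A = [
    "access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255",
]
NAT_ACL_EXAMPLE = [
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255",
    "access-list 110 permit ip 10.0.0.0 0.255.255.255 any",
]
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}  # None = any proto

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """One address spec: 'any', 'host A', or 'A WILDCARD'; returns ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (the numbered-ACL syntax in the post)."""
    t = line.split()
    src, rest = _parse_addr(t[4:])
    dst, _ = _parse_addr(rest)
    return {"action": t[2], "proto": PROTO[t[3]], "src": src, "dst": dst}

def _addr_matches(spec, ip):
    base, wildcard = spec  # wildcard bit 1 = don't care, bit 0 = must match
    return ((_ip(ip) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl_lines, src, dst, proto):
    """First matching ACE wins, as on IOS; no match falls to the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] in (None, proto) and _addr_matches(ace["src"], src) \
                and _addr_matches(ace["dst"], dst):
            return ace["action"]
    return "implicit-deny"

def site_a_interesting_traffic():
    """Flows as they appear on Serial0 at Site A, where crypto map ipsec1 is applied."""
    flows = {
        "ping sourced from Serial0": ("50.0.0.1", "192.168.0.3", 1),  # the posted ping
        "LAN host routed directly": ("10.0.0.2", "192.168.0.3", 1),
        # a LAN packet routed into Tunnel1 leaves Serial0 as GRE 50.0.0.1 -> 90.0.0.2
        "LAN host inside GRE": ("50.0.0.1", "90.0.0.2", 47),
    }
    return {name: evaluate(CRYPTO_ACL_SITE_A, *f) for name, f in flows.items()}
```

Only a flow that returns "permit" from the crypto ACL counts as interesting traffic and triggers ISAKMP, so comparing the three results against the zero counters in the posted "sh crypto ipsec sa" output shows which flows could never have started the negotiation.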