02-27-2019 11:03 PM - edited 02-21-2020 09:34 PM
Hi all, I'm trying to install an IPsec site-to-site VPN using GNS3. The whole scenario is working fine (OSPF & LAN networks are reachable), but unfortunately the IPsec tunnel between HQ & RS1 is not working.
Please find the configuration details below and help me fix this issue.
For more information, I have attached the topology diagram and HQ-RTR & RS1-RTR running configuration.
HQ-RTR
******
Phase 1 Config
--------------
HQ-RTR(config)#crypto isakmp policy 1
HQ-RTR(config-isakmp)#authentication pre-share
HQ-RTR(config-isakmp)#hash sha
HQ-RTR(config-isakmp)#encryption aes 256
HQ-RTR(config-isakmp)#group 5
HQ-RTR(config-isakmp)#lifetime 86400
crypto isakmp key 6 ipsecpass address 22.22.22.6
Phase 2 Config
--------------
!
crypto ipsec transform-set ipsecset esp-aes esp-sha-hmac
!
!
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
Crypto Map
----------
HQ-RTR(config)#crypto map ipsecmap 10 ipsec-isakmp
HQ-RTR(config-crypto-map)#set peer 22.22.22.6
HQ-RTR(config-crypto-map)#set transform-set ipsecset
HQ-RTR(config-crypto-map)#match address 101
!
HQ-RTR(config)#inter f0/0
HQ-RTR(config-if)#crypto map ipsecmap
---------------------------------------------------------------------------------------------------------
RS1-RTR
******
Phase 1 Config
--------------
RS1-RTR(config)#crypto isakmp policy 1
RS1-RTR(config-isakmp)#authentication pre-share
RS1-RTR(config-isakmp)#hash sha
RS1-RTR(config-isakmp)#encryption aes 256
RS1-RTR(config-isakmp)#group 5
RS1-RTR(config-isakmp)#lifetime 86400
RS1-RTR(config)#crypto isakmp key 6 ipsecpass address 11.11.11.6
Phase 2 Config
--------------
!
crypto ipsec transform-set ipsecset esp-aes esp-sha-hmac
!
!
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
Crypto Map
----------
HQ-RTR(config)#crypto map ipsecmap 10 ipsec-isakmp
HQ-RTR(config-crypto-map)#set peer 11.11.11.6
HQ-RTR(config-crypto-map)#set transform-set ipsecset
HQ-RTR(config-crypto-map)#match address 101
!
HQ-RTR(config)#inter f0/0
HQ-RTR(config-if)#crypto map ipsecmap
02-28-2019 01:37 AM
03-03-2019 05:20 AM - edited 06-30-2019 07:38 AM
Hi RJI, thanks for your support. Now it's working.
RS1-RTR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RS1-RTR(config)#no ip nat source list NAT interface FastEthernet0/0 overload
RS1-RTR(config)#do wr
Building configuration...
[OK]
******************************************************************************
RS1-RTR#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 11.11.11.6 port 500
IKE SA: local 22.22.22.6/500 remote 11.11.11.6/500 Active
IPSEC FLOW: permit ip 10.0.2.0/255.255.255.0 10.0.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
******************************************************************************
HQ-RTR#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 22.22.22.6 port 500
IKE SA: local 11.11.11.6/500 remote 22.22.22.6/500 Active
IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 10.0.2.0/255.255.255.0
Active SAs: 2, origin: crypto map
******************************************************************************
RS1-PC02#ping 10.0.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.10, timeout is 2 seconds:
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 160/164/168 ms
RS1-PC02#ping 10.0.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/99/108 ms
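An added example, not part of the original thread: a small Python audit that compares the two peers' crypto settings and flags the kind of `ip nat ... overload` statement whose removal brought the tunnel up above. The config excerpts are constructed from the values posted in the thread; the contents of the ACL named NAT are not on the page, so the check only reports that the statement exists and needs review.

```python
import re

# Constructed excerpts built from the values posted in the thread; the
# "ip nat" line on RS1 is the statement the poster later removed.
HQ = """crypto isakmp policy 1
 authentication pre-share
 hash sha
 encryption aes 256
 group 5
crypto isakmp key 6 ipsecpass address 22.22.22.6
crypto ipsec transform-set ipsecset esp-aes esp-sha-hmac
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
crypto map ipsecmap 10 ipsec-isakmp
 set peer 22.22.22.6
 match address 101
"""
RS1 = (HQ.replace("22.22.22.6", "11.11.11.6")
         .replace("10.0.1.0 0.0.0.255 10.0.2.0", "10.0.2.0 0.0.0.255 10.0.1.0")
       + "ip nat source list NAT interface FastEthernet0/0 overload\n")

def parse(cfg):
    """Pull the fields both peers must agree on out of an IOS config excerpt."""
    one = lambda pat: (re.search(pat, cfg, re.M) or [None, None])[1]
    acl_id = one(r"^ match address (\S+)")
    return {
        "policy": sorted(re.findall(r"^ (authentication|hash|encryption|group) (.+)$", cfg, re.M)),
        "key": one(r"^crypto isakmp key (?:\d+ )?(\S+) address "),
        "key_peer": one(r"^crypto isakmp key .* address (\S+)"),
        "peer": one(r"^ set peer (\S+)"),
        "tset": one(r"^crypto ipsec transform-set \S+ (.+)$"),
        "acl": re.findall(rf"^access-list {acl_id} permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M),
        "nat": re.findall(r"^ip nat .*source list (\S+) .*overload", cfg, re.M),
    }

def audit(a_cfg, b_cfg, names=("HQ-RTR", "RS1-RTR")):
    """Return a list of findings; an empty list means the two sides agree."""
    a, b = parse(a_cfg), parse(b_cfg)
    out = [f"{f} differs between peers" for f in ("policy", "key", "tset") if a[f] != b[f]]
    if a["acl"] != [(dst, src) for src, dst in b["acl"]]:
        out.append("crypto ACLs are not mirror images")
    for name, side in zip(names, (a, b)):
        if side["peer"] != side["key_peer"]:
            out.append(f"{name}: pre-shared key address does not match set peer")
        for acl in side["nat"]:
            out.append(f"{name}: NAT overload list {acl} present; check it exempts crypto ACL traffic")
    return out

if __name__ == "__main__":
    print("\n".join(audit(HQ, RS1)) or "no findings")
```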