cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1795
Views
20
Helpful
2
Replies

IPSec Site-to-Site vpn configuration help..

Hi all, I'm trying to install IPsec site to site VPN by using GNS3. the whole scenario is working fine ( OSPF & LAN networks are reachable ) but unfortunately the IPsec Tunnel between HQ & RS1 is not working.

hereby please find the below configuration details and help me to fix this issue.

For more information, I have attached the topology diagram and HQ-RTR & RS1-RTR running configuration.

 

HQ-RTR
******
Phase 1 Config
--------------

HQ-RTR(config)#crypto isakmp policy 1
HQ-RTR(config-isakmp)#authentication pre-share
HQ-RTR(config-isakmp)#hash sha
HQ-RTR(config-isakmp)#encryption aes 256
HQ-RTR(config-isakmp)#group 5
HQ-RTR(config-isakmp)#lifetime 86400

crypto isakmp key 6 ipsecpass address 22.22.22.6


Phase 2 Config
--------------

!
crypto ipsec transform-set ipsecset esp-aes esp-sha-hmac
!
!
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!

Crypto Map
----------

HQ-RTR(config)#crypto map ipsecmap 10 ipsec-isakmp
HQ-RTR(config-crypto-map)#set peer 22.22.22.6
HQ-RTR(config-crypto-map)#set transform-set ipsecset
HQ-RTR(config-crypto-map)#match address 101


!
HQ-RTR(config)#inter f0/0
HQ-RTR(config-if)#crypto map ipsecmap

---------------------------------------------------------------------------------------------------------

RS1-RTR
******
Phase 1 Config
--------------

RS1-RTR(config)#crypto isakmp policy 1
RS1-RTR(config-isakmp)#authentication pre-share
RS1-RTR(config-isakmp)#hash sha
RS1-RTR(config-isakmp)#encryption aes 256
RS1-RTR(config-isakmp)#group 5
RS1-RTR(config-isakmp)#lifetime 86400

RS1-RTR(config)#crypto isakmp key 6 ipsecpass address 11.11.11.6


Phase 2 Config
--------------

!
crypto ipsec transform-set ipsecset esp-aes esp-sha-hmac
!
!
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!

Crypto Map
----------

HQ-RTR(config)#crypto map ipsecmap 10 ipsec-isakmp
HQ-RTR(config-crypto-map)#set peer 11.11.11.6
HQ-RTR(config-crypto-map)#set transform-set ipsecset
HQ-RTR(config-crypto-map)#match address 101


!
HQ-RTR(config)#inter f0/0
HQ-RTR(config-if)#crypto map ipsecmap

1 Accepted Solution

Accepted Solutions

Hi,
You've got NAT overload configured on RS1-RTR, therefore all traffic will be sourced from 22.22.22.6, which does not match the crypto ACL 101. Therefore traffic will never be sent over the VPN.

The ACL called NAT isn't even in the configuration file you sent, you need to place a deny between the local network and the remote network so this traffic will not be natted.

HTH

View solution in original post

2 Replies 2

Hi,
You've got NAT overload configured on RS1-RTR, therefore all traffic will be sourced from 22.22.22.6, which does not match the crypto ACL 101. Therefore traffic will never be sent over the VPN.

The ACL called NAT isn't even in the configuration file you sent, you need to place a deny between the local network and the remote network so this traffic will not be natted.

HTH

Hi RJI, Thanks for your support. now it's working.

 

RS1-RTR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RS1-RTR(config)#no ip nat source list NAT interface FastEthernet0/0 overload
RS1-RTR(config)#do wr
Building configuration...
[OK]

******************************************************************************
RS1-RTR#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 11.11.11.6 port 500
IKE SA: local 22.22.22.6/500 remote 11.11.11.6/500 Active
IPSEC FLOW: permit ip 10.0.2.0/255.255.255.0 10.0.1.0/255.255.255.0
Active SAs: 2, origin: crypto map

******************************************************************************
HQ-RTR#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 22.22.22.6 port 500
IKE SA: local 11.11.11.6/500 remote 22.22.22.6/500 Active
IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 10.0.2.0/255.255.255.0
Active SAs: 2, origin: crypto map

******************************************************************************
RS1-PC02#ping 10.0.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.10, timeout is 2 seconds:
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 160/164/168 ms
RS1-PC02#ping 10.0.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/99/108 ms


 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: