IPSEC Tunnel between two routers

w-chantre
Level 1

Hello,

I am actually trying to set up an IPSEC tunnel between a branch office (with a dynamic public IP) and my headquarters (with a static public IP).

In my headquarter, I have a router with VRF.

Phase 1 is up and phase 2 is up as well. But I don't have traffic.

Here is my configuration from the branch office:

crypto logging session
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key toto address A.B.C.D no-xauth
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set TS_AES_SHA ah-sha-hmac esp-aes
no crypto ipsec nat-transparency udp-encaps
!
crypto map CM_Client 1 ipsec-isakmp
 set peer A.B.C.D
 set transform-set TS_AES_SHA
 set pfs group5
 match address DE-LAN_Client
!
interface FastEthernet4
 description *** 4G vers TP-Link ***
 ip address 192.168.254.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map CM_Client
!
interface Vlan1
 description *** ID01-LAN ***
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no autostate
!
ip nat inside source list 100 interface FastEthernet4 overload
!
ip access-list extended DE-LAN_Client
 permit ip 172.16.0.0 0.0.0.255 host 10.10.10.10
 permit ip host 10.10.10.10 172.16.0.0 0.0.0.255
!
ip sla 1
 icmp-echo 10.10.10.10 source-ip 172.16.0.254
ip sla schedule 1 life forever start-time now
!
access-list 100 deny   ip 172.16.0.0 0.0.0.255 host 10.10.10.10
access-list 100 permit ip 172.16.0.0 0.0.0.255 any

Here is my configuration for my headquarters:

crypto keyring KR_Client vrf VRF
  pre-shared-key address 0.0.0.0 0.0.0.0 key toto
crypto logging session
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
crypto isakmp profile CI_Client
   vrf VRF
   keyring KR_Client
   match identity address 0.0.0.0 VRF
!
!
crypto ipsec transform-set TS_AES_SHA ah-sha-hmac esp-aes
!
crypto dynamic-map CDM_Client 10
 set transform-set TS_AES_SHA
 set pfs group5
 match address DE-LAN_Client
!
!
crypto map CM_Client 1 ipsec-isakmp dynamic CDM_Client
interface Loopback254
 description *** Lo 4G via IPSEC ***
 ip vrf forwarding VRF
 ip address 178.23.152.8 255.255.255.255
 ip nat outside
 crypto map CM_Client
!
interface Loopback255
 description *** Lo 4G via IPSEC ***
 ip vrf forwarding VRF
 ip address 10.10.10.10 255.255.255.255
 ip nat inside
ip nat inside source list 100 interface Loopback254 vrf VRF overload
ip access-list extended DE-LAN_Client
 permit ip host 10.10.10.10 172.16.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 host 10.10.10.10
access-list 100 deny   ip host 10.10.10.10 172.16.0.0 0.0.0.255
access-list 100 permit ip host 10.10.10.10 any

Phase 1 is up:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
178.23.152.8    192.168.254.2   QM_IDLE           2002    0 ACTIVE

IPv6 Crypto ISAKMP SA
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
178.23.152.8    80.215.202.236  QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

Phase 2 is up:

  local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer 178.23.152.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
interface: Loopback254
    Crypto map tag: CM_Client, local addr 178.23.152.8
   protected vrf: VRF
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   current_peer 80.215.202.236 port 18932
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Ping between my two LANs is NOK:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.254
.....
Success rate is 0 percent (0/5)

Encrypted packets are OK but not decrypted:

    #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Do you have any idea regarding this problem?

Thanks a lot

BR
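The symptom above (phase 2 up, encaps counting up on the branch, decaps stuck at 0 on both sides) is visible purely in the `show crypto ipsec sa` counters. The following is an added example, not code from the post or from Cisco, that parses that counter output and classifies each SA as one-way, idle or healthy; the sample text is copied from the outputs shown above, and the field names in the dicts are my own choice.

```python
import re

# Counter lines copied from the post above: branch SA first, then the headquarter SA.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer 178.23.152.8 port 500
    #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   current_peer 80.215.202.236 port 18932
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# [^/]+ (not \S+) so the address and mask do not swallow the following "/prot/port" fields.
_IDENT = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
_PEER = re.compile(r"^\s*current_peer (\S+) port (\d+)")
_COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(output: str) -> list[dict]:
    """One dict per SA pair: a record opens at each 'local ident' line and
    collects the remote ident, peer and packet counters that follow it."""
    sas: list[dict] = []
    for line in output.splitlines():
        if m := _IDENT.match(line):
            if m.group(1) == "local":
                sas.append({"local": "", "remote": "", "peer": "", "encaps": 0, "decaps": 0})
            if sas:
                sas[-1][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif sas and (m := _PEER.match(line)):
            sas[-1]["peer"] = f"{m.group(1)}:{m.group(2)}"
        elif sas and (m := _COUNTER.search(line)):
            sas[-1][m.group(1)] = int(m.group(2))
    return sas

def diagnose(sas: list[dict]) -> list[str]:
    """encaps > 0 with decaps == 0 means this side sends but the peer never returns
    anything: IKE is fine, so look at routing, NAT or the crypto ACL on the peer."""
    findings = []
    for sa in sas:
        tag = f"{sa['local']} -> {sa['remote']} peer {sa['peer']}"
        if sa["encaps"] and not sa["decaps"]:
            findings.append(f"ONE-WAY {tag}: {sa['encaps']} sent, nothing decrypted")
        elif not sa["encaps"] and not sa["decaps"]:
            findings.append(f"IDLE {tag}: no packets in either direction")
        else:
            findings.append(f"OK {tag}")
    return findings
```

Run `diagnose(parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA))` to reproduce the post's picture: the branch SA is reported ONE-WAY and the headquarter SA IDLE.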

18 Replies

Thanks a lot

You can try one workaround: change the subnet mask for Lo254 from /32 to /31 and give the next-hop IP address as the next IP, 178.23.52.9.

Hi !

I just tried your workaround 5 minutes ago and it works perfectly!

Thanks a lot.

BR

You are always welcome.