11-07-2017 09:34 AM - edited 03-12-2019 04:43 AM
I'm trying to set up an IPSec VPN on 2 x 2901 routers in Packet Tracer (save file attached; you have to change the file extension back to .pkt to work with Packet Tracer 7.1).
I'm doing this as a test for a real 2901 that needs a site-to-site VPN.
I've run through the setup as per https://www.youtube.com/watch?v=rUns1Jbve0w
and produced the relevant config
---------ROUTER 1-----------
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key 4NlzqTMXEax8ap address 10.1.1.2
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 10.1.1.2
set transform-set vpnset
match address 100
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map vpnset
!
interface GigabitEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
------------ ROUTER 1 END------------
---------------ROUTER 2--------------
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key 4NlzqTMXEax8ap address 10.1.1.1
!
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set vpnset
match address 100
!
interface GigabitEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map vpnset
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.0.0.0
duplex auto
speed auto
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
--------------------------------
The result is no isakmp link
Router(config)#do show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
Both routers were upgraded to 15.5 (my live router is 15.6)
Any thoughts?
11-07-2017 11:30 AM
Hello @AshleyUnwin
Find attached your working network. Let me point out to you where you failed:
-Server 3 had no default gateway
-R1 should have a static route like this: ip route 192.168.2.0 255.255.255.0 10.1.1.2
-R2 should have a static route like this: ip route 192.168.1.0 255.255.255.0 10.1.1.1
-On R1 you applied the crypto map on the wrong interface:
Before:
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map vpnset
!
After:
!
interface GigabitEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map vpnset
!
Please, run the file again and you'll be able to ping server to server. After the ping, issue the commands show crypto isakmp sa and show crypto ipsec sa and you'll see the VPN working.
Router#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: vpnset, local addr 10.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
-If I helped you somehow, please, rate it as useful.-
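An added checker, not part of this thread: it parses the two configs posted above and reports the mismatches the reply lists (crypto map on the wrong interface, plus key and crypto-ACL mirroring), so the same mistakes can be caught before a config is loaded. The ';'-joined sample strings are the OP's R1/R2 configs trimmed to their crypto lines; the function names are this example's own.

```python
from ipaddress import ip_interface, ip_network

def parse(cfg):
    # Pull the crypto-relevant facts out of an IOS config ('\n' or ';' separated)
    d, iface = {"ifaces": {}, "acl": []}, None
    for line in cfg.replace("\n", ";").split(";"):
        t = line.split()
        if not t or t[0] == "!":                      # '!' closes an interface block
            iface = None
        elif t[0] == "interface":
            iface = d["ifaces"].setdefault(t[1], {})
        elif t[:2] == ["ip", "address"] and iface is not None:
            iface["ip"] = str(ip_interface(f"{t[2]}/{t[3]}").ip)
        elif t[:2] == ["crypto", "map"] and iface is not None:
            iface["map"] = t[2]                       # crypto map bound to this interface
        elif t[:3] == ["crypto", "isakmp", "key"]:
            d["key"], d["key_addr"] = t[3], t[5]
        elif t[:2] == ["set", "peer"]:
            d["peer"] = t[2]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            d["acl"].append((ip_network(f"{t[4]}/{t[5]}"), ip_network(f"{t[6]}/{t[7]}")))
    return d

def check(name, me, peer):
    # Mismatches that keep ISAKMP/IPsec from coming up, judged from `me`'s side
    mapped = sorted(i for i, v in me["ifaces"].items() if "map" in v)
    facing = sorted(i for i, v in me["ifaces"].items() if v.get("ip") == peer["peer"])
    probs = [
        (mapped != facing, f"crypto map is on {mapped} but the peer dials {peer['peer']}, which is on {facing}"),
        (me["key"] != peer["key"], "pre-shared key does not match the peer's"),
        (me["key_addr"] != me["peer"], f"isakmp key address {me['key_addr']} differs from set peer {me['peer']}"),
        (me["acl"] != [(dst, src) for src, dst in peer["acl"]], "crypto ACL is not the mirror image of the peer's"),
    ]
    return [f"{name}: {msg}" for bad, msg in probs if bad]

def audit(r1_cfg, r2_cfg):
    r1, r2 = parse(r1_cfg), parse(r2_cfg)
    return check("R1", r1, r2) + check("R2", r2, r1)

# Constructed sample: the OP's R1/R2 configs from the first post, trimmed to the
# crypto-relevant lines and joined with ';' to keep the example short.
R1 = ("crypto isakmp key 4NlzqTMXEax8ap address 10.1.1.2; crypto map vpnset 10 ipsec-isakmp; set peer 10.1.1.2;"
      " !; interface GigabitEthernet0/0; ip address 192.168.1.1 255.255.255.0; crypto map vpnset;"
      " !; interface GigabitEthernet0/1; ip address 10.1.1.1 255.255.255.0;"
      " !; access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")
R2 = ("crypto isakmp key 4NlzqTMXEax8ap address 10.1.1.1; crypto map vpnset 10 ipsec-isakmp; set peer 10.1.1.1;"
      " !; interface GigabitEthernet0/0; ip address 10.1.1.2 255.255.255.0; crypto map vpnset;"
      " !; interface GigabitEthernet0/1; ip address 192.168.2.1 255.0.0.0;"
      " !; access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255")
```

Running audit(R1, R2) reports only R1's crypto map sitting on GigabitEthernet0/0 while R2 dials 10.1.1.1 on GigabitEthernet0/1; moving the map makes the list empty.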
11-07-2017 01:55 PM
OK, I'm attaching a v2 config for my issue.
From what I could see, although your config looked right for the IPsec tunnel, the additional routes you added meant that data destined for the other side did not actually use the VPN, which is why the isakmp table never listed the connection and the IPSec tunnel packet count didn't leave 0.
I have set up a more complex network structure, likely more representative of the real world: the internet requires multiple hops, and the addition of NAT at both ends means you can't naturally route into the opposing network.
Both servers and all routers are able to ping ALL internet (10.x.x.x) based IPs.
But the VPN is not establishing to link the LAN (192.168.x.x) networks.
Any further help would be great!!!
Please see v2 attached (again requires changing the file extension).
Thanks for all your help so far!!!
11-07-2017 03:40 PM
Hi @AshleyUnwin
The tunnel is OK already. I just have to verify why the servers do not ping each other and we are done!
Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.3.3.2 10.1.1.1 QM_IDLE 1046 0 ACTIVE
IPv6 Crypto ISAKMP SA
Router#sh crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: vpnset, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
current_peer 10.3.3.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 0
#pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.:10.3.3.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x481F3A46(1210006086)
inbound esp sas:
spi: 0x08E346E1(149112545)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: FPGA:1, crypto map: vpnset
sa timing: remaining key lifetime (k/sec): (4525504/3417)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x481F3A46(1210006086)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: FPGA:1, crypto map: vpnset
sa timing: remaining key lifetime (k/sec): (4525504/3417)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.3.3.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.:10.3.3.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
-If I helped you somehow, please, rate it as useful.-
11-07-2017 04:19 PM
Tunnel still not dialling for me :-s
When I run that v2 file I get the following
———————————
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
Router#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: vpnset, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 10.3.3.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.:10.3.3.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
11-07-2017 04:44 PM
11-08-2017 01:02 AM
Sorry to be a pain, the VPN is now up from the look of it, however I'm not able to ping server to server... any thoughts?
11-08-2017 01:52 AM
That's OK. We are here to learn. I was able to ping. Did you change your setup?
If the VPN is up, you need to permit both 192 networks on both sides.
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Then the same thing the other way around.
-If I helped you somehow, please, rate it as useful.-
11-08-2017 03:36 AM
I didn't change the config, I have even just re-downloaded the file you sent to check.
My two configs are https://www.diffchecker.com/e9s5mHFX
However I'm seeing
Router2 -
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.1.1.1 10.3.3.2 MM_NO_STATE 0 0 ACTIVE (deleted)
But Router1 -
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
NOTHING!!!
It's very odd!!!
11-08-2017 03:45 AM
Save the config, reload both routers and try to ping from the server. But don't ping the 192 network; from the server, try to ping the 10. network on the opposite side. This should bring the VPN up.
If you prefer I can post my routers' config here.
-If I helped you somehow, please, rate it as useful.-
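An added example, not from the thread: a small parser for the 'show crypto isakmp sa' and 'show crypto ipsec sa' outputs quoted in the posts above, turning the raw table and counters into the verdicts being discussed here (QM_IDLE versus MM_NO_STATE, and which proxy identity actually carried packets). The sample outputs are constructed from lines quoted in this thread, and the function names are this example's own.

```python
import re
from ipaddress import ip_network

ROW = re.compile(r"^\s*([\d.]+)\s+([\d.]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def phase1(isakmp_out):
    # One verdict per row of 'show crypto isakmp sa'; an empty table is itself a finding
    rows = [m.groups() for m in map(ROW.match, isakmp_out.splitlines()) if m]
    if not rows:
        return ["no ISAKMP SA: IKE never started (no traffic matched the crypto ACL, "
                "or the crypto map is not on the peer-facing interface)"]
    out = []
    for dst, src, state, conn, _slot, status in rows:
        if state == "QM_IDLE" and "deleted" not in status:
            out.append(f"{src}->{dst}: phase 1 up, conn-id {conn}")
        else:
            out.append(f"{src}->{dst}: not established, {state} ({status}): peer not "
                       "reachable on UDP/500, or isakmp policy / pre-shared key mismatch")
    return out

def phase2(ipsec_out):
    # One entry per proxy identity (crypto-ACL line) in 'show crypto ipsec sa'
    flows = []
    for line in ipsec_out.splitlines():
        if m := re.search(r"(local|remote) ident.*\((\d[\d.]*)/(\d[\d.]*)/", line):
            if m[1] == "local":                       # a new identity starts here
                flows.append({"encaps": 0, "decaps": 0})
            flows[-1][m[1]] = str(ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.search(r"#pkts (encaps|decaps): (\d+)", line):
            flows[-1][m[1]] = int(m[2])
    for f in flows:
        f["verdict"] = ("encrypting both ways" if f["encaps"] and f["decaps"] else
                        "one-way: sent but nothing came back (far-side ACL, route or NAT)"
                        if f["encaps"] else "idle: no packet has matched this identity yet")
    return flows

# Constructed samples, cut down from the outputs quoted in this thread
ISAKMP_UP = "dst src state conn-id slot status\n10.3.3.2 10.1.1.1 QM_IDLE 1046 0 ACTIVE\n"
ISAKMP_STUCK = "dst src state conn-id slot status\n10.1.1.1 10.3.3.2 MM_NO_STATE 0 0 ACTIVE (deleted)\n"
IPSEC = """local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 0
#pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
```

On the sample above phase2 shows that only the 10.1.1.0/24 to 10.3.3.0/24 identity ever encrypted anything, which is the outside-to-outside ping from the reply, while the LAN identity stayed at zero.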
11-08-2017 05:18 AM
OK, I did as you said: I re-downloaded and opened the file, saved both routers and rebooted both, ran a ping to the outsides both ways and then the VPN established and pings worked.
If I repeat the exact same process again, it doesn't work, no isakmp connection!
It seems to work when it feels like it and drop!
I literally just re-downloaded the file again from here and tried again and nothing!!!
It feels like it only wants to work occasionally.
Does the isakmp keep retrying itself or can I manually trigger a retry?
11-08-2017 05:24 AM
Usually you need to force it the first time and then there must be some keep-alive.
Bear in mind that this is a simulator and may be tricking you. But most important is to understand the concepts.
You can also try GNS3 or EVE. They are also free and they are not simulators but emulators, and you can run a real OS.
-If I helped you somehow, please, rate it as useful.-
11-09-2017 02:30 AM
11-09-2017 02:41 AM - edited 11-09-2017 02:42 AM