12-11-2023 02:06 PM - edited 12-11-2023 02:09 PM
I have created an IPsec tunnel (phase 1 and phase 2) as below, but the tunnel is not up. Consider the following:
source 172.16.16.0/24 and destination 172.30.55.0/24
configuration on router A
crypto isakmp policy 10
encr aes 256
hash sha384
authentication pre-share
group 14
lifetime 28800
crypto isakmp key ********* address 172.30.55.10
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
crypto map myset 10 ipsec-isakmp
set peer 172.30.55.10
set security-association lifetime seconds 28800
set transform-set myset
match address 100
access-list 100 permit ip 172.16.16.0 0.0.0.255 172.30.55.0 0.0.0.255
output:
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
12-11-2023 02:09 PM
match address 100 <<- did you configure the ACL for the traffic that must pass through the VPN?
Did you apply the crypto map to the interface?
MHM
12-11-2023 02:11 PM
Yes, I have created the access list (access-list 100 permit ip 172.16.16.0 0.0.0.255 172.30.55.0 0.0.0.255)
and under the outside interface I have applied the crypto map:
interface FastEthernet0
switchport trunk native vlan 3665
switchport mode trunk
no ip address
crypto map myset
!
12-11-2023 02:24 PM
The crypto map cannot be applied under an L2 interface; you need to apply it under an L3 interface.
Also, how is the peer IP in the same subnet as the remote LAN?
Configure a LAN-to-LAN IPsec Tunnel Between Two Routers - Cisco
Check this guide.
MHM
12-11-2023 02:34 PM
I have performed the steps from "Configure a LAN-to-LAN IPsec Tunnel Between Two Routers - Cisco", but the tunnel is not up. Also, what do you mean by "peer IP in the same subnet as the remote LAN"? The remote peer address is 172.30.55.10 (destination) and the local subnet is 172.16.16.1 (source).
12-12-2023 06:18 AM
Hi again,
The IP we use in set peer is the IP used to connect between the two peers and form the IPsec tunnel.
The local and remote subnets used in the access list are the LANs we want to protect via IPsec.
Your config makes the set peer of IPsec the same LAN that must be protected by IPsec.
Double-check the guide again and see: the IP used for set peer is in the same subnet used in the access list.
MHM
12-12-2023 06:26 AM
Hi,
I have applied the commands after reviewing the guide again, as below, but the tunnel is still down:
access-list 100 permit ip 172.16.16.0 0.0.0.255 172.30.55.0 0.0.0.255
crypto isakmp policy 10
encr aes 256
hash sha384
authentication pre-share
group 14
lifetime 28800
crypto isakmp key FRA_42HA8_!N$ address 172.30.55.1
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
crypto map myset 10 ipsec-isakmp
set peer 172.30.55.10
set security-association lifetime seconds 28800
set transform-set myset
match address 100
12-12-2023 06:31 AM
Same misconfig.
You use
set peer 172.30.55.10
and then use the ACL permit
access-list 100 permit ip 172.16.16.0 0.0.0.255 172.30.55.0 0.0.0.255
Friend, use any other IP between the two peers, use it in set peer, and check.
MHM
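As an added example, not posted by anyone in this thread: a small Python check for the two misconfigurations pointed out above, a peer address that falls inside the protected subnet of the matched ACL, and a crypto map applied to an interface that has no IP address (Layer 2). The configuration sample is constructed from the lines posted in the thread.

```python
import ipaddress
import re

# Constructed sample assembled from the configuration lines posted in the thread:
# the peer sits inside the ACL's destination subnet, and the crypto map is
# applied to a trunk port that has no IP address.
SAMPLE_CONFIG = """\
access-list 100 permit ip 172.16.16.0 0.0.0.255 172.30.55.0 0.0.0.255
crypto map myset 10 ipsec-isakmp
 set peer 172.30.55.10
 set transform-set myset
 match address 100
interface FastEthernet0
 switchport mode trunk
 no ip address
 crypto map myset
"""

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (e.g. 0.0.0.255) into a network."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network((addr, 32 - host_bits), strict=False)

def check_crypto_map(config):
    """Return a list of findings for the misconfigurations discussed in the thread."""
    findings = []
    # Protected source/destination networks, keyed by ACL number.
    acl = {}
    for m in re.finditer(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M):
        acl[m.group(1)] = (wildcard_to_network(m.group(2), m.group(3)),
                          wildcard_to_network(m.group(4), m.group(5)))
    peer = re.search(r"^\s+set peer (\S+)", config, re.M)
    match = re.search(r"^\s+match address (\d+)", config, re.M)
    if peer and match and match.group(1) in acl:
        peer_ip = ipaddress.IPv4Address(peer.group(1))
        src, dst = acl[match.group(1)]
        # The tunnel endpoint must not be one of the hosts the tunnel protects.
        if peer_ip in src or peer_ip in dst:
            findings.append(f"peer {peer_ip} lies inside protected subnet of ACL {match.group(1)}")
    # Each interface block: a crypto map only works on an interface that routes (has an IP).
    for block in re.split(r"^(?=interface )", config, flags=re.M)[1:]:
        name = block.splitlines()[0].split(None, 1)[1]
        if re.search(r"^\s+crypto map ", block, re.M) and re.search(r"^\s+no ip address", block, re.M):
            findings.append(f"crypto map applied to {name}, which has no IP address (Layer 2)")
    return findings

if __name__ == "__main__":
    for finding in check_crypto_map(SAMPLE_CONFIG):
        print(finding)
```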