Need VPN Configuration Help

2boogeyman3
Level 1

I'm trying to set up an IPSEC Site to Site VPN connection and seem to be running into problems. Can someone look over my configuration and lead me in the right direction:

http://www.spec-works.com/bike/help/vpn1.jpg 

Router1#sh crypto map
Crypto Map "TOWIFE" 1 ipsec-isakmp
        Peer = 10.2.2.1
        Extended IP access list HusbandToWife
            access-list HusbandToWife permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
        Current peer: 10.2.2.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                3DESHMAC,
        }
        Interfaces using crypto map TOWIFE:
                FastEthernet0/0


Router1#sh running-config
Building configuration...

Current configuration : 1027 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key spike address 10.2.2.1
!
!
crypto ipsec transform-set 3DESHMAC esp-3des esp-sha-hmac
!
crypto map TOWIFE 1 ipsec-isakmp
set peer 10.2.2.1
set transform-set 3DESHMAC
match address HusbandToWife
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map TOWIFE
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended HusbandToWife
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

Router3#sh crypto map
Crypto Map "TOHUSBAND" 1 ipsec-isakmp
        Peer = 10.1.1.1
        Extended IP access list WifeToHusband
            access-list WifeToHusband permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                3DESHMAC,
        }
        Interfaces using crypto map TOHUSBAND:
                FastEthernet0/0

Router3#sh running-config
Building configuration...

Current configuration : 1033 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key spike address 10.1.1.1
!
!
crypto ipsec transform-set 3DESHMAC esp-3des esp-sha-hmac
!
crypto map TOHUSBAND 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set 3DESHMAC
match address WifeToHusband
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
crypto map TOHUSBAND
!
interface FastEthernet0/1
ip address 10.2.2.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended WifeToHusband
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end


8 Replies

Eugene Khabarov
Level 7

Please provide us with "show crypto isakmp peer", "show crypto ipsec sa" and "show ip access-list" output from both site2site routers. Are there any matches in the ACL? Can you ping the peers from each other?

---

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."

Router1

Router1#sh crypto isakmp peer


Router1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: TOWIFE, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Router1#sh ip access-lists
Extended IP access list HusbandToWife
    10 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Router1#


Router3


Router3#sh crypto isakmp peers


Router3#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: TOHUSBAND, local addr 192.168.3.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.3.1, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Router3#sh ip access-lists
Extended IP access list WifeToHusband
    10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Router3#

There is no match in the access-list, that's why IPSEC phase 1 is not coming up. This is because of a lack of routing information from R1 to R3.

On R1 you should specify:

ip route 0.0.0.0 0.0.0.0 10.1.1.2

On R3 you should specify:

ip route 0.0.0.0 0.0.0.0 10.2.2.2

On R2 you should specify:

ip route 192.168.1.0 255.255.255.0 10.1.1.1

ip route 192.168.3.0 255.255.255.0 10.2.2.1

And try to ping once again, after that show us

"show crypto isakmp peer", "show crypto ipsec sa" and "show ip access-list"

---

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."
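An added example (not from the thread) that models the point above: an IOS crypto map is evaluated on the egress interface, so without a route to the peer and the remote LAN the packets never reach it and the crypto ACL stays at zero matches. The parser reads a reduced IOS config; the sample configs are constructed to match the thread's Router1 and Router3 (the crypto map name `VPN` is mine), and the Router3 cases contrast the map on the LAN-facing Fa0/0, as first posted, with the WAN-facing Fa0/1, as in the later output.

```python
import ipaddress
import re

def parse_config(text):
    """Pull interfaces, static routes, crypto-map peers and crypto-ACL destinations from an IOS config."""
    cfg, cur = {"ifaces": {}, "routes": [], "peers": [], "remote_lans": []}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur, cfg["ifaces"][m[1]] = m[1], {"net": None, "cmap": None}
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cfg["ifaces"][cur]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif cur and (m := re.match(r"crypto map (\S+)$", line)):  # map applied on this interface
            cfg["ifaces"][cur]["cmap"] = m[1]
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3])))
        elif m := re.match(r"set peer (\S+)$", line):
            cfg["peers"].append(ipaddress.ip_address(m[1]))
        elif m := re.match(r"permit ip \S+ \S+ (\S+) (\S+)$", line):  # destination with wildcard mask
            cfg["remote_lans"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif line == "!":
            cur = None
    return cfg

def egress(cfg, dst):  # longest-prefix match over connected subnets and static routes; None if no route
    def iface_for(addr):  # connected interface whose subnet contains addr
        return next((n for n, i in cfg["ifaces"].items() if i["net"] and addr in i["net"].network), None)
    table = [(i["net"].network, n) for n, i in cfg["ifaces"].items() if i["net"]]
    table += [(net, iface_for(nh)) for net, nh in cfg["routes"]]  # next hop must sit on a connected subnet
    hits = [(net.prefixlen, n) for net, n in table if n and dst in net]
    return max(hits)[1] if hits else None

def check_router(cfg):  # problems that leave the crypto ACL at zero matches, as in the thread's first outputs
    mapped, problems = [n for n, i in cfg["ifaces"].items() if i["cmap"]], []
    for dst in cfg["peers"] + cfg["remote_lans"]:
        out = egress(cfg, getattr(dst, "network_address", dst))
        if out is None:
            problems.append(f"no route to {dst}: packets are dropped before any crypto map is evaluated")
        elif out not in mapped:
            problems.append(f"{dst} exits via {out}, which has no crypto map applied")
    return problems

def sample(peer, ifaces, map_on, local_lan, remote_lan, default_via=None):
    """Constructed, reduced config shaped like the thread's routers (the crypto map name VPN is mine)."""
    lines = ["crypto map VPN 1 ipsec-isakmp", f" set peer {peer}", "!"]
    for name, ip in ifaces.items():
        lines += [f"interface {name}", f" ip address {ip} 255.255.255.0"] + ([" crypto map VPN"] if name == map_on else []) + ["!"]
    lines += ["ip access-list extended VPN", f" permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255", "!"]
    return "\n".join(lines + ([f"ip route 0.0.0.0 0.0.0.0 {default_via}"] if default_via else []))

R1_IF = {"FastEthernet0/0": "10.1.1.1", "FastEthernet0/1": "192.168.1.1"}
R3_IF = {"FastEthernet0/0": "192.168.3.1", "FastEthernet0/1": "10.2.2.1"}
CASES = {  # states Router1 and Router3 pass through in the thread
    "R1 as posted (no routes)": sample("10.2.2.1", R1_IF, "FastEthernet0/0", "192.168.1.0", "192.168.3.0"),
    "R1 with default route": sample("10.2.2.1", R1_IF, "FastEthernet0/0", "192.168.1.0", "192.168.3.0", "10.1.1.2"),
    "R3 routed, map on LAN Fa0/0": sample("10.1.1.1", R3_IF, "FastEthernet0/0", "192.168.3.0", "192.168.1.0", "10.2.2.2"),
    "R3 routed, map on WAN Fa0/1": sample("10.1.1.1", R3_IF, "FastEthernet0/1", "192.168.3.0", "192.168.1.0", "10.2.2.2"),
}
```

Run `check_router(parse_config(CASES[name]))` for each case: the "no routes" and "map on LAN" cases each return two findings, the other two return an empty list.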

Router1

Router1#ping 192.168.3.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/53/96 ms

Router1#sh crypto isakmp peer

Router1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: TOWIFE, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 15, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Router1#sh ip access-list
Extended IP access list HusbandToWife
    10 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 (15 matches)

Router1#sh running-config
Building configuration...

Current configuration : 1068 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key spike address 10.2.2.1
!
!
crypto ipsec transform-set 3DESHMAC esp-3des esp-sha-hmac
!
crypto map TOWIFE 1 ipsec-isakmp
set peer 10.2.2.1
set transform-set 3DESHMAC
match address HusbandToWife
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map TOWIFE
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
!
ip http server
no ip http secure-server
!
ip access-list extended HusbandToWife
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

Router2

Router#sh running-config
Building configuration...

Current configuration : 729 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.2.2 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.2.2.1
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

Router3

Router3#ping 192.168.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/39/100 ms

Router3#sh crypto isakmp peer

Router3#sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: TOHUSBAND, local addr 10.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Router3#sh  ip access-list
Extended IP access list WifeToHusband
    10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Router3#sh running-config
Building configuration...

Current configuration : 1074 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key spike address 10.1.1.1
!
!
crypto ipsec transform-set 3DESHMAC esp-3des esp-sha-hmac
!
crypto map TOHUSBAND 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set 3DESHMAC
match address WifeToHusband
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.2.1 255.255.255.0
duplex auto
speed auto
crypto map TOHUSBAND
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
!
!
ip http server
no ip http secure-server
!
ip access-list extended WifeToHusband
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

Ping once again, but with source FastEthernet0/1:

ping 192.168.1.254 so Fa0/1 on R3

ping 192.168.3.254 so Fa0/1 on R1

and output from 'show crypto isakmp sa' and 'show crypto ipsec sa' once again.

If it is not helpful, try to explicitly define

crypto isakmp policy 1
encr des
hash md5

for example.

---

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."

I think it is working now

Router1#sh crypto isakmp peers
Peer: 10.2.2.1 Port: 500 Local: 10.1.1.1
Phase1 id: 10.2.2.1

Router1#sh crypto map
Crypto Map "TOWIFE" 1 ipsec-isakmp
        Peer = 10.2.2.1
        Extended IP access list HusbandToWife
            access-list HusbandToWife permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
        Current peer: 10.2.2.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                3DESHMAC,
        }
        Interfaces using crypto map TOWIFE:
                FastEthernet0/0

Router1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router3#sh crypto isakmp peers
Peer: 10.1.1.1 Port: 500 Local: 10.2.2.1
Phase1 id: 10.1.1.1

Router3#sh crypto map
Crypto Map "TOHUSBAND" 1 ipsec-isakmp
        Peer = 10.1.1.1
        Extended IP access list WifeToHusband
            access-list WifeToHusband permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                3DESHMAC,
        }
        Interfaces using crypto map TOHUSBAND:
                FastEthernet0/1

Router3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router3#

Last check - 'show crypto ipsec sa', you should see encrypted and decrypted packets.

If so, you can mark my answers as correct and give me points for it.

---

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."
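As an added example (not from the thread), a small parser for `show crypto ipsec sa` output that classifies the states this thread walks through: zero counters with `spi 0x0` (no traffic has reached the crypto map, so look at routing), send errors with no SA (traffic matched the crypto ACL but IKE did not complete), and active SAs with both encrypted and decrypted packets, which is the final check above. It also flags a one-way tunnel, which the thread does not show. The excerpts are constructed to match the shape of the posted output; the counters follow the thread except for the one-way case.

```python
import re

def parse_ipsec_sa(text):
    """One dict per crypto-map entry: peer, packet counters, outbound SPI and number of active ESP SAs."""
    entries, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"Crypto map tag: (\S+), local addr (\S+)", line):
            cur = {"map": m[1], "local": m[2], "encaps": 0, "decaps": 0, "send_err": 0, "spi": "0x0", "active_sas": 0}
            entries.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"current_peer (\S+)", line):
            cur["peer"] = m[1]
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m[1]] = int(m[2])
        elif m := re.match(r"#send errors (\d+)", line):
            cur["send_err"] = int(m[1])
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line):
            cur["spi"] = m[1]
        elif line == "Status: ACTIVE":  # one per inbound/outbound ESP SA
            cur["active_sas"] += 1
    return entries

def assess(e):
    """Classify an entry into the states the thread passes through (plus one-way, which it does not show)."""
    if e["active_sas"] == 0 or e["spi"] == "0x0":
        if e["send_err"]:
            return "DOWN", "traffic matched the crypto ACL but no SA was built: IKE did not complete; check peer reachability, ISAKMP policy and key, and which interface the far side applies its crypto map on"
        return "DOWN", "no traffic has reached the crypto map: check routing toward the peer and the remote LAN"
    if e["encaps"] and not e["decaps"]:
        return "ONE-WAY", "we encrypt but decrypt nothing: the far side is not sending into the tunnel (its crypto ACL or return route)"
    return "UP", f"{e['encaps']} encrypted / {e['decaps']} decrypted"

def sample(encaps, decaps, send_err, spi, active):
    """Constructed excerpt shaped like the thread's 'show crypto ipsec sa' (only the lines the parser reads)."""
    sa = f"      spi: {spi}\n        Status: ACTIVE\n" if active else ""
    return ("interface: FastEthernet0/0\n    Crypto map tag: TOWIFE, local addr 10.1.1.1\n"
            "   current_peer 10.2.2.1 port 500\n"
            f"    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
            f"    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
            f"    #send errors {send_err}, #recv errors 0\n"
            f"     current outbound spi: {spi}({int(spi, 16)})\n"
            f"     inbound esp sas:\n{sa}     outbound esp sas:\n{sa}")

SAMPLES = {  # counters follow the thread's Router1 outputs; the one-way case is constructed
    "first post (no routes)": sample(0, 0, 0, "0x0", False),
    "routes added, IKE still not up": sample(0, 0, 15, "0x0", False),
    "one-way": sample(120, 0, 0, "0xE17347A9", True),
    "final post": sample(9009, 9009, 16, "0xE17347A9", True),
}

def state(name):
    return assess(parse_ipsec_sa(SAMPLES[name])[0])[0]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name}: {assess(parse_ipsec_sa(SAMPLES[name])[0])}")
```

Note that the final post still carries 16 send errors from the earlier failed attempts; the classifier looks at the SA state and counters first, so stale send errors on a healthy tunnel do not trigger a finding.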

Router1

Router1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: TOWIFE, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9009, #pkts encrypt: 9009, #pkts digest: 9009
    #pkts decaps: 9009, #pkts decrypt: 9009, #pkts verify: 9009
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 16, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xE17347A9(3782428585)

     inbound esp sas:
      spi: 0x752A0BF1(1965689841)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: TOWIFE
        sa timing: remaining key lifetime (k/sec): (4483539/914)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE17347A9(3782428585)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: TOWIFE
        sa timing: remaining key lifetime (k/sec): (4483539/914)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Router3

Router3#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: TOHUSBAND, local addr 10.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6273, #pkts encrypt: 6273, #pkts digest: 6273
    #pkts decaps: 6273, #pkts decrypt: 6273, #pkts verify: 6273
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x752A0BF1(1965689841)

     inbound esp sas:
      spi: 0xE17347A9(3782428585)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: TOHUSBAND
        sa timing: remaining key lifetime (k/sec): (4389997/1092)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x752A0BF1(1965689841)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: TOHUSBAND
        sa timing: remaining key lifetime (k/sec): (4389997/1092)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas: