11-13-2024 05:31 AM - edited 11-13-2024 09:14 AM
Hello VPN gurus,
I need help here. I'm trying to set up a VPN with 3 routers, with R2 as the hub. So far I can reach every network, but the encap/decap packet counters are all empty,
which means the tunnel is not established. I even ran ping -t xxxx.xx.xxx and did a show crypto ipsec sa on each router, and it still shows empty, no packets were forwarded. Here are my config files for all 3 routers. I'm sure I'm missing some parameter, but I don't know where.
R1:
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R1
no ip cef
no ipv6 cef
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.0.0.2
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set TRANSFORM_SET
match address VPN-TO-R2
spanning-tree mode pvst
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map VPN-MAP
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.252
clock rate 2000000
interface Serial0/1/0
no ip address
clock rate 2000000
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 192.168.3.0 255.255.255.0 10.0.0.2
ip flow-export version 9
ip access-list extended VPN-TO-R2
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
login
R2:
Current configuration : 1256 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R2
!
!
no ip cef
no ipv6 cef
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.0.0.1
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set TRANSFORM_SET
match address VPN-TO-R1
!
spanning-tree mode pvst
!
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
crypto map VPN-MAP
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.0.0.2 255.255.255.252
interface Serial0/1/0
ip address 10.0.1.1 255.255.255.252
clock rate 2000000
interface Vlan1
no ip address
shutdown
ip classless
ip route 192.168.1.0 255.255.255.0 10.0.0.1
ip route 192.168.3.0 255.255.255.0 10.0.1.2
ip flow-export version 9
ip access-list extended VPN-TO-R1
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
login
R3:
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname Router
no ip cef
no ipv6 cef
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.0.1.1
crypto isakmp key cisco123 address 10.0.1.2
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.0.1.1
set transform-set TRANSFORM_SET
match address VPN-TO-R1
crypto map VPN-MAP 20 ipsec-isakmp
set peer 10.0.1.2
set transform-set TRANSFORM_SET
match address VPN-TO-R3
spanning-tree mode pvst
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
crypto map VPN-MAP
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial0/0/0
ip address 10.0.1.2 255.255.255.252
interface Serial0/1/0
no ip address
clock rate 2000000
shutdown
interface Vlan1
no ip address
shutdown
ip classless
ip route 192.168.1.0 255.255.255.0 10.0.1.1
ip flow-export version 9
ip access-list extended VPN-TO-R2
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
login
11-17-2024 11:26 PM
Hello kennylee88,
As you have mentioned, R2 is playing the role of the hub.
But in your configuration R3 is configured with the following two peer commands:
crypto isakmp key cisco123 address 10.0.1.1
crypto isakmp key cisco123 address 10.0.1.2
Only R2 should be configured with two IPsec peers. R1 and R3 each have one peer.
You might have interchanged the configurations of R2 and R3... Please check and modify accordingly.
Best regards
******* If This Helps, Please Rate *******
11-21-2024 06:56 AM
Is this issue solved?
MHM
11-23-2024 07:40 AM
Still not working. Maybe it's a CPT bug?
I'm redoing it all over again. I will upload the PKT file; maybe you can see it better in the picture.
11-23-2024 09:21 AM
This router does not support VPN. On Packet Tracer you need to use a 29xx, and you need to enable it with the license command.
11-23-2024 09:25 AM
I don't know whether the router supports IPsec or not.
But the idea of IPsec hub and spoke is listed below.
Topology: hub, spoke1, spoke2
1- spoke1 must have a route toward the hub for the spoke2 LAN
2- spoke2 must have a route toward the hub for the spoke1 LAN
3- the hub IPsec ACLs must be
A- acl1 from spoke1 to spoke2
B- acl2 from spoke2 to spoke1
4- spoke1 ACL from the spoke1 LAN to the spoke2 LAN
5- spoke2 ACL from the spoke2 LAN to the spoke1 LAN
6- the hub must have an IPsec key with address 0.0.0.0
MHM
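The ACL rules for hub and spoke listed above can be checked mechanically against the configs posted in the question. The following Python script is an added example (not from any poster in this thread): it parses the crypto map and crypto ACL lines of R1, R2 and R3, then flags crypto maps that reference an ACL that is never defined and spoke ACL lines that the hub does not mirror. The config snippets are copied from the posted configs; the `parse`/`audit` function names are this example's own.

```python
import re
from ipaddress import IPv4Network
# Constructed from the crypto-relevant lines of the R1, R2 and R3 configs posted above.
R1 = """crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.0.0.2
match address VPN-TO-R2
ip access-list extended VPN-TO-R2
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"""
R2 = """crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.0.0.1
match address VPN-TO-R1
ip access-list extended VPN-TO-R1
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"""
R3 = """crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.0.1.1
match address VPN-TO-R1
crypto map VPN-MAP 20 ipsec-isakmp
set peer 10.0.1.2
match address VPN-TO-R3
ip access-list extended VPN-TO-R2
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"""

def parse(cfg):
    """Return ({acl_name: {(src_net, dst_net)}}, [{'seq': n, 'peer': ip, 'acl': name}])."""
    acls, maps, acl = {}, [], None
    for line in cfg.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            acl = acls.setdefault(m[1], set())
        elif m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line):
            maps.append({"seq": int(m[1])})
        elif (m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)) and acl is not None:
            # ipaddress accepts IOS wildcard (host) masks directly: 0.0.0.255 is a /24
            acl.add((IPv4Network(f"{m[1]}/{m[2]}"), IPv4Network(f"{m[3]}/{m[4]}")))
        elif (m := re.match(r"(set peer|match address) (\S+)", line)) and maps:
            maps[-1]["peer" if m[1] == "set peer" else "acl"] = m[2]
    return acls, maps

def audit(hub, spokes):
    """Flag crypto maps that match an undefined ACL and spoke ACL lines not mirrored on the hub."""
    findings, mirror = [], {(d, s) for pairs in parse(hub)[0].values() for s, d in pairs}
    for name, cfg in [("hub", hub)] + sorted(spokes.items()):
        acls, maps = parse(cfg)
        findings += [f"{name}: crypto map {cm['seq']} matches undefined ACL {cm.get('acl')}"
                     for cm in maps if cm.get("acl") not in acls]
        if name != "hub":
            findings += [f"{name}: {s} -> {d} has no mirrored ACL entry on the hub"
                         for s, d in sorted({p for pairs in acls.values() for p in pairs} - mirror)]
    return findings
```

Running `audit(R2, {"R1": R1, "R3": R3})` reports nothing for R1, whose ACL is mirrored by R2's VPN-TO-R1, but four findings for R3: both of its crypto map entries reference ACLs it never defines, and neither of its ACL lines has a counterpart on the hub.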