Site to Site IPsec VPN In Packet Tracer

jk865 (Level 1)

I'm trying to build a site-to-site IPsec VPN in Packet Tracer with the following ACL, but it's not catching any packets. Can somebody point me in the right direction, please?

Thanks in advance.

Router 1

! crypto ACL: traffic that should be sent through the tunnel
access-list 110 permit ip 172.10.0.32 0.0.0.15 172.10.0.0 0.0.0.31
access-list 110 permit ip 172.10.0.48 0.0.0.7 172.10.0.0 0.0.0.31
!
! IKE phase 1 policy
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key zDGkUPC5! address 209.165.100.134
!
! IPsec (phase 2) proposal
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to Router 2
 set peer 209.165.100.134
 set transform-set VPN-SET
 match address 110

Router 2

! crypto ACL: mirror image of Router 1's ACL 110
access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.32 0.0.0.15
access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.48 0.0.0.7
!
! IKE phase 1 policy
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key zDGkUPC5! address 209.165.100.129
!
! IPsec (phase 2) proposal
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to Router 1
 set peer 209.165.100.129
 set transform-set VPN-SET
 match address 110

2 Replies

@jk865 Hard to tell, not enough information. Have the IPsec SAs been established? How are you testing connectivity? Can the routers ping each other? Provide the full configuration of both routers.
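
The reply above starts where every site-to-site IPsec troubleshoot should: are there SAs, and are packets actually going into them? The script below is an added example, not code from this thread or from Cisco. It parses the per-selector counters of `show crypto ipsec sa` and maps each entry to the next thing to check: no ESP SAs at all, SAs present but zero `encaps`, or `encaps` climbing while `decaps` stays at zero. The sample output is constructed here in the shape IOS prints; its exact layout is assumed from memory rather than captured from a device, and only the fields the regexes read need to match. The selector and peer addresses are the ones from the configs posted above.

```python
import re

# Constructed sample in the shape of IOS 'show crypto ipsec sa' output. The layout is
# assumed from memory, not captured from a device; only the fields the regexes read matter.
SAMPLE = """\
interface: Serial0/0/0
    Crypto map tag: VPN-MAP, local addr 209.165.100.129

   local  ident (addr/mask/prot/port): (172.10.0.32/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (172.10.0.0/255.255.255.224/0/0)
   current_peer 209.165.100.134 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     inbound esp sas:
     outbound esp sas:

   local  ident (addr/mask/prot/port): (172.10.0.48/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (172.10.0.0/255.255.255.224/0/0)
   current_peer 209.165.100.134 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
"""

IDENT = re.compile(r"(local|remote)\s+ident.*?\((\d+\.\d+\.\d+\.\d+/\d+\.\d+\.\d+\.\d+)/")
COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
PEER = re.compile(r"current_peer\s+(\S+)")
SPI = re.compile(r"\bspi:\s*0x[0-9A-Fa-f]+")


def parse_ipsec_sa(text):
    """One record per local/remote selector pair: peer, packet counters and ESP SA counts."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m and m.group(1) == "local":          # a new selector pair starts here
            rec = {"local": m.group(2), "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0, "inbound_sas": 0, "outbound_sas": 0}
            records.append(rec)
            section = None
            continue
        if rec is None:
            continue
        if m:
            rec["remote"] = m.group(2)
        elif PEER.search(line):
            rec["peer"] = PEER.search(line).group(1)
        elif "inbound esp sas" in line:
            section = "inbound_sas"
        elif "outbound esp sas" in line:
            section = "outbound_sas"
        elif "sas:" in line:                      # ah/pcp sections: do not count their SPIs
            section = None
        elif SPI.search(line) and section:
            rec[section] += 1
        for c in COUNTER.finditer(line):
            rec[c.group(1)] = int(c.group(2))
    return records


def triage(rec):
    """Turn one entry's counters into the next thing to check."""
    if rec["inbound_sas"] == 0 and rec["outbound_sas"] == 0:
        return "NO_SA"      # never negotiated: nothing matched the crypto ACL, or IKE/IPsec failed
    if rec["encaps"] == 0:
        return "IDLE"       # SAs exist but nothing is being encrypted right now
    if rec["decaps"] == 0:
        return "ONE_WAY"    # we encrypt, nothing comes back: peer's mirror ACL or return route
    return "OK"


ADVICE = {
    "NO_SA": "check 'show crypto isakmp sa'; if IKE is absent too, confirm the crypto map is on the "
             "egress interface, the test traffic matches the crypto ACL, and the peer admits udp/500 and esp",
    "IDLE": "send traffic that matches the crypto ACL, then re-read the counters",
    "ONE_WAY": "compare the peer's crypto ACL (it must be the mirror image) and its route back to this subnet",
    "OK": "the tunnel is passing traffic both ways",
}


def report(text):
    """(local selector, remote selector, status) for every entry in the output."""
    return [(r["local"], r["remote"], triage(r)) for r in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for local, remote, status in report(SAMPLE):
        print(f"{local} <-> {remote}: {status}; {ADVICE[status]}")
```

Paste real output into `SAMPLE` (or read it from a file) and run the script; the point of the three-way split is that "no SA", "SA but idle" and "one-way" each send you to a different place: IKE and interesting-traffic selection, the hosts generating traffic, or the far end's ACL and routing.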

Hi,

I'm trying to configure a site-to-site VPN between three routers, one of which is passive, with multiple ACLs, and I'm having a bit of a meltdown. Some of the ACLs work; the VPN works if I don't apply the ACLs, but as soon as I apply the ACLs it stops working.

Thanks in advance.

The lab specifies there should be four ACLs:

1. NETWORK 2 and NETWORK 1 should be able to communicate via the VPN, without restrictions.

2. NETWORK 2 should be able to communicate with the ciscolab.com server, but without the VPN.

3. NETWORK 1 can only communicate with the INTERNET if the communication is initiated by a NETWORK 1 user. This means that communication initiated by INTERNET devices should not be allowed.

4. INTERNET devices can communicate only with the pocoloco.com device and only for HTTPS communication. (This one seems to work.)

Router 1

! VPN: crypto ACL, applied with 'match address VPN'
ip access-list extended VPN
 deny ip host 172.10.0.51 172.10.0.0 0.0.0.31
 permit ip 172.10.0.32 0.0.0.15 172.10.0.0 0.0.0.31
 permit ip 172.10.0.48 0.0.0.7 172.10.0.0 0.0.0.31
!
! INTERNET: applied to s0/0/0 outbound
ip access-list extended INTERNET
 permit ip 172.10.0.32 0.0.0.15 209.165.100.96 0.0.0.31
 permit ip 172.10.0.48 0.0.0.7 209.165.100.96 0.0.0.31
!
! INTERNET_TO_CISCOLAB.COM: applied to s0/0/0 inbound
ip access-list extended INTERNET_TO_CISCOLAB.COM
 permit tcp 209.165.100.96 0.0.0.31 host 172.10.0.51 eq 443
 deny ip any any
!
! IKE phase 1 policy
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key zDGkUPC5! address 209.165.100.134
!
! IPsec (phase 2) proposal
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to Router 2
 set peer 209.165.100.134
 set transform-set VPN-SET
 match address VPN

 

Router 2

ip access-list extended VPN
access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.32 0.0.0.15
access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.48 0.0.0.7
!
! IKE phase 1 policy
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key zDGkUPC5! address 209.165.100.129
!
! IPsec (phase 2) proposal
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to Router 1
 set peer 209.165.100.129
 set transform-set VPN-SET
 match address VPN
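
Both of jk865's messages turn on the same two questions: does the ACL that `match address` points at exist and describe the traffic, and does the far end carry its exact mirror image? Once interface ACLs are added, a third one appears: does the inbound ACL on the peer-facing interface still admit the peer's IKE (udp/500), NAT-T (udp/4500) and ESP, without which no SA can be negotiated at all? The script below is an added example, not code from this thread or from Cisco. It parses the subset of IOS config used in the posts (numbered and named extended ACLs, `match address` inside a crypto map; `any`, `host` and contiguous wildcard addresses; an `eq` port on the destination only) and answers those three questions. The parser treats an `access-list N ...` line as the global command it is, so, just as on IOS, it leaves named-ACL mode rather than adding entries to the named ACL above it. The sample input is the relevant lines from the two configs in the second message; the `ROUTER1`/`ROUTER2` names and the peer/local addresses 209.165.100.134 and 209.165.100.129 are taken from them.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: "int | None" = None        # only a trailing 'eq PORT' on the destination is modelled

    def matches(self, proto, src, dst, dport=None):
        return (self.proto in ("ip", proto) and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))

def wildcard_to_network(addr, wildcard):
    """'172.10.0.32', '0.0.0.15' -> 172.10.0.32/28 (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                 # wc must be 2**k - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def _addr(tok, i):                    # any | host A.B.C.D | A.B.C.D WILDCARD
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def _ace(tok):                        # [action, proto, <src>, <dst>, ('eq', port)?]
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    return Ace(tok[0], tok[1], src, dst, int(tok[i + 1]) if tok[i:i + 1] == ["eq"] else None)

def parse_config(text):
    """Return ({acl name: [Ace, ...]}, {crypto map name: acl named by 'match address'})."""
    acls, maps, named, cmap = {}, {}, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "access-list":   # a global command, so it ends named-ACL mode just as IOS does
            named = None
            acls.setdefault(tok[1], []).append(_ace(tok[2:]))
        elif tok[:3] == ["ip", "access-list", "extended"]:
            named = tok[3]
            acls.setdefault(named, [])
        elif tok[0] in ("permit", "deny") and named:
            acls[named].append(_ace(tok))
        elif tok[:2] == ["crypto", "map"] and len(tok) > 3:
            named, cmap = None, tok[2]
        elif tok[:2] == ["match", "address"] and cmap:
            maps[cmap] = tok[2]
        else:
            named = None
    return acls, maps

def crypto_acl_findings(cfg_a, cfg_b, map_name="VPN-MAP"):
    """Problems with the crypto ACLs bound to map_name on both ends; [] means they are consistent."""
    out, permits = [], {}
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        acls, maps = parse_config(cfg)
        name = maps.get(map_name)
        if name not in acls:
            out.append(f"{label}: crypto map {map_name} matches ACL {name}, which does not exist")
        elif not acls[name]:
            out.append(f"{label}: ACL {name} has no entries, so nothing is interesting traffic")
        permits[label] = {a for a in acls.get(name, []) if a.action == "permit" and a.proto == "ip"}
    for me, peer in (("A", "B"), ("B", "A")):
        for a in sorted(permits[me], key=str):      # the far end must carry the exact reverse entry
            if Ace(a.action, a.proto, a.dst, a.src, a.dport) not in permits[peer]:
                out.append(f"{me}: {a.src} -> {a.dst} has no mirror entry on {peer}")
    return out

def acl_verdict(aces, proto, src, dst, dport=None):
    """First-match evaluation, including the implicit deny at the end of every IOS ACL."""
    return next((a.action for a in aces if a.matches(proto, src, dst, dport)), "deny")

def ike_esp_admitted(aces, peer, local):
    """Does an inbound interface ACL let the peer's IKE, NAT-T and ESP reach the crypto map?"""
    probes = {"isakmp udp/500": ("udp", 500), "nat-t udp/4500": ("udp", 4500), "esp": ("esp", None)}
    return {k: acl_verdict(aces, p, peer, local, port) for k, (p, port) in probes.items()}

# Sample input: the relevant lines of the two configs in jk865's second message.
ROUTER1 = """ip access-list extended VPN
 deny ip host 172.10.0.51 172.10.0.0 0.0.0.31
 permit ip 172.10.0.32 0.0.0.15 172.10.0.0 0.0.0.31
 permit ip 172.10.0.48 0.0.0.7 172.10.0.0 0.0.0.31
ip access-list extended INTERNET_TO_CISCOLAB.COM
 permit tcp 209.165.100.96 0.0.0.31 host 172.10.0.51 eq 443
 deny ip any any
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN"""
ROUTER2 = """ip access-list extended VPN
access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.32 0.0.0.15
access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.48 0.0.0.7
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN"""
```

`crypto_acl_findings(ROUTER1, ROUTER2)` reports that ACL `VPN` on Router 2 is empty and that neither of Router 1's `permit ip` entries has a mirror on Router 2; fed the numbered ACLs from the first message instead, it returns an empty list, because those two ACL 110s are exact mirrors. `ike_esp_admitted(parse_config(ROUTER1)[0]["INTERNET_TO_CISCOLAB.COM"], "209.165.100.134", "209.165.100.129")` evaluates the inbound s0/0/0 ACL against the peer's IKE and ESP; any verdict of `deny` there means the tunnel cannot come up while that ACL is applied, whatever the crypto ACLs say. Deny entries in a crypto ACL only exclude traffic from encryption and are deliberately not part of the mirror check.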