07-21-2013 06:24 AM
Hello,
I'm trying to simulate an intranet VPN for a school project in Packet Tracer 6.0.1. I have made all the settings. VoIP is working between sites, I have connection everywhere. My problem is that I want to make a connection to the head office from two remote sites. I can't establish a tunnel between the head office and a remote site.
Here is the diagram and the source. Any help would be appreciated. Thanks!
CCME1 router settings
hostname CCME1
!
!
!
!
ip dhcp excluded-address 10.10.0.1 10.10.0.10
ip dhcp excluded-address 10.15.0.1 10.15.0.10
!
ip dhcp pool Date_pool
network 10.10.0.0 255.255.255.0
default-router 10.10.0.1
ip dhcp pool Voce_pool
network 10.15.0.0 255.255.255.0
default-router 10.15.0.1
option 150 ip 10.15.0.1
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key 0 address 172.1.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set utmset esp-aes esp-sha-hmac
!
crypto map r1_to_r2 100 ipsec-isakmp
set peer 172.1.2.1
set pfs group2
set security-association lifetime seconds 86400
set transform-set utmset
match address 102
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface Loopback0
ip address 99.99.99.99 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
description MNG
encapsulation dot1Q 1
ip address 10.1.0.1 255.255.255.0
!
interface FastEthernet0/0.10
description LAN_DATE
encapsulation dot1Q 10 native
ip address 10.10.0.1 255.255.255.0
!
interface FastEthernet0/0.15
description LAN_VOCE
encapsulation dot1Q 15
ip address 10.15.0.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/0
description SPRE_MIHAILESTI
ip address 172.1.2.1 255.255.255.252
duplex auto
speed auto
crypto map r1_to_r2
!
interface FastEthernet1/1
description SPRE_R3
ip address 172.1.3.1 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.1.0.0 0.0.0.255 area 10
network 10.10.0.0 0.0.0.255 area 10
network 10.15.0.0 0.0.0.255 area 10
network 172.1.2.0 0.0.0.3 area 10
network 172.1.3.0 0.0.0.3 area 10
!
ip classless
!
!
access-list 102 permit ip 10.10.0.0 0.0.0.255 20.10.0.0 0.0.0.255
access-list 102 permit ip 10.1.0.0 0.0.0.255 20.1.0.0 0.0.0.255
access-list 102 permit ip 10.15.0.0 0.0.0.255 20.15.0.0 0.0.0.255
!
no cdp run
!
!
!
!
!
dial-peer voice 6 voip
destination-pattern 200.
session target ipv4:172.1.2.2
!
dial-peer voice 7 voip
destination-pattern 300.
session target ipv4:172.1.3.2
!
telephony-service
max-ephones 10
max-dn 20
ip source-address 10.15.0.1 port 2000
!
ephone-dn 1
number 1000
!
ephone-dn 2
number 1001
!
ephone-dn 3
number 1002
!
ephone-dn 4
number 1003
!
ephone-dn 5
number 1004
!
ephone-dn 6
number 1005
!
ephone 1
device-security-mode none
mac-address 00D0.FF2B.27D0
type 7960
button 1:1
!
ephone 2
device-security-mode none
mac-address 0090.21D4.9973
type 7960
button 1:2
!
ephone 3
device-security-mode none
mac-address 0030.F2D9.A344
type 7960
button 1:3
!
ephone 4
device-security-mode none
mac-address 0004.9A90.47E2
type 7960
button 1:4
!
ephone 5
device-security-mode none
mac-address 0004.9A1A.E70E
type 7960
button 1:5
!
ephone 6
device-security-mode none
mac-address 0010.118B.34B6
type 7960
button 1:6
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
CCME2 router settings:
hostname CCME2
!
!
!
!
ip dhcp excluded-address 20.10.0.1 20.10.0.10
ip dhcp excluded-address 20.15.0.1 20.15.0.10
!
ip dhcp pool Date_pool
network 20.10.0.0 255.255.255.0
default-router 20.10.0.1
ip dhcp pool Voce_pool
network 20.15.0.0 255.255.255.0
default-router 20.15.0.1
option 150 ip 20.15.0.1
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key 0 address 172.1.2.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set utmset esp-aes esp-sha-hmac
!
crypto map r2_to_r1 100 ipsec-isakmp
set peer 172.1.2.2
set pfs group2
set security-association lifetime seconds 86400
set transform-set utmset
match address 102
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface Loopback0
ip address 99.99.99.98 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
description MNG_R2
encapsulation dot1Q 1
ip address 20.1.0.1 255.255.255.0
!
interface FastEthernet0/0.10
description LAN_DATE_R2
encapsulation dot1Q 10 native
ip address 20.10.0.1 255.255.255.0
!
interface FastEthernet0/0.15
description LAN_VOCE_R2
encapsulation dot1Q 15
ip address 20.15.0.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/0
description WAN_R2
ip address 172.1.2.2 255.255.255.252
duplex auto
speed auto
crypto map r2_to_r1
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 20.1.0.0 0.0.0.255 area 10
network 20.10.0.0 0.0.0.255 area 10
network 20.15.0.0 0.0.0.255 area 10
network 172.1.2.0 0.0.0.3 area 10
!
ip classless
!
!
access-list 102 permit ip 20.1.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 102 permit ip 20.10.0.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 102 permit ip 20.15.0.0 0.0.0.255 10.15.0.0 0.0.0.255
!
no cdp run
!
!
!
!
!
dial-peer voice 6 voip
destination-pattern 100.
session target ipv4:172.1.2.1
!
dial-peer voice 7 voip
session target ipv4:172.1.3.2
!
dial-peer voice 23 voip
destination-pattern 300.
session target ipv4:172.20.3.1
!
telephony-service
max-ephones 10
max-dn 20
ip source-address 20.15.0.1 port 2000
!
ephone-dn 1
number 2000
!
ephone-dn 2
number 2001
!
ephone-dn 3
number 2002
!
ephone 1
device-security-mode none
mac-address 0030.F296.69A0
type 7960
button 1:1
!
ephone 2
device-security-mode none
mac-address 000A.F399.C70B
type 7960
button 1:2
!
ephone 3
device-security-mode none
mac-address 00D0.FF0D.31CC
type 7960
button 1:3
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Thanks!!!!
07-21-2013 08:05 PM
You want your peer addresses in the crypto map and crypto key addresses to be the ones of the remote router. It looks like they are pointing to themselves right now.
Sent from Cisco Technical Support iPhone App
07-21-2013 11:22 PM
Thanks Mr. Elton for your response. I did make the changes but it is not working at all. I really don't know what to do anymore. Here are the new configurations:
CCME1
hostname CCME1
!
!
!
!
ip dhcp excluded-address 10.10.0.1 10.10.0.10
ip dhcp excluded-address 10.15.0.1 10.15.0.10
!
ip dhcp pool Date_pool
network 10.10.0.0 255.255.255.0
default-router 10.10.0.1
ip dhcp pool Voce_pool
network 10.15.0.0 255.255.255.0
default-router 10.15.0.1
option 150 ip 10.15.0.1
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key CRIPTARE address 172.1.2.2
!
!
crypto ipsec transform-set R1R2 esp-3des esp-sha-hmac
!
crypto map R1R2 1 ipsec-isakmp
description TUNELR1R2
set peer 172.1.2.2
set transform-set R1R2
match address 100
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface Loopback0
ip address 99.99.99.99 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
description MNG
encapsulation dot1Q 1
ip address 10.1.0.1 255.255.255.0
!
interface FastEthernet0/0.10
description LAN_DATE
encapsulation dot1Q 10 native
ip address 10.10.0.1 255.255.255.0
!
interface FastEthernet0/0.15
description LAN_VOCE
encapsulation dot1Q 15
ip address 10.15.0.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/0
description SPRE_MIHAILESTI
ip address 172.1.2.1 255.255.255.252
duplex auto
speed auto
crypto map R1R2
!
interface FastEthernet1/1
description SPRE_R3
ip address 172.1.3.1 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 10.1.0.0 0.0.0.255 area 10
network 10.10.0.0 0.0.0.255 area 10
network 10.15.0.0 0.0.0.255 area 10
network 172.1.2.0 0.0.0.3 area 10
network 172.1.3.0 0.0.0.3 area 10
!
ip classless
!
!
access-list 100 permit ip 10.1.0.0 0.0.0.255 20.1.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.0.255 20.10.0.0 0.0.0.255
access-list 100 permit ip 10.15.0.0 0.0.0.255 20.15.0.0 0.0.0.255
!
no cdp run
!
!
!
!
!
dial-peer voice 6 voip
destination-pattern 200.
session target ipv4:172.1.2.2
!
dial-peer voice 7 voip
destination-pattern 300.
session target ipv4:172.1.3.2
!
telephony-service
max-ephones 10
max-dn 20
ip source-address 10.15.0.1 port 2000
!
ephone-dn 1
number 1000
!
ephone-dn 2
number 1001
!
ephone-dn 3
number 1002
!
ephone-dn 4
number 1003
!
ephone-dn 5
number 1004
!
ephone-dn 6
number 1005
!
ephone 1
device-security-mode none
mac-address 00D0.FF2B.27D0
type 7960
button 1:1
!
ephone 2
device-security-mode none
mac-address 0090.21D4.9973
type 7960
button 1:2
!
ephone 3
device-security-mode none
mac-address 0030.F2D9.A344
type 7960
button 1:3
!
ephone 4
device-security-mode none
mac-address 0004.9A90.47E2
type 7960
button 1:4
!
ephone 5
device-security-mode none
mac-address 0004.9A1A.E70E
type 7960
button 1:5
!
ephone 6
device-security-mode none
mac-address 0010.118B.34B6
type 7960
button 1:6
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
CCME2
hostname CCME2
!
!
!
!
ip dhcp excluded-address 20.10.0.1 20.10.0.10
ip dhcp excluded-address 20.15.0.1 20.15.0.10
!
ip dhcp pool Date_pool
network 20.10.0.0 255.255.255.0
default-router 20.10.0.1
ip dhcp pool Voce_pool
network 20.15.0.0 255.255.255.0
default-router 20.15.0.1
option 150 ip 20.15.0.1
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key R1R2 address 172.1.2.1
!
!
crypto ipsec transform-set R1R2 esp-3des esp-sha-hmac
!
crypto map R1R2 1 ipsec-isakmp
description TUNELR1R2
set peer 172.1.2.1
set transform-set R1R2
match address 100
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface Loopback0
ip address 99.99.99.98 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
description MNG_R2
encapsulation dot1Q 1
ip address 20.1.0.1 255.255.255.0
!
interface FastEthernet0/0.10
description LAN_DATE_R2
encapsulation dot1Q 10 native
ip address 20.10.0.1 255.255.255.0
!
interface FastEthernet0/0.15
description LAN_VOCE_R2
encapsulation dot1Q 15
ip address 20.15.0.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/0
description WAN_R2
ip address 172.1.2.2 255.255.255.252
duplex auto
speed auto
crypto map R1R2
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 20.1.0.0 0.0.0.255 area 10
network 20.10.0.0 0.0.0.255 area 10
network 20.15.0.0 0.0.0.255 area 10
network 172.1.2.0 0.0.0.3 area 10
!
ip classless
!
!
access-list 100 permit ip 20.1.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 permit ip 20.10.0.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 100 permit ip 20.15.0.0 0.0.0.255 10.15.0.0 0.0.0.255
!
no cdp run
!
!
!
!
!
dial-peer voice 6 voip
destination-pattern 100.
session target ipv4:172.1.2.1
!
dial-peer voice 7 voip
session target ipv4:172.1.3.2
!
dial-peer voice 23 voip
destination-pattern 300.
session target ipv4:172.20.3.1
!
telephony-service
max-ephones 10
max-dn 20
ip source-address 20.15.0.1 port 2000
!
ephone-dn 1
number 2000
!
ephone-dn 2
number 2001
!
ephone-dn 3
number 2002
!
ephone 1
device-security-mode none
mac-address 0030.F296.69A0
type 7960
button 1:1
!
ephone 2
device-security-mode none
mac-address 000A.F399.C70B
type 7960
button 1:2
!
ephone 3
device-security-mode none
mac-address 00D0.FF0D.31CC
type 7960
button 1:3
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Thanks!
07-22-2013 02:17 AM
Regarding the above configuration: the tunnel is up, but it seems something is wrong.
CCME1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.1.2.2 172.1.2.1 QM_IDLE 1065 0 ACTIVE
IPv6 Crypto ISAKMP SA
CCME1#
So... the tunnel is up. But when I want to see the IPsec SA the results are like this:
CCME1#show crypto ipsec sa
interface: FastEthernet1/0
Crypto map tag: r1r2, local addr 172.1.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.1.0.0/255.255.255.0/0/0)
current_peer 172.1.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.1.2.1, remote crypto endpt.:172.1.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x5FDC20C7(1608261831)
inbound esp sas:
spi: 0x72D901C5(1926824389)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: FPGA:1, crypto map: r1r2
sa timing: remaining key lifetime (k/sec): (4525504/942)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5FDC20C7(1608261831)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: FPGA:1, crypto map: r1r2
sa timing: remaining key lifetime (k/sec): (4525504/942)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.10.0.0/255.255.255.0/0/0)
current_peer 172.1.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.1.2.1, remote crypto endpt.:172.1.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x5FDC20C7(1608261831)
inbound esp sas:
spi: 0x72D901C5(1926824389)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: FPGA:1, crypto map: r1r2
sa timing: remaining key lifetime (k/sec): (4525504/942)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5FDC20C7(1608261831)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: FPGA:1, crypto map: r1r2
sa timing: remaining key lifetime (k/sec): (4525504/942)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.15.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.15.0.0/255.255.255.0/0/0)
current_peer 172.1.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.1.2.1, remote crypto endpt.:172.1.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x5FDC20C7(1608261831)
inbound esp sas:
spi: 0x72D901C5(1926824389)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: FPGA:1, crypto map: r1r2
sa timing: remaining key lifetime (k/sec): (4525504/942)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5FDC20C7(1608261831)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: FPGA:1, crypto map: r1r2
sa timing: remaining key lifetime (k/sec): (4525504/942)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
CCME1#
Is that normal?
Or is this one normal?
Router A#sho crypto isakmp sa
dst src state conn-id slot
30.0.0.1 20.0.0.1 QM_IDLE 2 0
Router A#sho crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: branch-map, local addr. 20.0.0.1
protected vrf:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 30.0.0.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1059, #pkts encrypt: 1059, #pkts digest 1059
#pkts decaps: 1059, #pkts decrypt: 1059, #pkts verify 1059
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
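The asymmetry the poster is asking about (one SA with encaps but no decaps, another with decaps but no encaps) can be spotted mechanically. The following is an added example, not code from the thread: it parses a constructed excerpt in the format of `show crypto ipsec sa` and labels each local/remote pair by traffic direction, which points at whether the problem is on the sending or the returning side.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed excerpt in 'show crypto ipsec sa' layout; the counters mirror the
# three SAs posted above but this is not a capture from the poster's router.
SAMPLE_OUTPUT = """\
interface: FastEthernet1/0
    Crypto map tag: r1r2, local addr 172.1.2.1
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.1.0.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.10.0.0/255.255.255.0/0/0)
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.15.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.15.0.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# 'local  ident ... : (net/mask/prot/port)'; tolerant of collapsed whitespace
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident[^:]*:\s*\(([^/]+)/([^/]+)/\d+/\d+\)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

@dataclass
class FlowSA:
    local: str
    remote: str
    encaps: int = 0
    decaps: int = 0

def parse_ipsec_sa(text: str) -> list[FlowSA]:
    """One record per local/remote ident pair, with its encaps/decaps counters."""
    sas: list[FlowSA] = []
    pending_local = "?"
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            prefix = f"{m.group(2)}/{m.group(3)}"
            if m.group(1) == "local":
                pending_local = prefix          # remember until the remote line
            else:
                sas.append(FlowSA(local=pending_local, remote=prefix))
            continue
        if not sas:
            continue                            # header lines before the first SA
        if (m := ENCAPS_RE.search(line)):
            sas[-1].encaps = int(m.group(1))
        if (m := DECAPS_RE.search(line)):
            sas[-1].decaps = int(m.group(1))
    return sas

def classify(sa: FlowSA) -> str:
    """Name the failure mode the counters imply for this pair of networks."""
    if sa.encaps and sa.decaps:
        return "bidirectional"
    if sa.encaps and not sa.decaps:
        return "one-way: sending only (check return route / mirrored ACL on peer)"
    if sa.decaps and not sa.encaps:
        return "one-way: receiving only (check local route to remote net / local ACL)"
    return "idle: no interesting traffic matched yet"

def audit(text: str) -> dict[tuple[str, str], str]:
    return {(sa.local, sa.remote): classify(sa) for sa in parse_ipsec_sa(text)}

if __name__ == "__main__":
    for (local, remote), verdict in audit(SAMPLE_OUTPUT).items():
        print(f"{local} <-> {remote}: {verdict}")
```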
07-22-2013 11:59 AM
Hi Cosmin!
I have faced such a problem before on 2 occasions.
The first one was my NAT statement on the ASA. I had it reversed. After changing it, packets started encaps and decaps on both sides.
The second time was both on a router and an ASA; the issue was routing related. If packets get to one destination and it doesn't know how to return the packet to the source... you'll have such problems.
So my little suggestion would be: please check that your routing is fine on both ends.
Cheers
Teddy
07-22-2013 12:46 PM
Thanks Teddy,
I sorted it out but now I have a new challenge. I have a project in Packet Tracer to create 2 VPN tunnels from 2 sites to a headquarters office. I made the first tunnel between the head office and the 1st remote site. Now I can't create the 2nd tunnel from the head office to remote site 2. I must simulate over an intranet, not over the internet, so I have some switches. On the head router I have 2 Fast Ethernet adapters. So... the first tunnel is created on fa1/0. I can't create a tunnel from fa1/1 to remote site 2. When I apply the crypto map to the interface fa1/1 on the head router I'm not getting the message that ISAKMP is ON. Any advice?
07-23-2013 03:44 AM
Hi Cosmin,
Glad you sorted out the first! Fair enough about that! Please pray tell what you did to resolve the issue.
For the second tunnel you are building, do you have any previous crypto map applied to the interface? From what I know you can only have one crypto map applied to an interface at a time.
So the best thing to do is use the same crypto map but with different sequence numbers.
Say you have something like this:
crypto ipsec transform-set TSVPN esp-aes esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.100
set transform-set TSVPN
match address VPN-TRAFFIC
interface FastEthernet0/0
crypto map CMAP
Your next crypto map statement should be the same but with sequence number 11 or something.
BUT
In the case where you don't have any message saying that crypto ISAKMP is on for the interface... my guess would be that the IOS doesn't support ISAKMP. You might need to check that to make sure it's an IOS that supports such functionality! I might be wrong.
OK, just do sh version on your router and paste the outcome; let's see.
I hope this helps, unless I'm not understanding your question correctly. Please let me know either way.
Cheers
Teddy
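A worked version of the single-map, two-sequence-number approach for the head router CCME1 in this thread, written as an added example and not the poster's or Teddy's configuration. It reuses the addresses the thread shows (CCME2 at 172.1.2.2 behind fa1/0, the 172.1.3.0/30 link on fa1/1 with 172.1.3.2 assumed to be remote site 2's WAN address); the site 2 LAN prefixes 30.1.0.0/24, 30.10.0.0/24 and 30.15.0.0/24 and the key placeholders are assumptions, since the thread does not give them.

```cisco
! Added example for CCME1 (not from the thread). Site 2 LANs 30.x.0.0/24 are assumed.
! AES/SHA instead of the 3DES/MD5 used in the revised configs above, which are legacy ciphers.
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! one pre-shared key per peer address; placeholders, use distinct non-trivial keys
crypto isakmp key <KEY-SITE1> address 172.1.2.2
crypto isakmp key <KEY-SITE2> address 172.1.3.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! one crypto ACL per peer; each peer's own ACL must be the exact mirror of these,
! otherwise you get the one-way encaps/decaps counters shown earlier in the thread
ip access-list extended VPN-SITE1
 permit ip 10.1.0.0 0.0.0.255 20.1.0.0 0.0.0.255
 permit ip 10.10.0.0 0.0.0.255 20.10.0.0 0.0.0.255
 permit ip 10.15.0.0 0.0.0.255 20.15.0.0 0.0.0.255
ip access-list extended VPN-SITE2
 permit ip 10.1.0.0 0.0.0.255 30.1.0.0 0.0.0.255
 permit ip 10.10.0.0 0.0.0.255 30.10.0.0 0.0.0.255
 permit ip 10.15.0.0 0.0.0.255 30.15.0.0 0.0.0.255
!
! one crypto map, one sequence entry per peer
crypto map HQ 10 ipsec-isakmp
 description to-CCME2
 set peer 172.1.2.2
 set transform-set TS
 match address VPN-SITE1
crypto map HQ 20 ipsec-isakmp
 description to-site2
 set peer 172.1.3.2
 set transform-set TS
 match address VPN-SITE2
!
! the same map may be applied to both WAN interfaces; the
! %CRYPTO-6-ISAKMP_ON_OFF "ISAKMP is ON" line is logged only the first time
! ISAKMP is enabled, so its absence on the second interface is not itself a fault
interface FastEthernet1/0
 crypto map HQ
interface FastEthernet1/1
 crypto map HQ
```

Verify with `show crypto map` (both sequence entries listed under one map name) and `show crypto isakmp sa` (one QM_IDLE entry per peer once interesting traffic has flowed).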