01-29-2020 02:58 AM
Hello people,
I am trying to create a site-to-site VPN over IPsec in EVE-NG; please help if someone can. I am unable to ping Loopback0. When I run the show command "sh crypto isakmp sa" I can see the tunnel has been created. Below are the configurations.
Thank you.
R1
========
! 1. Configure the parameters for Phase I
!
crypto isakmp policy 10
 auth pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 20
 auth pre-share
 encryption 3des
 hash sha
 group 2
!
crypto isakmp key cisco111 address 192.1.20.2
crypto isakmp key cisco222 address 192.1.30.3
!
! 2. Configure the parameters for Phase II
!
crypto ipsec transform-set TSET esp-3des esp-md5
!
! 3. Define the traffic that will be encrypted over the tunnel
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
! 4. Configure a crypto map to link the above parameters to each other
!
crypto map CMAP 5 ipsec-isakmp
 match address 101
 set peer 192.1.20.2
 set transform-set TSET
!
crypto map CMAP 10 ipsec-isakmp
 match address 102
 set peer 192.1.30.3
 set transform-set TSET
!
! 5. Apply the crypto map to the outgoing interface
!
interface fa0/0
 crypto map CMAP
========================================
R2
========================================
! 1. Configure the parameters for Phase I
!
crypto isakmp policy 10
 auth pre-share
 encryption 3des
 hash md5
 group 2
!
crypto isakmp key cisco111 address 192.1.10.1
!
! 2. Configure the parameters for Phase II
!
crypto ipsec transform-set TSET esp-3des esp-md5
!
! 3. Define the traffic that will be encrypted over the tunnel
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! 4. Configure a crypto map to link the above parameters to each other
!
crypto map CMAP 5 ipsec-isakmp
 match address 101
 set peer 192.1.10.1
 set transform-set TSET
!
! 5. Apply the crypto map to the outgoing interface
!
interface fa0/0
 crypto map CMAP
=======================================
R3
=======================================
! 1. Configure the parameters for Phase I
!
crypto isakmp policy 20
 auth pre-share
 encryption 3des
 hash sha
 group 2
!
crypto isakmp key cisco222 address 192.1.10.1
!
! 2. Configure the parameters for Phase II
!
crypto ipsec transform-set TSET esp-3des esp-md5
!
! 3. Define the traffic that will be encrypted over the tunnel
!
access-list 102 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! 4. Configure a crypto map to link the above parameters to each other
!
crypto map CMAP 10 ipsec-isakmp
 match address 102
 set peer 192.1.10.1
 set transform-set TSET
!
! 5. Apply the crypto map to the outgoing interface
!
interface fa0/0
 crypto map CMAP
Thank you once again for the help.
-Wasif
01-29-2020 03:10 AM
01-29-2020 03:25 AM - edited 01-29-2020 03:28 AM
Thank you RJI for the reply; please find below the answers to your questions.
When you are pinging the peer's Loopback interface, which source interface/IP address is the request coming from? Did you specify the local loopback interface as the source?
ping 10.2.2.2 source 10.1.1.1
ping 10.1.1.1 source 10.2.2.2
This is how I am pinging.
Do you have NAT configured on any of the routers?
No NAT is configured, because I am following a video tutorial and there the trainer did not configure NAT.
Can you provide the output of "show crypto isakmp sa" and "show crypto ipsec sa" from each of the routers you are attempting to establish a VPN to?
R2#ping 10.1.1.1 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
.....
Success rate is 0 percent (0/5)
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.1.10.1      192.1.20.1      MM_NO_STATE          0 ACTIVE
IPv6 Crypto ISAKMP SA
R2#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 192.1.20.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer 192.1.10.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 192.1.20.1, remote crypto endpt.: 192.1.10.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Hope this will help.
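An added consistency check (example code, not from the thread or from Cisco): it cross-references each side's crypto-map peer, pre-shared key and crypto ACL with the crypto endpoint the other side actually reports, which is the mirroring a site-to-site tunnel depends on. The config strings are constructed excerpts of the R1 and R2 posts above; the endpoint addresses are taken from R2's key/peer lines and from the "local addr" line of its "show crypto ipsec sa" output.

```python
import re

# Constructed excerpts of the R1 and R2 configs posted above (only the lines this check reads).
R1_CFG = """\
crypto isakmp key cisco111 address 192.1.20.2
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map CMAP 5 ipsec-isakmp
 match address 101
 set peer 192.1.20.2
"""
R2_CFG = """\
crypto isakmp key cisco111 address 192.1.10.1
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map CMAP 5 ipsec-isakmp
 match address 101
 set peer 192.1.10.1
"""
# Crypto endpoints as the thread reports them (R2's from "local addr" in show crypto ipsec sa).
ENDPOINTS = {"R1": "192.1.10.1", "R2": "192.1.20.1"}

def parse(cfg):
    """Return one dict per crypto-map entry: peer, (src, dst) nets, and the key for that peer."""
    keys = {addr: key for key, addr in re.findall(r"crypto isakmp key (\S+) address (\S+)", cfg)}
    acls = {n: (s, d) for n, s, d in re.findall(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", cfg)}
    entries = []
    for body in re.split(r"crypto map \S+ \d+ ipsec-isakmp", cfg)[1:]:
        acl = re.search(r"match address (\d+)", body).group(1)
        peer = re.search(r"set peer (\S+)", body).group(1)
        entries.append({"peer": peer, "nets": acls[acl], "key": keys.get(peer)})
    return entries

def check_tunnel(local_cfg, remote_cfg, remote_endpoint):
    """Findings for the tunnel from local to remote; an empty list means the two sides agree."""
    findings = []
    for e in parse(local_cfg):
        if e["peer"] != remote_endpoint:
            findings.append(f"peer {e['peer']} is not the remote's crypto endpoint {remote_endpoint}")
        if e["key"] is None:
            findings.append(f"no pre-shared key for peer {e['peer']}")
        src, dst = e["nets"]
        # The remote's crypto ACL must be the exact mirror: its src is our dst and vice versa.
        mirror = [r for r in parse(remote_cfg) if r["nets"] == (dst, src)]
        if not mirror:
            findings.append(f"ACL {src} -> {dst} has no mirror on the remote")
        elif mirror[0]["key"] != e["key"]:
            findings.append("pre-shared keys differ between the two sides")
    return findings

if __name__ == "__main__":
    print("R1 -> R2:", check_tunnel(R1_CFG, R2_CFG, ENDPOINTS["R2"]) or "OK")
    print("R2 -> R1:", check_tunnel(R2_CFG, R1_CFG, ENDPOINTS["R1"]) or "OK")
```

Run on these excerpts, the R2 -> R1 direction is consistent, while the R1 -> R2 direction reports that R1's peer and key address (192.1.20.2) differ from the local address R2 reports for its crypto endpoint (192.1.20.1).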
01-29-2020 03:42 AM
01-29-2020 03:50 AM
"debug isakmp" is not available, strange.
I have one more output for you:
R2#sh crypto map
Crypto Map IPv4 "CMAP" 5 ipsec-isakmp
Peer = 192.1.10.1
Extended IP access list 101
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Current peer: 192.1.10.1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TSET: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map CMAP:
FastEthernet0/0
01-29-2020 03:53 AM
01-29-2020 04:16 AM
BIG OUTPUT :)
R2#ping 10.1.1.1 sou 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
*Jan 29 14:00:57.999: ISAKMP:(0): SA request profile is (NULL)
*Jan 29 14:00:58.003: ISAKMP: Created a peer struct for 192.1.10.1, peer port 500
*Jan 29 14:00:58.003: ISAKMP: New peer created peer = 0x69202124 peer_handle = 0x80000003
*Jan 29 14:00:58.003: ISAKMP: Locking peer struct 0x69202124, refcount 1 for isakmp_initiator
*Jan 29 14:00:58.007: ISAKMP: local port 500, remote port 500
*Jan 29 14:00:58.007: ISAKMP: set new node 0 to QM_IDLE
*Jan 29 14:00:58.011: ISAKMP:(0):insert sa successfully sa = 688CE578
*Jan 29 14:00:58.011: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 29 14:00:58.015: ISAKMP:(0):found peer pre-shared key matching 192.1.10.1
*Jan 29 14:00:58.019: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 29 14:00:58.019: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 29 14:00:58.019: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 29 14:00:58.023: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 29 14:00:58.023: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 29 14:00:58.027: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jan 29 14:00:58.027: ISAKMP:(0): beginning Main Mode exchange
*Jan 29 14:00:58.031: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:00:58.031: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R2#
*Jan 29 14:01:08.035: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:08.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jan 29 14:01:08.039: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:08.039: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:08.039: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:18.043: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:18.043: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 29 14:01:18.047: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:18.047: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:18.051: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:27.999: ISAKMP: set new node 0 to QM_IDLE
*Jan 29 14:01:28.003: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.1.20.1, remote 192.1.10.1)
*Jan 29 14:01:28.003: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 29 14:01:28.003: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 29 14:01:28.051: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:28.051: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 29 14:01:28.055: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:28.055: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:28.059: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:38.059: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:38.059: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 29 14:01:38.063: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:38.063: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:38.067: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:48.067: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:48.067: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jan 29 14:01:48.071: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:48.071: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:48.071: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:58.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:58.091: ISAKMP:(0):peer does not do paranoid keepalives.
*Jan 29 14:01:58.091: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.1.10.1)
*Jan 29 14:01:58.099: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.1.10.1)
*Jan 29 14:01:58.103: ISAKMP: Unlocking peer struct 0x69202124 for isadb_mark_sa_deleted(), count 0
*Jan 29 14:01:58.103: ISAKMP: Deleting peer node by peer_reap for 192.1.10.1: 69202124
*Jan 29 14:01:58.107: ISAKMP:(0):deleting node 1134925364 error FALSE reason "IKE deleted"
*Jan 29 14:01:58.111: ISAKMP:(0):deleting node -163259632 error FALSE reason "IKE deleted"
*Jan 29 14:01:58.111: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 29 14:01:58.115: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Jan 29 14:02:48.107: ISAKMP:(0):purging node 1134925364
*Jan 29 14:02:48.111: ISAKMP:(0):purging node -163259632
*Jan 29 14:02:58.111: ISAKMP:(0):purging SA., sa=688CE578, delme=688CE578
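An added triage helper (example code, not part of the thread): it reads lines in the shape of the "debug crypto isakmp" output above and summarises the phase 1 attempt, so that an initiator stuck in MM_NO_STATE with retransmits and a "Death by retransmission P1" deletion is recognised as "our MM1 was never answered" rather than a proposal or key mismatch, which would show up only after the peer replies. The sample lines are a constructed subset of the output posted above.

```python
import re

# Constructed sample in the shape of the debug output above (a subset of its lines).
SAMPLE_DEBUG = """\
*Jan 29 14:00:58.027: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jan 29 14:00:58.031: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:08.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jan 29 14:01:18.043: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 29 14:01:58.091: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.1.10.1)
*Jan 29 14:01:58.115: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
SEND_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" .*\(peer (\S+)\)')
# States an initiator only reaches after the responder has answered MM1.
REPLIED_STATES = {"IKE_I_MM2", "IKE_I_MM3", "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6"}

def triage_isakmp(debug_text):
    """Summarise one phase 1 attempt: peer, states visited, retransmits, deletion reason, verdict."""
    states, retries, peer, role, reason = [], 0, None, None, None
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            states.append(m.group(1))
        elif m := RETRANS_RE.search(line):
            retries = int(m.group(1))
        elif m := SEND_RE.search(line):
            peer, role = m.group(1), m.group(2)
        elif m := DELETE_RE.search(line):
            reason, peer = m.group(1), m.group(2)
    got_reply = any(s in REPLIED_STATES for s in states)
    if role == "I" and not got_reply and reason == "Death by retransmission P1":
        verdict = "no IKE reply from peer: our first Main Mode packet was never answered"
    elif got_reply:
        verdict = "peer answered MM1: inspect the later exchange for a proposal or authentication failure"
    else:
        verdict = "inconclusive"
    return {"peer": peer, "states": states, "retransmits": retries, "reason": reason, "verdict": verdict}

if __name__ == "__main__":
    print(triage_isakmp(SAMPLE_DEBUG))
```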
01-29-2020 04:46 AM
01-30-2020 01:38 AM - edited 01-30-2020 01:41 AM
Sorry for the very delayed response; please find below the pings between the routers:
R1#ping 192.1.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/54/84 ms
R1#ping 192.1.30.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/56/84 ms
R1#
***********************************************************************
R2#ping 192.1.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/54/60 ms
R2#ping 192.1.30.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/57/80 ms
R2#
***************************************************************************
R3#ping 192.1.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/53/56 ms
R3#ping 192.1.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/52/56 ms
R3#
If I ping the loopback, the error is U.U.U
Router software version:
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S7
Thank you RJI
01-30-2020 02:04 AM
01-30-2020 02:02 AM
01-30-2020 04:16 AM