Site to Site VPN over IP Sec

Wasif.B
Level 1

Hello people,

I am trying to create a site-to-site VPN over IPsec in EVE-NG; please help if someone can. I am unable to ping Loopback0. When I run the show command "sh crypto isakmp sa" I can see the tunnel has been created. Below is the configuration.

Thank you.

Site-To-Site VPN.png

R1
========
! 1. Configure the Parameters for Phase I
!
crypto isakmp policy 10
auth pre-share
encryption 3des
hash md5
group 2

crypto isakmp policy 20
auth pre-share
encryption 3des
hash sha
group 2
!
crypto isakmp key cisco111 address 192.1.20.2
crypto isakmp key cisco222 address 192.1.30.3
!
! 2. Configure the parameters for Phase II
!
crypto ipsec transform-set TSET esp-3des esp-md5

! 3. Define the traffic that will be encrypted over the Tunnel
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
! 4. configure a crypto map to link the above parameters to each other
!
crypto map CMAP 5 ipsec-isakmp
match address 101
set peer 192.1.20.2
set transform-set TSET
!
crypto map CMAP 10 ipsec-isakmp
match address 102
set peer 192.1.30.3
set transform-set TSET
!
! 5. Apply the crypto map to the outgoing interface
!
interface fa0/0
crypto map CMAP

========================================
R2
========================================
! 1. Configure the Parameters for Phase I
!
crypto isakmp policy 10
auth pre-share
encryption 3des
hash md5
group 2
!
crypto isakmp key cisco111 address 192.1.10.1

! 2. Configure the parameters for Phase II
!
crypto ipsec transform-set TSET esp-3des esp-md5

! 3. Define the traffic that will be encrypted over the Tunnel
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! 4. configure a crypto map to link the above parameters to each other
!
crypto map CMAP 5 ipsec-isakmp
match address 101
set peer 192.1.10.1
set transform-set TSET
!
! 5. Apply the crypto map to the outgoing interface
!
interface fa0/0
crypto map CMAP

=======================================
R3
=======================================

! 1. Configure the Parameters for Phase I
!
crypto isakmp policy 20
auth pre-share
encryption 3des
hash sha
group 2
!
crypto isakmp key cisco222 address 192.1.10.1
!
! 2. Configure the parameters for Phase II
!
crypto ipsec transform-set TSET esp-3des esp-md5
! 3. Define the traffic that will be encrypted over the Tunnel
!
access-list 102 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
! 4. configure a crypto map to link the above parameters to each other
!
crypto map CMAP 10 ipsec-isakmp
match address 102
set peer 192.1.10.1
set transform-set TSET
! 5. Apply the crypto map to the outgoing interface
!
interface fa0/0
crypto map CMAP

Thank you once again for the help.

-Wasif

11 Replies

Hi,
When you are pinging the peers' Loopback interface, which source interface/IP address is the request coming from? Did you specify the source of the local loopback interface?

Do you have NAT configured on any of the routers?

Can you provide the output of "show crypto isakmp sa" and "show crypto ipsec sa" from each of the routers you are attempting to establish a VPN to?

HTH

Thank you RJI for the reply, please find below the answers to your questions.

When you are pinging the peers' Loopback interface, which source interface/IP address is the request coming from? Did you specify the source of the local loopback interface?

ping 10.2.2.2 source 10.1.1.1

ping 10.1.1.1 source 10.2.2.2

This is how I am pinging.

Do you have NAT configured on any of the routers?

No NAT is configured, because I am following a video tutorial and there the trainer did not configure NAT.

Can you provide the output of "show crypto isakmp sa" and "show crypto ipsec sa" from each of the routers you are attempting to establish a VPN to.

R2#ping 10.1.1.1 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
.....
Success rate is 0 percent (0/5)
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.1.10.1 192.1.20.1 MM_NO_STATE 0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 192.1.20.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer 192.1.10.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0

local crypto endpt.: 192.1.20.1, remote crypto endpt.: 192.1.10.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Hope this will help.

The problem is that Phase 2 has not completed; you can see that because there are no "inbound esp sas" or "outbound esp sas".

I assume you don't have any ACLs on the interfaces filtering traffic?

Please run "debug isakmp" and provide the output for review.

"debug isakmp" is not available, strange.

I have one more output for you

R2#sh crypto map
Crypto Map IPv4 "CMAP" 5 ipsec-isakmp
Peer = 192.1.10.1
Extended IP access list 101
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Current peer: 192.1.10.1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TSET: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map CMAP:
FastEthernet0/0

Sorry, "debug crypto isakmp"

BIG OUTPUT :)

R2#ping 10.1.1.1 sou 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2

*Jan 29 14:00:57.999: ISAKMP:(0): SA request profile is (NULL)
*Jan 29 14:00:58.003: ISAKMP: Created a peer struct for 192.1.10.1, peer port 500
*Jan 29 14:00:58.003: ISAKMP: New peer created peer = 0x69202124 peer_handle = 0x80000003
*Jan 29 14:00:58.003: ISAKMP: Locking peer struct 0x69202124, refcount 1 for isakmp_initiator
*Jan 29 14:00:58.007: ISAKMP: local port 500, remote port 500
*Jan 29 14:00:58.007: ISAKMP: set new node 0 to QM_IDLE
*Jan 29 14:00:58.011: ISAKMP:(0):insert sa successfully sa = 688CE578
*Jan 29 14:00:58.011: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 29 14:00:58.015: ISAKMP:(0):found peer pre-shared key matching 192.1.10.1
*Jan 29 14:00:58.019: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 29 14:00:58.019: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 29 14:00:58.019: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 29 14:00:58.023: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 29 14:00:58.023: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 29 14:00:58.027: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Jan 29 14:00:58.027: ISAKMP:(0): beginning Main Mode exchange
*Jan 29 14:00:58.031: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:00:58.031: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R2#
*Jan 29 14:01:08.035: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:08.035: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jan 29 14:01:08.039: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:08.039: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:08.039: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:18.043: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:18.043: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 29 14:01:18.047: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:18.047: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:18.051: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:27.999: ISAKMP: set new node 0 to QM_IDLE
*Jan 29 14:01:28.003: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.1.20.1, remote 192.1.10.1)
*Jan 29 14:01:28.003: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 29 14:01:28.003: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 29 14:01:28.051: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:28.051: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 29 14:01:28.055: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:28.055: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:28.059: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:38.059: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:38.059: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 29 14:01:38.063: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:38.063: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:38.067: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:48.067: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:48.067: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jan 29 14:01:48.071: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 29 14:01:48.071: ISAKMP:(0): sending packet to 192.1.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 29 14:01:48.071: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 29 14:01:58.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 29 14:01:58.091: ISAKMP:(0):peer does not do paranoid keepalives.

*Jan 29 14:01:58.091: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.1.10.1)
*Jan 29 14:01:58.099: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.1.10.1)
*Jan 29 14:01:58.103: ISAKMP: Unlocking peer struct 0x69202124 for isadb_mark_sa_deleted(), count 0
*Jan 29 14:01:58.103: ISAKMP: Deleting peer node by peer_reap for 192.1.10.1: 69202124
*Jan 29 14:01:58.107: ISAKMP:(0):deleting node 1134925364 error FALSE reason "IKE deleted"
*Jan 29 14:01:58.111: ISAKMP:(0):deleting node -163259632 error FALSE reason "IKE deleted"
*Jan 29 14:01:58.111: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 29 14:01:58.115: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Jan 29 14:02:48.107: ISAKMP:(0):purging node 1134925364
*Jan 29 14:02:48.111: ISAKMP:(0):purging node -163259632
*Jan 29 14:02:58.111: ISAKMP:(0):purging SA., sa=688CE578, delme=688CE578

Is the routing in place? Can the routers even ping each other's outside interface?

Sorry for a very delayed response. Please find below the pings between the routers:

R1#ping 192.1.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/54/84 ms
R1#ping 192.1.30.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/56/84 ms
R1#

***********************************************************************

R2#ping 192.1.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/54/60 ms
R2#ping 192.1.30.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/57/80 ms
R2#

***************************************************************************

R3#ping 192.1.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/53/56 ms
R3#ping 192.1.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/52/56 ms
R3#

If I ping the loopback the error is U.U.U

Router software version

Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S7

Thank you RJI

Do you have any ACLs configured on any of the interfaces that could be blocking the traffic?

Can you run the debug on both routers that you are attempting to establish a VPN with and provide the output? Save it in a text file and upload it; that is easier to review.

All sorted RJI, thank you so much for your help; I really appreciate the time you spent with me troubleshooting the issue. I had assigned the wrong IP address to the R2 interface. Thank you once again.

Good to hear it's working now, thanks for providing an update. It makes sense; the logs indicated that communication to the configured peer could not be established.
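The root cause in this thread (R1's key and crypto map point at 192.1.20.2, while "show crypto ipsec sa" on R2 reports its local address as 192.1.20.1) is exactly the kind of mismatch that leaves Phase 1 retransmitting in MM_NO_STATE until "Death by retransmission P1". The script below is an added example, not part of the thread: it cross-checks each router's "crypto isakmp key ... address" and "set peer" statements against the outside address every router really holds. The router data is constructed from the configs and outputs above; R1's and R3's outside addresses are assumed from the ping targets, and R2's is the local addr from its show output.

```python
import re

# Constructed from the thread: each router's ISAKMP keys and crypto-map peers,
# plus the outside address it actually holds (R2's is the misconfigured one).
ROUTERS = {
    "R1": {"wan": "192.1.10.1", "config": """
crypto isakmp key cisco111 address 192.1.20.2
crypto isakmp key cisco222 address 192.1.30.3
crypto map CMAP 5 ipsec-isakmp
 set peer 192.1.20.2
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.30.3"""},
    "R2": {"wan": "192.1.20.1", "config": """
crypto isakmp key cisco111 address 192.1.10.1
crypto map CMAP 5 ipsec-isakmp
 set peer 192.1.10.1"""},
    "R3": {"wan": "192.1.30.3", "config": """
crypto isakmp key cisco222 address 192.1.10.1
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.10.1"""},
}

KEY_RE = re.compile(r"^\s*crypto isakmp key (\S+) address (\S+)", re.M)
PEER_RE = re.compile(r"^\s*set peer (\S+)", re.M)

def parse(config):
    """Return ({peer_addr: psk}, [crypto-map peer addrs]) from IOS config text."""
    keys = {addr: psk for psk, addr in KEY_RE.findall(config)}
    return keys, PEER_RE.findall(config)

def check(routers):
    """Flag peers no router owns, one-sided crypto maps, and PSK mismatches."""
    owner = {r["wan"]: name for name, r in routers.items()}
    parsed = {name: parse(r["config"]) for name, r in routers.items()}
    findings = []
    for name, (keys, peers) in parsed.items():
        my_wan = routers[name]["wan"]
        for peer in peers:
            if peer not in keys:
                findings.append(f"{name}: set peer {peer} has no isakmp key")
            other = owner.get(peer)
            if other is None:  # nobody answers on port 500: stuck in MM_NO_STATE
                findings.append(f"{name}: peer {peer} is not any router's outside address")
                continue
            other_keys, other_peers = parsed[other]
            if my_wan not in other_peers:
                findings.append(f"{other}: no crypto map entry points back at {name} ({my_wan})")
            elif keys.get(peer) != other_keys.get(my_wan):
                findings.append(f"{name}<->{other}: pre-shared keys differ")
    return findings

if __name__ == "__main__":
    for line in check(ROUTERS) or ["no mismatches"]:
        print(line)
```

Running it against the thread's data reports the two symptoms of the one wrong address; correcting R2's outside address to 192.1.20.2 makes the report empty.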