Site to Site VPN

simon clarke
Level 1

Hi All

I am having trouble configuring a site-to-site VPN in VIRL; I have tried doing it from both the command line and ASDM with no luck. I have attached a Word document with the configurations and a copy of the topology; if anyone could tell me where I'm going wrong it would be most appreciated.

Thanks

Simon

Accepted Solution

JP Miranda Z
Cisco Employee

Hi simon clarke,

The config looks fine.

Try running debugs:

debug cry isa 180

debug cry ipsec 180

When trying to bring the tunnel up you can run the command sh crypto isa sa and sh crypto ipsec sa so you can check if the tunnel is staying on any of the following messages:

https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/

Hope this info helps!!

Rate if it helps you!!

-JP-

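To make the show-command check above repeatable, here is an added Python helper (not from the thread or from Cisco) that parses `show crypto isakmp sa` output and maps the Phase 1 state, or the absence of any SA, to the usual cause. The sample outputs, the peer address 10.0.0.2 and the hint wording are constructed; the no-SA branch covers the silent-debug symptom reported later in this thread.

```python
import re

# IKEv1 phase-1 states as printed by "show crypto isakmp sa" on IOS, with the
# usual reading when a tunnel sits in that state instead of reaching QM_IDLE.
STATE_HINTS = {
    "MM_NO_STATE": "ISAKMP SA created but no usable reply from the peer: check "
                   "reachability, UDP/500 filtering and that Phase 1 policies match",
    "MM_SA_SETUP": "Phase 1 policy agreed, waiting on the Diffie-Hellman exchange",
    "MM_KEY_EXCH": "DH done but the SA never authenticated: pre-shared key or the "
                   "address in 'crypto isakmp key ... address' usually mismatched",
    "MM_KEY_AUTH": "authenticated, Quick Mode should follow",
    "QM_IDLE": "Phase 1 complete; if no IPsec SA forms, compare transform sets and "
               "check that the crypto ACLs mirror each other",
}
# One SA row: dst, src, state, conn-id, optional slot column (older IOS), status.
SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+((?:MM|AG|QM)_\w+)\s+(\d+)\s+(?:\d+\s+)?(\S+)")

def parse_isakmp_sa(output):
    """Return one dict per SA row in 'show crypto isakmp sa' output."""
    rows = []
    for line in output.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status})
    return rows

def diagnose(output, peer):
    """Return (state, hint) for the ISAKMP SA with the given peer address."""
    rows = [r for r in parse_isakmp_sa(output) if peer in (r["dst"], r["src"])]
    if not rows:
        # No SA at all is the silent-debug case: IKE was never triggered, so no
        # packet matched the crypto ACL on the interface holding the crypto map.
        return ("NO_SA", "no ISAKMP SA for peer: traffic is not matching the crypto "
                "ACL on the mapped interface; check routing, the ACL and which "
                "interface the crypto map is applied to")
    state = rows[0]["state"]
    return (state, STATE_HINTS.get(state, "unlisted state; read the isakmp debugs"))

# Constructed sample outputs (not taken from the thread).
SAMPLE_STUCK = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.2        172.16.1.1      MM_KEY_EXCH       1001 ACTIVE
"""
SAMPLE_EMPTY = "IPv4 Crypto ISAKMP SA\ndst             src             state          conn-id status\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_STUCK, "10.0.0.2"), diagnose(SAMPLE_EMPTY, "10.0.0.2"))
```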

2 Replies

Hi Simon,

I tried to put in the following IPsec configs and tested in VIRL IOSv and CSR1000v, and neither was working. Turned on the debug and there are no logs appearing at all. Tried to send a ping from network 10.1.1.0 to the 172.16.2.0 network and nothing went through.

@JP Miranda Z wrote:

Hi simon clarke,

The config looks fine.

Try running debugs:

debug cry isa 180

debug cry ipsec 180

When trying to bring the tunnel up you can run the command sh crypto isa sa and sh crypto ipsec sa so you can check if the tunnel is staying on any of the following messages:

https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/

Hope this info helps!!

Rate if it helps you!!

-JP-

Does VIRL support IPsec?


R1

---

!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 10.1.1.0/24 to 172.16.2.0/24
!--- is encrypted. The traffic which does not match the access list
!--- is unencrypted for the Internet.
!
ip access-list extended VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the L2L tunnels.
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
!--- Specify the pre-shared key and the remote peer address
!--- to match for the L2L tunnel.
!
crypto isakmp key cisco123 address 10.0.0.2
!
!--- Create the Phase 2 policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
!--- Create the actual crypto map. Specify
!--- the peer IP address, transform
!--- set, and an access control list (ACL) for the split tunneling.
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set myset
 match address VPN-ACL
!
interface GigabitEthernet0/1
 crypto map mymap
!


R2

---

!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 172.16.2.0/24 to 10.1.1.0/24
!--- is encrypted. The traffic which does not match the access list
!--- is unencrypted for the Internet.
!
ip access-list extended VPN-ACL
 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the L2L tunnels.
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
!--- Specify the pre-shared key and the remote peer address
!--- to match for the L2L tunnel.
!
crypto isakmp key cisco123 address 172.16.1.1
!
!--- Create the Phase 2 policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
!--- Create the actual crypto map. Specify
!--- the peer IP address, transform
!--- set, and an access control list (ACL) for the split tunneling.
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set myset
 match address VPN-ACL
!
interface GigabitEthernet0/2
 crypto map mymap
!