Unable to Bring UP IPSec Tunnel

HARIS_HUSSAIN
VIP Alumni

I am trying to lab up an IPsec tunnel using the legacy crypto map method on CSR routers, but I am unable to figure out why my ISAKMP tunnel won't come up.


R1
==

crypto isakmp policy 10
encr 3des
hash sha256
authentication pre-share
group 14
lifetime 3000
crypto isakmp key ENCRYPT address 2.0.0.1
crypto ipsec transform-set IPSEC-TSET esp-3des esp-sha256-hmac
mode tunnel
crypto map CRY-MAP 1 ipsec-isakmp
set peer 2.0.0.1
set transform-set IPSEC-TSET
match address IPSEC_ACL
crypto map CRY-MAP
ip access-list extended IPSEC_ACL
permit ip any any
permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255

VG-OMAN1#sh running-config interface gigabitEthernet 1
Building configuration...

Current configuration : 106 bytes
!
interface GigabitEthernet1
ip address 1.0.0.1 255.255.255.0
negotiation auto
crypto map CRY-MAP
end
VG-OMAN1#sh ip int b
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 1.0.0.1 YES NVRAM up up
GigabitEthernet2 unassigned YES NVRAM administratively down down
GigabitEthernet3 unassigned YES NVRAM administratively down down
GigabitEthernet4 unassigned YES NVRAM administratively down down
Loopback0 10.1.1.1 YES NVRAM up up

R2
==

VG-OMAN2#sh running-config | s crypto
crypto isakmp policy 1
encr 3des
hash sha256
authentication pre-share
group 14
lifetime 3000
crypto isakmp key ENCRYPT address 1.0.0.1
crypto ipsec transform-set IPSEC-TSET esp-3des esp-sha256-hmac
mode tunnel
crypto map MY_MAP 1 ipsec-isakmp
set peer 1.0.0.1
set transform-set IPSEC-TSET
match address CRY-ACL
crypto map MY_MAP
ip access-list extended CRY-ACL
permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255


VG-OMAN2#sh ip int b
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 2.0.0.1 YES NVRAM up up
GigabitEthernet2 unassigned YES NVRAM administratively down down
GigabitEthernet3 unassigned YES NVRAM administratively down down
GigabitEthernet4 unassigned YES NVRAM administratively down down
Loopback0 20.1.1.1 YES NVRAM up up

TEST
====

R2
==

VG-OMAN2#ping 10.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.1

*Apr 10 12:03:40.400: %SYS-5-CONFIG_I: Configured from console by console.....
Success rate is 0 percent (0/5)

R1
==

VG-OMAN1#ping 20.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)

9 Replies


Hi,
Can you remove permit ip any any from the R1 crypto ACL?

ip access-list extended IPSEC_ACL
no permit ip any any

I assume there is a default route on both routers? There will need to be.

Turn on ISAKMP/IKEv1 debugs, run the ping again, and upload the debug output here, please.

Tried the debugs, but nothing comes up. I think it is not triggering the traffic? Is this supported on CSR routers?
VG-OMAN1#sh run | s route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1
VG-OMAN1#ping 20.1.1.1 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)

Yes, it's supported on CSR routers. What license do you have?

Have you tried changing your static route statement from "ip route 0.0.0.0 0.0.0.0 GigabitEthernet1" to "ip route 0.0.0.0 0.0.0.0 x.x.x.x" on both routers?

Didn't try that, will try.

Changing the static route statement resolved the issue. But I didn't understand why that would have an impact. Can you elaborate?

*** Please rate helpful posts; mark "Accept as a Solution" if applicable

Thanks,
Haris
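
Putting the thread's two fixes together, as an added example rather than a config taken from any of the posts above: each crypto ACL lists only the two loopback subnets and is the mirror image of the other router's ACL, and each default route points at a next-hop address instead of an interface. The next hops 1.0.0.254 and 2.0.0.254 are assumed placeholders, because the device sitting between 1.0.0.0/24 and 2.0.0.0/24 is never shown in the thread; substitute the real ones. Two caveats behind the fixes: in the posted R1 ACL the permit ip any any line sits above the specific entry, so the specific entry can never match, and an any/any crypto ACL tells the router to protect every outbound packet and drop every unprotected inbound one, which is why Cisco's IPsec documentation discourages the any keyword in crypto ACLs. A static route that names only a multi-access interface, as the technote linked later in the thread explains, makes IOS ARP for each individual destination address and so depends on the upstream device answering with proxy ARP.

```cisco
! R1 (corrected; added example, next hop 1.0.0.254 is an assumed placeholder)
crypto isakmp policy 10
 encr 3des
 hash sha256
 authentication pre-share
 group 14
 lifetime 3000
crypto isakmp key ENCRYPT address 2.0.0.1
!
crypto ipsec transform-set IPSEC-TSET esp-3des esp-sha256-hmac
 mode tunnel
!
crypto map CRY-MAP 1 ipsec-isakmp
 set peer 2.0.0.1
 set transform-set IPSEC-TSET
 match address IPSEC_ACL
!
ip access-list extended IPSEC_ACL
 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
!
interface GigabitEthernet1
 ip address 1.0.0.1 255.255.255.0
 crypto map CRY-MAP
!
ip route 0.0.0.0 0.0.0.0 1.0.0.254
!
! R2 (corrected; next hop 2.0.0.254 is an assumed placeholder)
crypto isakmp policy 1
 encr 3des
 hash sha256
 authentication pre-share
 group 14
 lifetime 3000
crypto isakmp key ENCRYPT address 1.0.0.1
!
crypto ipsec transform-set IPSEC-TSET esp-3des esp-sha256-hmac
 mode tunnel
!
crypto map MY_MAP 1 ipsec-isakmp
 set peer 1.0.0.1
 set transform-set IPSEC-TSET
 match address CRY-ACL
!
ip access-list extended CRY-ACL
 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
interface GigabitEthernet1
 ip address 2.0.0.1 255.255.255.0
 crypto map MY_MAP
!
ip route 0.0.0.0 0.0.0.0 2.0.0.254
```

After applying it, ping 20.1.1.1 source loopback 0 from R1 should trigger IKE: show crypto isakmp sa should list the peer in QM_IDLE, and show crypto ipsec sa should show the encaps/decaps counters climbing with each ping. 3DES is kept only to match the thread; for anything beyond a lab, use encr aes 256 in the ISAKMP policy and esp-aes 256 esp-sha256-hmac in the transform set.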

Any specific reason why static route with interfaces is not supported in IPSEC?

In my experience I encountered the same issue as you. I can't say with confidence, but my guess is that the answer is found in the links below. I think its software logic is probably confusing itself.

https://learningnetwork.cisco.com/thread/78180

https://www.cisco.com/c/en/us/support/docs/dial-access/floating-static-route/118263-technote-nexthop-00.html
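
A small checker for the kind of mismatch this thread turned on, as an added example (my code, not from the thread or from Cisco). It reads both routers' configs as text and flags: a permit ip any any entry in the crypto ACL, crypto ACLs that are not mirror images of each other, a default route that names only an interface, and ISAKMP policies with nothing in common (encr/hash/authentication/group). The embedded R1_CONFIG and R2_CONFIG are the thread's crypto sections trimmed to the lines the checker reads, plus R1's posted ip route line; R2's route line and the fixed next hops 1.0.0.254/2.0.0.254 are assumptions, since neither appears in the thread.

```python
import re

# Constructed inputs, trimmed to the lines the checker reads: R1 is the crypto
# section quoted in the thread plus the 'ip route' line R1 showed later; R2 is
# its quoted crypto section plus an ASSUMED interface-only default route.
R1_CONFIG = """\
crypto isakmp policy 10
encr 3des
hash sha256
authentication pre-share
group 14
match address IPSEC_ACL
ip access-list extended IPSEC_ACL
permit ip any any
permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1
"""
R2_CONFIG = """\
crypto isakmp policy 1
encr 3des
hash sha256
authentication pre-share
group 14
match address CRY-ACL
ip access-list extended CRY-ACL
permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1
"""
# The same configs with the thread's two fixes applied.  The next hops
# 1.0.0.254 / 2.0.0.254 are ASSUMED: the upstream device is never shown.
R1_FIXED = R1_CONFIG.replace("permit ip any any\n", "").replace("GigabitEthernet1", "1.0.0.254")
R2_FIXED = R2_CONFIG.replace("GigabitEthernet1", "2.0.0.254")

ANY = ("0.0.0.0", "255.255.255.255")  # internal form of the 'any' keyword
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def _addr(tok):
    """Consume one ACE address spec, 'any' or 'A.B.C.D WILDCARD'; return (addr, remaining tokens)."""
    return (ANY, tok[1:]) if tok[0] == "any" else ((tok[0], tok[1]), tok[2:])

def parse_acls(cfg):
    """{name: [(action, proto, src, dst)]}; pastes lose indentation, so a block ends at the first non-ACE."""
    acls, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            cur = m.group(1)
            acls[cur] = []
            continue
        m = re.match(r"(permit|deny) (\S+) (.+)$", line) if cur else None
        if not m:
            cur = None
            continue
        src, rest = _addr(m.group(3).split())
        acls[cur].append((m.group(1), m.group(2), src, _addr(rest)[0]))
    return acls

def isakmp_policies(cfg):
    """Set of (encr, hash, authentication, group) per policy block; lifetime is ignored (IKEv1 takes the shorter)."""
    pols, cur = [], None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"(encr|hash|authentication|group|lifetime) (\S+)$", line)
        if line.startswith("crypto isakmp policy "):
            cur = {}
            pols.append(cur)
        elif m and cur is not None:
            cur[m.group(1)] = m.group(2)
        else:
            cur = None  # any other line ends the policy block
    return {tuple(p.get(k) for k in ("encr", "hash", "authentication", "group")) for p in pols}

def interface_only_default_routes(cfg):
    """Default routes with no A.B.C.D next hop: on Ethernet IOS must then ARP for every destination."""
    return [m.group(0) for m in re.finditer(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (.+)$", cfg, re.M)
            if not any(IPV4.match(t) for t in m.group(1).split())]

def check_pair(peers):
    """peers = {"R1": cfg, "R2": cfg}; returns the list of findings (empty means clean)."""
    out, aces = [], {}
    for name, cfg in peers.items():
        m = re.search(r"^\s*match address (\S+)", cfg, re.M)
        acl = m.group(1) if m else None
        aces[name] = parse_acls(cfg).get(acl, [])
        for action, proto, src, dst in aces[name]:
            if src == ANY and dst == ANY:
                out.append(f"{name} {acl}: '{action} {proto} any any' in a crypto ACL (shadows the entries below it; list the subnets to protect)")
        for r in interface_only_default_routes(cfg):
            out.append(f"{name}: default route names only an interface: '{r}'")
    (a, ca), (b, cb) = peers.items()
    for me, peer in ((a, b), (b, a)):
        mirror = {(act, p, d, s) for act, p, s, d in aces[peer]}  # peer's ACEs with src/dst swapped
        for act, p, s, d in aces[me]:
            if (act, p, s, d) not in mirror and (s, d) != (ANY, ANY):
                out.append(f"{me}: '{act} {p} {s[0]} {s[1]} {d[0]} {d[1]}' has no mirror entry on {peer}")
    if isakmp_policies(ca).isdisjoint(isakmp_policies(cb)):
        out.append("no ISAKMP policy (encr/hash/authentication/group) in common")
    return out
```

Run check_pair({"R1": R1_CONFIG, "R2": R2_CONFIG}) to see the three findings for the configs as posted (the any/any entry on R1 and the interface-only route on each router), and check_pair({"R1": R1_FIXED, "R2": R2_FIXED}) to confirm the fixed pair is clean; the ACL mirror and ISAKMP policy checks cover what the last reply asks about when it says the configs look the same on both ends.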

Dennis Mink
VIP Alumni

Config looks the same on both ends. I assume you checked the PSKs? Please add ISAKMP debugs.

Please remember to rate useful posts by clicking on the stars below.