09-17-2021 12:01 PM
Greetings!
I've tried to set up a tunnel between 2 routers using IPSec VPN but can't make it exchange traffic.
Before, using a serial connection and advertising routes with OSPF, everything pings everything.
ASBR only has directly connected routes.
What am I not seeing? Help is very much appreciated.
I've attached a zip file.
Both routers are 2811 IOS15 in Packet Tracer.
ROUTER ON THE RIGHT:
Current configuration : 2426 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2811/K9 sn FTX10171QR5-
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key ACLKey address 192.168.200.1
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.200.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set MYSET
match address VPN
!
spanning-tree mode pvst
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 192.168.100.2 255.255.255.252
crypto map MYMAP
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/0
ip address 192.168.4.1 255.255.255.252
!
interface Serial0/1/1
ip address 192.168.5.1 255.255.255.252
!
interface Serial0/2/0
ip address 192.168.2.2 255.255.255.252
!
interface Serial0/2/1
ip address 192.168.3.2 255.255.255.252
!
interface Serial0/3/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/3/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0
!
ip classless
ip route 192.168.1.0 255.255.255.252 192.168.2.1
ip route 192.168.1.0 255.255.255.252 192.168.3.1
ip route 30.0.0.0 255.0.0.0 192.168.3.1
ip route 40.0.0.0 255.0.0.0 192.168.3.1
ip route 10.0.0.0 255.0.0.0 192.168.2.1
ip route 20.0.0.0 255.0.0.0 192.168.2.1
ip route 192.168.6.0 255.255.255.252 192.168.5.2
ip route 192.168.6.0 255.255.255.252 192.168.4.2
ip route 40.0.0.0 255.0.0.0 192.168.5.2
ip route 40.0.0.0 255.0.0.0 192.168.4.2
ip route 50.0.0.0 255.0.0.0 192.168.5.2
ip route 50.0.0.0 255.0.0.0 192.168.4.2
!
ip flow-export version 9
!
!
ip access-list extended VPN
permit ip any 192.168.0.0 0.0.255.255
permit ip any 70.0.0.0 0.255.255.255
permit ip any 80.0.0.0 0.255.255.255
permit ip any any
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
ROUTER ON THE LEFT:
Current configuration : 1793 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2811/K9 sn FTX101799K6-
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key ACLKey address 192.168.100.2
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.100.2
set pfs group5
set security-association lifetime seconds 86400
set transform-set MYSET
match address VPN
!
spanning-tree mode pvst
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
bandwidth 64
ip address 192.168.200.1 255.255.255.252
clock rate 64000
crypto map MYMAP
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/2/0
ip address 192.168.7.1 255.255.255.252
clock rate 2000000
!
interface Serial0/2/1
ip address 192.168.8.1 255.255.255.252
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.7.0 0.0.0.255 area 3
network 192.168.8.0 0.0.0.255 area 3
network 192.168.200.0 0.0.0.255 area 3
!
router rip
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended VPN
permit ip any 192.168.0.0 0.0.255.255
permit ip any 10.0.0.0 0.255.255.255
permit ip any 20.0.0.0 0.255.255.255
permit ip any 30.0.0.0 0.255.255.255
permit ip any 40.0.0.0 0.255.255.255
permit ip any 50.0.0.0 0.255.255.255
permit ip any 60.0.0.0 0.255.255.255
permit ip any any
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
09-17-2021 02:06 PM
You are failing at a couple of things.
Crypto domain must match on both sides. What you push down the VPN must match in the VPN ACL; it just needs to be inverted. In your setup, VPN ACLs are not mirrored.
Another thing is that you are configuring policy-based VPN. This means that you can't use OSPF between them, as it won't work. You'll have to define interesting traffic in ACLs, and then point those networks towards 'outside', either by static routes or dynamic routing learned from elsewhere.
Each time some additional traffic is required to be defined through the tunnel, you'll have to update routing and ACLs.
If you would like to use OSPF between your routers, and to be able to just add a route for the VPN, then you need route-based VPN.
You can find a nice explanation for policy-based VPN here, and for route-based VPN here.
BR,
Milos
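One way to check the "mirrored crypto ACL" requirement from the reply above, as an added example that is not part of the thread: it parses two IOS extended ACLs into (source, destination) network pairs and reports entries whose swapped form is missing on the peer. The ACL excerpts are constructed from the thread's configs; the "fixed" pair is a constructed mirrored example.

```python
import ipaddress

# Excerpts of the two VPN ACLs quoted in the thread (constructed, shortened).
LEFT_ACL = """permit ip any 192.168.0.0 0.0.255.255
permit ip any 10.0.0.0 0.255.255.255
permit ip any any"""
RIGHT_ACL = """permit ip any 192.168.0.0 0.0.255.255
permit ip any 70.0.0.0 0.255.255.255
permit ip any any"""

# A constructed mirrored pair: each side's source is the other's destination.
LEFT_FIXED = "permit ip 192.168.7.0 0.0.0.3 192.168.2.0 0.0.0.3"
RIGHT_FIXED = "permit ip 192.168.2.0 0.0.0.3 192.168.7.0 0.0.0.3"

def _take(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)  # wildcard -> subnet mask
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def parse_crypto_acl(text):
    """Return the set of (src, dst) network pairs in an extended 'permit ip' ACL."""
    entries = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # only 'permit ip' lines define the crypto domain here
        src, i = _take(tokens, 2)
        dst, _ = _take(tokens, i)
        entries.add((src, dst))
    return entries

def mirror_mismatch(local_text, peer_text):
    """Entries on each side whose swapped (dst, src) form is missing on the other.
    Two empty sets mean the crypto domains match."""
    local, peer = parse_crypto_acl(local_text), parse_crypto_acl(peer_text)
    peer_mirror = {(dst, src) for src, dst in peer}
    local_mirror = {(dst, src) for src, dst in local}
    return local - peer_mirror, peer - local_mirror

if __name__ == "__main__":
    for name, pair in (("thread", (LEFT_ACL, RIGHT_ACL)), ("fixed", (LEFT_FIXED, RIGHT_FIXED))):
        on_peer, on_local = mirror_mismatch(*pair)
        print(name, "mirrored" if not (on_peer or on_local) else f"not mirrored: {on_peer} / {on_local}")
```

The symmetric `permit ip any any` line is never flagged; the asymmetric `any -> 10/8` and `any -> 70/8` entries are, which is what keeps the two peers' crypto domains from matching.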
09-20-2021 10:33 AM
Hi Milos_Jovanovic,
Thanks for your reply.
I managed to learn a lot from those links and successfully configured other labs.
I do have a new problem concerning this lab. I've changed the routing protocol of the routers to EIGRP and when trying to create a GRE Tunnel, I get this result:
Tunnel1 is up, line protocol is down (disabled). Any idea about what it might be? Thank you in advance.
Tunnel1 is up, line protocol is down (disabled)
Hardware is Tunnel
Internet address is 209.165.100.2/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1.1.1.1 (Loopback0), destination 4.4.4.4
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
----------------------------------------------
Tunnel1 is up, line protocol is down (disabled)
Hardware is Tunnel
Internet address is 209.165.100.1/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 4.4.4.4 (Loopback0), destination 1.1.1.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
09-20-2021 11:28 AM
Glad to hear I was able to help.
Could you please share your configurations, as from these outputs I don't see much?
BR,
Milos
09-20-2021 01:40 PM
Yes, of course.
LEFT ROUTER:
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 209.165.100.2 255.255.255.252
mtu 1476
tunnel source Loopback0
tunnel destination 4.4.4.4
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
bandwidth 64
ip address 192.168.200.1 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/2/0
ip address 192.168.7.1 255.255.255.252
clock rate 2000000
!
interface Serial0/2/1
ip address 192.168.8.1 255.255.255.252
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 192.168.200.0 0.0.0.3
network 192.168.7.0 0.0.0.3
network 192.168.8.0 0.0.0.3
!
ip classless
!
ip flow-export version 9
RIGHT ROUTER:
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface Tunnel1
ip address 209.165.100.1 255.255.255.252
mtu 1476
tunnel source Loopback0
tunnel destination 1.1.1.1
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 192.168.100.2 255.255.255.252
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/0
ip address 192.168.4.1 255.255.255.252
!
interface Serial0/1/1
ip address 192.168.5.1 255.255.255.252
!
interface Serial0/2/0
ip address 192.168.2.2 255.255.255.252
!
interface Serial0/2/1
ip address 192.168.3.2 255.255.255.252
!
interface Serial0/3/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/3/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 192.168.100.0 0.0.0.3
network 192.168.4.0 0.0.0.3
network 192.168.5.0 0.0.0.3
network 192.168.3.0 0.0.0.3
network 192.168.2.0 0.0.0.3
!
ip classless
ip route 192.168.1.0 255.255.255.252 192.168.3.1
ip route 30.0.0.0 255.0.0.0 192.168.3.1
ip route 40.0.0.0 255.0.0.0 192.168.3.1
ip route 10.0.0.0 255.0.0.0 192.168.2.1
ip route 20.0.0.0 255.0.0.0 192.168.2.1
ip route 192.168.6.0 255.255.255.252 192.168.5.2
ip route 192.168.6.0 255.255.255.252 192.168.4.2
ip route 40.0.0.0 255.0.0.0 192.168.5.2
ip route 40.0.0.0 255.0.0.0 192.168.4.2
ip route 50.0.0.0 255.0.0.0 192.168.5.2
ip route 50.0.0.0 255.0.0.0 192.168.4.2
ip route 192.168.1.0 255.255.255.252 192.168.2.1
!
ip flow-export version 9
ROUTER INBETWEEN:
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
bandwidth 64
ip address 192.168.100.1 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
bandwidth 64000
ip address 192.168.200.2 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 192.168.100.0 0.0.0.3
network 192.168.200.0 0.0.0.3
no auto-summary
!
ip classless
!
ip flow-export version 9
09-20-2021 02:21 PM
From a quick look, it looks to me that you are missing routes for 1.1.1.1 and 4.4.4.4 on the relevant routers. You are telling your routers to build tunnels on these IPs, but not telling them how to get there.
Let's try to fix that part first.
BR,
Milos
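A small check for the condition described in the reply above, as an added example that is not part of the thread: a longest-prefix lookup over a router's routing table that reports whether a GRE tunnel destination has no route at all (the thread's case, since the loopbacks are not in EIGRP) or whether the best route to it points back through the tunnel itself (recursive routing, which also takes the tunnel down). The routing table is constructed from the left router's config in the thread; the extra routes in the usage section are constructed scenarios.

```python
import ipaddress

# Constructed routing table for the thread's left router: connected links,
# its own loopback, and the far link learned via EIGRP. Note: no 4.4.4.4.
LEFT_RIB = [
    ("192.168.200.0/30", "Serial0/0/0"),
    ("192.168.7.0/30", "Serial0/2/0"),
    ("192.168.8.0/30", "Serial0/2/1"),
    ("1.1.1.1/32", "Loopback0"),
    ("192.168.100.0/30", "192.168.200.2"),
]

def lookup(rib, dst):
    """Longest-prefix match; returns (network, next_hop) or None when no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def tunnel_check(rib, tunnel_name, destination):
    """Classify the routing state of a GRE tunnel destination:
    'no-route'  -> IOS keeps the tunnel's line protocol down
    'recursive' -> best route to the destination goes through the tunnel itself
    'ok'        -> reachable over the underlay"""
    route = lookup(rib, destination)
    if route is None:
        return "no-route"
    if route[1] == tunnel_name:
        return "recursive"
    return "ok"

if __name__ == "__main__":
    # Thread's situation: the tunnel source/destination loopbacks are not advertised.
    print("thread:", tunnel_check(LEFT_RIB, "Tunnel1", "4.4.4.4"))
    # Constructed fix: the peer loopback is learned over the serial underlay.
    reachable = LEFT_RIB + [("4.4.4.4/32", "192.168.200.2")]
    print("with route:", tunnel_check(reachable, "Tunnel1", "4.4.4.4"))
    # Constructed pitfall: a more specific route to the peer loopback learned via the tunnel.
    looped = LEFT_RIB + [("4.4.4.0/24", "192.168.200.2"), ("4.4.4.4/32", "Tunnel1")]
    print("recursive:", tunnel_check(looped, "Tunnel1", "4.4.4.4"))
```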
09-21-2021 09:02 AM
Thanks Milos_Jovanovic,
Managed to solve the issue and redistributed routes between OSPF and EIGRP.
Greetings
Bruno