VPN Ipsec not exchanging traffic

Greetings!

I've tried to set up a tunnel between 2 routers using IPsec VPN but can't make it exchange traffic.

Before, using the serial connection and advertising routes with OSPF, everything pinged everything.

The ASBR only has directly connected routes.

What am I not seeing? Help is very much appreciated.

I've attached a zip file.

Both routers are 2811 IOS15 in Packet Tracer.

[Attached screenshot: Capturar.PNG]

ROUTER ON THE RIGHT:

Current configuration : 2426 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!

no ip cef
no ipv6 cef
!

license udi pid CISCO2811/K9 sn FTX10171QR5-
!

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key ACLKey address 192.168.200.1
!

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.200.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set MYSET
match address VPN
!

spanning-tree mode pvst
!

interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 192.168.100.2 255.255.255.252
crypto map MYMAP
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/0
ip address 192.168.4.1 255.255.255.252
!
interface Serial0/1/1
ip address 192.168.5.1 255.255.255.252
!
interface Serial0/2/0
ip address 192.168.2.2 255.255.255.252
!
interface Serial0/2/1
ip address 192.168.3.2 255.255.255.252
!
interface Serial0/3/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/3/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0
!
ip classless
ip route 192.168.1.0 255.255.255.252 192.168.2.1
ip route 192.168.1.0 255.255.255.252 192.168.3.1
ip route 30.0.0.0 255.0.0.0 192.168.3.1
ip route 40.0.0.0 255.0.0.0 192.168.3.1
ip route 10.0.0.0 255.0.0.0 192.168.2.1
ip route 20.0.0.0 255.0.0.0 192.168.2.1
ip route 192.168.6.0 255.255.255.252 192.168.5.2
ip route 192.168.6.0 255.255.255.252 192.168.4.2
ip route 40.0.0.0 255.0.0.0 192.168.5.2
ip route 40.0.0.0 255.0.0.0 192.168.4.2
ip route 50.0.0.0 255.0.0.0 192.168.5.2
ip route 50.0.0.0 255.0.0.0 192.168.4.2
!
ip flow-export version 9
!
!
ip access-list extended VPN
permit ip any 192.168.0.0 0.0.255.255
permit ip any 70.0.0.0 0.255.255.255
permit ip any 80.0.0.0 0.255.255.255
permit ip any any
!

line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

 

ROUTER ON THE LEFT:

Current configuration : 1793 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!

no ip cef
no ipv6 cef
!

license udi pid CISCO2811/K9 sn FTX101799K6-
!

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key ACLKey address 192.168.100.2
!

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.100.2
set pfs group5
set security-association lifetime seconds 86400
set transform-set MYSET
match address VPN
!

spanning-tree mode pvst
!

interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
bandwidth 64
ip address 192.168.200.1 255.255.255.252
clock rate 64000
crypto map MYMAP
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/2/0
ip address 192.168.7.1 255.255.255.252
clock rate 2000000
!
interface Serial0/2/1
ip address 192.168.8.1 255.255.255.252
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.7.0 0.0.0.255 area 3
network 192.168.8.0 0.0.0.255 area 3
network 192.168.200.0 0.0.0.255 area 3
!
router rip
!
ip classless
!
ip flow-export version 9
!
!
ip access-list extended VPN
permit ip any 192.168.0.0 0.0.255.255
permit ip any 10.0.0.0 0.255.255.255
permit ip any 20.0.0.0 0.255.255.255
permit ip any 30.0.0.0 0.255.255.255
permit ip any 40.0.0.0 0.255.255.255
permit ip any 50.0.0.0 0.255.255.255
permit ip any 60.0.0.0 0.255.255.255
permit ip any any
!

line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

Milos_Jovanovic
Collaborator

Hi @bruno.machado.Mac,

You are failing at a couple of things.

The crypto domain must match on both sides. What you push down the VPN must match in the VPN ACL; it just needs to be inverted. In your setup, the VPN ACLs are not mirrored.

Another thing is that you are configuring a policy-based VPN. This means that you can't use OSPF between them, as it won't work. You'll have to define interesting traffic in ACLs, and then point those networks towards 'outside', either by static routes or by dynamic routing learned from elsewhere.

Each time some additional traffic is required to go through the tunnel, you'll have to update routing and ACLs.

If you would like to use OSPF between your routers, and to be able to just add a route for the VPN, then you need a route-based VPN.

You can find a nice explanation for policy-based VPN here, and for route-based VPN here.

BR,

Milos
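To make the "VPN ACLs are not mirrored" point checkable, here is an added Python helper (not from the thread or from Cisco) that parses the two crypto ACLs posted above, reports whether each entry on one router has its (src, dst)-swapped counterpart on the peer, and lists what the peer is missing. The corrected pair at the bottom is a constructed illustration of what mirrored entries look like, not the poster's fix.

```python
import ipaddress

# Constructed sample input: the two crypto ACLs posted in this thread (right and left router).
RIGHT_ACL = """
permit ip any 192.168.0.0 0.0.255.255
permit ip any 70.0.0.0 0.255.255.255
permit ip any 80.0.0.0 0.255.255.255
permit ip any any
"""
LEFT_ACL = """
permit ip any 192.168.0.0 0.0.255.255
permit ip any 10.0.0.0 0.255.255.255
permit ip any any
"""
# Constructed corrected pair: each side names its own LAN as source and the peer's LAN as destination.
RIGHT_FIXED = "permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255"
LEFT_FIXED = "permit ip 192.168.7.0 0.0.0.255 192.168.2.0 0.0.0.255"

def parse_operand(tokens):
    """Consume one IOS address operand ('any' or 'A WILDCARD') from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    # Contiguous wildcards only: 0.0.255.255 -> /16, 0.255.255.255 -> /8
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False)

def parse_acl(text):
    """Return the set of (src, dst) network pairs selected by the 'permit ip' entries of an extended ACL."""
    pairs = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # deny entries and non-IP protocols do not define the crypto domain
        rest = tokens[2:]
        pairs.add((parse_operand(rest), parse_operand(rest)))  # src is consumed first, then dst
    return pairs

def render(net):
    """Print a network back in IOS ACL syntax (network + wildcard, or 'any')."""
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"

def mirrored(local, remote):
    """Crypto ACLs match when every local (src, dst) appears on the peer as (dst, src), and vice versa."""
    return {(d, s) for s, d in parse_acl(local)} == parse_acl(remote)

def missing_on_peer(local, remote):
    """IOS lines the peer would need so that every local entry has its mirror."""
    peer = parse_acl(remote)
    return sorted(f"permit ip {render(d)} {render(s)}" for s, d in parse_acl(local) if (d, s) not in peer)
```

Note that the trailing `permit ip any any` on both routers is its own mirror, so in the posted configs it alone defines the crypto domain and the more specific entries before it never make a difference.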

Hi Milos_Jovanovic,

Thanks for your reply.

I managed to learn a lot from those links and successfully configured other labs.

I do have a new problem concerning this lab. I've changed the routing protocol of the routers to EIGRP, and when trying to create a GRE tunnel I get this result:

Tunnel1 is up, line protocol is down (disabled). Any idea about what it might be? Thank you in advance.

Tunnel1 is up, line protocol is down (disabled)
Hardware is Tunnel
Internet address is 209.165.100.2/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1.1.1.1 (Loopback0), destination 4.4.4.4
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

----------------------------------------------

Tunnel1 is up, line protocol is down (disabled)
Hardware is Tunnel
Internet address is 209.165.100.1/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 4.4.4.4 (Loopback0), destination 1.1.1.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

Hi @bruno.machado.Mac,

Glad to hear I was able to help.

Could you please share your configurations, as from these outputs, I don't see much?

BR,

Milos

Yes, of course.

LEFT ROUTER:

interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 209.165.100.2 255.255.255.252
mtu 1476
tunnel source Loopback0
tunnel destination 4.4.4.4
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
bandwidth 64
ip address 192.168.200.1 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/2/0
ip address 192.168.7.1 255.255.255.252
clock rate 2000000
!
interface Serial0/2/1
ip address 192.168.8.1 255.255.255.252
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 192.168.200.0 0.0.0.3
network 192.168.7.0 0.0.0.3
network 192.168.8.0 0.0.0.3
!
ip classless
!
ip flow-export version 9

RIGHT ROUTER:

interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface Tunnel1
ip address 209.165.100.1 255.255.255.252
mtu 1476
tunnel source Loopback0
tunnel destination 1.1.1.1
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 192.168.100.2 255.255.255.252
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/0
ip address 192.168.4.1 255.255.255.252
!
interface Serial0/1/1
ip address 192.168.5.1 255.255.255.252
!
interface Serial0/2/0
ip address 192.168.2.2 255.255.255.252
!
interface Serial0/2/1
ip address 192.168.3.2 255.255.255.252
!
interface Serial0/3/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/3/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 192.168.100.0 0.0.0.3
network 192.168.4.0 0.0.0.3
network 192.168.5.0 0.0.0.3
network 192.168.3.0 0.0.0.3
network 192.168.2.0 0.0.0.3
!
ip classless
ip route 192.168.1.0 255.255.255.252 192.168.3.1
ip route 30.0.0.0 255.0.0.0 192.168.3.1
ip route 40.0.0.0 255.0.0.0 192.168.3.1
ip route 10.0.0.0 255.0.0.0 192.168.2.1
ip route 20.0.0.0 255.0.0.0 192.168.2.1
ip route 192.168.6.0 255.255.255.252 192.168.5.2
ip route 192.168.6.0 255.255.255.252 192.168.4.2
ip route 40.0.0.0 255.0.0.0 192.168.5.2
ip route 40.0.0.0 255.0.0.0 192.168.4.2
ip route 50.0.0.0 255.0.0.0 192.168.5.2
ip route 50.0.0.0 255.0.0.0 192.168.4.2
ip route 192.168.1.0 255.255.255.252 192.168.2.1
!
ip flow-export version 9

ROUTER INBETWEEN:

interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
bandwidth 64
ip address 192.168.100.1 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
bandwidth 64000
ip address 192.168.200.2 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 192.168.100.0 0.0.0.3
network 192.168.200.0 0.0.0.3
no auto-summary
!
ip classless
!
ip flow-export version 9

Hi @bruno.machado.Mac,

By quick look, it looks to me you are missing routes for 1.1.1.1 and 4.4.4.4 on relevant routers. You are telling your routers to build tunnels on these IPs, but not telling them how to get there.

Lets try to fix that part first.

BR,

Milos

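To make the accepted answer checkable against the posted configs, here is an added Python helper (not from the thread or from Cisco) that derives which connected prefixes the left router's EIGRP `network` statements actually cover and whether the peer's tunnel destination (1.1.1.1) falls inside one of them; it assumes the wildcard form of the `network` statement and ignores summarization.

```python
import ipaddress

# Constructed from the configs posted above: the left router's interface addresses and its
# EIGRP 'network' statements. Loopback0 (1.1.1.1) is the GRE tunnel source.
LEFT_INTERFACES = {
    "Loopback0": "1.1.1.1/32",
    "Serial0/0/0": "192.168.200.1/30",
    "Serial0/2/0": "192.168.7.1/30",
    "Serial0/2/1": "192.168.8.1/30",
}
LEFT_EIGRP_NETWORKS = [
    "network 192.168.200.0 0.0.0.3",
    "network 192.168.7.0 0.0.0.3",
    "network 192.168.8.0 0.0.0.3",
]

def covered(addr, statement):
    """True when an interface address matches an EIGRP 'network A WILDCARD' statement.
    Assumes the wildcard form; the classful 'network A' form is not handled here."""
    _, net, wild = statement.split()
    compare = 0xFFFFFFFF ^ int(ipaddress.ip_address(wild))  # bits the wildcard does not mask
    return (int(ipaddress.ip_address(addr)) & compare) == (int(ipaddress.ip_address(net)) & compare)

def advertised_prefixes(interfaces, statements):
    """Connected prefixes EIGRP will advertise: one per interface that some network statement covers."""
    prefixes = set()
    for cidr in interfaces.values():
        iface = ipaddress.ip_interface(cidr)
        if any(covered(str(iface.ip), s) for s in statements):
            prefixes.add(str(iface.network))
    return prefixes

def peer_can_reach(endpoint, interfaces, statements):
    """Whether the EIGRP peer will learn a route that covers this router's tunnel endpoint."""
    dest = ipaddress.ip_address(endpoint)
    return any(dest in ipaddress.ip_network(p) for p in advertised_prefixes(interfaces, statements))

# Reproduce the symptom from the thread, then the fix: advertise the loopback too.
if __name__ == "__main__":
    print(peer_can_reach("1.1.1.1", LEFT_INTERFACES, LEFT_EIGRP_NETWORKS))  # False: peer has no route to 1.1.1.1
    print(peer_can_reach("1.1.1.1", LEFT_INTERFACES, LEFT_EIGRP_NETWORKS + ["network 1.1.1.1 0.0.0.0"]))  # True
```

The same check applied to the right router's Loopback0 (4.4.4.4) against its own `network` statements gives the same result, which is why both tunnel interfaces show line protocol down.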

Thanks Milos_Jovanovic,

I managed to solve the issue and redistributed routes between OSPF and EIGRP.

Greetings

Bruno
