Solved

getting IPSec to work

Posted on 2006-04-18
Last Modified: 2012-06-21
I have a pair of 2610 routers that I am trying to configure with an IPSec tunnel. The configurations seem to be correct, but attempts to generate debug output have not worked. The output of 'show' commands looks like the configuration is correct, but neither ping nor tftp generates any debug output. The sequence I type on each router to set up for debug is:

debug crypto isakmp
debug crypto ipsec
conf t
logging console
end

Just to avoid the obvious question, I can readily ping from a host behind router1 (172.24.8.2/23) to a host behind router2 (172.24.10.2/23). I can also tftp a file from one host to the other. The problem is that the traffic is not being encrypted, as per the output of 'show crypto ipsec sa'. No counters are being incremented.

The configurations are included below, along with 'show' output.


***********************************
Router 1

! assign hostname
hostname Router1
! set enable password
enable password 8charpwd
! set ip network options
ip classless
ip subnet-zero
! shut down services
no ip source-route
no ip finger
no ip http server
no ip bootp server
no ip name-server
!no ip domain-lookup
no snmp-server
no cdp run
no ntp
no service tcp-small-servers
no service udp-small-servers
no service config
! set timestamp options
service timestamps debug uptime
service timestamps log uptime
! encrypt clear text passwords with type 7
service password-encryption
! Local database
username mgr password 8charpwd
! EIGRP Authentication
key chain echain
key 1
key-string estring

! ssh
ip domain-name cisco.com
crypto key generate rsa
end

ip ssh time-out 15
ip ssh authentication-retries 3

! R1WAN
!inter fa0/0 LAB
inter e0/0
ip address 10.0.1.1 255.255.255.128
!speed 100 LAB
duplex full
no ip proxy-arp
no ip directed-broadcast
no ip unreachable
no ip mask-reply
no ip redirect
no ip route-cache
no ip mroute-cache
! EIGRP authentication
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 echain
no shut

! R1LAN
!inter fa0/1 LAB
inter e1/0
ip address 172.24.8.1 255.255.254.0
!speed 100 LAB
duplex full
no ip proxy-arp
no ip directed-broadcast
no ip unreachable
no ip mask-reply
no ip redirect
no ip route-cache
no ip mroute-cache
! EIGRP authentication
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 echain
no shut

! EIGRP routing
router eigrp 1
network 172.24.8.0
network 10.0.1.0
no auto-summary

! console access
line con 0
exec-timeout 3
login local

line aux 0
exec-timeout 3
transport input none
login local

line vty 0 3
exec-timeout 3
transport input ssh
login local

! IPSec
crypto isakmp enable
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 1
hash md5
lifetime 86400
crypto isakmp identity address
crypto isakmp key ikey address 10.0.1.129
crypto ipsec transform-set iset esp-des
mode tunnel
crypto map imap 5 ipsec-isakmp
set peer 10.0.1.129
set transform-set iset
match address 110

crypto ipsec security-association lifetime seconds 3600
access-list 110 permit tcp 172.24.8.0 0.0.1.255 172.24.10.0 0.0.1.255

inter e0/0
! IPSec
crypto map imap
no shut

********************************
Router 2

! assign hostname
hostname Router2
! set enable password
enable password 8charpwd
! set ip network options
ip classless
ip subnet-zero
! shut down services
no ip source-route
no ip finger
no ip http server
no ip bootp server
no ip name-server
!no ip domain-lookup
no snmp-server
no cdp run
no ntp
no service tcp-small-servers
no service udp-small-servers
no service config
! set timestamp options
service timestamps debug uptime
service timestamps log uptime
! encrypt clear text passwords with type 7
service password-encryption
! Local database
username mgr password 8charpwd
! EIGRP Authentication
key chain echain
key 1
key-string estring

! ssh
ip domain-name cisco.com
crypto key generate rsa

ip ssh time-out 15
ip ssh authentication-retries 3

! R2WAN
!inter fa0/0 LAB
inter e0/0
ip address 10.0.1.129 255.255.255.128
!speed 100 LAB
duplex full
no ip proxy-arp
no ip directed-broadcast
no ip unreachable
no ip mask-reply
no ip redirect
no ip route-cache
no ip mroute-cache
! EIGRP authentication
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 echain
no shut

! R2LAN
!inter fa0/1 LAB
inter e1/0
ip address 172.24.10.1 255.255.254.0
!speed 100 LAB
duplex full
no ip proxy-arp
no ip directed-broadcast
no ip unreachable
no ip mask-reply
no ip redirect
no ip route-cache
no ip mroute-cache
! EIGRP authentication
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 echain
no shut

! EIGRP routing
router eigrp 1
network 172.24.10.0
network 10.0.1.0
no auto-summary

! console access
line con 0
exec-timeout 3
login local

line aux 0
exec-timeout 3
transport input none
login local

line vty 0 3
exec-timeout 3
transport input ssh
login local

! IPSec
crypto isakmp enable
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 1
hash md5
lifetime 86400
crypto isakmp identity address
crypto isakmp key ikey address 10.0.1.1
crypto ipsec transform-set iset esp-des
mode tunnel
crypto map imap 5 ipsec-isakmp
set peer 10.0.1.1
set transform-set iset
match address 110

crypto ipsec security-association lifetime seconds 3600
access-list 110 permit tcp 172.24.10.0 0.0.1.255 172.24.8.0 0.0.1.255

inter e0/0
! IPSec
crypto map imap
no shut

**********************************************
Router1#sho crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: imap, local addr. 10.0.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (172.24.8.0/255.255.254.0/6/0)
   remote ident (addr/mask/prot/port): (172.24.10.0/255.255.254.0/6/0)
   current_peer: 10.0.1.129:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.1.1, remote crypto endpt.: 10.0.1.129
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Router1#sho crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Router1#sho crypto map
Crypto Map "imap" 5 ipsec-isakmp
        Peer = 10.0.1.129
        Extended IP access list 110
            access-list 110 permit tcp 172.24.8.0 0.0.1.255 172.24.10.0 0.0.1.255
        Current peer: 10.0.1.129
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                iset,
        }
        Interfaces using crypto map imap:
                Ethernet0/0

Router2#sho crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: imap, local addr. 10.0.1.129

   protected vrf:
   local  ident (addr/mask/prot/port): (172.24.10.0/255.255.254.0/6/0)
   remote ident (addr/mask/prot/port): (172.24.8.0/255.255.254.0/6/0)
   current_peer: 10.0.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.1.129, remote crypto endpt.: 10.0.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Router2#sho crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Router2#sho crypto map
Crypto Map "imap" 5 ipsec-isakmp
        Peer = 10.0.1.1
        Extended IP access list 110
            access-list 110 permit tcp 172.24.10.0 0.0.1.255 172.24.8.0 0.0.1.255
        Current peer: 10.0.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                iset,
        }
        Interfaces using crypto map imap:
                Ethernet0/0
Question by: Joshua7

4 Comments
LVL 15

Expert Comment

by:Frabble
ID: 16482820
You've defined your access lists for which encryption occurs for tcp only. Use ip for all traffic.

Router1:
no access-list 110
access-list 110 permit ip 172.24.8.0 0.0.1.255 172.24.10.0 0.0.1.255

Router2:
no access-list 110
access-list 110 permit ip 172.24.10.0 0.0.1.255 172.24.8.0 0.0.1.255
LVL 28

Expert Comment

by:mikebernhardt
ID: 16491090
Here's the other obvious question: are you on the console when you look? If you're telnetted in then you need to type "term mon" in your telnet session...
LVL 1

Author Comment

by:Joshua7
ID: 16504908
I only want tcp traffic encrypted, but I thought that ping and / or tftp use tcp, and should therefore trigger encryption.

I am connected directly into the console port with a rollover cable.

Any idea why this wouldn't work ?
LVL 28

Accepted Solution

by: mikebernhardt (earned 500 total points)
ID: 16508746
ping is icmp and tftp is udp. Try telnet or even windows file sharing.
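To make the accepted answer concrete, here is an added example (not code from the thread or from Cisco) that models how a crypto map's 'match address' ACL classifies traffic: a packet only counts as "interesting" and triggers IKE if it matches a permit entry, so Router1's 'permit tcp' entry never fires for ICMP ping or UDP tftp, while the 'permit ip' entry from Frabble's comment matches everything between the two /23s. The subnets are the thread's; the sample flows checked in the usage are constructed.

```python
# Added example, not from the thread: a model of how IOS evaluates a
# crypto map's "match address" ACL. IKE is only triggered by a packet
# that matches a permit entry, so "permit tcp" ignores ICMP pings and
# UDP tftp. Subnets are the thread's; sample packets are constructed.
import ipaddress
from dataclasses import dataclass

IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every protocol
    src: str        # network address
    src_wild: str   # IOS wildcard (inverse) mask
    dst: str
    dst_wild: str


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit PROTO SRC WILD DST WILD' (no ports)."""
    t = line.split()
    return AclEntry(t[2], t[3], t[4], t[5], t[6], t[7])


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def entry_matches(e: AclEntry, proto: int, src: str, dst: str) -> bool:
    if e.proto != "ip" and IP_PROTO[e.proto] != proto:
        return False
    return (wildcard_match(src, e.src, e.src_wild)
            and wildcard_match(dst, e.dst, e.dst_wild))


def is_interesting(acl, proto: int, src: str, dst: str) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for e in acl:
        if entry_matches(e, proto, src, dst):
            return e.action == "permit"
    return False


# Router1's ACL as posted, and the corrected one from the accepted answer.
ACL_TCP_ONLY = [parse_acl_line(
    "access-list 110 permit tcp 172.24.8.0 0.0.1.255 172.24.10.0 0.0.1.255")]
ACL_ALL_IP = [parse_acl_line(
    "access-list 110 permit ip 172.24.8.0 0.0.1.255 172.24.10.0 0.0.1.255")]
```

With ACL_TCP_ONLY, is_interesting(ACL_TCP_ONLY, 1, "172.24.8.2", "172.24.10.2") (a ping) and the same call with protocol 17 (tftp) both return False, which is why the SA counters in 'show crypto ipsec sa' stay at zero; a TCP flow such as telnet (protocol 6) returns True.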
