PROBLEM SETUP ROUTER-TO-ROUTER VPN CONNECTION

Posted on 2006-07-12
Last Modified: 2010-04-17
Hi,

   I am trying to set up a Router-to-Router VPN connection between the New York router and the Boston router. I already configured both routers to use IPsec to encrypt traffic from router to router using a GRE tunnel. I am trying to see if my configuration was correct by issuing the show crypto isakmp sa command to see the active connections; however, I do not see any. I do not know if there is something wrong in my configurations or maybe I am just testing it incorrectly. Can someone help me out? Below is a copy of both routers' configs. If you need a diagram of the network, please just let me know.

Thank You,
vreyesii

New York Router

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname New_York
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret 5 $1$xRV8$QqRNy5C3ziXaxBBczHL0a/
enable password 7 XXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username vmr2 password 7 XXXXXXXXXXXXXX
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.2 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
 mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.2
 set transform-set TUNNEL-TRANSFORM
 match address 116
!
!
!
!
interface Tunnel5
 ip address 192.168.66.5 255.255.255.252
 tunnel source 20.40.0.1
 tunnel destination 20.40.0.2
!
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 full-duplex
 no keepalive
!
interface Serial0/0
 ip address 20.40.0.1 255.255.255.0
 ip access-group 167 out
 ip nat outside
 encapsulation ppp
 no fair-queue
 crypto map TUNNELMAP
!
interface Ethernet0/1
 no ip address
 shutdown
 full-duplex
 no keepalive
!
router eigrp 500
 network 20.0.0.0
 network 192.168.10.0
 auto-summary
!
ip nat inside source list 15 interface Ethernet0/0 overload
no ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 5.0.2.2
ip route 0.0.0.0 0.0.0.0 20.40.0.2
!
!
access-list 116 permit gre host 20.40.0.1 host 20.40.0.2
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 60 0
 password 7 XXXXXXXXXXXX
 login
!
!
end

Boston Router

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Boston
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tb/q$Hz3zrU1/0yTYBOY/OiOdO.
enable password 7 XXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip inspect name suddam tcp
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.1 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
 mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.1
 set transform-set TUNNEL-TRANSFORM
 match address 116
!
!
!
!
interface Tunnel5
 ip address 192.168.66.6 255.255.255.252
 tunnel source 20.40.0.2
 tunnel destination 20.40.0.1
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 full-duplex
!
interface Serial0/0
 ip address 20.40.0.2 255.255.255.0
 ip inspect suddam in
 encapsulation ppp
 no fair-queue
 crypto map TUNNELMAP
!
router eigrp 500
 network 10.0.0.0
 network 20.0.0.0
 auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
access-list 116 permit gre host 20.40.0.2 host 20.40.0.1
!
!
!
!
!
banner motd ^C
This system is solely for the use of authorized users for official purposes. You have no expectation
of privacy in its use and to ensure that the system is functioning properly, individuals using this
computer system are subject to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such monitoring and agreement that if
such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide
the results of such monitoring to appropriate officials.^C
!
line con 0
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXX
 login
!
!
end
Question by:vreyesii
Expert Comment

by:Scotty_cisco
ID: 17096526
interface Serial0/0
 ip address 20.40.0.1 255.255.255.0
 ip access-group 167 out
 ip nat outside

and

ip nat inside source list 15 interface Ethernet0/0 overload

These 2 statements reference access-lists that I don't see. Access-list 167 (applied with access-group 167 out) does not appear, which means by default it will deny all outbound traffic: deny any any by default.

Same with source list 15: because it is not defined, nothing is getting NATed.

Are parts of these configs missing?

Thanks
Scott
Author Comment

by:vreyesii
ID: 17096596
No, there are not parts of the config missing. Those NAT statements are not in use anymore; I removed them just now. Below is a copy of the current config on both routers. Sorry about that.

thank you,
vreyesii

New York Router

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname New_York
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret 5 $1$xRV8$QqRNy5C3ziXaxBBczHL0a/
enable password 7 XXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username vmr2 password 7 XXXXXXXXXXXX
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.2 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
 mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.2
 set transform-set TUNNEL-TRANSFORM
 match address 116
!
!
!
!
interface Tunnel5
 ip address 192.168.66.5 255.255.255.252
 tunnel source 20.40.0.1
 tunnel destination 20.40.0.2
!
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 full-duplex
 no keepalive
!
interface Serial0/0
 ip address 20.40.0.1 255.255.255.0
 encapsulation ppp
 no fair-queue
 crypto map TUNNELMAP
!
interface Ethernet0/1
 no ip address
 shutdown
 full-duplex
 no keepalive
!
router eigrp 500
 network 20.0.0.0
 network 192.168.10.0
 auto-summary
!
no ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 5.0.2.2
ip route 0.0.0.0 0.0.0.0 20.40.0.2
!
!
access-list 116 permit gre host 20.40.0.1 host 20.40.0.2
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 60 0
 password 7 XXXXXXXXXXXXXX
 login
!
!
end

Boston Router

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Boston
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tb/q$Hz3zrU1/0yTYBOY/OiOdO.
enable password 7 XXXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.1 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
 mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.1
 set transform-set TUNNEL-TRANSFORM
 match address 116
!
!
!
!
interface Tunnel5
 ip address 192.168.66.6 255.255.255.252
 tunnel source 20.40.0.2
 tunnel destination 20.40.0.1
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 full-duplex
!
interface Serial0/0
 ip address 20.40.0.2 255.255.255.0
 encapsulation ppp
 no fair-queue
 crypto map TUNNELMAP
!
router eigrp 500
 network 10.0.0.0
 network 20.0.0.0
 auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
access-list 116 permit gre host 20.40.0.2 host 20.40.0.1
!
!
!
!
!
banner motd ^C
This system is solely for the use of authorized users for official purposes. You have no expectation
of privacy in its use and to ensure that the system is functioning properly, individuals using this
computer system are subject to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such monitoring and agreement that if
such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide
the results of such monitoring to appropriate officials.^C
!
line con 0
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXX
 login
!
!
end

Expert Comment

by:Scotty_cisco
ID: 17126074
So by removing them, did it fix the problem, and therefore was my answer correct?

Thanks
scott
Author Comment

by:vreyesii
ID: 17126534
No that did not fix the problem.

vreyesii
Author Comment

by:vreyesii
ID: 17137886
The correct solution was that I had to add the Tunnel subnet into EIGRP too.

vreyesii
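The root cause the author found can be turned into a check that runs against a saved running-config. This is an added example, not code from the thread or from Cisco: it parses only the statements that matter for GRE over IPsec and explains why an empty `show crypto isakmp sa` is the expected symptom when the tunnel subnet is missing from EIGRP (no routing protocol traffic crosses Tunnel5, so no GRE packet ever matches access-list 116, so the crypto map never initiates ISAKMP). SAMPLE_CONFIG is constructed from the New York router as posted; FIXED_CONFIG adds the tunnel subnet the author added. The second, security-oriented check and the `passive-interface Serial0/0` it recommends are this example's own reasoning from the posted configs: both routers also form an EIGRP adjacency directly on Serial0/0 (network 20.0.0.0), so each side learns the other's LAN over the cleartext serial path and, with the tunnel's low default bandwidth, prefers it; the crypto ACL only matches GRE, so that LAN traffic would never be encrypted.

```python
"""GRE-over-IPsec sanity checks for a Cisco IOS running-config (added example,
not code from the original post).  It parses only the statements that matter for
an empty 'show crypto isakmp sa' and reports what keeps the crypto map from ever
being triggered, plus one security check.  SAMPLE_CONFIG is constructed from the
New York router in the thread; the finding messages are this example's own."""
import ipaddress

SAMPLE_CONFIG = """\
crypto isakmp key TUNNELKEY01 address 20.40.0.2 no-xauth
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.2
 match address 116
interface Tunnel5
 ip address 192.168.66.5 255.255.255.252
 tunnel source 20.40.0.1
 tunnel destination 20.40.0.2
interface Serial0/0
 ip address 20.40.0.1 255.255.255.0
 crypto map TUNNELMAP
router eigrp 500
 network 20.0.0.0
 network 192.168.10.0
access-list 116 permit gre host 20.40.0.1 host 20.40.0.2
"""
# The author's fix (advertise the tunnel subnet) plus 'passive-interface Serial0/0',
# so LAN prefixes are only learned through the tunnel, never over the cleartext underlay.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " network 192.168.10.0\n",
    " network 192.168.10.0\n network 192.168.66.4 0.0.0.3\n passive-interface Serial0/0\n")


def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def eigrp_network(parts):
    """'network A' is classful; 'network A WILDCARD' is the wildcard-masked prefix."""
    if len(parts) == 3:
        return ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
    first = int(parts[1].split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network(f"{parts[1]}/{prefix}", strict=False)


def check_gre_over_ipsec(config):
    """Return a list of finding strings; an empty list means the config is consistent."""
    tunnels, ifaces, maps, acls, applied = {}, {}, {}, {}, {}
    keys, networks, passive = set(), [], set()
    for header, body in parse_blocks(config):
        h, lines = header.split(), [line.split() for line in body]
        if h[0] == "interface":
            for p in lines:
                if p[:2] == ["ip", "address"]:
                    ifaces[h[1]] = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}")
                elif p[:2] == ["crypto", "map"]:
                    applied[h[1]] = p[2]
            if h[1].startswith("Tunnel"):  # -> {'source': ..., 'destination': ...}
                tunnels[h[1]] = {p[1]: p[2] for p in lines if p[0] == "tunnel"}
        elif h[:2] == ["router", "eigrp"]:
            networks += [eigrp_network(p) for p in lines if p[0] == "network"]
            passive |= {p[1] for p in lines if p[0] == "passive-interface"}
        elif h[:2] == ["crypto", "map"] and len(h) > 4:  # -> {'peer': ..., 'address': acl}
            maps[h[2]] = {p[1]: p[2] for p in lines if p[0] in ("set", "match")}
        elif h[:3] == ["crypto", "isakmp", "key"]:
            keys.add(h[h.index("address") + 1])
        elif h[0] == "access-list" and len(h) == 8 and h[2:5] == ["permit", "gre", "host"]:
            acls.setdefault(h[1], []).append((h[5], h[7]))

    findings = []
    for name, t in tunnels.items():
        src, dst = t["source"], t["destination"]
        if not any(ifaces[name].ip in n for n in networks):
            findings.append(f"{name} ({ifaces[name].network}) is in no EIGRP network statement: nothing routes over the tunnel, so no GRE packet matches the crypto ACL and ISAKMP never starts")
        # The underlay interface owning the tunnel source must carry the crypto map.
        src_if = next((i for i, a in ifaces.items() if str(a.ip) == src), None)
        if src_if not in applied:
            findings.append(f"{name}: no crypto map on the interface owning tunnel source {src}")
            continue
        m = maps.get(applied[src_if], {})
        if m.get("peer") != dst:
            findings.append(f"{name}: crypto map peer {m.get('peer')} != tunnel destination {dst}")
        if dst not in keys:
            findings.append(f"{name}: no ISAKMP pre-shared key configured for peer {dst}")
        if (src, dst) not in acls.get(m.get("address"), []):
            findings.append(f"{name}: crypto ACL {m.get('address')} lacks 'permit gre host {src} host {dst}'")
        # Security check: an EIGRP adjacency on the underlay learns LAN prefixes over the cleartext
        # path (and prefers it, since tunnel bandwidth defaults are low), bypassing IPsec entirely.
        if any(ifaces[src_if].ip in n for n in networks) and src_if not in passive:
            findings.append(f"{src_if} runs EIGRP and is not passive: LAN traffic can bypass the tunnel in cleartext; add 'passive-interface {src_if}' under router eigrp")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_gre_over_ipsec(cfg) or "no findings")
```

Run as-is it reports two findings for the config as posted and none for the fixed one. On the routers themselves, the order of verification is the same as the causal chain: `show ip eigrp neighbors` should list the peer on Tunnel5, then `show crypto isakmp sa` should show the peer in QM_IDLE, and the encaps/decaps counters in `show crypto ipsec sa` should increase as EIGRP hellos cross the tunnel. Confirm the bypass point with `show ip route` on Boston: 192.168.10.0/24 must be reachable via Tunnel5, not via Serial0/0.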
Accepted Solution

by:Netminder (earned 0 total points)
ID: 17156870
Closed, 500 points refunded.
Netminder
Site Admin