PROBLEM SETUP ROUTER-TO-ROUTER VPN CONNECTION

Posted on 2006-07-12
Last Modified: 2010-04-17
Hi,

I am trying to set up a Router-to-Router VPN connection between the New York router and the Boston router. I have already configured both routers to use IPsec to encrypt traffic from router to router using a GRE tunnel. I am trying to see if my configuration is correct by issuing the show crypto isakmp sa command to see the active connections; however, I do not see any. I do not know if there is something wrong in my configurations or if I am just testing it incorrectly. Can someone help me out? Below is a copy of both routers' configs. If you need a diagram of the network, please just let me know.

Thank You,
vreyesii

New York Router

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname New_York
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret 5 $1$xRV8$QqRNy5C3ziXaxBBczHL0a/
enable password 7 XXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username vmr2 password 7 XXXXXXXXXXXXXX
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.2 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
 mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.2
 set transform-set TUNNEL-TRANSFORM
 match address 116
!
!
!
!
interface Tunnel5
 ip address 192.168.66.5 255.255.255.252
 tunnel source 20.40.0.1
 tunnel destination 20.40.0.2
!
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 full-duplex
 no keepalive
!
interface Serial0/0
 ip address 20.40.0.1 255.255.255.0
 ip access-group 167 out
 ip nat outside
 encapsulation ppp
 no fair-queue
 crypto map TUNNELMAP
!
interface Ethernet0/1
 no ip address
 shutdown
 full-duplex
 no keepalive
!
router eigrp 500
 network 20.0.0.0
 network 192.168.10.0
 auto-summary
!
ip nat inside source list 15 interface Ethernet0/0 overload
no ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 5.0.2.2
ip route 0.0.0.0 0.0.0.0 20.40.0.2
!
!
access-list 116 permit gre host 20.40.0.1 host 20.40.0.2
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 60 0
 password 7 XXXXXXXXXXXX
 login
!
!
end

Boston Router

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Boston
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tb/q$Hz3zrU1/0yTYBOY/OiOdO.
enable password 7 XXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip inspect name suddam tcp
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.1 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
 mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.1
 set transform-set TUNNEL-TRANSFORM
 match address 116
!
!
!
!
interface Tunnel5
 ip address 192.168.66.6 255.255.255.252
 tunnel source 20.40.0.2
 tunnel destination 20.40.0.1
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 full-duplex
!
interface Serial0/0
 ip address 20.40.0.2 255.255.255.0
 ip inspect suddam in
 encapsulation ppp
 no fair-queue
 crypto map TUNNELMAP
!
router eigrp 500
 network 10.0.0.0
 network 20.0.0.0
 auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
access-list 116 permit gre host 20.40.0.2 host 20.40.0.1
!
!
!
!
!
banner motd ^C
This system is solely for the use of authorized users for official purposes. You have no expectation of
privacy in its use and to ensure that the system is functioning properly, individuals using this computer
system are subject to having all of their activities monitored and recorded by system personnel. Use
of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals
evidence of possible abuse or criminal activity, system personnel may provide the results of such
monitoring to appropriate officials.^C
!
line con 0
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXX
 login
!
!
end

Expert Comment

by:Scotty_cisco
interface Serial0/0
 ip address 20.40.0.1 255.255.255.0
 ip access-group 167 out
 ip nat outside

and

ip nat inside source list 15 interface Ethernet0/0 overload

These 2 statements reference access-lists that I don't see. access-list 167 does not appear, which means by default it will deny all outbound traffic (deny any any by default).

Same with source list 15: because it is not defined, nothing is getting NATed.

Are parts of these configs missing?

Thanks
Scott

Author Comment

by:vreyesii
No, there are no parts of the config missing. Those NAT statements are not in use anymore; I removed them just now. Below is a copy of the current config on both routers. Sorry about that.

thank you,
vreyesii

New York Router

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname New_York
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret 5 $1$xRV8$QqRNy5C3ziXaxBBczHL0a/
enable password 7 XXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username vmr2 password 7 XXXXXXXXXXXX
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.2 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
 mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.2
 set transform-set TUNNEL-TRANSFORM
 match address 116
!
!
!
!
interface Tunnel5
 ip address 192.168.66.5 255.255.255.252
 tunnel source 20.40.0.1
 tunnel destination 20.40.0.2
!
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 full-duplex
 no keepalive
!
interface Serial0/0
 ip address 20.40.0.1 255.255.255.0
 encapsulation ppp
 no fair-queue
 crypto map TUNNELMAP
!
interface Ethernet0/1
 no ip address
 shutdown
 full-duplex
 no keepalive
!
router eigrp 500
 network 20.0.0.0
 network 192.168.10.0
 auto-summary
!
no ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 5.0.2.2
ip route 0.0.0.0 0.0.0.0 20.40.0.2
!
!
access-list 116 permit gre host 20.40.0.1 host 20.40.0.2
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 60 0
 password 7 XXXXXXXXXXXXXX
 login
!
!
end

Boston Router

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Boston
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tb/q$Hz3zrU1/0yTYBOY/OiOdO.
enable password 7 XXXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.1 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
 mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.1
 set transform-set TUNNEL-TRANSFORM
 match address 116
!
!
!
!
interface Tunnel5
 ip address 192.168.66.6 255.255.255.252
 tunnel source 20.40.0.2
 tunnel destination 20.40.0.1
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 full-duplex
!
interface Serial0/0
 ip address 20.40.0.2 255.255.255.0
 encapsulation ppp
 no fair-queue
 crypto map TUNNELMAP
!
router eigrp 500
 network 10.0.0.0
 network 20.0.0.0
 auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
access-list 116 permit gre host 20.40.0.2 host 20.40.0.1
!
!
!
!
!
banner motd ^C
This system is solely for the use of authorized users for official purposes. You have no expectation of
privacy in its use and to ensure that the system is functioning properly, individuals using this computer
system are subject to having all of their activities monitored and recorded by system personnel. Use
of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals
evidence of possible abuse or criminal activity, system personnel may provide the results of such
monitoring to appropriate officials.^C
!
line con 0
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXX
 login
!
!
end


Expert Comment

by:Scotty_cisco
So, by removing them, did it fix the problem, and therefore my answer was correct?

Thanks
scott
Author Comment

by:vreyesii
No that did not fix the problem.

vreyesii

Author Comment

by:vreyesii
The correct solution was that I had to add the Tunnel subnet into EIGRP too.

vreyesii
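As an added example that is not part of this thread and not a Cisco tool, the script below turns the two observations made in the thread into static checks over an IOS-style config: Scotty_cisco's point that ip access-group 167 and NAT source list 15 reference access-lists that are never defined, and the author's fix of adding the tunnel subnet to EIGRP. The reason the EIGRP line matters is that crypto ACL 116 only matches GRE between the two serial addresses, and GRE packets are only produced once something is routed into Tunnel5; until the 192.168.66.4/30 subnet is in EIGRP, no EIGRP hellos cross the tunnel, nothing matches the crypto map, and IKE is never triggered, so show crypto isakmp sa stays empty. The config excerpts are constructed from the New York configs posted above (trimmed to the lines the checks read); the function names and finding strings are the example's own.

```python
"""Added example for this thread (not code from the thread or from Cisco):
static checks over an IOS-style config for the two problems that came up,
ACLs referenced but never defined, and a Tunnel interface whose subnet no
EIGRP 'network' statement covers."""
import ipaddress
import re

# Constructed excerpt modelled on the first New York config in the thread
# (only the lines the checks read are kept).
NEW_YORK_BEFORE = """\
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 20.40.0.2
 match address 116
!
interface Tunnel5
 ip address 192.168.66.5 255.255.255.252
 tunnel source 20.40.0.1
 tunnel destination 20.40.0.2
!
interface Serial0/0
 ip address 20.40.0.1 255.255.255.0
 ip access-group 167 out
 crypto map TUNNELMAP
!
router eigrp 500
 network 20.0.0.0
 network 192.168.10.0
 auto-summary
!
ip nat inside source list 15 interface Ethernet0/0 overload
access-list 116 permit gre host 20.40.0.1 host 20.40.0.2
"""

# The state the author reported as working: stale references removed and the
# tunnel subnet added to EIGRP (constructed to mirror the later posts).
NEW_YORK_AFTER = (NEW_YORK_BEFORE
    .replace(" ip access-group 167 out\n", "")
    .replace("ip nat inside source list 15 interface Ethernet0/0 overload\n", "")
    .replace(" network 192.168.10.0\n",
             " network 192.168.10.0\n network 192.168.66.0\n"))


def sections(config):
    """Yield (header, body_lines): a column-0 line opens a block, indented lines belong to it."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def classful_network(addr):
    """A bare EIGRP 'network' statement (no wildcard mask) is interpreted classfully."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def eigrp_networks(config):
    """Networks advertised under 'router eigrp', classful or with a wildcard mask."""
    nets = []
    for header, body in sections(config):
        if header.startswith("router eigrp"):
            for line in body:
                p = line.split()
                if p[:1] == ["network"] and len(p) == 2:
                    nets.append(classful_network(p[1]))
                elif p[:1] == ["network"] and len(p) == 3:  # network A.B.C.D wildcard
                    mask = (~int(ipaddress.IPv4Address(p[2]))) & 0xFFFFFFFF
                    nets.append(ipaddress.IPv4Network(
                        (p[1], str(ipaddress.IPv4Address(mask))), strict=False))
    return nets


def interfaces(config):
    """Interface name -> IPv4Interface (None when the interface has no address)."""
    out = {}
    for header, body in sections(config):
        if header.startswith("interface "):
            ip = None
            for line in body:
                p = line.split()
                if p[:2] == ["ip", "address"] and len(p) == 4:
                    ip = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}")
            out[header.split()[1]] = ip
    return out


def acl_references(config):
    """ACL ids used by access-group, crypto-map 'match address' and NAT source lists."""
    refs = set()
    for header, body in sections(config):
        for line in [header] + body:
            m = re.match(r"(?:ip access-group|match address|"
                         r"ip nat (?:inside|outside) source list) (\S+)", line)
            if m:
                refs.add(m.group(1))
    return refs


def acl_definitions(config):
    """ACL ids that are actually defined (numbered or named)."""
    defs = set()
    for header, _ in sections(config):
        m = re.match(r"(?:ip )?access-list (?:(?:standard|extended) )?(\S+)", header)
        if m:
            defs.add(m.group(1))
    return defs


def check_config(config):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    for acl in sorted(acl_references(config) - acl_definitions(config)):
        findings.append(f"ACL {acl} is referenced but never defined")
    advertised = eigrp_networks(config)
    for name, ip in interfaces(config).items():
        if name.startswith("Tunnel") and ip is not None \
                and not any(ip.network.subnet_of(n) for n in advertised):
            findings.append(f"{name} subnet {ip.network} is not covered by any EIGRP network statement")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", NEW_YORK_BEFORE), ("after", NEW_YORK_AFTER)):
        print(label, check_config(cfg) or ["ok"])
```

Run against the first config the script reports ACL 15, ACL 167 and the uncovered Tunnel5 subnet; against the corrected config it reports nothing. The same tunnel-subnet check applies to the Boston side, whose EIGRP process only lists 10.0.0.0 and 20.0.0.0.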
 

Accepted Solution

by: Netminder (earned 0 total points)
Closed, 500 points refunded.
Netminder
Site Admin