Manuel
asked on
PROBLEM SETUP ROUTER-TO-ROUTER VPN CONNECTION
Hi,
I am trying to set up a Router-to-Router VPN connection between the New York router and the Boston router. I already configured both routers to use IPsec to encrypt traffic from router to router using a GRE tunnel. I am trying to see if my configuration was correct by issuing the show crypto isakmp sa command to see the active connections; however, I do not see any. I do not know if there is something wrong in my configurations or maybe I am just testing it incorrectly. Can someone help me out? Below is a copy of both routers' configs. If you need a diagram of the network, please just let me know.
Thank You,
vreyesii
New York Router
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname New_York
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret 5 $1$xRV8$QqRNy5C3ziXaxBBczH L0a/
enable password 7 XXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username vmr2 password 7 XXXXXXXXXXXXXX
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.2 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
set peer 20.40.0.2
set transform-set TUNNEL-TRANSFORM
match address 116
!
!
!
!
interface Tunnel5
ip address 192.168.66.5 255.255.255.252
tunnel source 20.40.0.1
tunnel destination 20.40.0.2
!
interface Ethernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
full-duplex
no keepalive
!
interface Serial0/0
ip address 20.40.0.1 255.255.255.0
ip access-group 167 out
ip nat outside
encapsulation ppp
no fair-queue
crypto map TUNNELMAP
!
interface Ethernet0/1
no ip address
shutdown
full-duplex
no keepalive
!
router eigrp 500
network 20.0.0.0
network 192.168.10.0
auto-summary
!
ip nat inside source list 15 interface Ethernet0/0 overload
no ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 5.0.2.2
ip route 0.0.0.0 0.0.0.0 20.40.0.2
!
!
access-list 116 permit gre host 20.40.0.1 host 20.40.0.2
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 60 0
password 7 XXXXXXXXXXXX
login
!
!
end
Boston Router
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Boston
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tb/q$Hz3zrU1/0yTYBOY/Oi OdO.
enable password 7 XXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip inspect name suddam tcp
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.1 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
set peer 20.40.0.1
set transform-set TUNNEL-TRANSFORM
match address 116
!
!
!
!
interface Tunnel5
ip address 192.168.66.6 255.255.255.252
tunnel source 20.40.0.2
tunnel destination 20.40.0.1
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
full-duplex
!
interface Serial0/0
ip address 20.40.0.2 255.255.255.0
ip inspect suddam in
encapsulation ppp
no fair-queue
crypto map TUNNELMAP
!
router eigrp 500
network 10.0.0.0
network 20.0.0.0
auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
access-list 116 permit gre host 20.40.0.2 host 20.40.0.1
!
!
!
!
!
banner motd ^C
This system is solely for the use of authorized users for offical purposes. You have no expectation of
privacy in its use and to ensure that the system is function properly, individuals using this computer
system are subject to having all of their activites monitored and recorded by system personnel. Use
of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals
evidence of possible abuse or ciminal activity, system personnel may provide the results of such
monitoring to appropriate officials.^C
!
line con 0
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXXXX
login
!
!
end
ASKER
No, there are no parts of the config missing. Those NAT statements are not in use anymore; I removed them just now. Below is a copy of the current config on both routers. Sorry about that.
Thank you,
vreyesii
New York Router
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname New_York
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret 5 $1$xRV8$QqRNy5C3ziXaxBBczH L0a/
enable password 7 XXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username vmr2 password 7 XXXXXXXXXXXX
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.2 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
set peer 20.40.0.2
set transform-set TUNNEL-TRANSFORM
match address 116
!
!
!
!
interface Tunnel5
ip address 192.168.66.5 255.255.255.252
tunnel source 20.40.0.1
tunnel destination 20.40.0.2
!
interface Ethernet0/0
ip address 192.168.10.1 255.255.255.0
full-duplex
no keepalive
!
interface Serial0/0
ip address 20.40.0.1 255.255.255.0
encapsulation ppp
no fair-queue
crypto map TUNNELMAP
!
interface Ethernet0/1
no ip address
shutdown
full-duplex
no keepalive
!
router eigrp 500
network 20.0.0.0
network 192.168.10.0
auto-summary
!
no ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 5.0.2.2
ip route 0.0.0.0 0.0.0.0 20.40.0.2
!
!
access-list 116 permit gre host 20.40.0.1 host 20.40.0.2
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 60 0
password 7 XXXXXXXXXXXXXX
login
!
!
end
Boston Router
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Boston
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tb/q$Hz3zrU1/0yTYBOY/Oi OdO.
enable password 7 XXXXXXXXXXXXXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key TUNNELKEY01 address 20.40.0.1 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
mode transport
!
crypto map TUNNELMAP 10 ipsec-isakmp
set peer 20.40.0.1
set transform-set TUNNEL-TRANSFORM
match address 116
!
!
!
!
interface Tunnel5
ip address 192.168.66.6 255.255.255.252
tunnel source 20.40.0.2
tunnel destination 20.40.0.1
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
full-duplex
!
interface Serial0/0
ip address 20.40.0.2 255.255.255.0
encapsulation ppp
no fair-queue
crypto map TUNNELMAP
!
router eigrp 500
network 10.0.0.0
network 20.0.0.0
auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!
access-list 116 permit gre host 20.40.0.2 host 20.40.0.1
!
!
!
!
!
banner motd ^C
This system is solely for the use of authorized users for offical purposes. You have no expectation of
privacy in its use and to ensure that the system is function properly, individuals using this computer
system are subject to having all of their activites monitored and recorded by system personnel. Use
of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals
evidence of possible abuse or ciminal activity, system personnel may provide the results of such
monitoring to appropriate officials.^C
!
line con 0
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXX
login
!
!
end
So, by removing them, did it fix the problem, and therefore was my answer correct?
Thanks
scott
ASKER
No that did not fix the problem.
vreyesii
ASKER
The correct solution was that I had to add the Tunnel subnet into EIGRP too.
vreyesii
ASKER CERTIFIED SOLUTION
ip address 20.40.0.1 255.255.255.0
ip access-group 167 out
ip nat outside
and
ip nat inside source list 15 interface Ethernet0/0 overload
These 2 statements reference access-lists that I don't see. Access-list 167 (for "access-group 167 out") does not appear, which means by default it will deny all outbound traffic: deny any any by default.
Same with source list 15: because it is not defined, nothing is getting NATed.
Are parts of these configs missing?
Thanks
Scott
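As an added example (not code from this thread or from Cisco), a small Python audit that parses constructed, abridged excerpts of the two configs posted above and flags the two issues the thread raises: the GRE tunnel subnet not being covered by any EIGRP network statement (the asker's root cause) and ACLs that are referenced but never defined (Scott's point). Treating the EIGRP network statements as classful is an assumption based on the posted configs using auto-summary and no wildcard masks.

```python
import ipaddress
import re

# Constructed, abridged excerpts of the two configs posted in this thread.
NEW_YORK = """crypto isakmp key TUNNELKEY01 address 20.40.0.2 no-xauth
 set peer 20.40.0.2
 match address 116
interface Tunnel5
 ip address 192.168.66.5 255.255.255.252
 tunnel source 20.40.0.1
 tunnel destination 20.40.0.2
interface Serial0/0
 ip access-group 167 out
router eigrp 500
 network 20.0.0.0
 network 192.168.10.0
access-list 116 permit gre host 20.40.0.1 host 20.40.0.2
"""
BOSTON = """crypto isakmp key TUNNELKEY01 address 20.40.0.1 no-xauth
 set peer 20.40.0.1
 match address 116
interface Tunnel5
 ip address 192.168.66.6 255.255.255.252
 tunnel source 20.40.0.2
 tunnel destination 20.40.0.1
router eigrp 500
 network 10.0.0.0
 network 20.0.0.0
access-list 116 permit gre host 20.40.0.2 host 20.40.0.1
"""

def classful(net):
    # Assumption: an EIGRP 'network a.b.c.d' without a wildcard mask is classful.
    o = int(net.split(".")[0])
    bits = 8 if o < 128 else 16 if o < 192 else 24
    return ipaddress.ip_network(f"{net}/{bits}", strict=False)

def tunnel_in_eigrp(cfg):
    # The asker's root cause: no EIGRP network statement covered the tunnel subnet,
    # so the tunnel was never advertised and no interesting traffic ever hit the crypto map.
    m = re.search(r"^interface Tunnel\d+\n ip address (\S+)", cfg, re.M)
    tun = ipaddress.ip_address(m.group(1))
    return any(tun in classful(n) for n in re.findall(r"^ network (\S+)$", cfg, re.M))

def dangling_acls(cfg):
    # Scott's point: an ACL number referenced by an interface, crypto map or NAT rule but never defined.
    used = set(re.findall(r"(?:ip access-group|match address|source list) (\d+)", cfg))
    return sorted(used - set(re.findall(r"^access-list (\d+)", cfg, re.M)))
```

Running `tunnel_in_eigrp` on either excerpt returns False until a `network 192.168.66.0` statement is added under `router eigrp 500`, and `dangling_acls(NEW_YORK)` reports the undefined access-list 167.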