IPSEC vpn tunnel setup
I am trying to learn how to setup IPSEC tunnel between routers connected via cable (emulating the cloud). I can ping the two ends fine, but the ping fails if the interesting traffic tries to flow thro' it. Please see the conf below for the setup.
ping to 3.1 from remote is ok
ping to 2.1/2.2 from remote not ok
ping to 1.1/1.2 from remote ok
ping to 3.2 from local is ok
ping to 1.1/1/2 from local not ok
ping to 2.1/2.2 from local ok
ping to 3.1 from remote is ok
ping to 2.1/2.2 from remote not ok
ping to 1.1/1.2 from remote ok
ping to 3.2 from local is ok
ping to 1.1/1/2 from local not ok
ping to 2.1/2.2 from local ok
Remote
----------
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 10 esp-3des esp-sha-hmac
!
crypto map to-cisco_local 10 ipsec-isakmp
set peer 192.168.3.1
set transform-set 10
match address 100
interface GigabitEthernet0/0
description inside_to_procurve
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
crypto map to-cisco_local
!
interface GigabitEthernet0/1
description to-cisco_local
ip address 192.168.3.2 255.255.255.252
duplex auto
speed auto
!
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
Local:
--------
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.3.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 10 esp-3des esp-sha-hmac
!
crypto map to-cisco_remote 10 ipsec-isakmp
set peer 192.168.3.2
set transform-set 10
match address 100
!
!
!
!
interface GigabitEthernet0/0
description Inside_Interface
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map to-cisco_remote
!
interface GigabitEthernet0/1
description to-cisco_remote
ip address 192.168.3.1 255.255.255.252
duplex auto
speed auto
interface Vlan1
no ip address
!
ip route 192.168.2.0 255.255.255.252 GigabitEthernet0/1
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
Ilir Mitrushi
Apply the crypto map to-cisco_remote to outside interface GigabitEthernet0/1 instead of the inside interface
The same on the remote router apply the crypto route map to-cisco_local on the ouside interface i.e. the interface facing the other side router
ASKER
After putting the crypto route map to-cisco_local on the ouside interface, I chnged the access-list as
Remote:
access-list 100 permit ip any 192.168.3.0 0.0.0.255
Local:
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
The pings are possible now, but have couple of questions:
1. Don't understand why any & 3.0/24 would need to switched? Also, the interesting traffic is between the switches, should that network subnet (1.0 & 2.0) be part of the access-lists??
2. How to make sure that the ping traffic is flowing thro' the tunnel or if the tunnel is getting setup to begin with??
Remote:
access-list 100 permit ip any 192.168.3.0 0.0.0.255
Local:
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
The pings are possible now, but have couple of questions:
1. Don't understand why any & 3.0/24 would need to switched? Also, the interesting traffic is between the switches, should that network subnet (1.0 & 2.0) be part of the access-lists??
2. How to make sure that the ping traffic is flowing thro' the tunnel or if the tunnel is getting setup to begin with??
192.168.3.0/24 subnet must not be part of acl 100. this acl is used to define which subnets are going to be encrypted and routed through the tunnel. In your example you want to encrypt and send through the tunnel traffic from .1/24 to .2/24 and vice versa. you can use show crypto isakmp sa and show crypto ipsec sa to get info on the status of vpns. you can use debug crypto isakmp and debug crypto ipsec to see syslog messages generated during the vpn setup procedure.
ASKER
Hi Mitrushi;
I changed the ACL, so the new acl looks like
(Pl conform if it is OK?)
For Remote: (included the other subnet )
10 permit ip 192.168.1.0 0.0.0.255 any
For Local: (included the other subnet )
10 permit ip 192.168.2.0 0.0.0.255 any
Also, with the command that you provided:
2851_remote#show crypto isakmp sa
dst src state conn-id slot status
192.168.3.2 192.168.3.1 QM_IDLE 1 0 ACTIVE
The output is same on both routers, so who decided dst & src???
I changed the ACL, so the new acl looks like
(Pl conform if it is OK?)
For Remote: (included the other subnet )
10 permit ip 192.168.1.0 0.0.0.255 any
For Local: (included the other subnet )
10 permit ip 192.168.2.0 0.0.0.255 any
Also, with the command that you provided:
2851_remote#show crypto isakmp sa
dst src state conn-id slot status
192.168.3.2 192.168.3.1 QM_IDLE 1 0 ACTIVE
The output is same on both routers, so who decided dst & src???
On site to site vpn both endpoints can initiate the vpn tunnel if interesting traffic has been generated. It would be better to restrict your acls to have as destination the remote subnet not any.
Follow this link to find a good series of article on site to site vpn. http://www.nil.com/ipcorner
Follow this link to find a good series of article on site to site vpn. http://www.nil.com/ipcorner
ASKER
I agree with what you are saying, but both routers have the same dst & src, who is controlling it?
They should have been switched based on the ACLs on the two...
2851_remote#show crypto isakmp sa
dst src state conn-id slot status
192.168.3.2 192.168.3.1 QM_IDLE 1 0 ACTIVE
They should have been switched based on the ACLs on the two...
2851_remote#show crypto isakmp sa
dst src state conn-id slot status
192.168.3.2 192.168.3.1 QM_IDLE 1 0 ACTIVE
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, it works.