Solved

IPSEC vpn tunnel setup

Posted on 2009-04-05
Last Modified: 2012-05-06
I am trying to learn how to set up an IPSEC tunnel between routers connected via cable (emulating the cloud). I can ping the two ends fine, but the ping fails if the interesting traffic tries to flow through it. Please see the conf below for the setup.

ping to 3.1 from remote is ok
ping to 2.1/2.2 from remote not ok
ping to 1.1/1.2 from remote ok

ping to 3.2 from local is ok
ping to 1.1/1.2 from local not ok
ping to 2.1/2.2 from local ok

Remote
----------
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 10 esp-3des esp-sha-hmac 
!
crypto map to-cisco_local 10 ipsec-isakmp 
 set peer 192.168.3.1
 set transform-set 10 
 match address 100
 
interface GigabitEthernet0/0
 description inside_to_procurve
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map to-cisco_local
!         
interface GigabitEthernet0/1
 description to-cisco_local
 ip address 192.168.3.2 255.255.255.252
 duplex auto
 speed auto
!         
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1
 
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
Local:
--------
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2  
crypto isakmp key cisco address 192.168.3.2
!         
crypto ipsec security-association lifetime seconds 86400
!         
crypto ipsec transform-set 10 esp-3des esp-sha-hmac 
!         
crypto map to-cisco_remote 10 ipsec-isakmp 
 set peer 192.168.3.2
 set transform-set 10 
 match address 100
!         
!         
!         
!         
interface GigabitEthernet0/0
 description Inside_Interface
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map to-cisco_remote
!         
interface GigabitEthernet0/1
 description to-cisco_remote
 ip address 192.168.3.1 255.255.255.252
 duplex auto
 speed auto 
 
interface Vlan1
 no ip address
!         
ip route 192.168.2.0 255.255.255.252 GigabitEthernet0/1
!         
!         
ip http server
no ip http secure-server
!         
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any

Question by:totaram
9 Comments
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24074534
Apply the crypto map to-cisco_remote to outside interface GigabitEthernet0/1 instead of the inside interface
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24074557
The same on the remote router: apply the crypto route map to-cisco_local on the outside interface, i.e. the interface facing the other side router.
 

Author Comment

by:totaram
ID: 24090154
After putting the crypto route map to-cisco_local on the outside interface, I changed the access-list as

Remote:
access-list 100 permit ip any 192.168.3.0 0.0.0.255
Local:
access-list 100 permit ip 192.168.3.0 0.0.0.255 any

The pings are possible now, but have couple of questions:
1. Don't understand why any & 3.0/24 would need to be switched? Also, the interesting traffic is between the switches, should that network subnet (1.0 & 2.0) be part of the access-lists??
2. How to make sure that the ping traffic is flowing through the tunnel or if the tunnel is getting set up to begin with??
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24090455
The 192.168.3.0/24 subnet must not be part of acl 100. This acl is used to define which subnets are going to be encrypted and routed through the tunnel. In your example you want to encrypt and send through the tunnel traffic from .1/24 to .2/24 and vice versa. You can use show crypto isakmp sa and show crypto ipsec sa to get info on the status of vpns. You can use debug crypto isakmp and debug crypto ipsec to see syslog messages generated during the vpn setup procedure.
 

Author Comment

by:totaram
ID: 24091159
Hi Mitrushi,
I changed the ACL, so the new acl looks like this
(Please confirm if it is OK?)

For Remote:  (included the other subnet )
 10 permit ip 192.168.1.0 0.0.0.255 any

For Local:  (included the other subnet )
 10 permit ip 192.168.2.0 0.0.0.255 any

Also, with the command that you provided:
2851_remote#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.3.2     192.168.3.1     QM_IDLE              1    0 ACTIVE

The output is the same on both routers, so who decided dst & src???
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24091416
On a site to site vpn both endpoints can initiate the vpn tunnel if interesting traffic has been generated. It would be better to restrict your acls to have as destination the remote subnet, not any.
Follow this link to find a good series of articles on site to site vpn: http://www.nil.com/ipcorner
 

Author Comment

by:totaram
ID: 24103662
I agree with what you are saying, but both routers have the same dst & src, so who is controlling it?
They should have been switched based on the ACLs on the two...

2851_remote#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.3.2     192.168.3.1     QM_IDLE              1    0 ACTIVE
 
LVL 7

Accepted Solution

by:Ilir Mitrushi (earned 2000 total points)
ID: 24104785
No one is controlling it. Both routers have to build SAs (security associations) for each phase. If IKE phase 1 starts from r1, the isakmp sa will have r1 as source and r2 as destination. If IKE phase 1 is triggered by traffic from r2, it will have r2 as source and r1 as destination.
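Pulling the thread's advice together, here is a corrected pair of configurations for the layout in this question, added here as an illustration (it is not the poster's config nor something the expert posted): the crypto map sits on the outside interface, each crypto ACL names its own LAN as source and the far LAN as destination (mirror images, no "any", and no 192.168.3.0/30), and the static route covers the whole remote /24. The ACL names VPN-TO-REMOTE and VPN-TO-LOCAL are my own choice, and the remote LAN is assumed to be a /24 as its interface address suggests.

```cisco
! ---- Local router (LAN 192.168.1.0/24 on Gi0/0, link 192.168.3.1/30 on Gi0/1) ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.3.2
!
crypto ipsec transform-set 10 esp-3des esp-sha-hmac
!
! Interesting traffic is LAN-to-LAN only: a specific destination, never "any",
! and never the 192.168.3.0/30 link itself (IKE and ESP must travel in the clear).
ip access-list extended VPN-TO-REMOTE
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map to-cisco_remote 10 ipsec-isakmp
 set peer 192.168.3.2
 set transform-set 10
 match address VPN-TO-REMOTE
!
interface GigabitEthernet0/0
 description Inside_Interface
 ip address 192.168.1.1 255.255.255.0
!
! The crypto map goes on the outside interface, where ESP leaves the router.
interface GigabitEthernet0/1
 description to-cisco_remote
 ip address 192.168.3.1 255.255.255.252
 crypto map to-cisco_remote
!
! Route the whole remote LAN (/24) via the peer address, not just a /30 of it.
ip route 192.168.2.0 255.255.255.0 192.168.3.2
!
! ---- Remote router: only the lines that differ (mirror image of the above) ----
crypto isakmp key cisco address 192.168.3.1
ip access-list extended VPN-TO-LOCAL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map to-cisco_local 10 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set 10
 match address VPN-TO-LOCAL
interface GigabitEthernet0/1
 crypto map to-cisco_local
ip route 192.168.1.0 255.255.255.0 192.168.3.1
!
! ---- Verification (run on either router) ----
! A ping sourced from the outside interface does not match the crypto ACL,
! so source it from the LAN side to trigger and then test the tunnel:
!   ping 192.168.2.1 source 192.168.1.1
!   show crypto isakmp sa   -> expect state QM_IDLE, status ACTIVE
!   show crypto ipsec sa    -> #pkts encaps/decaps must grow with each ping
```

Whichever router first sees a packet matching its crypto ACL becomes the IKE initiator, which is why both routers show the same dst/src pair in show crypto isakmp sa.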
 

Author Closing Comment

by:totaram
ID: 31566891
Thanks, it works.
