Solved

Cisco 1721 router IPSec Issues

Posted on 2009-07-14
510 Views
Last Modified: 2012-05-07
I have a Cisco 1721 router, with current IOS c1700-k9o3sy7-mz.122-11.T.bin

Everything is up and running fine, minus anything IPSec.

When IPSec is set up it seems to refuse to pass traffic over the tunnel we create.  Absolutely no debugging information is shown as well, even with the debug turned on.  Even after trying with multiple devices on the other side, still, no luck.

Here is my config (IP and names modified) and what the show crypto ipsec sa produces

Thanks.
Current configuration : 1719 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname contoso
!
boot system flash:c1700-bk9no3r2sy7-mz.122-13.T.bin
enable secret
enable password contoso
!
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.50.100 192.168.50.105
!
ip dhcp pool contoso
   network 192.168.50.0 255.255.255.0
   domain-name contoso.com
   default-router 192.168.50.1
   dns-server 192.168.50.10
   lease 7
!
ip audit notify log
ip audit po max-events 100
!
!
crypto ca trustpoint verisign-ca
 enrollment url http://ciscoca-ultra:80
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key contoso address 88.36.55.22
!
!
crypto ipsec transform-set contoso esp-3des esp-md5-hmac
!
crypto map contoso 10 ipsec-isakmp
 set peer 88.36.55.22
 set transform-set contoso
 match address 105
!
!
!
!
interface FastEthernet0
 description inside
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0
 description Gateway
 ip address 60.23.54.2 255.255.255.252
 ip nat outside
 crypto map contoso
!
ip nat inside source route-map contoso interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 permit ip 192.168.50.0 0.0.0.255 any
!
route-map contoso permit 1
 match ip address 175
!
!
line con 0
line aux 0
line vty 0 4
 password contoso
 login
!
no scheduler allocate
end
 
 
contoso#show crypto ipsec sa
 
interface: Serial0
    Crypto map tag: contoso, local addr. 60.23.54.2
 
   local  ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer: 88.36.55.22
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 60.23.54.2, remote crypto endpt.: 88.36.55.22
     path mtu 1500, media mtu 1500
     current outbound spi: 0
 
     inbound esp sas:
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
 
     outbound ah sas:
 
     outbound pcp sas:

Question by:MainStaySolutions
10 Comments
 

Expert Comment by csmolen (ID: 24849928)
Can you show the output of a "Show crypto isakmp sa" and "Show ip nat trans"?
 
Expert Comment by Jan Springer (ID: 24849941)
Is the access-list (105) an exact inverse match of the one listed above?

Do the encryption and hash match?
 

Author Comment by MainStaySolutions (ID: 24850049)
Here is the output of the two commands.

contoso#show crypto isakmp sa
dst             src             state           conn-id    slot
 
contoso#show ip nat trans
 
contoso#


Author Comment by MainStaySolutions (ID: 24850494)
You mean for the other side?

The only thing that is slightly different is that, instead of it being a class C subnet like the router shows, it's actually a class B subnet.

All the encryption protocols do match.  We even tried instead of 3DES, DES.  And still nothing.
 
Expert Comment by Jan Springer (ID: 24850744)
The access lists need to be an *exact* inverse match of each other as applied to the crypto peer config.
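The mirror-image rule in the comment above, together with the NAT exemption the posted config does with route-map contoso and access-list 175, can be checked mechanically. The Python script below is an added example written for this page; it is not code from the thread or from Cisco. It parses the crypto ACL named by 'match address', the ACL behind the NAT route-map, and the peer's crypto ACL, then reports flows that are not mirrored on the peer and flows the PAT rule would still translate before the crypto map sees them. The local sample config is trimmed from the one posted; the peer configs (crypto map 'vpn', access-list 110, and the /16 variant from the "class B" remark) are assumptions.

```python
# Added example (not from the thread): check a Cisco IOS site-to-site IPsec
# config for a crypto ACL that is not the peer's mirror, and for NAT that is
# not exempted and so rewrites VPN traffic before the crypto map sees it.
import ipaddress
import re

def _parse_endpoint(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard = inverted netmask; a non-contiguous wildcard raises ValueError
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(config, number):
    """[(action, src, dst)] for the 'ip' entries of extended ACL <number>, in
    config order (IOS evaluates top-down, first match wins)."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or tokens[3:4] != ["ip"]:
            continue
        src, rest = _parse_endpoint(tokens[4:])
        dst, _ = _parse_endpoint(rest)
        entries.append((tokens[2], src, dst))
    return entries

def crypto_acl_number(config):
    """ACL referenced by 'match address N' inside the crypto map."""
    m = re.search(r"^\s*match address (\d+)", config, re.M)
    return int(m.group(1)) if m else None

def nat_exempt_acl_number(config):
    """ACL behind the route-map named in 'ip nat inside source', or None."""
    m = re.search(r"^ip nat inside source route-map (\S+)", config, re.M)
    route_map, in_stanza = (m.group(1) if m else None), False
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] == ["route-map"]:
            in_stanza = tokens[1] == route_map
        elif in_stanza and tokens[:3] == ["match", "ip", "address"]:
            return int(tokens[3])
    return None

def mirror_mismatches(local_acl, remote_acl):
    """Each local permit (src, dst) needs a remote permit (dst, src) and vice
    versa; both result sets are written from the local side's viewpoint."""
    local = {(s, d) for a, s, d in local_acl if a == "permit"}
    remote = {(s, d) for a, s, d in remote_acl if a == "permit"}
    missing_on_remote = {(s, d) for s, d in local if (d, s) not in remote}
    missing_on_local = {(d, s) for s, d in remote if (d, s) not in local}
    return missing_on_remote, missing_on_local

def nat_leaks(crypto_acl, nat_acl):
    """Crypto flows the NAT ACL would still translate: the first overlapping
    NAT entry decides, and a deny that covers only part of a flow leaks too."""
    leaks = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in nat_acl:
            if not (src.overlaps(nsrc) and dst.overlaps(ndst)):
                continue
            covered = src.subnet_of(nsrc) and dst.subnet_of(ndst)
            if nat_action == "permit" or not covered:
                leaks.append((src, dst))
            break
    return leaks

def check_pair(local_config, remote_config):
    """Run both checks; results are plain strings for tests and scripts."""
    flow = lambda pair: f"{pair[0]} -> {pair[1]}"
    local_acl = parse_acl(local_config, crypto_acl_number(local_config))
    remote_acl = parse_acl(remote_config, crypto_acl_number(remote_config))
    nat_number = nat_exempt_acl_number(local_config)
    nat_acl = parse_acl(local_config, nat_number) if nat_number else []
    missing_remote, missing_local = mirror_mismatches(local_acl, remote_acl)
    return {"mirror_ok": not (missing_remote or missing_local),
            "missing_on_remote": sorted(map(flow, missing_remote)),
            "missing_on_local": sorted(map(flow, missing_local)),
            "nat_leaks": [flow(f) for f in nat_leaks(local_acl, nat_acl)]}

# Constructed samples modelled on the thread's config; the peer side (crypto map
# 'vpn', ACL 110) is assumed. REMOTE_BAD uses the whole /16 (the "class B" remark).
LOCAL_CONFIG = """\
crypto map contoso 10 ipsec-isakmp
 match address 105
ip nat inside source route-map contoso interface Serial0 overload
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 permit ip 192.168.50.0 0.0.0.255 any
route-map contoso permit 1
 match ip address 175
"""
LOCAL_NO_EXEMPT = LOCAL_CONFIG.replace("access-list 175 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255\n", "")
REMOTE_BAD = "crypto map vpn 10 ipsec-isakmp\n match address 110\naccess-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.50.0 0.0.0.255\n"
REMOTE_GOOD = REMOTE_BAD.replace("0.0.255.255", "0.0.0.255")

if __name__ == "__main__":
    for local, remote in ((LOCAL_CONFIG, REMOTE_GOOD), (LOCAL_CONFIG, REMOTE_BAD), (LOCAL_NO_EXEMPT, REMOTE_GOOD)):
        print(check_pair(local, remote))
```

The mirror check compares the permit lines as sets of (source, destination) networks, so line order does not matter, but a different mask on either side (the /16 case) shows up immediately as a flow missing on both ends. The NAT check walks the route-map ACL top-down, first match wins, which is how IOS evaluates it; with the deny line removed the VPN flow is reported as a leak, and on the router that is the same symptom as a tunnel that negotiates but carries no traffic.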
 

Author Comment by MainStaySolutions (ID: 24851979)
Everything now matches, and still no luck.
 
Expert Comment by Jan Springer (ID: 24852158)
term mon
debug crypto isakmp
debug crypto ipsec

sh crypto isakmp sa
        -> show SAs between two peers

sh crypto ipsec sa
        -> show IPsec SAs built between peers

sh crypto engine connection active
        -> show each phase 2 SA built
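Working through the checklist above by hand means reading the SA table and the counters; the Python below is an added example (not from the thread, and not a Cisco tool) that does that reading and names the phase to debug next. The first two sample outputs are the thread's own posts, trimmed; the QM_IDLE row, the SPI values and the packet counts in the other samples are constructed to show the phase-1-only and one-way cases.

```python
# Added example (not from the thread): read 'show crypto isakmp sa' and
# 'show crypto ipsec sa' text and say which phase to debug next. The 12.2
# column layout posted above is handled, as are later releases that add a
# 'status' column, by taking column names from the header line.
import re

ADVICE = {
    "no-phase1": "No ISAKMP SA: phase 1 never completed. Check that traffic hits "
                 "the crypto ACL before NAT and that UDP/500 reaches the peer; "
                 "then 'debug crypto isakmp'.",
    "phase1-failing": "ISAKMP SA present but not QM_IDLE: phase 1 is stuck "
                      "(pre-shared key or isakmp policy mismatch).",
    "phase1-up-phase2-missing": "Phase 1 is up but no ESP SA exists: proxy IDs "
                                "or transform set differ; 'debug crypto ipsec'.",
    "tunnel-up-one-way": "Packets are encrypted but none decrypted: the far side "
                         "is not sending traffic back into the tunnel.",
    "tunnel-up": "Both directions carry traffic; the tunnel itself is fine.",
}
COUNTERS = {"encaps": r"#pkts encaps: (\d+)", "decaps": r"#pkts decaps: (\d+)",
            "send_errors": r"#send errors (\d+)", "recv_errors": r"#recv errors (\d+)"}

def parse_isakmp_sa(text):
    """One dict per SA row, keyed by the column names in the header line."""
    columns, rows = None, []
    for line in text.splitlines():
        tokens = line.split()
        if columns is None:
            if "dst" in tokens and "state" in tokens:
                columns = tokens
        elif len(tokens) >= len(columns):
            rows.append(dict(zip(columns, tokens)))
    return rows

def parse_ipsec_sa(text):
    """Counters and SA presence for the first crypto-map entry in the output."""
    result = {}
    for key, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        result[key] = int(m.group(1)) if m else 0
    m = re.search(r"current outbound spi: (\S+)", text)
    # 12.2 prints bare hex ('0' when no SA); later releases print 0x...(decimal)
    spi = (m.group(1) if m else "0").split("(")[0].lower()
    result["outbound_spi"] = int(spi[2:] if spi.startswith("0x") else spi, 16)
    # Each live SA is an indented 'spi: 0x...' line under the 'esp sas:' headers
    result["esp_sa_count"] = len(re.findall(r"^\s+spi: ", text, re.M))
    return result

def diagnose(isakmp_text, ipsec_text):
    """Return one of the ADVICE keys for the pair of show outputs."""
    ike, sa = parse_isakmp_sa(isakmp_text), parse_ipsec_sa(ipsec_text)
    if not ike:
        return "no-phase1"
    if not any(row.get("state") == "QM_IDLE" for row in ike):
        return "phase1-failing"
    if sa["esp_sa_count"] == 0 or sa["outbound_spi"] == 0:
        return "phase1-up-phase2-missing"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "tunnel-up-one-way"
    return "tunnel-up"

# The first two samples are the thread's own output (trimmed); the QM_IDLE row,
# SPIs and packet counts in the others are constructed.
THREAD_ISAKMP = """\
contoso#show crypto isakmp sa
dst             src             state           conn-id    slot
"""
THREAD_IPSEC = """\
interface: Serial0
    Crypto map tag: contoso, local addr. 60.23.54.2
   local  ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer: 88.36.55.22
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: 0
     inbound esp sas:
     outbound esp sas:
"""
QM_IDLE_ISAKMP = """\
dst             src             state           conn-id    slot
88.36.55.22     60.23.54.2      QM_IDLE               1       0
"""
ONE_WAY_IPSEC = (THREAD_IPSEC
    .replace("encaps: 0, #pkts encrypt: 0, #pkts digest 0", "encaps: 57, #pkts encrypt: 57, #pkts digest 57")
    .replace("outbound spi: 0", "outbound spi: 8A2C1D4B")
    .replace("inbound esp sas:\n", "inbound esp sas:\n      spi: 0x3F1E2D4C(1059073356)\n")
    .replace("outbound esp sas:\n", "outbound esp sas:\n      spi: 0x8A2C1D4B(2318408011)\n"))

if __name__ == "__main__":
    for ike, sa in ((THREAD_ISAKMP, THREAD_IPSEC), (QM_IDLE_ISAKMP, THREAD_IPSEC), (QM_IDLE_ISAKMP, ONE_WAY_IPSEC)):
        verdict = diagnose(ike, sa)
        print(f"{verdict}: {ADVICE[verdict]}")
```

Run against the thread's own output it reports no-phase1, which matches the empty 'show crypto isakmp sa' posted earlier: with no ISAKMP SA, phase 2 negotiation never starts, so 'debug crypto isakmp' and the question of whether any traffic actually matches access-list 105 come before anything on the IPsec side.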
 

Author Comment by MainStaySolutions (ID: 24853627)
Okay, after much fighting the tunnel is up, however, I can't ping anything on the other side now.
 
Expert Comment by Jan Springer (ID: 24853724)
What did debug and/or the log data indicate?
 

Accepted Solution by MainStaySolutions (ID: 24935141; earned 0 total points)
We got it figured out.  The issue was with the device on the other side.
