Cannot establish ipsec tunnel between two routers

Posted on 2010-09-17
Last Modified: 2012-05-10
I have been trying to establish an ipsec tunnel between the two routers below, but I have been unsuccessful. Below are the configurations for both routers. What am I missing?

Thank you

R1 Config

crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5
crypto isakmp key grace address 100.100.12.2
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
 set peer 100.100.12.2
 set transform-set TRANS
 match address 101


interface Serial0/0
 ip address 100.100.12.1 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 crypto map MAP1

router rip
 version 2
 network 2.0.0.0
 network 100.0.0.0
 no auto-summary

interface Loopback0
 ip address 1.1.1.1 255.255.255.0

R2 Config


crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5
crypto isakmp key grace address 100.100.12.1
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
 set peer 100.100.12.1
 set transform-set TRANS
 match address 101


interface Serial0/0
 ip address 100.100.12.2 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 crypto map MAP1

interface Loopback0
 ip address 2.2.2.2 255.255.255.0

router rip
 version 2
 network 2.0.0.0
 network 100.0.0.0
 no auto-summary

Question by:vreyesii
Expert Comment

by:wpharaon
ID: 33707211
What about ACL 101 ?
Expert Comment

by:gremwell
ID: 33707218
Do you have access lists 101 you mention in the crypto-map?

Author Comment

by:vreyesii
ID: 33707729
Sorry about that I forgot to post it. Here it is:

R1 -
access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944

R2 -
access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944
Expert Comment

by:gremwell
ID: 33708114
Does your router support AES? IOS will let you configure AES even if the hardware does not support it; I had it with my C826 router. Try changing it to DES, just to test it.

Try enabling debugging in IOS, generate some traffic which will hit ACL 101 and see what will happen. You must turn on the debug as well as turn on the debug monitor, which is normally the terminal you are logged in on:

Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor

To disable debugging:

Router# no debug all
Router# term no monitor

Author Comment

by:vreyesii
ID: 33708588
I changed the encryption to DES and I still cannot get the ipsec tunnel up. Phase I comes up fine but Phase II does not come up.  Below is how I am generating traffic to bring up the ipsec tunnel. Below is also the debug from isakmp Phase I and Phase II.

R2#telnet 1.1.1.1 1944 /source-interface lo0
Trying 1.1.1.1, 1944 ...
*Mar  1 12:48:32.112: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 12:48:32.116: SA has outstanding requests  (local 102.2.72.136 port 500, remote 102.2.72.108 port 500)
*Mar  1 12:48:32.120: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Mar  1 12:48:32.124: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1109342845
*Mar  1 12:48:32.124: ISAKMP:(1001):QM Initiator gets spi
*Mar  1 12:48:32.128: ISAKMP:(1001): sending packet to 100.100.12.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 12:48:32.128: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar  1 12:48:32.128: ISAKMP:(1001):Node 1109342845, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 12:48:32.128: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 12:48:32.144: ISAKMP (0:1001): received packet from 100.100.12.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 12:48:32.144: ISAKMP: set new node -1854547655 to QM_IDLE
*Mar  1 12:48:32.152: ISAKMP:(1001): processing HASH payload. message ID = -1854547655
*Mar  1 12:48:32.152: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1191281056, message ID = -1854547655, sa = 66024724
*Mar  1 12:48:32.156: ISAKMP:(1001): deleting spi 1191281056 message ID = 1109342845
*Mar  1 12:48:32.160: ISAKMP:(1001):deleting node 1109342845 error TRUE reason "Delete Larval"
*Mar  1 12:48:32.164: ISAKMP:(1001):deleting node -1854547655 error FALSE reason "Informational (in) state 1"
*Mar  1 12:48:32.164: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 12:48:32.164: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE



R2#telnet 1.1.1.1 1944 /source-interface lo0
Trying 1.1.1.1, 1944 ...
*Mar  1 12:55:51.608: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 100.100.12.2, remote= 100.100.12.1,
    local_proxy= 2.2.2.0/255.255.255.0/6/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/6/1944 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Accepted Solution

by:kuoh
ID: 33709456
I wonder if the addition of port numbers in the ACL has an effect?  I'm not sure the ACLs are exact mirrors of each other right now.  Can you try taking out the port operator or adding the following?

R1 -
access-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255

R2 -
access-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255

Author Comment

by:vreyesii
ID: 33710096
I removed the previous access-list and first tried to replace it with the ACL you suggested, and it didn't work. I then removed the port operator, and I was finally able to bring up Phase II. Why isn't the ipsec tunnel coming up using the port operator?

Below is the ACL I used.

R1:

access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

R2:

access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Expert Comment

by:kuoh
ID: 33710119
Actually, I was suggesting that you add my ACLs to yours, not replace.  I'm not sure that you can use ports in crypto ACLs, but I'm guessing that the original ACL didn't work before because while the IPs were mirror opposites on each side, the ports weren't.  The ones I suggested were to provide the matching ones for yours so a common proposal could be chosen.
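A small mirror check, added here as an example and not code from the thread, that parses each router's crypto ACL entries and reports any local entry whose source/destination swap (addresses, wildcards and the `eq` port) has no counterpart on the peer; run over the thread's ACLs it flags the original single-line pair and passes the final four-line set. It only understands the `permit PROTO SRC WC [eq PORT] DST WC [eq PORT]` form used in this thread.

```python
"""Check that two IPsec peers' crypto ACLs are mirror images of each other.

An entry is normalized to (proto, src, src_wc, src_port, dst, dst_wc, dst_port);
the peer must carry the same entry with source and destination swapped.
Only the 'eq' port operator is handled (the form used in the thread);
'any', 'host' and other operators are rejected rather than guessed at.
"""


def parse_ace(line):
    """Parse one 'access-list N permit PROTO ...' line into a normalized tuple."""
    tok = line.split()
    if len(tok) < 8 or tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError("unsupported ACL line: %s" % line)
    proto = tok[3]
    pos = 4

    def endpoint():
        nonlocal pos
        addr, wc = tok[pos], tok[pos + 1]
        pos += 2
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port = int(tok[pos + 1])
            pos += 2
        elif pos < len(tok) and tok[pos] in ("gt", "lt", "neq", "range"):
            raise ValueError("only the 'eq' operator is handled: %s" % line)
        return addr, wc, port

    src, swc, sport = endpoint()
    dst, dwc, dport = endpoint()
    return (proto, src, swc, sport, dst, dwc, dport)


def mirror(ace):
    """Swap source and destination (address, wildcard and port) of a parsed entry."""
    proto, src, swc, sport, dst, dwc, dport = ace
    return (proto, dst, dwc, dport, src, swc, sport)


def missing_mirrors(local_lines, peer_lines):
    """Return the local entries whose mirror image is absent from the peer's ACL."""
    peer = {parse_ace(line) for line in peer_lines}
    return [line for line in local_lines if mirror(parse_ace(line)) not in peer]


# ACLs as posted in the thread: the original pair and the final working pair.
R1_ORIG = ["access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944"]
R2_ORIG = ["access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944"]
R1_FINAL = R1_ORIG + ["access-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255"]
R2_FINAL = R2_ORIG + ["access-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255"]

if __name__ == "__main__":
    print(missing_mirrors(R1_ORIG, R2_ORIG))    # original entry has no mirror on R2
    print(missing_mirrors(R1_FINAL, R2_FINAL))  # [] once both directions are present
```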

Author Comment

by:vreyesii
ID: 33710169
You were right, the ports were not mirrors on each side. I added the ACL which I first had, and then added what you had suggested, and the tunnel came up using the port numbers. So below are the ACLs which I am using on each router. Thanks for the help!

R1:

access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944
access-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255

R2:

access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944
access-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255

Author Closing Comment

by:vreyesii
ID: 33710170
My question was answered.