Manuel
asked on
Cannot establish ipsec tunnel between two routers
I have been trying to establish an ipsec tunnel between the two routers below but I have been unsuccessful. Below are the configurations for both routers. What am I missing?
Thank you
R1 Config
crypto isakmp policy 5
encr aes
authentication pre-share
group 5
crypto isakmp key grace address 100.100.12.2
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
set peer 100.100.12.2
set transform-set TRANS
match address 101
interface Serial0/0
ip address 100.100.12.1 255.255.255.0
encapsulation frame-relay
clock rate 2000000
crypto map MAP1
router rip
version 2
network 2.0.0.0
network 100.0.0.0
no auto-summary
interface Loopback0
ip address 1.1.1.1 255.255.255.0
R2 Config
crypto isakmp policy 5
encr aes
authentication pre-share
group 5
crypto isakmp key grace address 100.100.12.1
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
set peer 100.100.12.1
set transform-set TRANS
match address 101
interface Serial0/0
ip address 100.100.12.2 255.255.255.0
encapsulation frame-relay
clock rate 2000000
crypto map MAP1
interface Loopback0
ip address 2.2.2.2 255.255.255.0
router rip
version 2
network 2.0.0.0
network 100.0.0.0
no auto-summary
What about ACL 101 ?
Do you have access lists 101 you mention in the crypto-map?
ASKER
Sorry about that I forgot to post it. Here it is:
R1 -
access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944
R2 -
access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944
Does your router support AES? IOS will let you configure AES even if the hardware does not support it; I had it with my C826 router. Try changing it to DES, just to test it.
Try enabling debugging in IOS, generate some traffic which will hit ACL 101 and see what will happen. You must turn on the debug as well as turn on the debug monitor, which is normally the terminal you are logged in on:
Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor
To disable debugging:
Router# no debug all
Router# term no monitor
ASKER
I changed the encryption to DES and I still cannot get the ipsec tunnel up. Phase I comes up fine but Phase II does not come up. Below is how I am generating traffic to bring up the ipsec tunnel. Below is also the debug from isakmp Phase I and Phase II.
R2#telnet 1.1.1.1 1944 /source-interface lo0
Trying 1.1.1.1, 1944 ...
*Mar 1 12:48:32.112: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 12:48:32.116: SA has outstanding requests (local 102.2.72.136 port 500, remote 102.2.72.108 port 500)
*Mar 1 12:48:32.120: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE )
*Mar 1 12:48:32.124: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1109342845
*Mar 1 12:48:32.124: ISAKMP:(1001):QM Initiator gets spi
*Mar 1 12:48:32.128: ISAKMP:(1001): sending packet to 100.100.12.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 12:48:32.128: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 1 12:48:32.128: ISAKMP:(1001):Node 1109342845, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 12:48:32.128: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 12:48:32.144: ISAKMP (0:1001): received packet from 100.100.12.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 12:48:32.144: ISAKMP: set new node -1854547655 to QM_IDLE
*Mar 1 12:48:32.152: ISAKMP:(1001): processing HASH payload. message ID = -1854547655
*Mar 1 12:48:32.152: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1191281056, message ID = -1854547655, sa = 66024724
*Mar 1 12:48:32.156: ISAKMP:(1001): deleting spi 1191281056 message ID = 1109342845
*Mar 1 12:48:32.160: ISAKMP:(1001):deleting node 1109342845 error TRUE reason "Delete Larval"
*Mar 1 12:48:32.164: ISAKMP:(1001):deleting node -1854547655 error FALSE reason "Informational (in) state 1"
*Mar 1 12:48:32.164: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 12:48:32.164: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R2#telnet 1.1.1.1 1944 /source-interface lo0
Trying 1.1.1.1, 1944 ...
*Mar 1 12:55:51.608: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 100.100.12.2, remote= 100.100.12.1,
local_proxy= 2.2.2.0/255.255.255.0/6/0 (type=4),
remote_proxy= 1.1.1.0/255.255.255.0/6/1944 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
ASKER
I removed the previous access-list and I first tried to replace it with the ACL you suggested and it didn't work. I then removed the port operator. And I was finally able to bring up Phase II. Why isn't the ipsec tunnel coming up using the port operator?
Below is the ACL I used.
R1:
access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
R2:
access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Actually, I was suggesting that you add my ACLs to yours, not replace. I'm not sure that you can use ports in crypto ACLs, but I'm guessing that the original ACL didn't work before because while the IPs were mirror opposites on each side, the ports weren't. The ones I suggested were to provide the matching ones for yours so a common proposal could be chosen.
ASKER
You were right, the ports were not mirrors of each other on each side. I added the ACL which I first had, and then added what you had suggested, and the tunnel came up using the port numbers. So below are the ACLs which I am using on each router. Thanks for the help!
R1:
access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944
access-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255
R2:
access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944
access-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255
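One way to check the rule this thread arrives at (each crypto ACL entry needs an exact mirror on the peer, ports included), as an added example that is not part of the original thread: a small Python script that parses the asker's one-line ACLs and the final four-line pair and reports which entries have no mirror on the other router. It assumes the addr/wildcard form used here (no `host`/`any` keywords) and a single `eq` port operator per side.

```python
import re

# Parses the extended-ACE form used in this thread: "addr wildcard [eq port]" pairs only
# (no "host"/"any" keywords, no "range"); anything else raises ValueError.
ACE_RE = re.compile(
    r"access-list\s+\d+\s+permit\s+(\w+)\s+"
    r"(\S+)\s+(\S+)(?:\s+eq\s+(\S+))?\s+"
    r"(\S+)\s+(\S+)(?:\s+eq\s+(\S+))?\s*$"
)

# Constructed copies of the ACLs posted in the thread.
ORIGINAL_R1 = ["access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944"]
ORIGINAL_R2 = ["access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944"]
FINAL_R1 = [
    "access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944",
    "access-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255",
]
FINAL_R2 = [
    "access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944",
    "access-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255",
]

def parse_ace(line):
    """Return (proto, src, src_wc, sport, dst, dst_wc, dport); a missing port becomes 'any'."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    proto, src, swc, sport, dst, dwc, dport = m.groups()
    return (proto, src, swc, sport or "any", dst, dwc, dport or "any")

def mirror(ace):
    """The entry the peer must carry: source and destination (address, mask, port) swapped."""
    proto, src, swc, sport, dst, dwc, dport = ace
    return (proto, dst, dwc, dport, src, swc, sport)

def unmirrored(local_acl, remote_acl):
    """Return (local entries with no mirror on the peer, peer entries with no mirror locally)."""
    local = {parse_ace(l) for l in local_acl}
    remote = {parse_ace(l) for l in remote_acl}
    return ([a for a in sorted(local) if mirror(a) not in remote],
            [a for a in sorted(remote) if mirror(a) not in local])

if __name__ == "__main__":
    for name, r1, r2 in (("original", ORIGINAL_R1, ORIGINAL_R2), ("final", FINAL_R1, FINAL_R2)):
        r1_only, r2_only = unmirrored(r1, r2)
        print(f"{name}: {len(r1_only)} R1 entries and {len(r2_only)} R2 entries lack a mirror")
```

The original pair fails because R1 matches destination port 1944 while R2 also matches destination port 1944, so neither is the other's mirror; the final pair passes because each router carries both directions of the port match.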
ASKER
My question was answered.