Solved

Cannot establish ipsec tunnel between two routers

Posted on 2010-09-17
803 Views
Last Modified: 2012-05-10
I have been trying to establish an ipsec tunnel between the two routers below, but I have been unsuccessful. Below are the configurations for both routers. What am I missing?

Thank you

R1 Config

crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5
crypto isakmp key grace address 100.100.12.2
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
 set peer 100.100.12.2
 set transform-set TRANS
 match address 101


interface Serial0/0
 ip address 100.100.12.1 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 crypto map MAP1

router rip
 version 2
 network 2.0.0.0
 network 100.0.0.0
 no auto-summary

interface Loopback0
 ip address 1.1.1.1 255.255.255.0

R2 Config

crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5
crypto isakmp key grace address 100.100.12.1
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
 set peer 100.100.12.1
 set transform-set TRANS
 match address 101


interface Serial0/0
 ip address 100.100.12.2 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 crypto map MAP1

interface Loopback0
 ip address 2.2.2.2 255.255.255.0

router rip
 version 2
 network 2.0.0.0
 network 100.0.0.0
 no auto-summary

Question by vreyesii

10 Comments
Expert Comment by wpharaon (ID: 33707211)

What about ACL 101?
Expert Comment by gremwell (ID: 33707218)

Do you have the access list 101 you mention in the crypto map?
Author Comment by vreyesii (ID: 33707729)

Sorry about that, I forgot to post it. Here it is:

R1 -
access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944

R2 -
access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944
Expert Comment by gremwell (ID: 33708114)

Does your router support AES? IOS will let you configure AES even if the hardware does not support it; I had it with my C826 router. Try changing it to DES, just to test it.

Try enabling debugging in IOS, generate some traffic which will hit ACL 101 and see what will happen. You must turn on the debug as well as turn on the debug monitor, which is normally the terminal you are logged in on:

Router# debug crypto ipsec
Router# debug crypto isakmp
Router# term monitor

To disable debugging:

Router# no debug all
Router# term no monitor
Author Comment by vreyesii (ID: 33708588)

I changed the encryption to DES and I still cannot get the ipsec tunnel up. Phase I comes up fine but Phase II does not come up. Below is how I am generating traffic to bring up the ipsec tunnel. Below is also the debug from isakmp Phase I and Phase II.

R2#telnet 1.1.1.1 1944 /source-interface lo0
Trying 1.1.1.1, 1944 ...
*Mar  1 12:48:32.112: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 12:48:32.116: SA has outstanding requests  (local 102.2.72.136 port 500, remote 102.2.72.108 port 500)
*Mar  1 12:48:32.120: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Mar  1 12:48:32.124: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1109342845
*Mar  1 12:48:32.124: ISAKMP:(1001):QM Initiator gets spi
*Mar  1 12:48:32.128: ISAKMP:(1001): sending packet to 100.100.12.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 12:48:32.128: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar  1 12:48:32.128: ISAKMP:(1001):Node 1109342845, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 12:48:32.128: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 12:48:32.144: ISAKMP (0:1001): received packet from 100.100.12.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 12:48:32.144: ISAKMP: set new node -1854547655 to QM_IDLE
*Mar  1 12:48:32.152: ISAKMP:(1001): processing HASH payload. message ID = -1854547655
*Mar  1 12:48:32.152: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1191281056, message ID = -1854547655, sa = 66024724
*Mar  1 12:48:32.156: ISAKMP:(1001): deleting spi 1191281056 message ID = 1109342845
*Mar  1 12:48:32.160: ISAKMP:(1001):deleting node 1109342845 error TRUE reason "Delete Larval"
*Mar  1 12:48:32.164: ISAKMP:(1001):deleting node -1854547655 error FALSE reason "Informational (in) state 1"
*Mar  1 12:48:32.164: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 12:48:32.164: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE



R2#telnet 1.1.1.1 1944 /source-interface lo0
Trying 1.1.1.1, 1944 ...
*Mar  1 12:55:51.608: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 100.100.12.2, remote= 100.100.12.1,
    local_proxy= 2.2.2.0/255.255.255.0/6/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/6/1944 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Accepted Solution by kuoh (earned 300 total points, ID: 33709456)

I wonder if the addition of port numbers in the ACL has an effect? I'm not sure the ACLs are exact mirrors of each other right now. Can you try taking out the port operator or adding the following?

R1 -
access-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255

R2 -
access-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255
Author Comment by vreyesii (ID: 33710096)

I removed the previous access-list and first tried to replace it with the ACL you suggested, and it didn't work. I then removed the port operator, and I was finally able to bring up Phase II. Why isn't the ipsec tunnel coming up using the port operator?

Below is the ACL I used.

R1:

access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

R2:

access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
Expert Comment by kuoh (ID: 33710119)

Actually, I was suggesting that you add my ACLs to yours, not replace. I'm not sure that you can use ports in crypto ACLs, but I'm guessing that the original ACL didn't work before because while the IPs were mirror opposites on each side, the ports weren't. The ones I suggested were to provide the matching ones for yours so a common proposal could be chosen.
Author Comment by vreyesii (ID: 33710169)

You were right, the ports were not mirrors of each other. I added the ACL which I first had, and then added what you had suggested, and the tunnel came up using the port numbers. So below are the ACLs which I am using on each router. Thanks for the help!

R1:

access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944
access-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255

R2:

access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944
access-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255
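The mirror rule kuoh describes can be checked mechanically before touching a router. The following is an added example, not code from the thread or from Cisco: it parses the `access-list N permit <proto> <src> <wc> [eq <port>] <dst> <wc> [eq <port>]` form used above, builds the mirror of each entry (source and destination swapped, port operators included) and reports the entries the peer has no mirror for. It also renders each entry in the `net/mask/proto/port` form that the `IPSEC(sa_request)` debug prints as `local_proxy`/`remote_proxy`, so you can compare its output directly with the debug. The sample ACLs are copied from the thread; handling only the `eq` operator and the four listed protocol keywords is an assumption of the example.

```python
"""Mirror check for Cisco crypto ACLs (added example, not code from the thread).

IKE phase 2 carries the proxy identities derived from the matching crypto-ACL
entry (network/mask/protocol/port for each side). The responder only accepts a
proposal whose identities are the exact mirror of one of its own entries, so a
port operator on one side must appear on the opposite side of the peer's entry.
Assumption: only the 'eq' port operator and the protocols in PROTO_NUM are handled.
"""
import re
from dataclasses import dataclass
from typing import List

# Cisco protocol keyword -> IP protocol number as shown in the proxy identity
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}

IP = r"\d+\.\d+\.\d+\.\d+"
ACE_RE = re.compile(
    rf"^\s*access-list\s+\d+\s+permit\s+(?P<proto>\w+)\s+"
    rf"(?P<src>{IP})\s+(?P<swc>{IP})(?:\s+eq\s+(?P<sport>\d+))?\s+"
    rf"(?P<dst>{IP})\s+(?P<dwc>{IP})(?:\s+eq\s+(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    """One permit entry; port 0 means 'any', which is how IOS prints it."""
    proto: str
    src: str
    swc: str
    sport: int
    dst: str
    dwc: str
    dport: int

    def mirror(self) -> "Ace":
        """The entry the peer must carry: source and destination swapped, ports included."""
        return Ace(self.proto, self.dst, self.dwc, self.dport, self.src, self.swc, self.sport)

    def proxies(self) -> str:
        """Render as local_proxy -> remote_proxy in the net/mask/proto/port form of the debug."""
        def side(net: str, wc: str, port: int) -> str:
            mask = ".".join(str(255 - int(o)) for o in wc.split("."))  # wildcard -> mask
            return f"{net}/{mask}/{PROTO_NUM[self.proto]}/{port}"
        return f"{side(self.src, self.swc, self.sport)} -> {side(self.dst, self.dwc, self.dport)}"


def parse_acl(text: str) -> List[Ace]:
    """Parse one router's crypto ACL, one access-list line per row."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        g = m.groupdict()
        aces.append(Ace(g["proto"], g["src"], g["swc"], int(g["sport"] or 0),
                        g["dst"], g["dwc"], int(g["dport"] or 0)))
    return aces


def unmatched(initiator: List[Ace], responder: List[Ace]) -> List[Ace]:
    """Initiator entries whose exact mirror is missing on the responder.

    Each of these is a proposal the responder answers with PROPOSAL_NOT_CHOSEN.
    """
    have = set(responder)
    return [a for a in initiator if a.mirror() not in have]


# Sample input copied from the ACLs posted in the thread: the first attempt and the final pair.
R1_FIRST = "access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944"
R2_FIRST = "access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944"
R1_FINAL = R1_FIRST + "\naccess-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255"
R2_FINAL = R2_FIRST + "\naccess-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255"


def report(label: str, r1: str, r2: str) -> None:
    """Check both directions, since either router may be the one that initiates phase 2."""
    for initiator, responder, who in ((r2, r1, "R2->R1"), (r1, r2, "R1->R2")):
        bad = unmatched(parse_acl(initiator), parse_acl(responder))
        status = "ok" if not bad else "no mirror on responder for: " + "; ".join(a.proxies() for a in bad)
        print(f"{label} {who}: {status}")


if __name__ == "__main__":
    report("first ACLs", R1_FIRST, R2_FIRST)  # R2 proposes 2.2.2.0/.../6/0 -> 1.1.1.0/.../6/1944, R1 has no mirror
    report("final ACLs", R1_FINAL, R2_FINAL)
```

With the first pair of ACLs the script reports that R2's entry (any source port to destination port 1944) has no mirror on R1, which is exactly the `local_proxy`/`remote_proxy` pair in the debug above that R1 rejected; with the final two-line ACLs every entry on each side has its mirror on the other and both directions report ok. The same check applies to any crypto ACL with several entries: each entry, ports included, needs a mirror on the peer or traffic matching it will fail phase 2 in one direction.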
Author Closing Comment by vreyesii (ID: 33710170)

My question was answered.