Solved

Cannot establish ipsec tunnel between two routers

Posted on 2010-09-17
Medium Priority
812 Views
Last Modified: 2012-05-10
I have been trying to establish an ipsec tunnel between the two routers below but I have been unsuccessful. Below are the configurations for both routers. What am I missing?

Thank you

R1 Config

crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5
crypto isakmp key grace address 100.100.12.2
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
 set peer 100.100.12.2
 set transform-set TRANS
 match address 101


interface Serial0/0
 ip address 100.100.12.1 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 crypto map MAP1

router rip
 version 2
 network 2.0.0.0
 network 100.0.0.0
 no auto-summary

interface Loopback0
 ip address 1.1.1.1 255.255.255.0

R2 Config


crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5
crypto isakmp key grace address 100.100.12.1
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
 set peer 100.100.12.1
 set transform-set TRANS
 match address 101


interface Serial0/0
 ip address 100.100.12.2 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 crypto map MAP1

interface Loopback0
 ip address 2.2.2.2 255.255.255.0

router rip
 version 2
 network 2.0.0.0
 network 100.0.0.0
 no auto-summary

Question by:vreyesii
10 Comments
 
LVL 6

Expert Comment

by:wpharaon
ID: 33707211
What about ACL 101 ?
LVL 3

Expert Comment

by:gremwell
ID: 33707218
Do you have access lists 101 you mention in the crypto-map?

Author Comment

by:vreyesii
ID: 33707729
Sorry about that I forgot to post it. Here it is:

R1 -
access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944

R2 -
access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944
LVL 3

Expert Comment

by:gremwell
ID: 33708114
Does your router support AES? IOS will let you configure AES even if the hardware does not support it; I had this with my C826 router. Try changing it to DES, just to test it.

Try enabling debugging in IOS, generate some traffic which will hit ACL 101 and see what will happen. You must turn on the debug as well as turn on the debug monitor, which is normally the terminal you are logged in on:

Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor

To disable debugging:

Router# no debug all
Router# term no monitor

Author Comment

by:vreyesii
ID: 33708588
I changed the encryption to DES and I still cannot get the ipsec tunnel up. Phase I comes up fine but Phase II does not come up.  Below is how I am generating traffic to bring up the ipsec tunnel. Below is also the debug from isakmp Phase I and Phase II.

R2#telnet 1.1.1.1 1944 /source-interface lo0
Trying 1.1.1.1, 1944 ...
*Mar  1 12:48:32.112: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 12:48:32.116: SA has outstanding requests  (local 102.2.72.136 port 500, remote 102.2.72.108 port 500)
*Mar  1 12:48:32.120: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Mar  1 12:48:32.124: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1109342845
*Mar  1 12:48:32.124: ISAKMP:(1001):QM Initiator gets spi
*Mar  1 12:48:32.128: ISAKMP:(1001): sending packet to 100.100.12.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 12:48:32.128: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar  1 12:48:32.128: ISAKMP:(1001):Node 1109342845, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 12:48:32.128: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 12:48:32.144: ISAKMP (0:1001): received packet from 100.100.12.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 12:48:32.144: ISAKMP: set new node -1854547655 to QM_IDLE
*Mar  1 12:48:32.152: ISAKMP:(1001): processing HASH payload. message ID = -1854547655
*Mar  1 12:48:32.152: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1191281056, message ID = -1854547655, sa = 66024724
*Mar  1 12:48:32.156: ISAKMP:(1001): deleting spi 1191281056 message ID = 1109342845
*Mar  1 12:48:32.160: ISAKMP:(1001):deleting node 1109342845 error TRUE reason "Delete Larval"
*Mar  1 12:48:32.164: ISAKMP:(1001):deleting node -1854547655 error FALSE reason "Informational (in) state 1"
*Mar  1 12:48:32.164: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 12:48:32.164: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE



R2#telnet 1.1.1.1 1944 /source-interface lo0
Trying 1.1.1.1, 1944 ...
*Mar  1 12:55:51.608: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 100.100.12.2, remote= 100.100.12.1,
    local_proxy= 2.2.2.0/255.255.255.0/6/0 (type=4),
    remote_proxy= 1.1.1.0/255.255.255.0/6/1944 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
LVL 6

Accepted Solution

by:
kuoh earned 1200 total points
ID: 33709456
I wonder if the addition of port numbers in the ACL has an effect?  I'm not sure the ACLs are exact mirrors of each other right now.  Can you try taking out the port operator or adding the following?

R1 -
access-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255

R2 -
access-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255

Author Comment

by:vreyesii
ID: 33710096
I removed the previous access-list and I first tried to replace it with the ACL you suggested and it didn't work. I then removed the port operator. And I was finally able to bring up Phase II. Why isn't the ipsec tunnel coming up using the port operator?

Below is the ACL I used.

R1:

access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

R2:

access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
LVL 6

Expert Comment

by:kuoh
ID: 33710119
Actually, I was suggesting that you add my ACLs to yours, not replace.  I'm not sure that you can use ports in crypto ACLs, but I'm guessing that the original ACL didn't work before because while the IPs were mirror opposites on each side, the ports weren't.  The ones I suggested were to provide the matching ones for yours so a common proposal could be chosen.
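The mirror rule kuoh describes can be checked mechanically before a tunnel is brought up. The script below is an added example, not code from this thread, from Cisco or from any of the posters: it parses the `access-list ... permit` lines of both routers, computes the mirror image of every entry (source and destination swapped, port operator included), and reports any entry whose mirror is missing on the peer. It also renders each entry as the `local_proxy`/`remote_proxy` identities in the form seen in the `debug crypto ipsec` output posted earlier (addr/mask/protocol/port; that rendering is an assumption based on that one debug line). It only understands the `eq` operator with numeric ports and rejects anything else rather than guessing. The ACL strings embedded at the bottom are the ones posted in the thread.

```python
"""Mirror-image check for Cisco IOS crypto ACLs (added example, not from the thread).
Phase 2 proxy identities come from the crypto ACL; the responder accepts a proposal
only if it holds the exact mirror (addresses and port operators swapped), so a
missing mirror on the peer shows up as PROPOSAL_NOT_CHOSEN in the debug."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# IP protocol numbers, as used in the addr/mask/proto/port proxy rendering below.
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
ACE_RE = re.compile(r"^access-list\s+\d+\s+permit\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class CryptoAce:
    proto: str
    src: IPv4Network
    src_port: Optional[int]
    dst: IPv4Network
    dst_port: Optional[int]

    def mirror(self) -> "CryptoAce":
        """The entry the peer must hold: source and destination swapped, ports included."""
        return CryptoAce(self.proto, self.dst, self.dst_port, self.src, self.src_port)


def _take_addr(tokens: List[str]) -> IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and return the network."""
    t = tokens.pop(0)
    if t == "any":
        return IPv4Network("0.0.0.0/0")
    if t == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = IPv4Address(int(IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return IPv4Network((t, str(netmask)), strict=False)


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq N'. Other port operators are rejected, not guessed."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    if tokens and tokens[0] in ("gt", "lt", "neq", "range"):
        raise ValueError(f"port operator {tokens[0]!r} is not supported by this checker")
    return None


def parse_ace(line: str) -> CryptoAce:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a permit entry: {line!r}")
    proto, tokens = m.group(1), m.group(2).split()
    src, src_port = _take_addr(tokens), _take_port(tokens)
    dst, dst_port = _take_addr(tokens), _take_port(tokens)
    if tokens:
        raise ValueError(f"unparsed tokens {tokens} in {line!r}")
    return CryptoAce(proto, src, src_port, dst, dst_port)


def parse_acl(text: str) -> List[CryptoAce]:
    return [parse_ace(l) for l in text.splitlines() if l.strip().startswith("access-list")]


def proxy_ids(ace: CryptoAce) -> Tuple[str, str]:
    """Render (local_proxy, remote_proxy) as addr/mask/proto/port, 0 meaning any port."""
    proto = PROTO_NUMBERS.get(ace.proto, ace.proto)

    def fmt(net: IPv4Network, port: Optional[int]) -> str:
        return f"{net.network_address}/{net.netmask}/{proto}/{port or 0}"

    return fmt(ace.src, ace.src_port), fmt(ace.dst, ace.dst_port)


def unmirrored(local: List[CryptoAce], peer: List[CryptoAce]) -> List[CryptoAce]:
    """Entries on 'local' whose mirror image is missing from 'peer'."""
    return [ace for ace in local if ace.mirror() not in peer]


def check_pair(r1_text: str, r2_text: str) -> List[str]:
    """Describe every Phase 2 proposal the other side would reject; empty means mirrored."""
    r1, r2 = parse_acl(r1_text), parse_acl(r2_text)
    problems = []
    for name, local, peer in (("R1", r1, r2), ("R2", r2, r1)):
        for ace in unmirrored(local, peer):
            lp, rp = proxy_ids(ace)
            problems.append(f"{name}: no mirror on peer for local_proxy={lp} remote_proxy={rp}")
    return problems


# The ACLs posted in the thread: the first pair fails Phase 2, the second pair works.
R1_ORIGINAL = "access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944"
R2_ORIGINAL = "access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944"
R1_FIXED = R1_ORIGINAL + "\naccess-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255"
R2_FIXED = R2_ORIGINAL + "\naccess-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255"

if __name__ == "__main__":
    for label, pair in (("original", (R1_ORIGINAL, R2_ORIGINAL)), ("fixed", (R1_FIXED, R2_FIXED))):
        issues = check_pair(*pair)
        print(f"{label}: {'mirror OK' if not issues else 'MISMATCH'}")
        for p in issues:
            print("   ", p)
```

For the original pair the R2 report line carries exactly the proxies from the posted debug (`local_proxy= 2.2.2.0/255.255.255.0/6/0`, `remote_proxy= 1.1.1.0/255.255.255.0/6/1944`), which is the proposal R1 answered with PROPOSAL_NOT_CHOSEN; for the final four-line ACLs the check is clean, as is a port-less pair.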

Author Comment

by:vreyesii
ID: 33710169
You were right, the ports were not mirrors of each other on each side. I added the ACL which I first had, and then added what you had suggested, and the tunnel came up using the port numbers. So below are the ACLs which I am using on each router. Thanks for the help!

R1:

access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944
access-list 101 permit tcp 1.1.1.0 0.0.0.255 eq 1944 2.2.2.0 0.0.0.255

R2:

access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944
access-list 101 permit tcp 2.2.2.0 0.0.0.255 eq 1944 1.1.1.0 0.0.0.255

Author Closing Comment

by:vreyesii
ID: 33710170
My question was answered.
