IPSEC Tunnel Fails 2x Cisco 2921


I tried putting in a routing statement, but there was no change.  NO PRIVATE INFO: I'll change the crypto key once I get this working.

ip route 192.168.175.0 255.255.255.0 192.168.176.1

ip route 192.168.176.0 255.255.255.0 192.168.175.1
!!!@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SITE 1 @@@@@@@@@@@@@@@@@@@@@@@@!!!!
localrtr#sh run
hostname localrtr
boot-start-marker
boot-end-marker
enable secret 5 $1$A3Kg$TZeqZI6QF3r.S4nu80fZJ1
no aaa new-model
!
ip domain name mydomain.com
ip cef
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 05190900355E41060D
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.236
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.236
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.175.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description MGNT_10_10_10_15
 switchport access vlan 200
 no ip address
!
interface Vlan200
 ip address 10.10.10.15 255.255.255.224
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
!
control-plane
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end
---------------------================================-----------------------------
localrtr#ping 192.168.176.1 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.176.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.175.1
.....
Success rate is 0 percent (0/5)
localrtr#
localrtr#ping 192.168.168.236
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.168.236, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
localrtr#

---------------------================================-----------------------------
localrtr# debug crypto cond peer ipv4 192.168.176.1
localrtr# debug crypto ipsec
localrtr# debug crypto isakmp
localrtr# term mon

localrtr# sh cry isa pol

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
localrtr#
localrtr#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
    Peer = 192.168.168.236
    Extended IP access list VPN_TRAFFIC
        access-list VPN_TRAFFIC permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
    Current peer: 192.168.168.236
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Transform sets={
        TS:  { esp-3des esp-md5-hmac  } ,
    }
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

localrtr#


localrtr#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.168.168.236 port 500
  IPSEC FLOW: permit ip 192.168.175.0/255.255.255.0 192.168.176.0/255.255.255.0
        Active SAs: 0, origin: crypto map

localrtr#
Dec 14 17:43:46.005: No peer struct to get peer description
localrtr#

---------------------------==========================------------------------
!!!@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SITE 2 @@@@@@@@@@@@@@@@@@@@@@@@@!!!!
remotertr#sh run
hostname remotertr
boot-start-marker
boot-end-marker
enable secret 5 $1$m3qS$tiNd8YH.rmhKzGoRqa2970
no aaa new-model
!
ip domain name mydomain.com
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 105C061611051D0418
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.235
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.235
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.236 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.176.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description MNGT
 ip address 10.10.10.16 255.255.255.224
 duplex auto
 speed auto
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
!
control-plane
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end

-----------------------------======================-----------------------
remotertr#ping 192.168.175.1 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.175.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.176.1
.....
Success rate is 0 percent (0/5)
remotertr#
remotertr#ping 192.168.168.235
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.168.235, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
remotertr#

-----------------------------======================-----------------------
remotertr#debug crypto cond peer ipv4 192.168.175.1
remotertr#debug crypto ipsec
remotertr#debug crypto isakmp
remotertr#term mon

remotertr#sh cry isa pol

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
remotertr#
remotertr#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
    Peer = 192.168.168.235
    Extended IP access list VPN_TRAFFIC
        access-list VPN_TRAFFIC permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
    Current peer: 192.168.168.235
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Mixed-mode : Disabled
    Transform sets={
        TS:  { esp-3des esp-md5-hmac  } ,
    }
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

    Interfaces using crypto map NiStTeSt1:

remotertr#


remotertr#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.168.168.235 port 500
  IPSEC FLOW: permit ip 192.168.176.0/255.255.255.0 192.168.175.0/255.255.255.0
        Active SAs: 0, origin: crypto map

remotertr#
*Dec 14 17:18:13.423: No peer struct to get peer description
remotertr#
Topics: Encryption, Routers, Cisco

Comment from huffmana (ASKER):

WHAT???????

localrtr(config)#no ip access-list extended VPN_TRAFFIC
localrtr(config)#ip access-list extended VPN_TRAFFIC
localrtr(config-ext-nacl)#  permit ip any any
localrtr(config-ext-nacl)#end
localrtr#sh cry ses      
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE    
Peer: 192.168.168.236 port 500
  IKEv1 SA: local 192.168.168.235/500 remote 192.168.168.236/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

localrtr#
Comment from huffmana (ASKER):

I was missing a routing statement
R1 #ip route 0.0.0.0 0.0.0.0 192.168.168.236
R2 #ip route 0.0.0.0 0.0.0.0 192.168.168.235
Comment from huffmana (ASKER):

I've put specific routing statements into the configs, so now I can move ahead and add the overload NAT and incoming PAT.

R1 ip route 192.168.176.0 255.255.255.0 192.168.168.236
R2 ip route 192.168.175.0 255.255.255.0 192.168.168.235

I found a really good example for multiple IPSEC tunnels that helped me: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14133-ios-hub-spoke.pdf
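An added consistency check for the two configurations in the question and for the fix in the comments above (example code written for this page, not the asker's and not Cisco's): it parses both running-configs, confirms that each side's crypto map peer is the other side's outside address and that the two crypto ACLs mirror each other, and then asks the question the original post skipped: does the router have a route that sends the remote LAN out of the interface carrying the crypto map? A crypto map is only evaluated for packets leaving its interface, so without the `ip route` from the asker's fix, packets for 192.168.176.0/24 have no route, never reach GigabitEthernet0/0, and no SA is ever negotiated, which is consistent with the `Active SAs: 0` output above. The same check flags a `permit ip any any` crypto ACL like the one in the "WHAT???????" comment, which brought the tunnel up only because it pulls every packet, including traffic to the peer itself, into the tunnel. (Separately, note that the conditional debugs above filter on the remote LAN address 192.168.176.1, while IKE runs between the two outside addresses, so they would show nothing useful even once traffic flows.) The sample configs are trimmed copies of the two posted ones with the asker's static routes appended for the fixed case; the parser understands only the handful of commands those use (no `host` keyword in ACEs, no dynamic routing), and `egress_interface` is a plain longest-prefix match, not the IOS RIB.

```python
import ipaddress

def site_config(host, wan, peer_wan, lan, peer_lan):
    """Constructed sample: one side of the question's config, trimmed to the lines read here."""
    return f"""\
hostname {host}
crypto isakmp key firewallcx address {peer_wan}
crypto map CMAP 10 ipsec-isakmp
 set peer {peer_wan}
 match address VPN_TRAFFIC
interface GigabitEthernet0/0
 ip address {wan} 255.255.255.0
 crypto map CMAP
interface GigabitEthernet0/1
 ip address {lan}.1 255.255.255.0
ip access-list extended VPN_TRAFFIC
 permit ip {lan}.0 0.0.0.255 {peer_lan}.0 0.0.0.255
"""

SITE1 = site_config("localrtr", "192.168.168.235", "192.168.168.236", "192.168.175", "192.168.176")
SITE2 = site_config("remotertr", "192.168.168.236", "192.168.168.235", "192.168.176", "192.168.175")
# The asker's fix: a static route on each side sending the remote LAN toward the peer.
SITE1_FIXED = SITE1 + "ip route 192.168.176.0 255.255.255.0 192.168.168.236\n"
SITE2_FIXED = SITE2 + "ip route 192.168.175.0 255.255.255.0 192.168.168.235\n"

def _ace_addr(w, i):
    """Parse one ACE address (any | ADDR WILDCARD) at w[i]; return (network, next index)."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(w[i + 1])))
    return ipaddress.ip_network(f"{w[i]}/{mask}"), i + 2

def parse_config(text):
    """Pull the fields the tunnel checks need out of an IOS running-config."""
    cfg = {"hostname": "?", "interfaces": {}, "acls": {}, "maps": {}, "routes": []}
    section = name = None                   # indented block currently being read
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if not line.startswith(" "):        # top-level command: may open a block
            section = name = None
            if w[0] == "hostname":
                cfg["hostname"] = w[1]
            elif w[0] == "interface":
                section, name = "interfaces", w[1]
                cfg["interfaces"][name] = {"ip": None, "map": None}
            elif w[:3] == ["ip", "access-list", "extended"]:
                section, name = "acls", w[3]
                cfg["acls"][name] = []
            elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
                section, name = "maps", w[2]
                cfg["maps"][name] = {}
            elif w[:2] == ["ip", "route"]:  # (destination network, next hop)
                cfg["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), ipaddress.ip_address(w[4])))
        elif section == "interfaces" and w[:2] == ["ip", "address"]:
            cfg["interfaces"][name]["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif section == "interfaces" and w[:2] == ["crypto", "map"]:
            cfg["interfaces"][name]["map"] = w[2]
        elif section == "acls" and w[:2] == ["permit", "ip"]:
            src, i = _ace_addr(w, 2)
            cfg["acls"][name].append((src, _ace_addr(w, i)[0]))
        elif section == "maps" and w[0] in ("set", "match"):
            cfg["maps"][name][w[1]] = w[2]  # keys such as "peer", "transform-set", "address"
    return cfg

def egress_interface(cfg, dest):
    """Longest-prefix match of dest over connected and static routes; None if unrouted."""
    ifs = {n: i["ip"].network for n, i in cfg["interfaces"].items() if i["ip"]}
    candidates = [(net.prefixlen, n) for n, net in ifs.items() if dest.subnet_of(net)]
    candidates += [(net.prefixlen, n) for net, nh in cfg["routes"] for n, inet in ifs.items()
                   if dest.subnet_of(net) and nh in inet]   # next hop must be on-link
    return max(candidates)[1] if candidates else None

def check_site(cfg, peer):
    """Findings for one side of a site-to-site tunnel, given both parsed configs."""
    me, out = cfg["hostname"], []
    my_if, mine = next(((n, i) for n, i in cfg["interfaces"].items() if i["map"]), (None, None))
    _, theirs = next(((n, i) for n, i in peer["interfaces"].items() if i["map"]), (None, None))
    if mine is None or theirs is None:
        return [f"{me}: one side has no interface carrying a crypto map"]
    cmap = cfg["maps"].get(mine["map"], {})
    if cmap.get("peer") != str(theirs["ip"].ip):
        out.append(f"{me}: crypto map peer {cmap.get('peer')} is not the remote outside address {theirs['ip'].ip}")
    peer_acl = peer["acls"].get(peer["maps"].get(theirs["map"], {}).get("address"), [])
    for src, dst in cfg["acls"].get(cmap.get("address"), []):
        if (dst, src) not in peer_acl:
            out.append(f"{me}: crypto ACE {src} -> {dst} has no mirror image on the peer")
        if src.prefixlen == 0 and dst.prefixlen == 0:
            out.append(f"{me}: crypto ACL permits any to any; all traffic, not just LAN-to-LAN, is pulled into the tunnel")
        via = egress_interface(cfg, dst)
        if via != my_if:
            out.append(f"{me}: {dst} routes via {via}, not the crypto-map interface {my_if}; the crypto map is never consulted")
    return out

def audit(text_a, text_b):
    """Cross-check two site-to-site configs; an empty list means nothing obviously wrong."""
    a, b = parse_config(text_a), parse_config(text_b)
    return check_site(a, b) + check_site(b, a)
```

`audit(SITE1, SITE2)` returns one finding per router naming the unrouted remote LAN, and `audit(SITE1_FIXED, SITE2_FIXED)` returns an empty list. To use it on real devices, paste the two `show running-config` outputs in place of the sample strings; the `permit ip any any` finding and the missing-mirror finding are the two that most often explain a tunnel that negotiates on one side only or never negotiates at all.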