IPSEC Tunnel Fails 2x Cisco 2921

I tried putting in a routing statement, but there was no change. NO PRIVATE INFO: I'll change the crypto key once I get this working.

ip route 192.168.175.0 255.255.255.0 192.168.176.1

ip route 192.168.176.0 255.255.255.0 192.168.175.1
[Diagram attachment not included]

!!!@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SITE 1 @@@@@@@@@@@@@@@@@@@@@@@@!!!!
localrtr#sh run
hostname localrtr
boot-start-marker
boot-end-marker
enable secret 5 $1$A3Kg$TZeqZI6QF3r.S4nu80fZJ1
no aaa new-model
!
ip domain name mydomain.com
ip cef
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 05190900355E41060D
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.236
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.236
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.175.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description MGNT_10_10_10_15
 switchport access vlan 200
 no ip address
!
interface Vlan200
 ip address 10.10.10.15 255.255.255.224
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
!
control-plane
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end
---------------------================================-----------------------------
localrtr#ping 192.168.176.1 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.176.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.175.1
.....
Success rate is 0 percent (0/5)
localrtr#
localrtr#ping 192.168.168.236
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.168.236, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
localrtr#

---------------------================================-----------------------------
localrtr# debug crypto cond peer ipv4 192.168.176.1
localrtr# debug crypto ipsec
localrtr# debug crypto isakmp
localrtr# term mon

localrtr# sh cry isa pol

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
localrtr#
localrtr#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
    Peer = 192.168.168.236
    Extended IP access list VPN_TRAFFIC
        access-list VPN_TRAFFIC permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
    Current peer: 192.168.168.236
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Transform sets={
        TS:  { esp-3des esp-md5-hmac  } ,
    }
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

localrtr#


localrtr#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.168.168.236 port 500
  IPSEC FLOW: permit ip 192.168.175.0/255.255.255.0 192.168.176.0/255.255.255.0
        Active SAs: 0, origin: crypto map

localrtr#
Dec 14 17:43:46.005: No peer struct to get peer description
localrtr#

---------------------------==========================------------------------
!!!@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SITE 2 @@@@@@@@@@@@@@@@@@@@@@@@@!!!!
remotertr#sh run
hostname remotertr
boot-start-marker
boot-end-marker
enable secret 5 $1$m3qS$tiNd8YH.rmhKzGoRqa2970
no aaa new-model
!
ip domain name mydomain.com
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 105C061611051D0418
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.235
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.235
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.236 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.176.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description MNGT
 ip address 10.10.10.16 255.255.255.224
 duplex auto
 speed auto
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
!
control-plane
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end

-----------------------------======================-----------------------
remotertr#ping 192.168.175.1 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.175.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.176.1
.....
Success rate is 0 percent (0/5)
remotertr#
remotertr#ping 192.168.168.235
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.168.235, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
remotertr#

-----------------------------======================-----------------------
remotertr#debug crypto cond peer ipv4 192.168.175.1
remotertr#debug crypto ipsec
remotertr#debug crypto isakmp
remotertr#term mon

remotertr#sh cry isa pol

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
remotertr#
remotertr#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
    Peer = 192.168.168.235
    Extended IP access list VPN_TRAFFIC
        access-list VPN_TRAFFIC permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
    Current peer: 192.168.168.235
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Mixed-mode : Disabled
    Transform sets={
        TS:  { esp-3des esp-md5-hmac  } ,
    }
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

    Interfaces using crypto map NiStTeSt1:

remotertr#

remotertr#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.168.168.235 port 500
  IPSEC FLOW: permit ip 192.168.176.0/255.255.255.0 192.168.175.0/255.255.255.0
        Active SAs: 0, origin: crypto map

remotertr#
*Dec 14 17:18:13.423: No peer struct to get peer description
remotertr#
huffmana (System Admin and Network Engineer) asked:

huffmana (System Admin and Network Engineer, Author) commented:
WHAT???????

localrtr(config)#no ip access-list extended VPN_TRAFFIC
localrtr(config)#ip access-list extended VPN_TRAFFIC
localrtr(config-ext-nacl)#  permit ip any any
localrtr(config-ext-nacl)#end
localrtr#sh cry ses      
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE    
Peer: 192.168.168.236 port 500
  IKEv1 SA: local 192.168.168.235/500 remote 192.168.168.236/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

localrtr#
huffmana (System Admin and Network Engineer, Author) commented:
I was missing a routing statement:
R1 #ip route 0.0.0.0 0.0.0.0 192.168.168.236
R2 #ip route 0.0.0.0 0.0.0.0 192.168.168.235
huffmana (System Admin and Network Engineer, Author) commented:
I've put specific routing statements into the configs, so now I can move ahead and add the overload NAT and incoming PAT.

R1 ip route 192.168.176.0 255.255.255.0 192.168.168.236
R2 ip route 192.168.175.0 255.255.255.0 192.168.168.235

I found a really good example for multiple IPSEC tunnels that helped me: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14133-ios-hub-spoke.pdf
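A config check for the root cause found in this thread, added here as an example (not the asker's or Cisco's code): it reads constructed excerpts of the two `sh run` dumps above, verifies that the two crypto ACLs mirror each other, and explains why a candidate `ip route` line cannot steer interesting traffic into the crypto map, rejecting the asker's original route (next hop 192.168.176.1 sits on no connected subnet, since it is only reachable through the tunnel itself) and accepting the working route whose next hop is the peer's outside address. Function names are my own.

```python
import ipaddress

# Constructed excerpts of the two 'sh run' dumps above (only the lines this check reads).
R1 = """interface GigabitEthernet0/0
 ip address 192.168.168.235 255.255.255.0
 crypto map CMAP
interface GigabitEthernet0/1
 ip address 192.168.175.1 255.255.255.0
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
"""
R2 = """interface GigabitEthernet0/0
 ip address 192.168.168.236 255.255.255.0
 crypto map CMAP
interface GigabitEthernet0/1
 ip address 192.168.176.1 255.255.255.0
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
"""

def interfaces(cfg):
    """Map interface name -> [connected subnet, crypto map applied?]."""
    out, name = {}, None
    for words in (line.split() for line in cfg.splitlines()):
        if words[:1] == ["interface"]:
            name, out[words[1]] = words[1], [None, False]
        elif name and words[:2] == ["ip", "address"]:
            out[name][0] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif name and words[:2] == ["crypto", "map"]:
            out[name][1] = True
    return out

def crypto_acl(cfg):
    """Sorted (src, dst) networks from 'permit ip' lines; ipaddress accepts wildcard masks."""
    return sorted((ipaddress.ip_network(f"{w[2]}/{w[3]}"), ipaddress.ip_network(f"{w[4]}/{w[5]}"))
                  for w in (line.split() for line in cfg.splitlines()) if w[:2] == ["permit", "ip"])

def acls_mirror(cfg_a, cfg_b):
    """Each side's crypto ACL must be the exact mirror (src/dst swapped) of the other's."""
    return crypto_acl(cfg_a) == sorted((d, s) for s, d in crypto_acl(cfg_b))

def route_problem(cfg, route):
    """Why an 'ip route ...' line cannot steer VPN traffic into the tunnel, or None if it can."""
    _, _, dst, mask, hop = route.split()
    dst_net, hop = ipaddress.ip_network(f"{dst}/{mask}"), ipaddress.ip_address(hop)
    if not any(dst_net == d for _, d in crypto_acl(cfg)):
        return f"{dst_net} is not a destination in the crypto ACL"
    for net, has_map in interfaces(cfg).values():
        if net and hop in net:
            return None if has_map else f"next hop {hop} is not on the crypto map interface"
    return f"next hop {hop} is not on any connected subnet, so the route never installs"
```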
