IPSEC Tunnel Fails 2x Cisco 2921

huffmana

I tried putting in a routing statement, but no change. NO PRIVATE INFO: I'll change the crypto key once I get this working.

ip route 192.168.175.0 255.255.255.0 192.168.176.1

ip route 192.168.176.0 255.255.255.0 192.168.175.1
[diagram omitted]

==================== SITE 1 ====================
localrtr#sh run
hostname localrtr
boot-start-marker
boot-end-marker
enable secret 5 $1$A3Kg$TZeqZI6QF3r.S4nu80fZJ1
no aaa new-model
!
ip domain name mydomain.com
ip cef
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 05190900355E41060D
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.236
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.236
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.175.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description MGNT_10_10_10_15
 switchport access vlan 200
 no ip address
!
interface Vlan200
 ip address 10.10.10.15 255.255.255.224
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
!
control-plane
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end
---------------------================================-----------------------------
localrtr#ping 192.168.176.1 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.176.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.175.1
.....
Success rate is 0 percent (0/5)
localrtr#
localrtr#ping 192.168.168.236
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.168.236, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
localrtr#

---------------------================================-----------------------------
localrtr# debug crypto cond peer ipv4 192.168.176.1
localrtr# debug crypto ipsec
localrtr# debug crypto isakmp
localrtr# term mon

localrtr# sh cry isa pol

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
localrtr#
localrtr#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
    Peer = 192.168.168.236
    Extended IP access list VPN_TRAFFIC
        access-list VPN_TRAFFIC permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
    Current peer: 192.168.168.236
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Transform sets={
        TS:  { esp-3des esp-md5-hmac  } ,
    }
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

localrtr#


localrtr#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.168.168.236 port 500
  IPSEC FLOW: permit ip 192.168.175.0/255.255.255.0 192.168.176.0/255.255.255.0
        Active SAs: 0, origin: crypto map

localrtr#
Dec 14 17:43:46.005: No peer struct to get peer description
localrtr#

---------------------------==========================------------------------
==================== SITE 2 ====================
remotertr#sh run
hostname remotertr
boot-start-marker
boot-end-marker
enable secret 5 $1$m3qS$tiNd8YH.rmhKzGoRqa2970
no aaa new-model
!
ip domain name mydomain.com
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 105C061611051D0418
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.235
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.235
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.236 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.176.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description MNGT
 ip address 10.10.10.16 255.255.255.224
 duplex auto
 speed auto
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
!
control-plane
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end

-----------------------------======================-----------------------
remotertr#ping 192.168.175.1 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.175.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.176.1
.....
Success rate is 0 percent (0/5)
remotertr#
remotertr#ping 192.168.168.235
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.168.235, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
remotertr#

-----------------------------======================-----------------------
remotertr#debug crypto cond peer ipv4 192.168.175.1
remotertr#debug crypto ipsec
remotertr#debug crypto isakmp
remotertr#term mon

remotertr#sh cry isa pol

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
remotertr#
remotertr#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
    Peer = 192.168.168.235
    Extended IP access list VPN_TRAFFIC
        access-list VPN_TRAFFIC permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
    Current peer: 192.168.168.235
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Mixed-mode : Disabled
    Transform sets={
        TS:  { esp-3des esp-md5-hmac  } ,
    }
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

    Interfaces using crypto map NiStTeSt1:

remotertr#


remotertr#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.168.168.235 port 500
  IPSEC FLOW: permit ip 192.168.176.0/255.255.255.0 192.168.175.0/255.255.255.0
        Active SAs: 0, origin: crypto map

remotertr#
*Dec 14 17:18:13.423: No peer struct to get peer description
remotertr#
huffmana (Author, System Admin and Network Engineer) commented:
WHAT???????

localrtr(config)#no ip access-list extended VPN_TRAFFIC
localrtr(config)#ip access-list extended VPN_TRAFFIC
localrtr(config-ext-nacl)#  permit ip any any
localrtr(config-ext-nacl)#end
localrtr#sh cry ses      
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE    
Peer: 192.168.168.236 port 500
  IKEv1 SA: local 192.168.168.235/500 remote 192.168.168.236/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

localrtr#
huffmana (Author, System Admin and Network Engineer) commented:
I was missing a routing statement.
R1 #ip route 0.0.0.0 0.0.0.0 192.168.168.236
R2 #ip route 0.0.0.0 0.0.0.0 192.168.168.235
huffmana (Author, System Admin and Network Engineer) commented:
I've put in specific routing statements into the configs so now I can move ahead and add the overload NAT and incoming PAT.

R1 ip route 192.168.176.0 255.255.255.0 192.168.168.236
R2 ip route 192.168.175.0 255.255.255.0 192.168.168.235

I found a really good example for multiple IPSEC tunnels that helped me: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14133-ios-hub-spoke.pdf
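The thread's fix boils down to one rule for crypto-map IPsec: the route for the remote subnet has to send packets out of the interface that carries the crypto map, otherwise the crypto ACL is never consulted and the session stays DOWN with zero SAs. As an added example (not code from the thread, and not Cisco's), the Python below parses the relevant lines of both routers' configs, checks peer and pre-shared-key symmetry, mirror-image crypto ACLs, and whether the interesting traffic actually routes out of the crypto-map interface, resolving next hops recursively the way IOS does. The config text is constructed from the configs posted above; `ios_config`, `parse_ios`, `egress_interface` and `check_pair` are this example's own names, not IOS features.

```python
import ipaddress

def ios_config(my_ip, peer_ip, local_net, remote_net, route):
    """Constructed IOS fragment holding just the lines of the thread's configs that the check needs."""
    return f"""\
crypto isakmp key firewallcx address {peer_ip}
crypto map CMAP 10 ipsec-isakmp
 set peer {peer_ip}
 match address VPN_TRAFFIC
interface GigabitEthernet0/0
 ip address {my_ip} 255.255.255.0
 crypto map CMAP
ip access-list extended VPN_TRAFFIC
 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
ip route {route}
"""

# Routes as posted in the question (next hop = the far side's INSIDE address) ...
SITE1_ORIG = ios_config("192.168.168.235", "192.168.168.236", "192.168.175.0", "192.168.176.0", "192.168.176.0 255.255.255.0 192.168.176.1")
SITE2_ORIG = ios_config("192.168.168.236", "192.168.168.235", "192.168.176.0", "192.168.175.0", "192.168.175.0 255.255.255.0 192.168.175.1")
# ... and site 1 with the route from the author's last comment (next hop = the peer's OUTSIDE address).
SITE1_FIXED = ios_config("192.168.168.235", "192.168.168.236", "192.168.175.0", "192.168.176.0", "192.168.176.0 255.255.255.0 192.168.168.236")

def _acl_net(tokens):
    """Consume one ACL address spec (any | NET WILDCARD); ipaddress understands wildcard masks."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")

def parse_ios(text):
    """Extract interfaces, extended ACLs, static routes, isakmp keys and crypto maps from IOS text."""
    cfg = {"ifaces": {}, "acls": {}, "routes": [], "keys": {}, "maps": {}}
    ctx = None
    for line in text.splitlines():
        s, w = line.strip(), line.split()
        if not line.startswith(" "):  # top-level command: opens a new context or ends the current one
            ctx = None
            if s.startswith("interface "):
                ctx, cfg["ifaces"][w[1]] = ("iface", w[1]), {"net": None, "map": None}
            elif s.startswith("ip access-list extended "):
                ctx, cfg["acls"][w[3]] = ("acl", w[3]), []
            elif s.startswith("crypto map ") and s.endswith("ipsec-isakmp"):
                ctx, cfg["maps"][w[2]] = ("map", w[2]), {}
            elif s.startswith("crypto isakmp key "):
                cfg["keys"][w[5]] = w[3]  # peer address -> pre-shared key
            elif s.startswith("ip route "):
                cfg["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), ipaddress.ip_address(w[4])))
        elif ctx is not None:
            kind, name = ctx
            if kind == "iface" and s.startswith("ip address "):
                cfg["ifaces"][name]["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            elif kind == "iface" and s.startswith("crypto map "):
                cfg["ifaces"][name]["map"] = w[2]
            elif kind == "acl" and s.startswith("permit ip "):
                rest = w[2:]  # source spec is consumed first, then destination
                cfg["acls"][name].append((_acl_net(rest), _acl_net(rest)))
            elif kind == "map" and s.startswith("set peer "):
                cfg["maps"][name]["peer"] = ipaddress.ip_address(w[2])
            elif kind == "map" and s.startswith("match address "):
                cfg["maps"][name]["acl"] = w[2]
    return cfg

def egress_interface(cfg, dst, _seen=()):
    """Interface a packet to dst leaves through (connected first, else longest-match static route with
    the next hop resolved recursively as IOS does); None if there is no route or the lookup loops."""
    for name, i in cfg["ifaces"].items():
        if i["net"] is not None and dst in i["net"].network:
            return name
    matches = [r for r in cfg["routes"] if dst in r[0]]
    if not matches:
        return None
    _, nh = max(matches, key=lambda r: r[0].prefixlen)
    if nh in _seen:  # the next hop only resolves back through this same route
        return None
    return egress_interface(cfg, nh, _seen + (nh,))

def check_pair(local, remote):
    """Problems seen from the local side; an empty list means the pair looks consistent."""
    outside = next((n for n, i in local["ifaces"].items() if i["map"]), None)
    if outside is None:
        return ["no interface carries a crypto map"]
    cmap = local["maps"][local["ifaces"][outside]["map"]]
    my_ip, peer = local["ifaces"][outside]["net"].ip, cmap["peer"]
    remote_ip = next((i["net"].ip for i in remote["ifaces"].values() if i["map"]), None)
    problems = []
    if peer != remote_ip:
        problems.append(f"crypto map peer {peer} is not the remote crypto-map interface address {remote_ip}")
    if str(peer) not in local["keys"] or local["keys"][str(peer)] != remote["keys"].get(str(my_ip)):
        problems.append(f"isakmp key for {peer} is missing or differs from the remote side")
    remote_acl = remote["acls"][next(iter(remote["maps"].values()))["acl"]]
    mirror = {(d, s) for s, d in remote_acl}
    for src, dst in local["acls"][cmap["acl"]]:
        if (src, dst) not in mirror:
            problems.append(f"ACL entry {src} -> {dst} has no mirror image on the remote side")
        probe = dst[1] if dst.num_addresses > 1 else dst[0]  # any host inside the remote subnet
        if egress_interface(local, probe) != outside:
            problems.append(f"traffic to {dst} does not leave via {outside}, so it never hits the crypto map")
    return problems

if __name__ == "__main__":
    for label, text in (("site 1 as posted", SITE1_ORIG), ("site 1 with the fix", SITE1_FIXED)):
        print(f"{label}: {check_pair(parse_ios(text), parse_ios(SITE2_ORIG)) or 'OK'}")
```

Run as posted, the check flags site 1's original route: its next hop 192.168.176.1 is on no connected subnet, and the only route that covers it is the route being resolved, so the lookup loops and the packets for 192.168.176.0/24 never reach GigabitEthernet0/0. The author's final route (next hop 192.168.168.236) and the interim default route both resolve to the crypto-map interface and pass. On the real router the same condition typically shows up as the static route being absent from `show ip route` because its next hop cannot be resolved, which is the first thing worth checking whenever `show crypto session` reports zero active SAs with a reachable peer.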