site to site ipsec vpn with 3845 and 2821

May 29th, 2008

Hi, I'm building a test site-to-site VPN for my lab.

The routers are a 3845 with the AIM module enabled and a 2821.

The VPN is configured with loopback interfaces:

interface Loopback0
 ip address 172.16.1.1 255.255.255.0

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key test123 address 0.0.0.0 0.0.0.0 no-xauth

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map vpnlist 1 ipsec-isakmp
 set peer 91.103.35.20
 set transform-set ESP-3DES-SHA
 match address 102

access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

router 2

interface Loopback0
 ip address 172.16.2.1 255.255.255.0

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key test123 address 0.0.0.0 0.0.0.0 no-xauth

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map vpnlist 1 ipsec-isakmp
 set peer 91.103.35.24
 set transform-set ESP-3DES-SHA
 match address 102

access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255



I can ping each peer from each router,

but I can't ping one router's loopback interface 172.16.1.1 with the command:

ping 172.16.1.1 source 172.16.2.2

I turned on debug mode for crypto ipsec, isakmp and engine but there is nothing coming up!

To be precise, I've got an AIM VPN module in the 3845 router, and the sh cry engine configuration is:

crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: aim 0
VPN Module in slot: 0

and from the 2821:

crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
Middleware Version: v1.2.0
Firmware Version: v2.2.0
Crypto Adjacency Counts:
  Lock Count: 0
  Unlock Count: 0
crypto lib version: 19.0.0

I don't understand why those VPNs are not up and running... Is there a way to check whether or not the AIM module is correctly set up?




sh cry map:

Crypto Map "vpnlist" 1 ipsec-isakmp
    Peer = 91.103.35.24
    Extended IP access list 102
        access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    Current peer: 91.103.35.24
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
        ESP-3DES-SHA,
    }
    Interfaces using crypto map vpnlist:
        GigabitEthernet0/0.412

sh cry map router 1:

Crypto Map "vpnlist" 1 ipsec-isakmp
    Peer = 91.103.35.20
    Extended IP access list 102
        access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
    Current peer: 91.103.35.20
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
        ESP-3DES-SHA,
    }
    Interfaces using crypto map vpnlist:
        GigabitEthernet0/0.1

srue Thu, 05/29/2008 - 10:48

I can't tell from your config: where did you apply the crypto map?

Try setting your isakmp keys for the specific peers instead of 0.0.0.0.

Try debug crypto isakmp / debug crypto ipsec.

...make sure basic routing is set up also. At the very least you need a default route, even if it's the other peer.

durale1789 Fri, 05/30/2008 - 01:13

My crypto map is attached to the outside interface under:

interface GigabitEthernet0/0.92
 encapsulation dot1Q 92
 ip address 92.103.32.126 255.255.255.128

interface GigabitEthernet0/0.412
 encapsulation dot1Q 412
 ip address 91.103.35.20 255.255.255.240
 crypto map vpnlist

ip route 0.0.0.0 0.0.0.0 91.103.35.24

And now it is working! It was the default route, and because I changed the crypto map from interface 0/0.92 to 0/0.412.

However, it doesn't resolve my problem: I still want to assign the crypto map to interface 0/0.92 and route via interface 0/0.412, but this way it is not working... why?

I could understand the default route to catch the encrypted traffic, but I don't understand why I can't use the other network as the outside interface?

It would mean that I can't use subinterfaces and VLANs to assign different crypto maps!

Would I need to use VRF?

Ah, and thank you very much for your help, it makes me progress a lot!

regards,

alex




srue Fri, 05/30/2008 - 04:15

Try putting in a route to the remote network to leave via your subinterface...

interface GigabitEthernet0/0.92
 crypto map vpnlist

interface GigabitEthernet0/0.412
 no crypto map vpnlist

ip route 172.16.2.0 255.255.255.0 GigabitEthernet0/0.92

durale1789 Fri, 05/30/2008 - 05:56

This is exactly what I've noticed: you need to make routes for each encryption domain with your outside interface as the destination.

So I did:

ip route 172.16.4.1 255.255.255.255 GigabitEthernet0/0.92
access-list 104 permit ip host 172.16.2.1 host 172.16.4.1

and it works perfectly.

So now I will try to add a couple of VPNs with different outside interfaces and check how it goes...

Thank you very much for your help indeed.

I'm wondering if I can use IPsec tunnels within VRF?

regards,

alex
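The lesson of this thread, that a crypto map only ever sees traffic that leaves through the interface it is applied to, is easy to check mechanically before turning on debugs. The following Python is an added example, not code from the thread, from Cisco, or from either poster: it parses the relevant lines of both routers' configs (sample configs constructed from the snippets above; the 2821's outside interface name, its mask and its set peer are assumptions, since the thread never shows that side after the change) and reports when a protected destination is routed out of an interface other than the one holding the crypto map, when a set peer is not the address of the far side's crypto-map interface, or when a crypto ACL is not mirrored by the other router.

```python
"""Static consistency checks for a two-router IOS site-to-site IPsec setup. Added example,
not from the thread; the configs below are constructed from its snippets (2821 side assumed)."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
# 3845 as first attempted: map on Gi0/0.92, but 172.16.2.0/24 follows the default route out of Gi0/0.412.
ROUTER_3845 = """
interface GigabitEthernet0/0.92
 ip address 92.103.32.126 255.255.255.128
 crypto map vpnlist
interface GigabitEthernet0/0.412
 ip address 91.103.35.20 255.255.255.240
crypto map vpnlist 1 ipsec-isakmp
 set peer 91.103.35.24
 match address 102
access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 91.103.35.24
"""
# srue's fix: steer the protected subnet out of the interface that holds the map.
ROUTER_3845_FIXED = ROUTER_3845 + "ip route 172.16.2.0 255.255.255.0 GigabitEthernet0/0.92\n"
# 2821 side (interface, mask and 'set peer' assumed); the peer is the 3845 interface that carries the map.
ROUTER_2821 = """
interface GigabitEthernet0/0.1
 ip address 91.103.35.24 255.255.255.240
 crypto map vpnlist
crypto map vpnlist 1 ipsec-isakmp
 set peer 92.103.32.126
 match address 102
access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 91.103.35.20
"""

def _acl_addr(tok):  # consume 'host X' or 'X WILDCARD'; an IOS wildcard is a hostmask, which ipaddress accepts
    if tok[0] == "host":
        return IPv4Network(tok[1]), tok[2:]
    return IPv4Network((tok[0], tok[1]), strict=False), tok[2:]

def parse_ios(text):  # tiny IOS parser: interfaces, crypto map entries, extended ACLs, static routes
    cfg, ctx = {"interfaces": {}, "maps": {}, "acls": {}, "routes": []}, None
    for raw in filter(str.strip, text.splitlines()):
        tok = raw.split()
        if raw.startswith(" ") and ctx is not None:   # sub-command of the current block
            if tok[:2] == ["ip", "address"]:
                ctx["ip"] = IPv4Interface(f"{tok[2]}/{tok[3]}")
            elif tok[:2] == ["crypto", "map"]:
                ctx["map"] = tok[2]
            elif tok[:2] == ["set", "peer"]:
                ctx["peer"] = IPv4Address(tok[2])
            elif tok[:2] == ["match", "address"]:
                ctx["acl"] = tok[2]
        elif tok[0] == "interface":
            ctx = cfg["interfaces"].setdefault(tok[1], {"ip": None, "map": None})
        elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
            ctx = cfg["maps"].setdefault((tok[2], int(tok[3])), {"peer": None, "acl": None})
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, rest = _acl_addr(tok[4:])
            cfg["acls"].setdefault(tok[1], []).append((src, _acl_addr(rest)[0]))
        elif tok[:2] == ["ip", "route"]:
            cfg["routes"].append((IPv4Network((tok[2], tok[3])), tok[4]))
    return cfg

def exit_interface(cfg, dst):  # longest-prefix static route; a next-hop IP resolves to its connected interface
    hits = [r for r in cfg["routes"] if dst in r[0]]
    target = max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None
    if target is None or not target[0].isdigit():
        return target                                  # no route, or the route names the interface
    hop = IPv4Address(target)
    return next((n for n, i in cfg["interfaces"].items() if i["ip"] and hop in i["ip"].network), None)

def check_site(cfg, label):  # protected destinations must leave through the interface holding the map
    findings, applied = [], {i["map"]: n for n, i in cfg["interfaces"].items() if i["map"]}
    for (name, _seq), e in cfg["maps"].items():
        if name not in applied:
            findings.append(f"{label}: crypto map {name} is not applied to any interface")
            continue
        for _src, dst in cfg["acls"].get(e["acl"], []):
            via = exit_interface(cfg, dst.network_address)
            if via != applied[name]:
                findings.append(f"{label}: traffic to {dst} exits via {via} but crypto map {name} is on {applied[name]}")
    return findings

def check_pair(a, b):  # cross-check both sides; returns a list of findings, empty when consistent
    findings = check_site(a, "A") + check_site(b, "B")
    for x, y, xl, yl in ((a, b, "A", "B"), (b, a, "B", "A")):
        mirrored = {(d, s) for f in y["maps"].values() for s, d in y["acls"].get(f["acl"], [])}
        for e in x["maps"].values():
            on = [n for n, i in y["interfaces"].items() if i["ip"] and i["ip"].ip == e["peer"]]
            if not on or y["interfaces"][on[0]]["map"] is None:
                findings.append(f"{xl}: set peer {e['peer']} is not a crypto-map interface address on {yl}")
            for s, d in x["acls"].get(e["acl"], []):
                if (s, d) not in mirrored:   # the far side must protect the reverse flow
                    findings.append(f"{xl}: {s} -> {d} is not mirrored on {yl}")
    return findings

def thread_scenarios():  # both scenarios from the thread: the misrouted first attempt and srue's fix
    b = parse_ios(ROUTER_2821)
    return {"misrouted": check_pair(parse_ios(ROUTER_3845), b),
            "fixed": check_pair(parse_ios(ROUTER_3845_FIXED), b)}

if __name__ == "__main__":
    print(thread_scenarios())
```

Run as a script it prints one finding for the first attempt (172.16.2.0/24 exits via GigabitEthernet0/0.412 while vpnlist is on GigabitEthernet0/0.92) and an empty list once the static route out of Gi0/0.92 is added, which is the same outcome alex reports. The checks assume IOS's default behaviour of sourcing IKE and ESP from the address of the interface the crypto map is applied to; they do not model `crypto map ... local-address`, dynamic routing, or the ISAKMP policy and transform-set matching, which the thread's configs already had identical on both sides.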

