05-29-2008 03:30 AM - edited 02-21-2020 03:44 PM
Hi, I'm building a test site-to-site VPN for my lab test.
Routers are a 3845 with the AIM module enabled and a 2821.
VPN configured with loopback interfaces:
interface Loopback0
ip address 172.16.1.1 255.255.255.0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key test123 address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnlist 1 ipsec-isakmp
set peer 91.103.35.20
set transform-set ESP-3DES-SHA
match address 102
access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Router 2:
interface Loopback0
ip address 172.16.2.1 255.255.255.0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key test123 address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnlist 1 ipsec-isakmp
set peer 91.103.35.24
set transform-set ESP-3DES-SHA
match address 102
access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
I can ping each peer from each router,
but I can't ping one of the routers' loopback interface 172.16.1.1 via the command:
ping 172.16.1.1 source 172.16.2.2
I turned on debug mode for crypto ipsec and isakmp engine, but there is nothing coming up!
To be precise, I've got an AIM VPN module in the 3845 router, and sh cry engine configuration is:
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: aim 0
VPN Module in slot: 0
and from 2821:
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
Middleware Version: v1.2.0
Firmware Version: v2.2.0
Crypto Adjacency Counts:
Lock Count: 0
Unlock Count: 0
crypto lib version: 19.0.0
I don't understand why those VPNs are not up and running... Is there a way to check whether or not the AIM module is correctly set up?
sh cry map:
Crypto Map "vpnlist" 1 ipsec-isakmp
Peer = 91.103.35.24
Extended IP access list 102
access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
Current peer: 91.103.35.24
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ESP-3DES-SHA,
}
Interfaces using crypto map vpnlist:
GigabitEthernet0/0.412
sh cry map router 1:
Crypto Map "vpnlist" 1 ipsec-isakmp
Peer = 91.103.35.20
Extended IP access list 102
access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Current peer: 91.103.35.20
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ESP-3DES-SHA,
}
Interfaces using crypto map vpnlist:
GigabitEthernet0/0.1
05-29-2008 10:48 AM
I can't tell from your config; where did you apply the crypto map?
Try setting your isakmp keys for the specific peers, instead of 0.0.0.0.
Try debug crypto isakmp / debug crypto ipsec.
...make sure basic routing is set up also. At the very least, you need a default route, even if it's the other peer.
05-30-2008 01:13 AM
My crypto map is attached to the outside interface under:
interface GigabitEthernet0/0.92
encapsulation dot1Q 92
ip address 92.103.32.126 255.255.255.128
interface GigabitEthernet0/0.412
encapsulation dot1Q 412
ip address 91.103.35.20 255.255.255.240
crypto map vpnlist
ip route 0.0.0.0 0.0.0.0 91.103.35.24
And now it is working; it was the default route! And because I changed the crypto map from interface 0/0.92 to 0/0.412.
However, it doesn't resolve my problem. I still want to assign the crypto map to interface 0/0.92 and route via interface 0/0.412, but this way is not working... why?
I could understand the default route to catch encrypted traffic, but I don't understand why I can't use the other network as the outside interface?
It would mean that I can't use subinterfaces and VLANs to assign different crypto maps!
Would I need to use VRF?
Ah, and thank you very much for your help; it makes me progress a lot!
regards,
alex
05-30-2008 04:15 AM
Try putting in a route to the remote network to leave your subinterface...
interface GigabitEthernet0/0.92
crypto map vpnlist
interface GigabitEthernet0/0.412
no crypto map vpnlist
ip route 172.16.2.0 255.255.255.0 GigabitEthernet0/0.92
05-30-2008 05:56 AM
This is exactly what I've noticed: you need to make routes for each encryption domain with the destination as your outside interface.
So I did:
ip route 172.16.4.1 255.255.255.255 GigabitEthernet0/0.92
access-list 104 permit ip host 172.16.2.1 host 172.16.4.1
and it works perfectly.
So now I will try to add a couple of VPNs with different outside interfaces and check how it goes.
Thank you very much for your help indeed.
I'm wondering if I can use IPsec tunnels within a VRF?
regards,
alex