site to site ipsec vpn with 3845 and 2821

Unanswered Question
May 29th, 2008

Hi, I m building a test vpn site to site for my lab test

routers are 3845 with aim module enabled and 2821

vpn configured with loopback interfaces :

interface Loopback0

ip address 172.16.1.1 255.255.255.0

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key test123 address 0.0.0.0 0.0.0.0 no-xauth

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map vpnlist 1 ipsec-isakmp

set peer 91.103.35.20

set transform-set ESP-3DES-SHA

match address 102

access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

router 2

interface Loopback0

ip address 172.16.2.1 255.255.255.0

rypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key test123 address 0.0.0.0 0.0.0.0 no-xauth

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map vpnlist 1 ipsec-isakmp

set peer 91.103.35.24

set transform-set ESP-3DES-SHA

match address 102

access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

i can ping each peer from each router

but i can t ping one of the router's loopback interface 172.16.1.1 via the command:

ping 172.16.1.1 source 172.16.2.2

I turn on debug mode for cyp ipsec , isakmp engine but thre is nothing coming up!

I precise I ve go a AIM vpn module within the router 3845 and sh cry engine configuration is :

crypto engine name: Virtual Private Network (VPN) Module

crypto engine type: hardware

State: Enabled

Location: aim 0

VPN Module in slot: 0

and from 2821:

crypto engine name: Virtual Private Network (VPN) Module

crypto engine type: hardware

State: Enabled

Location: onboard 0

Product Name: Onboard-VPN

Middleware Version: v1.2.0

Firmware Version: v2.2.0

Crypto Adjacency Counts:

Lock Count: 0

Unlock Count: 0

crypto lib version: 19.0.0

I don t undestand why those vpn are not up and running ... is there a way to check whether or not aim module is correctly set up?

sh cry map :

Crypto Map "vpnlist" 1 ipsec-isakmp

Peer = 91.103.35.24

Extended IP access list 102

access-list 102 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

Current peer: 91.103.35.24

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

ESP-3DES-SHA,

}

Interfaces using crypto map vpnlist:

GigabitEthernet0/0.412

sh cry map router 1:

Crypto Map "vpnlist" 1 ipsec-isakmp

Peer = 91.103.35.20

Extended IP access list 102

access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

Current peer: 91.103.35.20

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

ESP-3DES-SHA,

}

Interfaces using crypto map vpnlist:

GigabitEthernet0/0.1

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
srue Thu, 05/29/2008 - 10:48

i can't tell from your config, where did you apply the crypto map?

try setting your isakmp keys for the specific peers, instead of 0.0.0.0

try debugg crypto isakmp/debug crypto ipsec

...make sure basic routing is set up also. in the very least, you need a default route, even if it's the other peer.

durale1789 Fri, 05/30/2008 - 01:13

my crypto map is attached to th outside interface under :

interface GigabitEthernet0/0.92

encapsulation dot1Q 92

ip address 92.103.32.126 255.255.255.128

interface GigabitEthernet0/0.412

encapsulation dot1Q 412

ip address 91.103.35.20 255.255.255.240

crypto map vpnlist

ip route 0.0.0.0 0.0.0.0 91.103.35.24

and now it is working it was the default route! and because i changed the crypto map from interface 0/0.92 to 0/0.412

However i doesn t resolve my problem I still want to assign crypto map to interface 0/0.92 and route via interface 0/0.412 but this way is not working ..why?

I could understand the default to catch encrypted traffic but i don t undesrstand whu i can t use the other network as outside interface ?

It would mean that i can t use subinterface and vlan to assign different crypto map!

Would i need to use vrf ?

ah and thank you very much for your help it makes me progressing a lot !

regards,

alex

srue Fri, 05/30/2008 - 04:15

try putting in a route to the remote network to leave your subinterface...

interface GigabitEthernet0/0.92

crypto map vpnlist

interface GigabitEthernet0/0.412

no crypto map vpnlist

ip route 172.16.2.0 255.255.255.0 GigabitEthernet0/0.92

durale1789 Fri, 05/30/2008 - 05:56

This is exactly what i ve noticed you need to make routes for each encryption domain with the destination as your outside interface.

so i did:

ip route 172.16.4.1 255.255.255.255 GigabitEthernet0/0.92

access-list 104 permit ip host 172.16.2.1 host 172.16.4.1

and it works perfectly

So now i will try to add a couple of vpn with different outside interfaces and check how it goes..

Thank you very much for your help indeed

I m wondering if can use ipsec tunnels within vrf ?

regards,

alex

Actions

This Discussion