Ipsec site to site

Answered Question
Aug 9th, 2008

Hi,

I am using IPsec between two routers (site to site) in a lab environment for testing.

The Router A local LAN is not pinging the remote Router B, and the crypto section is showing down. Please provide the solution for bringing up this scenario.

The detailed configuration is as follows



Router B

Building configuration...

Current configuration : 957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.2
!
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set manju
 match address 110
!
!
!
!
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 speed auto
 crypto map 1
!
interface Serial0
 description AIRTEL-BANG [192.168.10.2]
 ip address 192.168.10.1 255.255.255.252
!
!
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip host 192.168.10.1 host 192.168.10.2
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 3
 login
line vty 4
 password cisco
 login
!
end


Router A

Building configuration...

Current configuration : 955 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-BANG
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.1
!
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set manju
 match address 110
!
!
!
!
interface FastEthernet0
 ip address 172.26.8.10 255.255.255.0
 speed auto
 crypto map 1
!
interface Serial0
 description AIRTEL-DELHI[192.168.10.1]
 ip address 192.168.10.2 255.255.255.252
!
interface Serial1
 no ip address
 shutdown
!
!
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip host 192.168.10.2 host 192.168.10.1
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end




Edison Ortiz Sat, 08/09/2008 - 04:44

The 'interesting' traffic in your ACL should be your LAN subnets, not the serial links.


For instance:


Router B:


access-list 110 permit ip 10.97.37.0 0.0.0.255 172.26.8.0 0.0.0.255


Router A:


access-list 110 permit ip 172.26.8.0 0.0.0.255 10.97.37.0 0.0.0.255


HTH,


__


Edison.


Please rate helpful posts



Correct Answer
rsgamage1 Sat, 08/09/2008 - 04:47

Hi,


I suppose your interesting traffic is between 10.97.37.0/24 and 172.26.8.0/24 networks, and your peers are 192.168.10.1 and 192.168.10.2 respectively.


Isn't it something like the following that you are looking for?


Try pinging between these networks and see whether it goes through the tunnel (debug crypto <> options).




Router B

Building configuration...

Current configuration : 957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.2
!
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set manju
 match address 110
!
!
!
!
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 speed auto
!
interface Serial0
 description AIRTEL-BANG [192.168.10.2]
 ip address 192.168.10.1 255.255.255.252
 crypto map 1
!
!
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 10.97.37.212 0.0.0.255 172.26.8.10 0.0.0.255
ip route 172.26.8.0 255.255.255.0 192.168.10.2
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 3
 login
line vty 4
 password cisco
 login
!
end


Router A

Building configuration...

Current configuration : 955 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-BANG
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.1
!
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set manju
 match address 110
!
!
!
!
interface FastEthernet0
 ip address 172.26.8.10 255.255.255.0
 speed auto
!
interface Serial0
 description AIRTEL-DELHI[192.168.10.1]
 ip address 192.168.10.2 255.255.255.252
 crypto map 1
!
interface Serial1
 no ip address
 shutdown
!
!
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 172.26.8.10 0.0.0.255 10.97.37.212 0.0.0.255
ip route 10.97.37.0 255.255.255.0 192.168.10.1
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end



HTH
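As an added example (not code from the thread or from any of its posters), the checks the answers above apply by hand, written as a small Python script. It parses trimmed IOS configs in the shape posted here and reports: a crypto map sitting on the LAN interface instead of the peer-facing one, a crypto ACL that names the serial link addresses rather than the LAN subnets, ACLs that are not mirror images of each other, a missing route toward the remote LAN, ISAKMP policies that differ between the two routers (policy 10 carries hash md5 on Router B but the default sha on Router A in the configs above), and the DES/MD5 algorithms the transform set and policy use. The sample configs, finding codes and helper names are constructed for this example; the IOS defaults for an unspecified ISAKMP policy attribute (sha, des, rsa-sig, group 1) are an assumption stated in the code.

```python
import ipaddress
from collections import defaultdict
# Added example, not code from the thread: consistency checks for the IOS site-to-site IPsec snippets
# posted above. ISAKMP defaults are IOS's (sha, des, rsa-sig, group 1); sample configs are constructed.
POLICY_DEFAULTS = {"hash": "sha", "encryption": "des", "authentication": "rsa-sig", "group": "1"}
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

def acl_flow(toks):
    """'host A host B' or 'A wildcard B wildcard' ACE operands -> (src_net, dst_net)."""
    nets = []
    while len(nets) < 2:
        if toks[0] == "host":
            nets.append(ipaddress.ip_network(toks[1])); toks = toks[2:]
        else:  # inverting the wildcard bits gives the netmask
            mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(toks[1])))
            nets.append(ipaddress.ip_network(f"{toks[0]}/{mask}", strict=False)); toks = toks[2:]
    return tuple(nets)

def parse_ios(text):
    """Collect ISAKMP policies, transform-sets, crypto maps, interfaces, crypto ACLs and static routes."""
    cfg = {"policies": {}, "tsets": {}, "maps": {}, "ifaces": {}, "acls": defaultdict(list), "routes": []}
    ctx = None  # the block (policy, crypto map or interface dict) the current line belongs to
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            ctx = None
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            ctx = cfg["policies"].setdefault(t[3], dict(POLICY_DEFAULTS))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = t[4:]; ctx = None
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:  # "crypto map NAME SEQ ipsec-isakmp"
            ctx = cfg["maps"].setdefault(t[2], {})
        elif t[0] == "interface":
            ctx = cfg["ifaces"].setdefault(t[1], {})
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acls"][t[1]].append(acl_flow(t[4:])); ctx = None
        elif t[:2] == ["ip", "route"]:
            cfg["routes"].append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)); ctx = None
        elif ctx is not None:  # sub-commands of the open block; other lines are ignored
            if t[0] in POLICY_DEFAULTS: ctx[t[0]] = t[1]
            elif t[0] == "set": ctx[t[1]] = t[2]  # set peer / set transform-set
            elif t[:2] == ["match", "address"]: ctx["acl"] = t[2]
            elif t[:2] == ["ip", "address"]: ctx["net"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
            elif t[:2] == ["crypto", "map"]: ctx["map"] = t[2]  # map applied to this interface
    return cfg

def check_pair(text_a, text_b):
    """Cross-check two peers' configs; returns sorted (code, detail) findings."""
    cfg, found, flows = {"A": parse_ios(text_a), "B": parse_ios(text_b)}, [], {}
    for me, other in (("A", "B"), ("B", "A")):
        c, o = cfg[me], cfg[other]
        peer_addrs = {m.get("peer") for m in o["maps"].values()}  # what the other side peers with
        connected = [d["net"].network for d in c["ifaces"].values() if "net" in d]
        for iface, d in ((i, d) for i, d in c["ifaces"].items() if "map" in d and "net" in d):
            if str(d["net"].ip) not in peer_addrs:  # the original post's mistake: map on the LAN side
                found.append(("MAP-IFACE", f"{me}: crypto map is on {iface} ({d['net'].ip}), not the address {other} peers with"))
            cmap = c["maps"][d["map"]]
            endpoints = {ipaddress.ip_address(p) for p in peer_addrs | {cmap.get("peer")} if p}
            flows[me] = set(c["acls"].get(cmap.get("acl"), []))
            for src, dst in flows[me]:
                if any(p in src or p in dst for p in endpoints):  # ACL must name the LANs, not the link
                    found.append(("ACL-PEER", f"{me}: ACL {cmap['acl']} matches the tunnel endpoints {src} -> {dst}"))
                if not any(dst.subnet_of(r) for r in c["routes"] + connected):
                    found.append(("ROUTE", f"{me}: no route toward {dst}"))
            algs = c["tsets"].get(cmap.get("transform-set"), []) + [v for p in c["policies"].values() for v in (p["hash"], p["encryption"])]
            found += [("WEAK", f"{me}: {alg}") for alg in algs if alg in WEAK]
    if flows.get("A") != {(d, s) for s, d in flows.get("B", ())}:
        found.append(("ACL-MIRROR", "the two crypto ACLs are not mirror images"))
    # Only explicit policies are compared; the implicit default (rsa-sig) cannot complete without certificates.
    if not any(pa == pb for pa in cfg["A"]["policies"].values() for pb in cfg["B"]["policies"].values()):
        found.append(("IKE-POLICY", "no configured ISAKMP policy is identical on both sides"))
    return sorted(found)

# Constructed sample shaped like the original post's Router B (trimmed): map on the LAN interface, ACL on the link.
BROKEN_B = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set manju ah-sha-hmac esp-des
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set manju
 match address 110
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 crypto map 1
interface Serial0
 ip address 192.168.10.1 255.255.255.252
access-list 110 permit ip host 192.168.10.1 host 192.168.10.2
"""
# The corrected shape from the answers: map on Serial0, LAN-to-LAN ACL, route to the remote LAN.
FIXED_B = BROKEN_B.replace(
    " crypto map 1\ninterface Serial0\n ip address 192.168.10.1 255.255.255.252\n",
    "interface Serial0\n ip address 192.168.10.1 255.255.255.252\n crypto map 1\n").replace(
    "access-list 110 permit ip host 192.168.10.1 host 192.168.10.2",
    "access-list 110 permit ip 10.97.37.0 0.0.0.255 172.26.8.0 0.0.0.255\n"
    "ip route 172.26.8.0 255.255.255.0 192.168.10.2")

def as_router_a(text):
    """Router A's side: swap the addresses and drop 'hash md5', as the thread's configs do."""
    for x, y in (("192.168.10.1", "192.168.10.2"), ("10.97.37", "172.26.8")):
        text = text.replace(x, "\0").replace(y, x).replace("\0", y)
    return text.replace(" hash md5\n", "")
```

check_pair(as_router_a(BROKEN_B), BROKEN_B) reports MAP-IFACE and ACL-PEER on both routers, the IKE-POLICY mismatch and the weak algorithms; the corrected pair clears the first two and leaves WEAK and IKE-POLICY, the latter being something to confirm with debug crypto isakmp rather than to take on faith from a static read of the configs. Note that the wildcard form normalises 10.97.37.212 0.0.0.255 to 10.97.37.0/24, which is why the answer's ACL and Edison's are equivalent.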

ntmanjunath Sat, 08/09/2008 - 05:47

Hi,


After doing the above-said configuration, the output is as follows.

Router#sh crypto session
Interface: Serial0
Session status: UP-IDLE
Peer: 192.168.10.1 port 500
 IKE SA: local 192.168.10.2/500 remote 192.168.10.1/500 Active
 IPSEC FLOW: permit ip 172.26.8.0/255.255.255.0 10.97.37.0/255.255.255.0
 Active SAs: 0, origin: crypto map

How do I check the secured tunnel between the two peers?
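As an added example, not part of the thread: a small Python reader for the show crypto session output posted above, plus the main-mode states that show crypto isakmp sa reports, so that a Phase 1 problem (no IKE SA) can be told apart from a Phase 2 one. The output above is the second case: the IKE SA is Active but the flow shows Active SAs: 0, meaning Phase 1 completed and no IPsec SA has been negotiated yet, usually because no traffic matching the crypto ACL has been sent. The show crypto isakmp sa sample row, the verdict strings and the function names are constructed for this example.

```python
import re

# Added example, not from the thread: read "show crypto session" (the output posted above) and
# "show crypto isakmp sa" (constructed sample row) to separate Phase 1 from Phase 2 problems.
SESSION_OUTPUT = """\
Interface: Serial0
Session status: UP-IDLE
Peer: 192.168.10.1 port 500
  IKE SA: local 192.168.10.2/500 remote 192.168.10.1/500 Active
  IPSEC FLOW: permit ip 172.26.8.0/255.255.255.0 10.97.37.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""
ISAKMP_OUTPUT = """\
dst             src             state          conn-id slot status
192.168.10.1    192.168.10.2    QM_IDLE              1    0 ACTIVE
"""
ISAKMP_STATES = {  # main-mode states shown by "show crypto isakmp sa"
    "MM_NO_STATE": "Phase 1 began but nothing was agreed: peer unreachable or ISAKMP policy mismatch",
    "MM_SA_SETUP": "Phase 1 parameters agreed, key exchange pending",
    "MM_KEY_EXCH": "Diffie-Hellman done, peer not yet authenticated (pre-shared key is the usual suspect)",
    "MM_KEY_AUTH": "authenticated, Phase 1 finishing",
    "QM_IDLE": "Phase 1 complete and idle; quick mode (Phase 2) can run",
}

def parse_session(text):
    """Return {status, peer, ike, flows: [{flow, active_sas}]} from 'show crypto session' text."""
    s = {"flows": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Session status:"):
            s["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            s["peer"] = line.split()[1]
        elif line.startswith("IKE SA:"):
            s["ike"] = line.split()[-1]  # Active / Inactive
        elif line.startswith("IPSEC FLOW:"):
            s["flows"].append({"flow": line.split(":", 1)[1].strip(), "active_sas": 0})
        elif line.startswith("Active SAs:") and s["flows"]:
            s["flows"][-1]["active_sas"] = int(re.search(r"Active SAs:\s*(\d+)", line).group(1))
    return s

def diagnose(session):
    """Map a parsed session to a (verdict, next step) pair."""
    if session.get("status", "DOWN").startswith("DOWN"):
        return ("phase1-down", "no IKE SA: check peer reachability, a matching ISAKMP policy and the "
                               "pre-shared key (debug crypto isakmp)")
    idle = [f["flow"] for f in session["flows"] if f["active_sas"] == 0]
    if idle:
        return ("phase2-pending", "IKE is up but there is no IPsec SA for: " + "; ".join(idle) +
                ". Send traffic that matches the crypto ACL; if Active SAs stays 0, check the "
                "transform set and mirrored ACLs (debug crypto ipsec)")
    return ("up", "IKE and IPsec SAs are established")

def isakmp_states(text):
    """Return [(dst, src, state, meaning)] for each SA row of 'show crypto isakmp sa'."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), ISAKMP_STATES.get(m.group(3), "unrecognised state")))
    return rows
```

diagnose(parse_session(SESSION_OUTPUT)) yields the phase2-pending verdict for the output above; a QM_IDLE row from show crypto isakmp sa confirms the same thing from the IKE side, and an MM_ state that never advances points at Phase 1 instead.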


rsgamage1 Sat, 08/09/2008 - 08:06

Since you've set up a testbed, it would be interesting to study the output of debug crypto in order to have a better understanding.


HTH.



thiru.vel10 Sat, 08/09/2008 - 04:54



Hi, there is no routing between the LAN subnets. Please try to add this:

Router A

ip route 10.97.37.0 255.255.255.0 192.168.10.1

Router B

ip route 172.26.8.0 255.255.255.0 192.168.10.2


rsgamage1 Mon, 08/11/2008 - 00:24

Did you manage to perform required tests successfully?

ntmanjunath Mon, 08/11/2008 - 00:40

Yes, I did. After successful configuration the site was working and the session was up. Unexpectedly, I used the clear crypto isakmp command and the session never came up; it is still showing down only.

rsgamage1 Mon, 08/11/2008 - 00:49

Even when you try to put some interesting traffic (e.g. by pinging from one internal network to the other) ?


Have you tried debug crypto {isakmp/ipsec/verbose} to see what they say?



ntmanjunath Mon, 08/11/2008 - 01:25

I tried pinging from the local Ethernet to the remote one and it's still showing the same status.

Do you know how to enable the display for debug?

When I try the command debug crypto isakmp, nothing is displayed.


Correct Answer
thiru.vel10 Mon, 08/11/2008 - 04:21

Try this command sh ip crypto isakmp sa


Then check the status

