Ipsec site to site

ntmanjunath
Level 1

Hi,

I am using IPsec between two routers (site to site) in a lab environment for testing.

The Router A local LAN is not pinging the remote Router B, and the crypto session is showing down. Please provide the solution for bringing up this scenario.

The detailed configuration is as follows:

Router B

Building configuration...
Current configuration : 957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.2
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set manju
 match address 110
!
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 speed auto
 crypto map 1
!
interface Serial0
 description AIRTEL-BANG [192.168.10.2]
 ip address 192.168.10.1 255.255.255.252
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip host 192.168.10.1 host 192.168.10.2
!
control-plane
!
line con 0
line aux 0
line vty 0 3
 login
line vty 4
 password cisco
 login
!
end

Router A

Building configuration...
Current configuration : 955 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-BANG
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.1
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set manju
 match address 110
!
interface FastEthernet0
 ip address 172.26.8.10 255.255.255.0
 speed auto
 crypto map 1
!
interface Serial0
 description AIRTEL-DELHI[192.168.10.1]
 ip address 192.168.10.2 255.255.255.252
!
interface Serial1
 no ip address
 shutdown
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip host 192.168.10.2 host 192.168.10.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

14 Replies

Edison Ortiz
Hall of Fame

The 'interesting' traffic in your ACL should be your LAN subnets, not the serial links.

For instance:

Router B:

access-list 110 permit ip 10.97.37.0 0.0.0.255 172.26.8.0 0.0.0.255

Router A:

access-list 110 permit ip 172.26.8.0 0.0.0.255 10.97.37.0 0.0.0.255

HTH,

__

Edison.

Please rate helpful posts

rsgamage1
Level 3

Hi,

I suppose your interesting traffic is between 10.97.37.0/24 and 172.26.8.0/24 networks, and your peers are 192.168.10.1 and 192.168.10.2 respectively.

Isn't it something like the following that you are looking for?

Try pinging between these networks and see whether it goes through the tunnel (debug crypto <> options).

Router B

Building configuration...
Current configuration : 957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.2
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set manju
 match address 110
!
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 speed auto
!
interface Serial0
 description AIRTEL-BANG [192.168.10.2]
 ip address 192.168.10.1 255.255.255.252
 crypto map 1
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 10.97.37.212 0.0.0.255 172.26.8.10 0.0.0.255
ip route 172.26.8.0 255.255.255.0 192.168.10.2
!
control-plane
!
line con 0
line aux 0
line vty 0 3
 login
line vty 4
 password cisco
 login
!
end

Router A

Building configuration...
Current configuration : 955 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-BANG
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.1
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set manju
 match address 110
!
interface FastEthernet0
 ip address 172.26.8.10 255.255.255.0
 speed auto
!
interface Serial0
 description AIRTEL-DELHI[192.168.10.1]
 ip address 192.168.10.2 255.255.255.252
 crypto map 1
!
interface Serial1
 no ip address
 shutdown
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 172.26.8.10 0.0.0.255 10.97.37.212 0.0.0.255
ip route 10.97.37.0 255.255.255.0 192.168.10.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

HTH

Hi,

After doing the above configuration, the output is as follows.

Router#sh crypto session
Interface: Serial0
Session status: UP-IDLE
Peer: 192.168.10.1 port 500
  IKE SA: local 192.168.10.2/500 remote 192.168.10.1/500 Active
  IPSEC FLOW: permit ip 172.26.8.0/255.255.255.0 10.97.37.0/255.255.255.0
        Active SAs: 0, origin: crypto map

How do I check the secured tunnel between two peers?

show crypto ipsec sa is the command I use the most.

More commands and explanation can be found at:

http://www.cisco.com/warp/public/707/20.html

HTH,

__

Edison.

Since you've set up a testbed, it would be interesting to study the output of debug crypto in order to get a better understanding.

HTH.

Hi ,

Thanks for your support. My rating is 5.

thiru.vel10
Level 1

Hi, there is no routing between the LAN subnets, so please try to add this:

Router A

ip route 10.97.37.0 255.255.255.0 192.168.10.1

Router B

ip route 172.26.8.0 255.255.255.0 192.168.10.2

rsgamage1
Level 3

Did you manage to perform required tests successfully?

Yes, I did. After successful configuration the site was working and the session was up. Unexpectedly, I used the clear crypto isakmp command and the session never came up; it is still showing down.

Even when you try to put some interesting traffic through (e.g. by pinging from one internal network to the other)?

Have you tried debug crypto {isakmp/ipsec/verbose} to see what they say?

I tried pinging from the local Ethernet to the remote one, and it's still showing the same status.

Do you know how to enable the display for debug?

When I try the command debug crypto isakmp, nothing is displayed.

Try this command sh ip crypto isakmp sa

Then check the status
