
IP sec issue

arupbiet2006
Level 1

Hi all,

I had configured IPsec but the link can't come up, so could you help me to configure IPsec?

9 Replies

satish_zanjurne
Level 4

Hi,

1. Don't start with the IPsec configuration directly.

2. First see whether the link is up between the peers and whether the peers can ping each other.

3. Use show interface to see the interface status.

HTH..rate if helpful..

Hello... everything is OK... could you send me an IPsec config?

1. Tell me on which devices you are trying to establish the IPsec?

IPsec between router to router

First Router Config

---------------------------------------

hostname R2
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key ciscokey address 200.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description LAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description WAN interface where other peer is connected
 ip address 100.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
ip route 0.0.0.0 0.0.0.0 100.1.1.254
!
!--- Exclude the private network from the NAT process:
ip nat inside source list 175 interface Ethernet1/0 overload
!
!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!--- Exclude the private network from the NAT process:
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any

---------------------------------------

Router R3

hostname R3
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key ciscokey address 100.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description LAN Interface
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description WAN Interface
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
ip route 0.0.0.0 0.0.0.0 200.1.1.254
!
!--- Exclude the private network from the NAT process:
ip nat inside source list 122 interface Ethernet1/0 overload
!
!--- Exclude the static-NAT traffic from the NAT process if destined
!--- over the encrypted tunnel:
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!--- Exclude the private network from the NAT process:
access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any
!
!--- Exclude the static-NAT traffic from the NAT process if destined
!--- over the encrypted tunnel:

-------------------------------------------

HTH...rate if helpful...

Make sure you are adding proper default routes..
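
A consistency check for the two router configurations posted above, as an added example that is not part of the thread and not Cisco tooling: it parses the settings both peers must agree on (peer address, pre-shared key, transform set, mirrored crypto ACL) and flags DES, 3DES and MD5 transforms as legacy. The names FIELDS, parse, check and side, and the abridged sample configs built by side, are constructed for illustration.

```python
import re

FIELDS = {  # field -> regex matched against one stripped config line
    "psk": r"crypto isakmp key (\S+) address",
    "transforms": r"crypto ipsec transform-set \S+ (.+)",
    "peer": r"set peer (\S+)",
    "crypto_acl": r"match address (\d+)",
}

def parse(cfg):  # extract the settings that both IPsec peers must agree on
    d, acls, ip = {}, {}, None
    for line in map(str.strip, cfg.splitlines()):
        for key, pat in FIELDS.items():
            if m := re.match(pat, line):
                d[key] = m.group(1)
        if m := re.match(r"ip address (\S+)", line):
            ip = m.group(1)                   # remember the current interface address
        elif re.fullmatch(r"crypto map \S+", line):
            d["wan_ip"] = ip                  # the crypto map is applied on this interface
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    d["acl"] = acls.get(d.get("crypto_acl"), [])  # permit entries of the crypto ACL only
    return d

def check(a, b):  # list mismatches that stop negotiation, then weak-algorithm findings
    issues = []
    for x, y, name in ((a, b, "A"), (b, a, "B")):
        if x["peer"] != y["wan_ip"]:
            issues.append(f"{name}: set peer {x['peer']} is not the other side's crypto-map address")
    for key in ("psk", "transforms"):
        if a[key] != b[key]:
            issues.append(f"{key} differs between peers")
    if a["acl"] != [(dst, src) for src, dst in b["acl"]]:
        issues.append("crypto ACLs are not mirror images")
    used = set((a["transforms"] + " " + b["transforms"]).split())
    weak = {"esp-des", "esp-3des", "esp-md5-hmac"} & used
    return issues + [f"weak transform: {t}" for t in sorted(weak)]

def side(wan, peer, lan, remote):  # constructed sample, abridged from the thread's configs
    return f"""crypto isakmp key ciscokey address {peer}
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
 set peer {peer}
 match address 101
interface Ethernet1/0
 ip address {wan} 255.255.255.0
 crypto map myvpn
access-list 101 permit ip {lan} 0.0.0.255 {remote} 0.0.0.255"""
R2 = parse(side("100.1.1.1", "200.1.1.1", "172.16.1.0", "10.1.1.0"))
R3 = parse(side("200.1.1.1", "100.1.1.1", "10.1.1.0", "172.16.1.0"))
```

For the thread's R2/R3 pair, check(R2, R3) reports no mismatches, only the two legacy transforms.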

When I type the crypto ipsec transform-set command, then I can't enter this: myset esp-3des esp-md5-hmac

!

Hi,

myset is the name of the transform set, so you need to type it as it is. It is not a keyword, but esp-3des and esp-md5-hmac are keywords; you can get these by using "?" or pressing Tab.

Thank you satish.
