
Unable to create VPN tunnel on ospf environment.

siddindia
Level 1

Hi,

I've been struggling for the last 1 week to create a successful VPN tunnel between each router in a tree-type router network. I've tried md5 with 3des but I failed. Someone on this forum suggested that I use a GRE tunnel with IPsec. Now I'm still unable to create a successful GRE tunnel between two routers in an OSPF routing environment.

I'm sending my configuration. Kindly check it; if it is wrong, give me the right configuration of a VPN tunnel in an OSPF routing environment between two routers.


Marwan ALshawi
VIP Alumni

add this on the routers

crypto isakmp policy 10

encryption des

now u have a problem with ur OSPF

u need to advertise the internal network and the tunnel networks as well only

u don't need to include the external IP address

remove it and add the tunnel network

also for the GRE ACL I would suggest u make the source from the internal network to the remote site internal network

good luck

if helpful Rate

Sir,

I have tried to follow your suggestions. Actually, I'm very new to VPN tunnels. I'm sending the configuration I have currently tried.

Now I'm able to create an IPsec tunnel with GRE, but data is not encrypted or decrypted, and also an error message comes in 56 sec.

%cypto-6-isakmp_mode_failure:processing of informational mode failed with peer at xx.xx.xx.xx .

Dear Sir, kindly help me to correct my configuration. Please update my configuration.

Hi Siddhartha,

Add the following static routes on the FHQ and Gandhinagar routers and post the results:

hostname FHQ

ip route 170.143.0.0 255.255.255.0 Serial0/0/1

hostname Gandhinagar

ip route 200.100.1.0 255.255.255.0 Serial0/0/0

HTH

Saju

Pls rate helpful posts

I'm still unable to sort out the problem.

The same error is coming and data is not encrypted or decrypted.

My humble request is to test these scenarios and then advise me.

I'm waiting for your reply.

Hi Siddhartha,

If you have added the two routes as I mentioned above, can you remove the following commands from the two routers and then check:

FHQ

no crypto map mymap local-address FastEthernet0/1

Gandhinagar

no crypto map mymap local-address GigabitEthernet0/0

Hi Siddhartha,

According to me, there are a lot of mistakes in your config. If you really want to sort this out, just give me a time from 11:00am to 1:00pm, Tuesday to Sunday, so that we can chat on my Yahoo Messenger; my ID is gcsnetexpert@yahoo.in, or call me on +91-9412222016, because I have to ask a lot of questions to sort out this matter.

Regards,

Anurag

Saju,

Kindly send me a sample configuration of a GRE tunnel with IPsec between two routers. That will be very helpful to me...

Waiting for your response....

Regards,

siddhartha

try to do the following

on BOTH routers

crypto isakmp identity address

crypto isakmp policy 10

hash md5

authentication pre-share

encryption des

group 2

change the ACLs as following:

access-list 100 permit gre 200.100.1.0 0.0.0.255 170.143.0.0 0.0.0.255

on the other router:

access-list 100 permit gre 170.143.0.0 0.0.0.255 200.100.1.0 0.0.0.255

good luck
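
IPsec peers negotiate phase 2 from their crypto ACLs, so the two `access-list 100` entries in the post above have to be exact mirrors of each other. The following is an added example, not code from any poster in this thread, that checks this offline; the function names and the router labels A/B are assumptions, and it assumes contiguous wildcard masks.

```python
import ipaddress
import re

# Extended-ACL form used in the thread:
#   access-list <id> permit <proto> <src> <src-wildcard> <dst> <dst-wildcard>
ACL_RE = re.compile(r"^access-list\s+\d+\s+permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def wildcard_net(addr, wildcard):
    """Turn an address plus contiguous wildcard mask into a network object."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is 0...01...1 in binary
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # strict=False masks off host bits so entries compare by network.
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)

def parse_entry(line):
    """Return (proto, src_net, dst_net); raise ValueError on a malformed line."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable ACL entry: {line.strip()!r}")
    proto, src, src_wc, dst, dst_wc = m.groups()
    return proto.lower(), wildcard_net(src, src_wc), wildcard_net(dst, dst_wc)

def check_mirror(side_a, side_b):
    """Return a list of problems; an empty list means the ACLs mirror each other."""
    problems, parsed = [], []
    for name, lines in (("A", side_a), ("B", side_b)):
        entries = set()
        for line in lines:
            try:
                entries.add(parse_entry(line))
            except ValueError as exc:
                problems.append(f"router {name}: {exc}")
        parsed.append(entries)
    # Every entry on one side needs the same protocol with src/dst swapped on the other.
    for mine, other, theirs in ((parsed[0], "B", parsed[1]), (parsed[1], "A", parsed[0])):
        for proto, src, dst in sorted(mine, key=str):
            if (proto, dst, src) not in theirs:
                problems.append(f"router {other} lacks mirror of: permit {proto} {src} -> {dst}")
    return problems

# The two entries from the thread (correctly spaced), plus a constructed malformed one.
ROUTER_A = ["access-list 100 permit gre 200.100.1.0 0.0.0.255 170.143.0.0 0.0.0.255"]
ROUTER_B = ["access-list 100 permit gre 170.143.0.0 0.0.0.255 200.100.1.0 0.0.0.255"]
MALFORMED = ["access-list 100 permit gre 200.100.1.0.0.0.255 170.143.0.0 0.0.0.255"]

if __name__ == "__main__":
    print(check_mirror(ROUTER_A, ROUTER_B))   # mirrored pair
    print(check_mirror(MALFORMED, ROUTER_B))  # missing space between address and wildcard
```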

gcsnetexpert
Level 1

As per my knowledge, there is some problem with access-list 100. You should use the interesting traffic source and destination addresses in access-list 100 rather than the peer addresses, because this is a VPN access-list, not the normal access-list applied on any interface.

ariesc_33
Level 1

Doesn't IPsec have an issue with multicast? OSPF uses multicast to discover a neighbor.

Hi,

Kindly send me a tested configuration sample of a GRE tunnel with IPsec between two routers. That will be very helpful to me.
