10-02-2009 01:53 PM - edited 02-21-2020 04:20 PM
Hi,
I'm practicing a little with 2 Cisco routers, a 2811 and a 2621. I made the basic configuration for an IPSec connection but the tunnel doesn't seem to come up. Also, I can ping each other router's external interface but I can't ping the inside network behind each one. Any ideas? The outside interfaces are connected via crossover UTP cable. These are the sh run of each one:
Router 2621:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RPrueba2
!
logging buffered 51200 warnings
enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70
!
username supervisor privilege 15 password 7 07062F49420C1A110513
voice-card 1
!
ip subnet-zero
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key Inelectra address 20.20.20.21
!
!
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map armadillo 1 ipsec-isakmp
set peer 20.20.20.21
set security-association lifetime seconds 4000
set transform-set basic
set pfs group1
match address 101
!
call rsvp-sync
!
!
!
!
!
!
controller E1 1/0
!
!
!
interface FastEthernet0/0
ip address 192.168.250.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 20.20.20.1 255.255.255.0
duplex auto
speed auto
crypto map armadillo
!
interface Serial0/1
no ip address
shutdown
!
interface Serial0/2
no ip address
shutdown
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.21
ip http server
!
!
!
!
!
!
!
!
!
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
password 7 020F0A5E07030C355E4F
login
line aux 0
line vty 0 4
privilege level 15
password 7 12100B121E0E0F10382A
login
transport input telnet ssh
!
end
Router 2811:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RPrueba
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
no network-clock-participate wic 1
ip subnet-zero
!
!
ip cef
!
!
!
!
voice-card 0
no dspfarm
!
username supervisor privilege 15 password 7 07062F49420C1A110513
!
!
controller E1 0/1/0
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key Inelectra address 20.20.20.1
!
!
crypto ipsec transform-set Ineset ah-md5-hmac esp-des
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map armadillo 1 ipsec-isakmp
set peer 20.20.20.1
set security-association lifetime seconds 4000
set transform-set basic
set pfs group1
match address 102
!
!
!
!
interface FastEthernet0/0
ip address 192.168.240.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.20.20.21 255.255.255.0
duplex auto
speed auto
crypto map armadillo
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 any
access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255
!
control-plane
!
line con 0
password 7 020F0A5E07030C355E4F
login
line aux 0
line vty 0 4
privilege level 15
password 7 12100B121E0E0F10382A
login
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
I also tried the show crypto isakmp sa and there is nothing on the tables. Thanks for any help.
Gustavo
10-02-2009 08:46 PM
Under crypto map armadillo in Router 2621:
Use the crypto ACL 102 instead of 101.
match address 102
And then clear the isakmp sa and ipsec sa
then try to ping.
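The fix above makes the two peers' crypto ACLs mirror images of each other. The following check is an added example, not part of the original thread: it reads the ACL each crypto map matches and tests whether one side's source/destination pairs are the exact swap of the other's. The function names are hypothetical, the config excerpts are trimmed from the two running configs posted above, and only numbered `access-list N permit ip` entries are handled.

```python
import re

# Excerpts of the two running configs from the thread (only the lines the check needs).
R2621 = """\
crypto map armadillo 1 ipsec-isakmp
 match address 101
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
"""
R2811 = """\
crypto map armadillo 1 ipsec-isakmp
 match address 102
access-list 101 permit ip 192.168.240.0 0.0.0.255 any
access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255
"""
ANY = ("0.0.0.0", "255.255.255.255")  # how 'any' is represented in this example

def _take_addr(tokens):
    """Consume one address spec from the token list: 'any', 'host A', or 'A wildcard'."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))

def crypto_selectors(config):
    """Return the (source, destination) pairs of the ACL named by 'match address'."""
    m = re.search(r"^\s*match address (\S+)", config, re.M)
    if not m:
        raise ValueError("no 'match address' line in config")
    selectors = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] == ["access-list", m.group(1), "permit", "ip"]:
            rest = tokens[4:]
            src, dst = _take_addr(rest), _take_addr(rest)
            selectors.add((src, dst))
    return selectors

def mirrored(config_a, config_b):
    """True when each peer's crypto ACL is the exact src/dst swap of the other's."""
    a = crypto_selectors(config_a)
    b = {(dst, src) for src, dst in crypto_selectors(config_b)}
    return bool(a) and a == b

if __name__ == "__main__":
    print("as posted:", mirrored(R2621, R2811))
    fixed = R2621.replace("match address 101", "match address 102")
    print("with match address 102 on the 2621:", mirrored(fixed, R2811))
```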
10-05-2009 10:24 AM
I made the changes to match ACL 102 and cleared both SAs. I tried to ping but it still doesn't work. Any other thoughts?
Gustavo
10-05-2009 11:45 AM
It actually works, my bad... :P
Thanks a lot.