IPSec tunnel doesn't work

gustavo-salazar
Level 1

Hi,

I'm practicing a little with 2 Cisco routers, a 2811 and a 2621. I made the basic configuration for an IPSec connection but the tunnel doesn't seem to come up. Also, I can ping each other router's external interface but I can't ping the inside network behind each one. Any ideas? The outside interfaces are connected via crossover UTP cable. These are the sh run of each one:

Router 2621:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RPrueba2
!
logging buffered 51200 warnings
enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70
!
username supervisor privilege 15 password 7 07062F49420C1A110513
voice-card 1
!
ip subnet-zero
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key Inelectra address 20.20.20.21
!
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map armadillo 1 ipsec-isakmp
 set peer 20.20.20.21
 set security-association lifetime seconds 4000
 set transform-set basic
 set pfs group1
 match address 101
!
call rsvp-sync
!
controller E1 1/0
!
interface FastEthernet0/0
 ip address 192.168.250.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 20.20.20.1 255.255.255.0
 duplex auto
 speed auto
 crypto map armadillo
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.21
ip http server
!
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
 password 7 020F0A5E07030C355E4F
 login
line aux 0
line vty 0 4
 privilege level 15
 password 7 12100B121E0E0F10382A
 login
 transport input telnet ssh
!
end

Router 2811:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RPrueba
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
no network-clock-participate wic 1
ip subnet-zero
!
ip cef
!
voice-card 0
 no dspfarm
!
username supervisor privilege 15 password 7 07062F49420C1A110513
!
controller E1 0/1/0
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key Inelectra address 20.20.20.1
!
crypto ipsec transform-set Ineset ah-md5-hmac esp-des
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map armadillo 1 ipsec-isakmp
 set peer 20.20.20.1
 set security-association lifetime seconds 4000
 set transform-set basic
 set pfs group1
 match address 102
!
interface FastEthernet0/0
 ip address 192.168.240.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.20.20.21 255.255.255.0
 duplex auto
 speed auto
 crypto map armadillo
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 any
access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255
!
control-plane
!
line con 0
 password 7 020F0A5E07030C355E4F
 login
line aux 0
line vty 0 4
 privilege level 15
 password 7 12100B121E0E0F10382A
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

I also tried the show crypto isakmp sa and there is nothing on the tables. Thanks for any help.

Gustavo

Accepted Solutions

Under crypto map armadillo in Router 2621:

Use the crypto ACL 102 instead of 101.

match address 102

And then clear the isakmp sa and ipsec sa

then try to ping.

3 Replies

I made the changes to match ACL 102 and cleared both SAs. I tried to ping but it still doesn't work. Any other thoughts?

Gustavo

It actually works, my bad... :P

Thanks a lot.
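
The fix in the accepted solution comes down to the two crypto ACLs being mirror images of each other. The following check is an added example, not part of the original thread or any Cisco tool: it compares the ACLs referenced by `match address` on both routers, using the relevant lines from the configs posted above. The function names are hypothetical, and it assumes numbered ACLs with `permit ip` entries only.

```python
import re

# Relevant lines copied from the two running-configs in the post.
R2621 = """\
crypto map armadillo 1 ipsec-isakmp
 set peer 20.20.20.21
 match address 101
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
"""
R2811 = """\
crypto map armadillo 1 ipsec-isakmp
 set peer 20.20.20.1
 match address 102
access-list 101 permit ip 192.168.240.0 0.0.0.255 any
access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255
"""

def _endpoint(tokens):
    """Consume one source/destination spec; return ((network, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def crypto_selectors(config):
    """Return the set of (src, dst) pairs in the ACLs referenced by crypto maps."""
    acl_ids = set(re.findall(r"^\s*match address (\d+)", config, re.M))
    pairs = set()
    for acl_id, rest in re.findall(r"^access-list (\d+) permit ip (.+)$", config, re.M):
        if acl_id in acl_ids:
            src, tail = _endpoint(rest.split())
            dst, _ = _endpoint(tail)
            pairs.add((src, dst))
    return pairs

def mirror_mismatches(local_cfg, peer_cfg):
    """List local selectors that have no swapped (dst, src) twin on the peer."""
    peer = crypto_selectors(peer_cfg)
    return sorted(p for p in crypto_selectors(local_cfg) if (p[1], p[0]) not in peer)

if __name__ == "__main__":
    print("as posted:", mirror_mismatches(R2621, R2811))
    fixed = R2621.replace("match address 101", "match address 102")
    print("after fix:", mirror_mismatches(fixed, R2811))
```

An empty list means every local selector has a mirrored entry on the peer, which is the state the 2621 reaches once its crypto map matches ACL 102.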
