Site to site IPSec help

th3rub3x1
Level 1

I'm trying to establish a site-to-site VPN in Packet Tracer. I followed the instructions from a website, but can't seem to get it working. The site said that it would break OSPF updates and I would need to set up a GRE tunnel. So far it broke all traffic except OSPF updates; show ip route shows all the needed routes. I've uploaded the Packet Tracer file as well as both router configs. (The Packet Tracer file's extension is .png; you'll have to change it back to .pkt.)

Accepted Solution

Lovleen Arora
Level 1

Just briefly checking your config:

Pre-shared-key is missing.

S2Router is missing PFS2 in crypto map.

Crypto ACL SECURED_TRAFFIC MUST BE AN EXACT REPLICA (in-reverse) on each router.

Once you fix these basic VPN issues, if it still doesn't work, we can look into advanced troubleshooting. At this stage it's just your config which needs to be correct.

And you'd better use GNS3 etc. for this sort of test, or physical hardware if possible. Packet Tracer is very basic for VPN things, I guess.

Regards

Plz mark answer as correct if it is of any help.

Thanks, that works :-)  For the record, I'm pretty much forced to use Packet Tracer as this is a project for class where I have to design a network. It could be done in GNS3, but I'd have to save all configs, upload to real racks, and it would be kind of a pain to set up and demonstrate to the class :-p  Believe me, I hate PT with a passion after this project lol

As it turns out I had the ACL wrong.  When I fix the ACL and the traffic is matching, it does not work.  Here are the two configs.  It seems as if any traffic that is unmatched by the ACL successfully goes through.

> Pre-shared-key is missing.

Isn't the preshared key simply "0":

crypto isakmp key 0 address 10.0.0.9

The ACL is still incorrect, mate, on one of the routers. Note it has to be an exact replica: like 60 to 80 on one end and 80 to 60 on the other end.

Use this link for help:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
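As an added example (not from this thread, Cisco, or firewall.cx), a small Python lint for the three basics Lovleen lists in the accepted answer and repeats above: a real pre-shared keystring, `set pfs` in the crypto map, and a crypto ACL that is an exact mirror on the two routers. It runs over two constructed IOS snippets: S1 protects 192.168.60.0/24 to 192.168.80.0/24 and carries a key line in the form the OP quoted, S2 protects the reverse; the map name VPN_MAP, the peer addresses and the keystring are assumptions, while SECURED_TRAFFIC is the thread's ACL name.

```python
# Constructed samples (not the thread's real configs); S1's key line is the form the OP quoted.
S1_CONFIG = """\
crypto isakmp key 0 address 10.0.0.9
crypto map VPN_MAP 10 ipsec-isakmp
 set pfs group2
ip access-list extended SECURED_TRAFFIC
 permit ip 192.168.60.0 0.0.0.255 192.168.80.0 0.0.0.255
"""
S2_CONFIG = """\
crypto isakmp key 0 cisco123 address 10.0.0.1
crypto map VPN_MAP 10 ipsec-isakmp
ip access-list extended SECURED_TRAFFIC
 permit ip 192.168.80.0 0.0.0.255 192.168.60.0 0.0.0.255
"""

def stanzas(cfg):  # {top-level line: [tokens of each indented child line]}
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur is not None:
            out[cur].append(line.split())
        elif line.strip():
            out[(cur := line.strip())] = []
    return out

def isakmp_keys(cfg):  # peer address -> keystring; None = only the 0/6 encryption-type flag was typed
    keys = {}
    for tok in (h.split() for h in stanzas(cfg) if h.startswith("crypto isakmp key ")):
        rest = tok[4:] if tok[3] in ("0", "6") else tok[3:]  # drop the optional 0/6 flag
        if len(rest) >= 3 and rest[1] == "address":
            keys[rest[2]] = rest[0]
        elif len(rest) >= 2 and rest[0] == "address":  # flag typed, keystring omitted
            keys[rest[1]] = None
    return keys

def has_pfs(cfg, cmap):  # does the named crypto map carry a 'set pfs' line?
    return any(t[:2] == ["set", "pfs"] for h, body in stanzas(cfg).items()
               if h.startswith(f"crypto map {cmap} ") for t in body)

def crypto_acl(cfg, name):  # (src, src_wc, dst, dst_wc) per 'permit ip' line of the named ACL
    return [tuple(t[2:6]) for t in stanzas(cfg).get(f"ip access-list extended {name}", [])
            if t[:2] == ["permit", "ip"]]

def acls_mirror(a, b):  # each entry on one side must appear src/dst-swapped on the other (60->80 vs 80->60)
    return sorted(a) == sorted((d, dw, s, sw) for s, sw, d, dw in b)

def lint_pair(cfg_a, cfg_b, acl="SECURED_TRAFFIC", cmap="VPN_MAP"):  # [] means the three basics check out
    findings = []
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        findings += [f"{label}: key for {peer} has no keystring (0/6 is just the encryption-type flag)"
                     for peer, key in isakmp_keys(cfg).items() if key is None]
        if not has_pfs(cfg, cmap):
            findings.append(f"{label}: crypto map {cmap} has no 'set pfs'")
    if not acls_mirror(crypto_acl(cfg_a, acl), crypto_acl(cfg_b, acl)):
        findings.append(f"crypto ACL {acl} is not an exact mirror between the two routers")
    return findings
```

Run `lint_pair(S1_CONFIG, S2_CONFIG)` to see the two findings for the samples (S1's missing keystring and S2's missing PFS); the mirrored ACL passes.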

Meh, it was working all along; I sent you the wrong configs. I have 4 different PT files because I keep old ones in case PT crashes. Two times I had Packet Tracer crash and overwrite the files with empty data and had a 0 byte project file, so every time I make changes I copy the file in case it crashes. I was working out of the wrong PT file! Thanks again.