Site-to-site VPN in packet tracer

joshbroadbent
Level 1

Hi,

I have configured two LANs with NAT. There is an ISP router in between these routers to emulate the internet.

I would like to configure a site-to-site VPN between these two routers.

Here is the configuration of R1 and R3:

R1:

hostname R1
!
no ip cef
no ipv6 cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! the pre-shared key string is not shown in the post (syntax: crypto isakmp key 0 <key> address <peer>)
crypto isakmp key 0 address 209.123.123.33
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
!
crypto map auda 100 ipsec-isakmp
 set peer 209.123.123.33
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set yasser
 match address ramzy
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.16.1.21 255.255.248.0
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.16.8.99 255.255.248.0
 ip nat inside
!
interface Serial0/3/0
 ip address 209.123.123.1 255.255.255.240
 ip nat outside
 clock rate 128000
 crypto map auda
!
router ospf 1
 router-id 15.15.15.15
 log-adjacency-changes
 network 172.16.8.0 0.0.7.255 area 1
 network 209.123.123.0 0.0.0.15 area 0
!
ip nat inside source list ADDRESSES interface Serial0/3/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list standard ADDRESSES
 permit 172.16.8.0 0.0.7.255
ip access-list extended ramzy
 permit ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


R3:

hostname R3
!
no ip cef
no ipv6 cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! the pre-shared key string is not shown in the post (syntax: crypto isakmp key 0 <key> address <peer>)
crypto isakmp key 0 address 209.123.123.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
!
crypto map auda 100 ipsec-isakmp
 set peer 209.123.123.1
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set yasser
 match address ramzy
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.16.1.22 255.255.248.0
 duplex auto
 speed auto
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 172.16.40.99 255.255.248.0
 ip nat inside
!
interface Serial0/3/1
 ip address 209.123.123.33 255.255.255.240
 ip nat outside
 crypto map auda
!
router ospf 1
 router-id 25.25.25.25
 log-adjacency-changes
 network 172.16.40.0 0.0.7.255 area 2
 network 209.123.123.32 0.0.0.15 area 0
!
ip nat inside source list ADDRESSES interface Serial0/3/1 overload
ip classless
!
ip flow-export version 9
!
ip access-list standard ADDRESSES
 permit 172.16.40.0 0.0.7.255
ip access-list extended ramzy
 permit ip 172.16.40.0 0.0.7.255 172.16.8.0 0.0.7.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


Attempting to ping from PC-A (172.16.8.1) to PC-C (172.16.40.1) doesn't work.

I have tried numerous times to get traffic to flow through the tunnel with no success. Can anyone tell me where I am going wrong?

 

Thanks,

 

Josh

Accepted Solution

Hi Josh,

 

On this deployment you will not be able to ping or reach the other side because of the NAT: it is dynamically NATting the IP addresses. You will need to do the following:

 

R1:

no ip nat inside source list ADDRESSES interface Serial0/3/0 overload
no ip access-list standard ADDRESSES
!
ip access-list extended ADDRESSES_NAT
 ! VPN traffic is denied (exempted from NAT) first; everything else is still translated
 deny ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255
 permit ip 172.16.8.0 0.0.7.255 any
!
ip nat inside source list ADDRESSES_NAT interface Serial0/3/0 overload

R3:

no ip nat inside source list ADDRESSES interface Serial0/3/1 overload
no ip access-list standard ADDRESSES
!
ip access-list extended ADDRESSES_NAT
 deny ip 172.16.40.0 0.0.7.255 172.16.8.0 0.0.7.255
 permit ip 172.16.40.0 0.0.7.255 any
!
ip nat inside source list ADDRESSES_NAT interface Serial0/3/1 overload

 

With these show commands you can make sure phase 1 and phase 2 are up and working:

 

- show crypto isakmp sa

- show crypto ipsec sa

 

Hope this helps!

 

Please proceed to rate and mark as correct the helpful Post!

 

David Castro,

 

Regards
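As an added check that is not part of the thread, the script below parses the ACLs quoted above (IOS address/wildcard form) and verifies the two conditions this thread hinges on: that the NAT ACL never translates the traffic the crypto ACL selects, and that R1's and R3's crypto ACLs are exact mirrors of each other. The ACL text is copied from the posts; the function names and the conservative overlap logic are my own.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard_to_net(addr, wildcard):
    """IOS address + wildcard mask -> IPv4Network (wildcard is the inverted netmask)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_ace(line):
    """One ACE -> (action, src, dst). Accepts 'permit ip A WA B WB', 'any', and
    the standard-ACL form 'permit A WA' (destination implicitly any)."""
    tok = line.split()
    action, tok = tok[0], (tok[2:] if tok[1] == "ip" else tok[1:])
    nets = []
    while tok:
        if tok[0] == "any":
            nets.append(ANY); tok = tok[1:]
        else:
            nets.append(wildcard_to_net(tok[0], tok[1])); tok = tok[2:]
    return action, nets[0], (nets[1] if len(nets) > 1 else ANY)

def nat_exempts_vpn(nat_acl, crypto_acl):
    """True if nothing the crypto ACL selects can be translated by the NAT ACL.
    For each crypto permit, walk the NAT ACL in order: an overlapping permit is a
    problem, a deny covering the whole flow settles it, a partial deny is skipped
    (conservative: may over-report, never under-reports)."""
    for act, s, d in crypto_acl:
        for nact, ns, nd in nat_acl:
            if act != "permit" or not (s.overlaps(ns) and d.overlaps(nd)):
                continue
            if nact == "permit":
                return False
            if s.subnet_of(ns) and d.subnet_of(nd):
                break
    return True

def crypto_acls_mirror(local, remote):
    """Phase 2 needs each side's interesting traffic to mirror the other's exactly."""
    fwd = {(s, d) for a, s, d in local if a == "permit"}
    return fwd == {(d, s) for a, s, d in remote if a == "permit"}

# ACLs from the thread: the crypto ACL 'ramzy' on R1 and R3, R1's original standard
# NAT list 'ADDRESSES', and the corrected 'ADDRESSES_NAT' that denies VPN traffic first.
R1_CRYPTO = [parse_ace("permit ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255")]
R3_CRYPTO = [parse_ace("permit ip 172.16.40.0 0.0.7.255 172.16.8.0 0.0.7.255")]
R1_NAT_ORIGINAL = [parse_ace("permit 172.16.8.0 0.0.7.255")]
R1_NAT_FIXED = [parse_ace("deny ip 172.16.8.0 0.0.7.255 172.16.40.0 0.0.7.255"),
                parse_ace("permit ip 172.16.8.0 0.0.7.255 any")]
```

With the original standard list, nat_exempts_vpn returns False (the 172.16.8.0/21 to 172.16.40.0/21 flow is translated before the crypto map can match it); with the deny-first list it returns True, and swapping the deny and permit lines brings the False back, which is why the deny must come first.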

3 Replies


joshbroadbent
Level 1

Thanks for your help, David.

 

Much appreciated!

 

Regards,

 

Josh Broadbent

Hi Josh,

 

It was a pleasure, let me know if you have any doubts!

 

David Castro,

 

Regards