11-14-2015 09:02 PM - edited 03-11-2019 11:53 PM
Dears
It might be a stupid question, but I want to clarify: I am creating an IPsec tunnel between a voice router and CUCM to secure it from internal LAN users, but they are both on the same premises and in the same subnet; 10.10.10.1 is the voice gateway and 10.10.10.2 is the CUCM. Is it possible to build an IPsec tunnel within the subnet between the 2 devices?
I understand that I can keep them in different subnets, but is it possible within the same subnet?
Also, I tried building the tunnel, but when I execute the command show crypto ipsec sa I didn't see any voice signalling packets encrypted, although the ISAKMP tunnel was showing as active.
thanks
11-14-2015 09:13 PM
As long as you have IP connectivity between the devices you can build an IPsec VPN tunnel between them.
--
Please remember to select a correct answer and rate helpful posts
11-14-2015 09:26 PM
Dear Marius,
Attached is a snapshot of the configuration on CUCM.
Also, I tried building the tunnel, but when I execute the command show crypto ipsec sa I didn't see any voice signalling packets encrypted, although the ISAKMP tunnel was showing as active.
#sh run | b crypto
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 10.10.4.2 no-xauth
!
!
crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
!
crypto map MGCP-MAP 10 ipsec-isakmp
set peer 10.10.4.2
set transform-set IPSEC-SET
set pfs group2
match address 110
sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: MGCP-MAP, local addr 10.229.4.8
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.4.8/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.4.2/255.255.255.255/0/0)
current_peer 10.10.4.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.229.4.8, remote crypto endpt.: 10.229.4.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.4.8 10.10.4.2 MM_NO_STATE 0 ACTIVE (deleted)
11-14-2015 09:51 PM
I am no expert on CUCM, but it looks like you are missing the hash in your crypto isakmp policy:
hash sha256
Also, you have it set to transport mode on the CUCM, or transport on the router side; the default on the router is tunnel mode.
crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
mode transport
Try adding that and see if the tunnel comes up.
But to be perfectly honest, you should set this up on its own VLAN. Doing this via a VPN on the same network is a bit messy and unneeded.
11-15-2015 10:14 AM
Dear, thanks for the reply.
Now the status is not steady; on the below it waits for some time and then goes back to MM_NO_STATE.
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.4.8 10.10.4.2 QM_IDLE 1016 ACTIVE
I don't get any option for hash256, only the below:
VG_01(config)#crypto isakmp policy 10
_VG_01(config-isakmp)#hash sha ?
<cr>
001332: Nov 13 08:10:48.287: ISAKMP:(1014):beginning Quick Mode exchange, M-ID of 2237452007
001333: Nov 13 08:10:48.287: ISAKMP:(1014):QM Initiator gets spi
001334: Nov 13 08:10:48.287: ISAKMP:(1014): sending packet to 10.10.4.2 my_port 500 peer_port 500 (I) QM_IDLE
001335: Nov 13 08:10:48.287: ISAKMP:(1014):Sending an IKE IPv4 Packet.
001336: Nov 13 08:10:48.287: ISAKMP:(1014):Node 2237452007, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
001337: Nov 13 08:10:48.287: ISAKMP:(1014):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
001338: Nov 13 08:10:48.287: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001339: Nov 13 08:10:48.287: ISAKMP:(1014):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001340: Nov 13 08:10:48.287: ISAKMP (1014): received packet from 10.10.4.2 dport 500 sport 500 Global (I) QM_IDLE
001341: Nov 13 08:10:48.287: ISAKMP: set new node -1502355529 to QM_IDLE
001342: Nov 13 08:10:48.287: ISAKMP:(1014): processing HASH payload. message ID = 2792611767
001343: Nov 13 08:10:48.287: ISAKMP:(1014): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 2792611767, sa = 0x31B85428
001344: Nov 13 08:10:48.287: ISAKMP:(1014):peer does not do paranoid keepalives.
001345: Nov 13 08:10:48.287: ISAKMP:(1014):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.10.4.2)
001346: Nov 13 08:10:48.287: ISAKMP:(1014):deleting node -1502355529 error FALSE reason "Informational (in) state 1"
001347: Nov 13 08:10:48.287: ISAKMP:(1014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001348: Nov 13 08:10:48.287: ISAKMP:(1014):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001349: Nov 13 08:10:48.287: ISAKMP: set new node 1147210847 to QM_IDLE
001350: Nov 13 08:10:48.291: ISAKMP:(1014): sending packet to 10.10.4.2 my_port 500 peer_port 500 (I) QM_IDLE
001351: Nov 13 08:10:48.291: ISAKMP:(1014):Sending an IKE IPv4 Packet.
001352: Nov 13 08:10:48.291: ISAKMP:(1014):purging node 1147210847
001353: Nov 13 08:10:48.291: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001354: Nov 13 08:10:48.291: ISAKMP:(1014):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
001355: Nov 13 08:10:48.291: ISAKMP:(1014):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.10.4.2)
001356: Nov 13 08:10:48.291: ISAKMP: Unlocking peer struct 0x3230D2F8 for isadb_mark_sa_deleted(), count 0
001357: Nov 13 08:10:48.291: ISAKMP: Deleting peer node by peer_reap for 10.10.4.2: 3230D2F8
001358: Nov 13 08:10:48.291: ISAKMP:(1014):deleting node -2057515289 error FALSE reason "IKE deleted"
001359: Nov 13 08:10:48.291: ISAKMP:(1014):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001360: Nov 13 08:10:48.291: ISAKMP:(1014):Old State = IKE_DEST_SA New State = IKE_DEST_SA
001361: Nov 13 08:10:48.291: ISAKMP (1014): received packet from 10.10.4.2 dport 500 sport 500 Global (I) MM_NO_STATE
11-16-2015 10:15 AM
Ah ok, I believe the issue is that some of the management packets / keepalive packets are going through the VPN tunnel... so in hindsight, I do not think this is going to work after all.
You would need to have a different IP to source packets from than the interface on which you are terminating the VPN.
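The pattern in this thread (ISAKMP shows ACTIVE, yet zero packets encrypted, outbound SPI 0x0, and a NOTIFY INVALID_ID_INFO in the debug) is a phase 2 failure, not a working tunnel. The following triage script is an added example, not from this thread or from Cisco; it runs over constructed sample lines modelled on the outputs quoted above (same addresses and counters) and reports why signalling is still in the clear.

```python
import re

# Constructed sample lines modelled on the "show crypto ipsec sa",
# "show crypto isakmp sa" and ISAKMP debug output quoted in this thread.
IPSEC_SA = """\
local ident (addr/mask/prot/port): (10.10.4.8/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.4.2/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
"""
ISAKMP_SA = "10.10.4.8 10.10.4.2 QM_IDLE 1016 ACTIVE"
DEBUG = """\
001343: Nov 13 08:10:48.287: ISAKMP:(1014): processing NOTIFY INVALID_ID_INFO protocol 1
001345: Nov 13 08:10:48.287: ISAKMP:(1014):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.10.4.2)
"""

def phase1_state(isakmp_sa: str) -> str:
    """Third column of a 'show crypto isakmp sa' row is the IKE phase 1 state."""
    parts = isakmp_sa.split()
    return parts[2] if len(parts) >= 3 else "UNKNOWN"

def phase2_established(ipsec_sa: str) -> bool:
    """An outbound SPI of 0x0 means no IPsec (phase 2) SA was ever negotiated."""
    m = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", ipsec_sa)
    return bool(m) and int(m.group(1), 16) != 0

def protected_packets(ipsec_sa: str) -> int:
    """Sum of the encrypt and decrypt counters; 0 means nothing is protected."""
    nums = re.findall(r"#pkts (?:encrypt|decrypt): (\d+)", ipsec_sa)
    return sum(int(n) for n in nums)

def triage(ipsec_sa: str, isakmp_sa: str, debug: str) -> list[str]:
    """Combine the three outputs into plain-language findings."""
    findings = []
    state = phase1_state(isakmp_sa)
    if state == "QM_IDLE" and not phase2_established(ipsec_sa):
        findings.append("phase 1 complete but phase 2 never finished (no outbound SPI)")
    elif state == "MM_NO_STATE":
        findings.append("phase 1 SA torn down (MM_NO_STATE)")
    if protected_packets(ipsec_sa) == 0:
        findings.append("zero packets encrypted or decrypted: signalling is in the clear")
    if "NOTIFY INVALID_ID_INFO" in debug:
        findings.append("peer rejected phase 2 identities: compare crypto ACL / proxy IDs "
                        "and tunnel vs transport mode with the peer's policy")
    return findings
```

Run `triage(IPSEC_SA, ISAKMP_SA, DEBUG)` against a live capture of the three commands to confirm a tunnel is carrying traffic before relying on it; an ACTIVE ISAKMP SA alone proves nothing about the MGCP signalling.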