Site-to-site IPSec VPN

woody1144
Level 1

Hi,

I'm wondering if someone can help with my VPN set-up. It's a simple IPsec site-to-site between two 1721 routers which in turn are connected to two nodes (192.168.1.1 and 192.168.2.1) in a lab situation. I'm finding I can ping from one node to the other, but when checking the status of the tunnel it says there are no active connections and 0 packets are being encrypted. I have the config and the readout from "show crypto ipsec sa". If you can spot what's up I'd be very grateful, as I'm well and truly stuck and stressed now :(.

Router 1 config:

Password:
Router1#sh run
Building configuration...

Current configuration : 1157 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
enable secret xxx
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key key1 address 10.0.0.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set set1 ah-md5-hmac esp-3des esp-md5-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set set1
 match address 101
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 half-duplex
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 speed auto
!
interface Serial0
 bandwidth 64
 ip address 10.0.0.1 255.0.0.0
 encapsulation ppp
 crypto map VPN-Map-1
!
ip classless
ip route 192.168.2.0 255.255.255.0 10.0.0.2
no ip http server
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 // this was a mistake
!
!
line con 0
line aux 0
line vty 0 4
 --More--


woody1144
Level 1

Here is Router 2 config:

Router2#sh run
Building configuration...

Current configuration : 1126 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
enable secret xxx
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key key1 address 10.0.0.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set set2 ah-md5-hmac esp-3des esp-md5-hmac
!
crypto map VPN-Map-2 20 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set set2
 match address 102
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 half-duplex
!
interface FastEthernet0
 ip address 192.168.2.2 255.255.255.0
 speed auto
!
interface Serial0
 bandwidth 64
 ip address 10.0.0.2 255.0.0.0
 encapsulation ppp
 clockrate 64000
 crypto map VPN-Map-2
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.0.0.1
no ip http server
!
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
 password *******
 login
 --More--

Here is the read-out:

Router1#show crypto ipsec sa

interface: Serial0
    Crypto map tag: VPN-Map-1, local addr. 10.0.0.1

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 10.0.0.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Router1#
Router1#show crypto engine connections active

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt

Router1#

If you can help i'd be very grateful,

Thanks a lot,

Richard

m-heard
Level 1

I think you have your ACL 101 reversed. For router 1, your LAN is defined by 192.168.1.0/24 on interface Fa0. Therefore your ACL should have the source subnet as 192.168.1.0/24 and the destination subnet as 192.168.2.0/24.

ACL on router 1:

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

ACL on router 2:

access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
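The failure in this thread is worth having a check for, because it fails silently: both routers have a crypto ACL whose source side is the *other* site's LAN, so no outbound packet ever matches the crypto map, no SA is built, and the pings still succeed because the static route carries them across the serial link in cleartext. The script below is an added example (not part of the thread, and not a Cisco tool) that parses the `match address` ACL of each peer and reports two things: whether each ACL's source network is actually a connected network of that router, and whether the two ACLs are exact mirror images of each other (as IKE phase 2 proxy identities must be). The two sample configs are condensed from the ones posted above; only the single-line `access-list N permit ip A WC B WC` form used in the thread is parsed.

```python
"""Consistency check for a pair of IOS site-to-site crypto ACLs.

Added example for this thread; it assumes numbered extended ACLs written as
'access-list N permit ip SRC SRC-WILDCARD DST DST-WILDCARD' and interface
addresses written as 'ip address A MASK'.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
MATCH_RE = re.compile(r"^match address\s+(\d+)$")
IP_ADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)$")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _clean_lines(config):
    """Yield non-empty config lines with indentation and '// notes' removed."""
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()
        if line:
            yield line


def parse_acls(config):
    """Map ACL number -> list of (src_net, dst_net) 'permit ip' entries."""
    acls = {}
    for line in _clean_lines(config):
        m = ACL_RE.match(line)
        if m:
            num, src, swc, dst, dwc = m.groups()
            acls.setdefault(num, []).append(
                (wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return acls


def crypto_acl_entries(config):
    """Entries of the ACL named by the first 'match address' in the config."""
    for line in _clean_lines(config):
        m = MATCH_RE.match(line)
        if m:
            return parse_acls(config).get(m.group(1), [])
    return []


def connected_networks(config):
    """Networks of every 'ip address A MASK' line: the router's connected subnets."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in map(IP_ADDR_RE.match, _clean_lines(config)) if m]


def check_peer_acls(name_a, cfg_a, name_b, cfg_b):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    for name, cfg in ((name_a, cfg_a), (name_b, cfg_b)):
        entries = crypto_acl_entries(cfg)
        if not entries:
            findings.append(f"{name}: crypto map references no usable ACL")
            continue
        connected = connected_networks(cfg)
        for src, dst in entries:
            # The source side of a crypto ACL is traffic leaving THIS router's LAN.
            # If no connected interface covers it, nothing ever matches the crypto
            # map and the traffic leaves in cleartext over the normal route.
            if not any(src.subnet_of(c) for c in connected):
                findings.append(f"{name}: ACL source {src} is not a connected "
                                f"network; did you mean {dst} -> {src}?")
    # Proxy identities must be exact mirror images or phase 2 negotiation fails.
    a_entries, b_entries = set(crypto_acl_entries(cfg_a)), set(crypto_acl_entries(cfg_b))
    for src, dst in a_entries:
        if (dst, src) not in b_entries:
            findings.append(f"{name_b}: no mirror of {name_a} entry {src} -> {dst}")
    for src, dst in b_entries:
        if (dst, src) not in a_entries:
            findings.append(f"{name_a}: no mirror of {name_b} entry {src} -> {dst}")
    return findings


# Constructed from the configs posted in the thread (condensed to the relevant lines).
ROUTER1_AS_POSTED = """
hostname Router1
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 10.0.0.2
 match address 101
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
interface Serial0
 ip address 10.0.0.1 255.0.0.0
 crypto map VPN-Map-1
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 // this was a mistake
"""
ROUTER2_AS_POSTED = """
hostname Router2
crypto map VPN-Map-2 20 ipsec-isakmp
 set peer 10.0.0.1
 match address 102
interface FastEthernet0
 ip address 192.168.2.2 255.255.255.0
interface Serial0
 ip address 10.0.0.2 255.0.0.0
 crypto map VPN-Map-2
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# The same configs with the ACLs written the way the reply above suggests.
ROUTER1_FIXED = ROUTER1_AS_POSTED.replace(
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")
ROUTER2_FIXED = ROUTER2_AS_POSTED.replace(
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255")

if __name__ == "__main__":
    for label, a, b in (("as posted", ROUTER1_AS_POSTED, ROUTER2_AS_POSTED),
                        ("fixed", ROUTER1_FIXED, ROUTER2_FIXED)):
        print(f"[{label}]", check_peer_acls("Router1", a, "Router2", b) or "OK")
```

Run against the posted configs, the mirror test passes (the two ACLs *are* mirror images of each other, which is why the `local ident` in the `show crypto ipsec sa` output matches what Router 2 would propose), but the connected-network test flags both routers, which is exactly the "pings work, zero packets encrypted" symptom. With both ACLs flipped as the reply suggests, the check returns no findings.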