04-01-2008 08:14 AM - edited 02-21-2020 03:38 PM
Hi,
I'm wondering if someone can help with my VPN set-up. It's a simple IPsec site-to-site between two 1721 routers which in turn are connected to two nodes (192.168.1.1 and 192.168.2.1) in a lab situation. I'm finding I can ping from one node to the other, but when checking the status of the tunnel it says there are no active connections and 0 packets are being encrypted. I have the config and the readout from "show crypto ipsec sa". If you can spot what's up I'd be very grateful, as I'm well and truly stuck and stressed now :(.
Router 1 config:
Password:
Router1#sh run
Building configuration...
Current configuration : 1157 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
enable secret xxx
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key key1 address 10.0.0.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set set1 ah-md5-hmac esp-3des esp-md5-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set set1
match address 101
!
!
!
!
interface Ethernet0
no ip address
shutdown
half-duplex
!
interface FastEthernet0
ip address 192.168.1.2 255.255.255.0
speed auto
!
interface Serial0
bandwidth 64
ip address 10.0.0.1 255.0.0.0
encapsulation ppp
crypto map VPN-Map-1
!
ip classless
ip route 192.168.2.0 255.255.255.0 10.0.0.2
no ip http server
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 // this was a mistake
!
!
line con 0
line aux 0
line vty 0 4
--More--
04-01-2008 08:15 AM
Here is Router 2 config:
Router2#sh run
Building configuration...
Current configuration : 1126 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
enable secret xxx
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key key1 address 10.0.0.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set set2 ah-md5-hmac esp-3des esp-md5-hmac
!
crypto map VPN-Map-2 20 ipsec-isakmp
set peer 10.0.0.1
set transform-set set2
match address 102
!
!
!
!
interface Ethernet0
no ip address
shutdown
half-duplex
!
interface FastEthernet0
ip address 192.168.2.2 255.255.255.0
speed auto
!
interface Serial0
bandwidth 64
ip address 10.0.0.2 255.0.0.0
encapsulation ppp
clockrate 64000
crypto map VPN-Map-2
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.0.0.1
no ip http server
!
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
password *******
login
--More--
04-01-2008 08:16 AM
Here is the read-out:
Router1#show crypto ipsec sa
interface: Serial0
Crypto map tag: VPN-Map-1, local addr. 10.0.0.1
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 10.0.0.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Router1#
Router1#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
Router1#
If you can help I'd be very grateful,
Thanks a lot,
Richard
04-04-2008 11:30 AM
I think you have your ACL 101 reversed. For router 1, your LAN is defined by 192.168.1.0/24 on interface Fa0. Therefore your ACL should have the source subnet as 192.168.1.0/24 and the destination subnet as 192.168.2.0/24.
ACL on router 1:
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ACL on router 2:
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
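A small checker for the rule in this reply, added here as an example and not code from the thread: it parses a minimal IOS config, takes the ACL named by `match address` in the crypto map, and flags any entry whose source is not one of the router's own LANs or that the peer does not mirror. The `mk_cfg` helper and the `R1_*`/`R2_*` inputs are constructed to resemble the thread's configs; "LAN" is assumed to mean any addressed interface without a crypto map applied.

```python
import re
from ipaddress import IPv4Network

def parse_ios(text):
    """Return (lan_nets, crypto_acl, {acl: [(src, dst)]}) from an IOS running-config.
    LAN = an addressed interface with no crypto map; crypto_acl = 'match address' ACL."""
    ifaces, acls, crypto_acl, cur = {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line == "!":                                   # IOS section separator
            cur = None
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"net": None, "crypto": False})
        elif cur and line.startswith("ip address "):
            cur["net"] = IPv4Network("/".join(line.split()[2:4]), strict=False)
        elif cur and line.startswith("crypto map "):      # map applied to the interface
            cur["crypto"] = True
        elif line.startswith("match address "):
            crypto_acl = line.split()[2]
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append(             # IPv4Network accepts wildcard masks
                (IPv4Network(f"{m[2]}/{m[3]}"), IPv4Network(f"{m[4]}/{m[5]}")))
    lans = {i["net"] for i in ifaces.values() if i["net"] and not i["crypto"]}
    return lans, crypto_acl, acls

def check_crypto_acls(cfg_a, cfg_b):
    """Problems with the crypto ACL pair: an entry whose source is not a local LAN
    (the thread's bug), or ACLs that are not mirror images. Empty list = OK."""
    sides, problems = {"A": parse_ios(cfg_a), "B": parse_ios(cfg_b)}, []
    for name, (lans, acl, acls) in sides.items():
        for src, dst in acls.get(acl, []):
            if src not in lans:
                problems.append(f"{name}: acl {acl} source {src} is not a local LAN")
    a = set(sides["A"][2].get(sides["A"][1], []))
    b = {(d, s) for s, d in sides["B"][2].get(sides["B"][1], [])}
    if a != b:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems

def mk_cfg(lan, wan, acl, src, dst):
    """Constructed minimal IOS config in the shape of the thread's (test input only)."""
    return (f"interface FastEthernet0\n ip address {lan} 255.255.255.0\n!\n"
            f"interface Serial0\n ip address {wan} 255.0.0.0\n crypto map VPN-Map\n!\n"
            f"crypto map VPN-Map 10 ipsec-isakmp\n match address {acl}\n!\n"
            f"access-list {acl} permit ip {src} 0.0.0.255 {dst} 0.0.0.255\n")

# Constructed inputs: the thread's reversed ACLs (BAD), then the corrected ones (OK).
R1_BAD = mk_cfg("192.168.1.2", "10.0.0.1", "101", "192.168.2.0", "192.168.1.0")
R2_BAD = mk_cfg("192.168.2.2", "10.0.0.2", "102", "192.168.1.0", "192.168.2.0")
R1_OK = mk_cfg("192.168.1.2", "10.0.0.1", "101", "192.168.1.0", "192.168.2.0")
R2_OK = mk_cfg("192.168.2.2", "10.0.0.2", "102", "192.168.2.0", "192.168.1.0")
```

Note that the thread's two reversed ACLs are still mirror images of each other, so the mirror check alone would pass; it is the "source must be a local LAN" check that catches the bug.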