IPSec tunnel between 2 routers

Hello,

I'm trying to configure an IPSec VPN tunnel between 2 Cisco routers connected to the internet via ATM interface; my router is a 1841 with network address 10.200.36.0, the remote router is a Cisco 877 with network address 192.168.9.0.

I tried to follow some tutorials, without success, because I still can't ping any IP address on the remote network and also the VPN tunnel is not up!

Could you please help me by giving a configuration template, or maybe let me know how to configure it step by step on my router and the remote router?

Thank you very much!

Regards


Riccardo    

Accepted solution:

Here is an example. x.x.x.x and y.y.y.y are the public IPs of the routers:

hostname Router1
!
crypto isakmp policy 10
  encr aes 256
  auth pre
  group 5
!
crypto isakmp key cisco1234 address y.y.y.y
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
  set transform ESP-AES256-SHA1
!
interface Tunnel0
  ip address 10.255.255.0 255.255.255.254
  tunnel source Dialer 0
  tunnel destination y.y.y.y
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile TunnelProfile
!
interface Dialer0
  ip address x.x.x.x
!
ip route 192.168.9.0 255.255.255.0 Tunnel0

hostname Router2
!
crypto isakmp policy 10
  encr aes 256
  auth pre
  group 5
!
crypto isakmp key cisco1234 address x.x.x.x
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
  set transform ESP-AES256-SHA1
!
interface Tunnel0
  ip address 10.255.255.1 255.255.255.254
  tunnel source Dialer 0
  tunnel destination x.x.x.x
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile TunnelProfile
!
interface Dialer0
  ip address y.y.y.y
!
ip route 10.200.36.0 255.255.255.0 Tunnel0

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
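As an added cross-check (not from the thread or from Cisco), a small Python script that parses both sides of a VTI config like the one above and reports the usual mismatches: a profile referencing a transform-set that was never defined (the sort of thing a one-letter typo in `crypto ipsec transform-set` produces), a tunnel destination that is not the peer's public address, and a missing ISAKMP key for the peer. The addresses 203.0.113.1 and 198.51.100.1 are constructed stand-ins for x.x.x.x and y.y.y.y; the key and names are the ones from the answer.

```python
import re

# Constructed samples modelled on the accepted answer: 203.0.113.1 and 198.51.100.1
# stand in for x.x.x.x / y.y.y.y. Router2 keeps a "tranform-set" typo on purpose.
ROUTER1 = """crypto isakmp key cisco1234 address 198.51.100.1
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
crypto ipsec profile TunnelProfile
  set transform ESP-AES256-SHA1
interface Tunnel0
  tunnel destination 198.51.100.1
interface Dialer0
  ip address 203.0.113.1"""
ROUTER2 = """crypto isakmp key cisco1234 address 203.0.113.1
crypto ipsec tranform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
crypto ipsec profile TunnelProfile
  set transform ESP-AES256-SHA1
interface Tunnel0
  tunnel destination 203.0.113.1
interface Dialer0
  ip address 198.51.100.1"""

def parse(cfg):
    """Collect the fields that must agree between the two peers."""
    d = {"ts": set(), "profile_ts": None, "keys": set(), "dst": None, "pub": None}
    section = ""
    for raw in cfg.splitlines():
        s = raw.strip()
        if not s or s == "!":
            continue
        section = section if raw.startswith(" ") else s  # current top-level block
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            d["keys"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+)", s):
            d["ts"].add(m[1])
        elif m := re.match(r"set transform(?:-set)? (\S+)", s):
            d["profile_ts"] = m[1]
        elif m := re.match(r"tunnel destination (\S+)", s):
            d["dst"] = m[1]
        elif (m := re.match(r"ip address (\S+)", s)) and section.startswith("interface Dialer"):
            d["pub"] = m[1]  # stands in for the dialer's public address
    return d

def check_pair(a, b):
    """Mismatches between the two parsed configs; an empty list means consistent."""
    issues = []
    for name, me, other in (("Router1", a, b), ("Router2", b, a)):
        if me["profile_ts"] not in me["ts"]:
            issues.append(f"{name}: profile uses undefined transform-set {me['profile_ts']}")
        if me["dst"] != other["pub"]:
            issues.append(f"{name}: tunnel destination {me['dst']} is not the peer's public IP {other['pub']}")
        if other["pub"] not in me["keys"]:
            issues.append(f"{name}: no isakmp key configured for peer {other['pub']}")
    return issues
```

Running `check_pair(parse(ROUTER1), parse(ROUTER2))` reports only the undefined transform-set on Router2; with the typo corrected the list is empty.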


Hello,

Thank you very much for your quick reply. I configured the VPN site to site but I'm not able to ping the private IP of the remote host.

I also tried to configure the IPSec VPN on a DrayTek firewall, but I have the same problem.

Do you have any suggestion?

Thank you,

Regards

Riccardo

The given config is only compatible with IOS routers (well, it could be compatible, but typically it is not).

How do you test exactly? Do your pings and post the output of "show crypto session detail" of both routers.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Right now I can post the session detail of the Cisco 877 and, if you need it, also the screenshot of the DrayTek...

RA1-ADVPROD-1#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: Dialer1 Virtual-Access1
Uptime: 00:07:17
Session status: UP-ACTIVE
Peer: port 37588 fvrf: (none) ivrf: (none)
      Phase1_id: 10.0.0.10 (IP of the ADSL router: it NATs all traffic to the firewall where the VPN is configured)
      Desc: (none)
  IKE SA: local /4500 remote /37588 Active
          Capabilities:N connid:2017 lifetime:07:52:41
  IPSEC FLOW: permit ip 192.168.9.0/255.255.255.0 192.168.16.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 32 drop 1255 life (KB/Sec) 4601636/3162
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4601646/3162

So you are receiving traffic through the tunnel, but you don't send anything (last two lines). A typical problem is misconfigured NAT. Make sure that the traffic from your network to the other network is not NATted.
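To make that reading of the output repeatable, here is an added Python helper (not from the thread) that parses "show crypto session detail" and flags the receive-only pattern described in the reply above, plus the NAT-T capability and a drop count that exceeds the decrypted count. The sample is constructed from the posted output; the local and peer addresses are made up because the post redacted them.

```python
import re

# Constructed sample modelled on the "show crypto session detail" output posted
# above; the peer and local addresses are made up since the post redacted them.
SAMPLE = """\
Interface: Dialer1 Virtual-Access1
Uptime: 00:07:17
Session status: UP-ACTIVE
Peer: 198.51.100.1 port 37588 fvrf: (none) ivrf: (none)
  IKE SA: local 203.0.113.1/4500 remote 198.51.100.1/37588 Active
          Capabilities:N connid:2017 lifetime:07:52:41
  IPSEC FLOW: permit ip 192.168.9.0/255.255.255.0 192.168.16.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 32 drop 1255 life (KB/Sec) 4601636/3162
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4601646/3162
"""

def parse_session(text):
    """Extract session status, the NAT-T capability flag and per-flow counters."""
    s = {"status": None, "nat_t": False, "flows": []}
    for line in text.splitlines():
        if m := re.search(r"Session status: (\S+)", line):
            s["status"] = m[1]
        elif m := re.search(r"Capabilities:(\S+)", line):
            s["nat_t"] = "N" in m[1]
        elif m := re.search(r"IPSEC FLOW: (.+)", line):
            s["flows"].append({"flow": m[1].strip()})
        elif (m := re.search(r"(Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (\d+) drop (\d+)", line)) and s["flows"]:
            s["flows"][-1][m[1].lower()] = (int(m[2]), int(m[3]))  # (packets, drops)
    return s

def diagnose(session):
    """Findings in the order a reviewer would read them; mirrors the reply above."""
    findings = []
    if session["status"] != "UP-ACTIVE":
        findings.append(f"session is not active: {session['status']}")
    for f in session["flows"]:
        rx, tx = f.get("inbound", (0, 0)), f.get("outbound", (0, 0))
        if rx[0] > 0 and tx[0] == 0:
            findings.append(f"{f['flow']}: decrypting {rx[0]} packets but encrypting none; "
                            "local traffic never enters the tunnel (check NAT exemption and routing)")
        if rx[1] > rx[0]:
            findings.append(f"{f['flow']}: inbound drops ({rx[1]}) exceed decrypted packets ({rx[0]})")
    if session["nat_t"]:
        findings.append("NAT-T negotiated: a NAT device sits between the peers")
    return findings
```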

Hello,

I tried to modify the configuration of NAT without success...

May I post my 877 configuration and also the 2 DrayTek configs and the connection diagram in order to find where the issue is?

Thanks,

Regards

Riccardo