VPN not getting established :-(

nemiath76
Level 1

Hello guys,

Need some help since I am going crazy trying to finish a lab for my CCNA-S exam.

I am trying to establish a VPN using 3 routers.

SiteA

SiteB

and ISP as the router in between simulating the internet.

Router SiteA can ping SiteB external IP and vice versa.

I follow the book example and also I have tried an online lab but with no success.

Can you please check my configs and let me know WHAT am I missing???

The show crypto isakmp sa detail shows no Active connections.

SiteA(config)#do ping 172.16.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
SiteA(config)#do show crypto isakm
SiteA(config)#do show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

IPv6 Crypto ISAKMP SA

SiteA(config)#do show crypto ipsec sa

interface: Serial1/1
    Crypto map tag: CMPS1, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Configuration files ROUTER SITE A

crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key cisco123 address 172.16.1.1
!
!
crypto ipsec transform-set TSA esp-aes 256 esp-sha-hmac
!
crypto map CMPS1 1 ipsec-isakmp
 description Tunnet1 to SiteB
 set peer 172.16.1.1
 set transform-set TSA
 match address ToSiteB
!
!
!
!
!
interface Loopback0
 ip address 192.168.0.100 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/1
 ip address 10.1.1.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map CMPS1
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 172.16.1.0 255.255.255.0 10.1.1.2
ip route 172.16.2.0 255.255.255.0 10.1.1.2
ip access-list extended ToSiteB
 permit ip 192.168.0.0 0.0.0.255 172.16.2.0 0.0.0.255

AND ROUTER B

crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 600
crypto isakmp key cisco123 address 10.1.1.1
!
!
crypto ipsec transform-set TSB esp-aes 256 esp-sha-hmac
!
crypto map CMPS2 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set TSB
 match address ToSiteA
!
!
!
!
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.0
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map CMPS2
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 10.1.1.0 255.255.255.0 172.16.1.2
ip route 192.168.0.0 255.255.255.0 172.16.1.2
!
ip access-list extended ToSiteA
 permit ip 172.16.2.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
!

2 Accepted Solutions

Michael Muenz
Level 5

To trigger the VPN with "ping" you have to set the source interface to the internal one, because a standard ping would use the external IP, which doesn't fit the ACL from your crypto map.

Michael

Please rate all helpful posts


Jeet Kumar
Cisco Employee

Yes, as Max said, if you are initiating traffic from the device you need to define the source interface; if you don't define that, it would take the outside interface IP as a source by default.

If you are using a router that command would be: ping 172.16.2.1 source (name of the interface or the IP address).

If it's an ASA then you have to use: ping inside (or whichever interface you want to use) 172.16.2.1

In case of an ASA you need to make sure whichever interface you are using as a source is the management interface.

In case of a Cisco IOS router it is not applicable; you can use any interface if the IP of the subnet is included in your crypto access-list.

I hope it answers your question.

Thanks

Jeet

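Both accepted answers come down to one check: the crypto map only starts IKE for packets that match the crypto ACL, and a ping sourced from the outside interface (10.1.1.1 on Serial1/1) is not inside 192.168.0.0/24, so the echo leaves in the clear and no ISAKMP SA ever appears, which is consistent with the empty `show crypto isakmp sa` table and the zero `#pkts encaps` counter above. The script below is an added example for this thread, not code from the posters or from any Cisco tool. It parses the two `ip access-list extended` blocks from the posted configs (copied here as constructed strings), reports whether a given source/destination pair would be treated as interesting traffic, and checks that the two sides' ACLs are mirror images of each other, which IPsec needs for the proxy identities to agree. Only `ip` entries with `any`, `host` or contiguous wildcard masks are handled, and all function names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copies of the crypto ACLs from the two posted configs.
SITE_A_ACL = """\
ip access-list extended ToSiteB
 permit ip 192.168.0.0 0.0.0.255 172.16.2.0 0.0.0.255
"""
SITE_B_ACL = """\
ip access-list extended ToSiteA
 permit ip 172.16.2.0 0.0.0.255 192.168.0.0 0.0.0.255
"""


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS extended ACL (protocol 'ip' only)."""
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network.

    A wildcard bit of 0 must match and 1 is don't-care, so the netmask is the
    bitwise inverse. Non-contiguous wildcards are not supported here and make
    IPv4Network raise a ValueError.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _parse_endpoint(tokens: list) -> ipaddress.IPv4Network:
    """Consume one src/dst spec: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(text: str) -> list:
    """Parse the permit/deny lines of an 'ip access-list extended' block."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            continue  # the 'ip access-list extended NAME' header, a remark, or blank
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line.strip()}")
        rest = tokens[2:]
        src = _parse_endpoint(rest)
        dst = _parse_endpoint(rest)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def is_interesting(aces: list, src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation of a crypto ACL for one src/dst pair.

    True means the crypto map claims the packet and IKE is started; False
    (including the implicit deny at the end) means it is routed unencrypted.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def is_mirror(local: list, remote: list) -> bool:
    """True if every permit entry on one side appears reversed on the other."""
    fwd = {(a.src, a.dst) for a in local if a.action == "permit"}
    rev = {(a.dst, a.src) for a in remote if a.action == "permit"}
    return fwd == rev


if __name__ == "__main__":
    site_a, site_b = parse_acl(SITE_A_ACL), parse_acl(SITE_B_ACL)
    # A plain "ping 172.16.2.1" leaves Serial1/1 sourced from 10.1.1.1,
    # which no ACE covers: no IKE, and the echo goes out in the clear.
    print("default ping is interesting traffic:",
          is_interesting(site_a, "10.1.1.1", "172.16.2.1"))
    # "ping 172.16.2.1 source Loopback0" uses 192.168.0.100 and does match.
    print("sourced ping is interesting traffic:",
          is_interesting(site_a, "192.168.0.100", "172.16.2.1"))
    print("SiteA/SiteB crypto ACLs are mirror images:", is_mirror(site_a, site_b))
```

Run it as-is to see the two ping cases side by side; to reuse it on another lab, paste each router's crypto ACL into the two strings. The mirror check is the part worth keeping around: a mismatch there is the other common reason a tunnel negotiates IKE but then fails with a proxy-identity error, and it is easy to miss by eye once the ACLs have more than one line.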
