09-10-2013 04:30 AM
Hello guys,
Need some help since I am going crazy trying to finish a lab for my CCNA-S exam.
I am trying to establish a VPN using 3 routers.
SiteA
SiteB
and ISP as the router in between simulating the internet.
Router SiteA can ping SiteB external ip and vice versa.
I followed the book example and also tried an online lab, but with no success.
Can you please check my configs and let me know WHAT am I missing???
The show crypto isakmp sa detail shows no Active connections.
SiteA(config)#do ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
SiteA(config)#do show crypto isakm
SiteA(config)#do show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
IPv6 Crypto ISAKMP SA
SiteA(config)#do show crypto ipsec sa
interface: Serial1/1
Crypto map tag: CMPS1, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
current_peer 172.16.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 172.16.1.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Configuration files ROUTER SITE A
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 600
crypto isakmp key cisco123 address 172.16.1.1
!
!
crypto ipsec transform-set TSA esp-aes 256 esp-sha-hmac
!
crypto map CMPS1 1 ipsec-isakmp
description Tunnet1 to SiteB
set peer 172.16.1.1
set transform-set TSA
match address ToSiteB
!
!
!
!
!
interface Loopback0
ip address 192.168.0.100 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/1
ip address 10.1.1.1 255.255.255.0
serial restart-delay 0
no dce-terminal-timing-enable
crypto map CMPS1
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 172.16.1.0 255.255.255.0 10.1.1.2
ip route 172.16.2.0 255.255.255.0 10.1.1.2
ip access-list extended ToSiteB
permit ip 192.168.0.0 0.0.0.255 172.16.2.0 0.0.0.255
AND ROUTER B
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 600
crypto isakmp key cisco123 address 10.1.1.1
!
!
crypto ipsec transform-set TSB esp-aes 256 esp-sha-hmac
!
crypto map CMPS2 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set TSB
match address ToSiteA
!
!
!
!
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 172.16.1.1 255.255.255.0
serial restart-delay 0
no dce-terminal-timing-enable
crypto map CMPS2
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 10.1.1.0 255.255.255.0 172.16.1.2
ip route 192.168.0.0 255.255.255.0 172.16.1.2
!
ip access-list extended ToSiteA
permit ip 172.16.2.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
!
09-10-2013 07:38 AM
To trigger the VPN with "ping" you have to set the source interface to the internal one, because a standard ping would use the external IP, which doesn't fit the ACL from your crypto map.
Michael
Please rate all helpful posts
09-10-2013 12:49 PM
Yes, as Max said, if you are initiating traffic from the device you need to define the source interface; if you don't define that, it would take the outside interface IP as a source by default.
If you are using a router, that command would be: ping 172.16.2.1 source (name of the interface or the IP address).
If it's an ASA, then you have to use: ping inside (or whichever interface you want to use) 172.16.2.1
In case of an ASA you need to make sure whichever interface you are using as a source is the management interface.
In case of a Cisco IOS router that is not applicable; you can use any interface if the IP of the subnet is included in your crypto access-list.
I hope it answers your question.
Thanks
Jeet
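A small Python check, added here and not from any poster in the thread, that parses the two crypto ACLs from the configs above and shows why the default-sourced ping (Serial1/1, 10.1.1.1) never matches the crypto map while a Loopback0-sourced ping (192.168.0.100) does; it also confirms the two ACLs are mirror images, which they must be for Phase 2 to complete. The addresses are taken from the posted configs; the helper functions are assumptions of this example.

```python
import ipaddress

# Crypto ACL entries copied from the two configs in the thread (Cisco wildcard masks).
SITE_A_ACL = "permit ip 192.168.0.0 0.0.0.255 172.16.2.0 0.0.0.255"
SITE_B_ACL = "permit ip 172.16.2.0 0.0.0.255 192.168.0.0 0.0.0.255"


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair into an IPv4Network.
    Only contiguous wildcards (0.0.0.255 style) are handled, which is
    all a crypto ACL normally uses."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_ace(line):
    """Parse 'permit ip SRC WILD DST WILD' into (src_net, dst_net)."""
    parts = line.split()
    if parts[:2] != ["permit", "ip"] or len(parts) != 6:
        raise ValueError(f"unsupported ACE: {line}")
    return (wildcard_to_network(parts[2], parts[3]),
            wildcard_to_network(parts[4], parts[5]))


def is_interesting(ace_line, src_ip, dst_ip):
    """True if a packet src->dst matches the crypto ACL, i.e. counts as
    interesting traffic and would make the router start IKE."""
    src_net, dst_net = parse_crypto_ace(ace_line)
    return (ipaddress.IPv4Address(src_ip) in src_net
            and ipaddress.IPv4Address(dst_ip) in dst_net)


def acls_are_mirrored(ace_a, ace_b):
    """Each side's crypto ACL must be the exact mirror of the peer's,
    otherwise the proxy identities will not agree in Phase 2."""
    a_src, a_dst = parse_crypto_ace(ace_a)
    b_src, b_dst = parse_crypto_ace(ace_b)
    return a_src == b_dst and a_dst == b_src


if __name__ == "__main__":
    # The failing ping from the thread: sourced from Serial1/1 by default.
    print(is_interesting(SITE_A_ACL, "10.1.1.1", "172.16.2.1"))       # False
    # The fix suggested in the answers: source the ping from Loopback0.
    print(is_interesting(SITE_A_ACL, "192.168.0.100", "172.16.2.1"))  # True
    print(acls_are_mirrored(SITE_A_ACL, SITE_B_ACL))                   # True
```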