01-30-2014 08:56 PM - edited 03-04-2019 10:13 PM
Hello folks, attached is a diagram and configuration for R1 and R2.
My goal is to setup a basic tunnel between two routers (R1 and R2). It is connected via frame-relay.
I can fully ping the physical WAN interfaces R1 - R2 (and vice versa).
I created static routes and I can reach the loopback from R1 to R2 and vice versa.
I am using a simulator software GNS3. I don't think this would be a problem though.
Question:
I see the IPSec tunnel remains down on both routers.
Please let me know if you find what is wrong. I attempted various 'debug crypto isakmp' and other debugs, and I see no output though.
R2#show crypto map
Crypto Map "IPSEC_TUNNEL" 10 ipsec-isakmp
Peer = 10.1.0.1
Extended IP access list 101
access-list 101 permit ip host 192.168.1.2 host 192.168.1.1
Current peer: 10.1.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
MYSET,
}
Interfaces using crypto map IPSEC_TUNNEL:
Serial1/0.221
R2#show crypto session
Crypto session current status
Interface: Serial1/0.221
Session status: DOWN
Peer: 10.1.0.1 port 500
IPSEC FLOW: permit ip host 192.168.1.2 host 192.168.1.1
Active SAs: 0, origin: crypto map
01-30-2014 11:35 PM
Hi,
What did you do to initiate the tunnel?
You have to ping the other loopback, sourcing from your own loopback, to trigger interesting traffic.
Regards
Alain
Don't forget to rate helpful posts.
01-31-2014 12:17 PM
You're right. I did put static routes on both routers.
Then please see what I am getting from the target router. Any idea if this is an IPsec configuration issue? It seems routing is working the way it should...
R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/68 ms
R2#ping 192.168.1.1 source 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
.....
Success rate is 0 percent (0/5)
R2#
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1#ping 192.168.1.2 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
R1#
*Mar 1 00:24:25.075: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.1.0.2 failed its sanity check or is malformed
R1#
R1#ping 192.168.1.2 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
....
R2#
*Mar 1 00:24:49.931: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.1.0.1 failed its sanity check or is malformed
R2
01-31-2014 05:58 PM
I think you need
crypto isakmp key CISCO address 10.1.0.2 no-xauth
Also try a few more ISAKMP policies:
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 14
!
crypto isakmp policy 15
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 30
encr aes 256
hash sha256
authentication pre-share
group 5
HTH
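IKE Phase 1 only comes up when both peers share at least one ISAKMP policy (encryption, hash, authentication, DH group all equal) and each side has a pre-shared key for the other's address. The following Python is an added example, not code from this thread or from Cisco: it parses two constructed IOS snippets (R2's borrows the policies suggested above) and reports which policy pair would match; the defaults table for omitted parameters is an assumption about IOS behaviour.

```python
import re

# Constructed sample configs (not the poster's real ones): R1 keeps one policy,
# R2 carries the extra policies proposed in the reply above.
R1_CONFIG = """
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.1.0.2 no-xauth
"""
R2_CONFIG = """
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp key CISCO address 10.1.0.1 no-xauth
"""

# Assumed IOS defaults for parameters a policy leaves unset.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_policies(config):
    """Return {priority: {encr, hash, authentication, group}} from IOS text."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
        elif not line or line == "!" or line.startswith("crypto "):
            current = None  # left the policy sub-mode
        elif current is not None:
            key, _, value = line.partition(" ")
            if key in DEFAULTS:
                policies[current][key] = value
    return policies

def matching_policies(cfg_a, cfg_b):
    """Pairs (prio_a, prio_b) whose parameters agree; IKE needs at least one."""
    a, b = parse_policies(cfg_a), parse_policies(cfg_b)
    return [(pa, pb) for pa in sorted(a) for pb in sorted(b) if a[pa] == b[pb]]

def peer_key_present(config, peer):
    """True if a pre-shared key line exists for the given peer address."""
    pattern = rf"crypto isakmp key \S+ address {re.escape(peer)}\b"
    return re.search(pattern, config) is not None
```

With these inputs only R1 policy 10 and R2 policy 20 agree; if the list came back empty, Phase 1 could never negotiate regardless of the crypto map.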