Basic IPSec: Tunnel is down. Please help

news2010a
Level 3

Hello folks, attached is a diagram and configuration for R1 and R2.

My goal is to set up a basic tunnel between two routers (R1 and R2). They are connected via frame-relay.

I can fully ping the physical WAN interfaces R1 - R2 (and vice versa).

I created static routes and I can reach the loopback from R1 to R2 and vice versa.

I am using a simulator software GNS3. I don't think this would be a problem though.

Question:
I see the IPSec tunnel remains down on both routers.
Please let me know if you find what is wrong. I attempted various 'debug crypto isakmp' and other debugs and I see no output though.

R2#show crypto map
Crypto Map "IPSEC_TUNNEL" 10 ipsec-isakmp
        Peer = 10.1.0.1
        Extended IP access list 101
            access-list 101 permit ip host 192.168.1.2 host 192.168.1.1
        Current peer: 10.1.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                MYSET,
        }
        Interfaces using crypto map IPSEC_TUNNEL:
                Serial1/0.221

R2#show crypto session
Crypto session current status
Interface: Serial1/0.221
Session status: DOWN
Peer: 10.1.0.1 port 500
  IPSEC FLOW: permit ip host 192.168.1.2 host 192.168.1.1
        Active SAs: 0, origin: crypto map

3 Replies

cadet alain
VIP Alumni

Hi,

What did you do to initiate the tunnel?

You have to ping the other loopback sourcing from your own loopback to trigger interesting traffic.

Regards

Alain

Don't forget to rate helpful posts.

You're right. I did put static routes on both routers.

Then please see what I am getting from the target router. Any idea if this is an IPsec configuration issue? It seems routing is working the way it should...

R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/68 ms

R2#ping 192.168.1.1 source 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
.....
Success rate is 0 percent (0/5)
R2#

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1#ping 192.168.1.2 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
R1#
*Mar  1 00:24:25.075: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.1.0.2        failed its sanity check or is malformed
R1#

R1#ping 192.168.1.2 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
....
R2#
*Mar  1 00:24:49.931: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.1.0.1        failed its sanity check or is malformed
R2

I think you need

crypto isakmp key CISCO address 10.1.0.2 no-xauth

Also try a few more ISA policies

crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp policy 15
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp policy 30
 encr aes 256
 hash sha256
 authentication pre-share
 group 5

HTH
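The reason extra ISAKMP policies can help is that IKEv1 phase 1 only completes when the initiator offers a policy the responder also holds. As an added example (not part of this thread or of IOS), the following Python script parses IOS `crypto isakmp policy` blocks, fills in the assumed IOS defaults for attributes a policy leaves unset, and reports which initiator/responder pair would be selected. The R1 policies are two of those suggested above; the two R2 configurations are constructed assumptions, since the thread never shows the poster's own policies.

```python
import re

# Assumed IOS defaults for unset attributes: DES, SHA-1, RSA-sig, DH group 1, 86400 s.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
NEGOTIATED = ("encr", "hash", "authentication", "group")  # lifetime may differ

def parse_isakmp_policies(config):
    """[(priority, attrs)] from 'crypto isakmp policy N' blocks, lowest first."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(DEFAULTS)
        elif line in ("", "!"):
            current = None                      # end of the policy block
        elif current is not None:
            key, *rest = line.split()
            if key in DEFAULTS:                 # 'encr aes 256' -> 'aes 256'
                policies[current][key] = " ".join(rest)
    return sorted(policies.items())

def find_matching_policy(initiator_cfg, responder_cfg):
    """Emulate IKEv1 phase-1 selection: the responder accepts the first
    initiator policy equal to one of its own on encr/hash/auth/group.
    Returns (initiator_priority, responder_priority) or None."""
    for ipri, iattrs in parse_isakmp_policies(initiator_cfg):
        for rpri, rattrs in parse_isakmp_policies(responder_cfg):
            if all(iattrs[k] == rattrs[k] for k in NEGOTIATED):
                return ipri, rpri
    return None

# Constructed sample: two of the policies suggested in the reply above on R1,
# and two hypothetical R2 configs, one overlapping with R1 and one not.
R1_CONFIG = """crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
"""
R2_OK = "crypto isakmp policy 10\n encr 3des\n authentication pre-share\n group 5\n"
R2_BAD = "crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 2\n"
print(find_matching_policy(R1_CONFIG, R2_OK))   # (20, 10)
print(find_matching_policy(R1_CONFIG, R2_BAD))  # None
```

A `None` result means phase 1 can never succeed regardless of the pre-shared key; a match only means the proposal step passes, so key or peer-address mismatches still have to be checked separately.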
