Cisco People - Setting up an IPSEC between two routers - Check inside for packet tracer lab

Hi all,

I am trying to set up a very simple IPsec tunnel between two networks here, using just a PC on each LAN, a simple hub and two routers dividing the two networks. I want to set up the IPsec tunnel between router 1 and router 2.

[Image: ciscoipsec.jpg]


Router 1 has the following interfaces configured

FastEthernet0/0
10.10.10.1 255.255.255.0

FastEthernet0/1
1.1.1.1 255.255.255.0


Router 2 has the following interfaces configured

FastEthernet0/0
20.20.20.1 255.255.255.0

FastEthernet0/1
1.1.1.2 255.255.255.0


I have set up the IPsec tunnel as per a guide on the web; here is the config of both routers. I can now ping between both networks, but I can't verify whether the traffic is going over an encrypted VPN or just taking a "normal" route as standard traffic.

Router1 Config

Code:
Router1#show run
Building configuration...

Current configuration : 1123 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router1
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key firewallcx address 1.1.1.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 1.1.1.2
 set transform-set TS 
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1 
ip route 10.10.10.0 255.255.255.0 1.1.1.2 
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end




Router 2

Code:
Router2#show run
Building configuration...

Current configuration : 1128 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router2
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key firewallcx address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 1.1.1.1
 set transform-set TS 
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1 
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end


I have tried to use the show crypto session command in Packet Tracer, which people suggest using to verify the tunnel status, but it doesn't like it.

Any help greatly appreciated :)

Many thanks
 
Brilliant, thanks :) Will have another go at this today. Many thanks for your help; will let you know how I get on.

Just trying now

The show crypto ipsec sa command doesn't appear to be working in Packet Tracer.

I have run show cry isa sa but it comes up with the below, with no state displayed:

Code:
Router1#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA


I have updated the configs on both routers as per what you mentioned, but I am still getting nothing when I do the show cry isa sa command. I have run a ping from router 1 to router 2 (1.1.1.2) and it started responding after the 2nd attempt; I was hoping that would bring up the tunnel.



Router 1

Code:
Router1#show run
Building configuration...

Current configuration : 1108 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router1
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key firewallcx address 1.1.1.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 1.1.1.2
 set transform-set TS 
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2 
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end




Router 2

Code:
Router2#show run
Building configuration...

Current configuration : 1156 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router2
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key firewallcx address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 1.1.1.1
 set transform-set TS 
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1 
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end
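The things this thread ends up checking by hand (the crypto ACLs mirroring each other, the NAT ACL denying VPN traffic before it is translated, the crypto map sitting on the interface the peer points at, `ip nat inside`/`outside` being present, static-route next hops being on a connected subnet) can be scripted, and the same parser answers why a ping from 1.1.1.1 to 1.1.1.2 never brings the tunnel up: that packet does not match the crypto ACL, so it is not "interesting traffic" and no IKE exchange is triggered. The following is an added example, not code from the thread or from Cisco. The configs it runs on are constructed here as abridged versions of the first-post (broken) and second-post (fixed) configs; the check names, the `ios()` builder and the weak-algorithm list are my own assumptions. It also flags 3DES, MD5 and DH group 2, which a practitioner would replace even in a lab.

```python
"""Added example, not from the thread: lint two IOS site-to-site IPsec configs for the
mistakes this thread works through, and test whether a packet is 'interesting traffic'
that would bring the tunnel up.  Configs are constructed here, abridged from the posted
ones; the check names and the ios() helper are my own."""
import ipaddress
import re

WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}  # assumed policy floor

def net(ip, wildcard):
    """ACL 'addr wildcard' -> network; invert the wildcard so 0.0.0.0 means a host, not /0."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def acl_nets(p):
    """['10.10.10.0', '0.0.0.255', 'any'] -> (src_net, dst_net)."""
    out = []
    while p:
        if p[0] == "any":
            out.append(ipaddress.ip_network("0.0.0.0/0")); p = p[1:]
        else:
            out.append(net(p[0], p[1])); p = p[2:]
    return out[0], out[1]

def parse(cfg):
    """Pull out only the fields the checks need from a running-config."""
    def grab(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    r = {"ifaces": {}, "crypto_acl": [], "nat_acl": []}
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)+)", cfg, re.M):
        ip = re.search(r" ip address (\S+) (\S+)", m.group(2))
        nat = re.search(r" ip nat (inside|outside)", m.group(2))
        r["ifaces"][m.group(1)] = {"addr": ipaddress.ip_interface(f"{ip.group(1)}/{ip.group(2)}") if ip else None,
                                   "nat": nat.group(1) if nat else None, "cmap": " crypto map " in m.group(2)}
    r["peer"] = ipaddress.ip_address(grab(r"^ set peer (\S+)"))
    r["policy"] = {k: grab(rf"^ {k} (\S+)") for k in WEAK}
    name = grab(r"^ match address (\S+)")                      # the crypto ACL
    acl = re.search(rf"^ip access-list extended {name}\n((?: .*\n)+)", cfg, re.M)
    for p in [line.split() for line in (acl.group(1).splitlines() if acl else [])]:
        if p[:2] == ["permit", "ip"]:
            r["crypto_acl"].append(acl_nets(p[2:]))
    num = grab(r"^ip nat inside source list (\d+)")            # the NAT ACL
    r["nat"] = num is not None
    for m in re.finditer(rf"^access-list {num} (deny|permit) ip (.*)$", cfg, re.M):
        r["nat_acl"].append((m.group(1),) + acl_nets(m.group(2).split()))
    r["routes"] = [ipaddress.ip_address(h) for h in re.findall(r"^ip route \S+ \S+ (\S+)", cfg, re.M)]
    return r

def lint(mine, peer):
    """Findings for config `mine`, checked against the peer router's config."""
    a, b, f = parse(mine), parse(peer), []
    for s, d in a["crypto_acl"]:
        if (d, s) not in b["crypto_acl"]:
            f.append(f"mirror: peer crypto ACL has no {d}->{s} entry matching {s}->{d}")
        hit = next((act for act, ns, nd in a["nat_acl"] if s.subnet_of(ns) and d.subnet_of(nd)), None)
        if a["nat"] and hit != "deny":      # first NAT ACL line to match VPN traffic must be a deny
            f.append(f"nat-exempt: {s}->{d} is translated before the crypto map can match it")
    if b["peer"] not in [i["addr"].ip for i in a["ifaces"].values() if i["cmap"] and i["addr"]]:
        f.append(f"peer: peer targets {b['peer']} but no crypto-mapped interface here owns it")
    if a["nat"] and not {"inside", "outside"} <= {i["nat"] for i in a["ifaces"].values()}:
        f.append("nat-roles: 'ip nat inside source' set but interfaces lack ip nat inside/outside")
    for nh in a["routes"]:
        if not any(i["addr"] and nh in i["addr"].network for i in a["ifaces"].values()):
            f.append(f"route: next hop {nh} is not on a directly connected subnet")
    return f + [f"weak: isakmp {k} {v}" for k, v in a["policy"].items() if v in WEAK[k]]

def interesting(cfg, src, dst):
    """Would a src->dst packet match the crypto ACL and so trigger IKE?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ns and d in nd for ns, nd in parse(cfg)["crypto_acl"])

def ios(host, lan, wan, peer_lan, peer, routes, nat_roles):
    """Constructed running-config in the shape of the thread's posts (abridged)."""
    l, p = ipaddress.ip_network(lan), ipaddress.ip_network(peer_lan)
    nat_in, nat_out = (" ip nat inside\n", " ip nat outside\n") if nat_roles else ("", "")
    return f"""hostname {host}
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key firewallcx address {peer}
crypto map CMAP 10 ipsec-isakmp
 set peer {peer}
 match address VPN-TRAFFIC
interface FastEthernet0/0
 ip address {l[1]} {l.netmask}
{nat_in} duplex auto
interface FastEthernet0/1
 ip address {wan} 255.255.255.0
{nat_out} crypto map CMAP
ip nat inside source list 100 interface FastEthernet0/1 overload
{routes}
ip access-list extended VPN-TRAFFIC
 permit ip {l.network_address} {l.hostmask} {p.network_address} {p.hostmask}
access-list 100 deny ip {l.network_address} {l.hostmask} {p.network_address} {p.hostmask}
access-list 100 permit ip {l.network_address} {l.hostmask} any
"""

# First post (broken) and second post (fixed), constructed here from the thread's configs
R1_BAD = ios("Router1", "10.10.10.0/24", "1.1.1.1", "20.20.20.0/24", "1.1.1.2",
             "ip route 0.0.0.0 0.0.0.0 20.20.20.1\nip route 10.10.10.0 255.255.255.0 1.1.1.2", False)
R2_BAD = ios("Router2", "20.20.20.0/24", "1.1.1.2", "10.10.10.0/24", "1.1.1.1", "ip route 0.0.0.0 0.0.0.0 10.10.10.1", False)
R1_OK = ios("Router1", "10.10.10.0/24", "1.1.1.1", "20.20.20.0/24", "1.1.1.2", "ip route 0.0.0.0 0.0.0.0 1.1.1.2", True)
R2_OK = ios("Router2", "20.20.20.0/24", "1.1.1.2", "10.10.10.0/24", "1.1.1.1", "ip route 0.0.0.0 0.0.0.0 1.1.1.1", True)
```

`lint(R1_BAD, R2_BAD)` reports the missing `ip nat inside`/`outside` roles, a default route whose next hop 20.20.20.1 is not on any connected subnet, and the three weak-algorithm findings; `lint(R1_OK, R2_OK)` leaves only the weak-algorithm findings. `interesting(R1_OK, "1.1.1.1", "1.1.1.2")` is False, which is why a router-to-router ping shows nothing in `show crypto isakmp sa`, while `interesting(R1_OK, "10.10.10.5", "20.20.20.5")` is True: a ping from the PC on 10.10.10.0/24 to the PC on 20.20.20.0/24 is what should trigger IKE. Once it has, `show crypto isakmp sa` should list the peer in state QM_IDLE and the `#pkts encaps`/`#pkts decaps` counters in `show crypto ipsec sa` should climb with each ping, which is the real confirmation that the traffic is going through the tunnel rather than over the plain route.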
 
Might be a bug with Packet Tracer; it works fine in GNS3 with your config. Do you have access to any real IOS images? (2691 ideally, or 2600)

- GP

Oh yeah, I have IOS images that I could use; I've just never tried GNS3. I will give this a go at some point. I just wanted to ensure I have the basis of what is needed for a tunnel in the above configs; I have noticed a few little things amiss with Packet Tracer.
 