Cisco People - Setting up an IPSEC between two routers - Check inside for packet tracer lab

Hi all,

I am trying to set up a very simple IPSEC tunnel between two networks here, using just a PC on each LAN, a simple hub, and two routers dividing the two networks. I want to set up the IPSEC tunnel between router 1 and router 2.

[image: ciscoipsec.jpg]


Router 1 has the following interfaces configured

FastEthernet0/0
10.10.10.1 255.255.255.0

FastEthernet0/1
1.1.1.1 255.255.255.0


Router 2 has the following interfaces configured

FastEthernet0/0
20.20.20.1 255.255.255.0

FastEthernet0/1
1.1.1.2 255.255.255.0


I have set up the IPSec tunnel as per a guide on the web; here is the config of both routers. Now I can seem to ping between both networks, but I can't verify that the traffic is going over an encrypted VPN, or if it's just standard traffic on a "normal" route.

Router1 Config

Code:
Router1#show run
Building configuration...

Current configuration : 1123 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router1
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key firewallcx address 1.1.1.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 1.1.1.2
 set transform-set TS 
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1 
ip route 10.10.10.0 255.255.255.0 1.1.1.2 
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end




Router 2

Code:
Router2#show run
Building configuration...

Current configuration : 1128 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router2
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key firewallcx address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 1.1.1.1
 set transform-set TS 
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1 
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end


I have tried to use the show crypto session command in packet tracer which people suggest to use to verify the tunnel status but it doesn't like it.

Any help greatly appreciated :)

Many thanks
 
On one router enter the command "sh cry ips sa <peer x.x.x.x>" and have a look for encrypts listed there; that will tell you if data is being sent over the VPN. Running the same command on the other end should also show decrypts; they should match on both sides (encrypts to decrypts). On IOS, to see if the tunnel is up you can use "show cry isa sa". Your config however for the most part looks fine.

- GP

Edit - Your default routes look messed up
Edit 2 (I'm slow due to being at the GBBF today :( ) You're also missing your NAT statements on the inside/outside lists so you're not going over the tunnel.

On Router 1:

Take off static routes.
Add in ip route 0.0.0.0 0.0.0.0 1.1.1.2

int fa 0/0
ip nat inside
int fa 0/1
ip nat outside

On Router 2:

Take off static routes.
Add in ip route 0.0.0.0 0.0.0.0 1.1.1.1

int fa 0/0
ip nat inside
int fa 0/1
ip nat outside
 
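The reply above hinges on the NAT exemption line in access-list 100: on IOS, inside-to-outside NAT is applied before the crypto map is consulted, so LAN-to-LAN traffic that gets translated to the outside address no longer matches the VPN-TRAFFIC ACL and leaves in the clear. The following is an added example, not code from the thread or from Cisco: a small Python model of Router1's two ACLs (copied from the posted config) with Cisco wildcard-mask matching, evaluated in that NAT-then-crypto order. The outside address 1.1.1.1 is Router1's fa0/1 from the config; the packet addresses and the "no exemption" variant of the NAT list are constructed for the demonstration.

```python
import ipaddress

# Constructed ACL tables mirroring Router1's configuration in the thread
# (written out by hand here, not parsed from the router). Each entry is
# (action, src_net, src_wildcard, dst_net, dst_wildcard); "any" is 0.0.0.0
# with an all-ones wildcard.
ANY = ("0.0.0.0", "255.255.255.255")
NAT_ACL_100 = [
    ("deny",   "10.10.10.0", "0.0.0.255", "20.20.20.0", "0.0.0.255"),
    ("permit", "10.10.10.0", "0.0.0.255", *ANY),
]
VPN_TRAFFIC = [
    ("permit", "10.10.10.0", "0.0.0.255", "20.20.20.0", "0.0.0.255"),
]
# The same NAT list with the exemption line left out, to show what breaks.
NAT_ACL_NO_EXEMPT = [
    ("permit", "10.10.10.0", "0.0.0.255", *ANY),
]
OUTSIDE_ADDR = "1.1.1.1"  # Router1 fa0/1, the PAT address used by 'overload'


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src, dst):
    """First matching entry wins; no match hits the implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def forward(nat_acl, crypto_acl, src, dst):
    """Model Router1's inside-to-outside path: NAT is applied before the
    crypto map is consulted, so a source translated by NAT is checked
    against the crypto ACL with its new address.  Returns (path, src)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = OUTSIDE_ADDR
    if acl_lookup(crypto_acl, src, dst) == "permit":
        return ("ipsec", src)
    return ("clear", src)


if __name__ == "__main__":
    for nat_acl, label in ((NAT_ACL_100, "with exemption"),
                           (NAT_ACL_NO_EXEMPT, "without exemption")):
        print(label, forward(nat_acl, VPN_TRAFFIC, "10.10.10.5", "20.20.20.5"))
    print("internet-bound", forward(NAT_ACL_100, VPN_TRAFFIC, "10.10.10.5", "8.8.8.8"))
```

With the deny line present, 10.10.10.5 to 20.20.20.5 keeps its source and enters the tunnel; without it the packet is translated to 1.1.1.1, misses VPN-TRAFFIC and goes out unencrypted, which is exactly the "pings work but is it encrypted?" symptom the thread started with.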
When it's working you'll have something like this:

Code:
Router2#sh cry isa sa
dst             src             state          conn-id slot status
[B]1.1.1.2         1.1.1.1         QM_IDLE              1    0 ACTIVE[/B]

Router2#sh cry ips sa

interface: FastEthernet0/1
    Crypto map tag: CMAP, local addr 1.1.1.2

   protected vrf: (none)
   [B]local  ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)[/B]
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    [B]#pkts encaps: 5, #pkts encrypt: 5[/B], #pkts digest: 5
    [B]#pkts decaps: 5, #pkts decrypt: 5[/B], #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x610D0B5(101765301)

     inbound esp sas:
      spi: 0x810EBA74(2165226100)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4468458/3449)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x610D0B5(101765301)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4468458/3448)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Note the bits in bold:

The local and remote idents indicate the specific phase 2 tunnel pair (In this case, each LAN)

QM_IDLE = tunnel up for P1 and P2

Encaps and encrypts with corresponding decrypts means it's sending traffic over the VPN

Any more questions, fire away

- GP

Edit - Further confirmation its working:

"clear ip nat trans *" on each router
ping each PC
"sh ip nat trans" - the table should be empty
 
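The checks GP describes (QM_IDLE/ACTIVE in "sh cry isa sa", mirrored local/remote idents, and encrypts on one end matching decrypts on the other) are easy to get wrong by eye across two terminals. As an added example that is not part of the thread, here is a Python checker that parses trimmed copies of the two show outputs and applies those three checks. The Router2 text is constructed from the sample above, and the Router1 side is written by hand as its mirror image; the parser assumes the IOS 12.4 output layout shown in the reply and nothing else.

```python
import re

# Constructed sample output (not captured from the thread's lab): the Router2
# side is trimmed from the reply above, the Router1 side is written by hand so
# the two ends can be cross-checked.
ROUTER2_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.2         1.1.1.1         QM_IDLE              1    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

ROUTER2_IPSEC = """\
interface: FastEthernet0/1
    Crypto map tag: CMAP, local addr 1.1.1.2

   local  ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 0, #recv errors 0
"""

ROUTER1_IPSEC = """\
interface: FastEthernet0/1
    Crypto map tag: CMAP, local addr 1.1.1.1

   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
   current_peer 1.1.1.2 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 0, #recv errors 0
"""

# One data row of 'show crypto isakmp sa': dst src state conn-id slot status.
# The header row fails the \d+ groups, so it is skipped automatically.
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)$")
COUNTER = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")
IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER = re.compile(r"current_peer (\S+)")


def parse_isakmp_sa(text):
    """Return the phase 1 SAs as dicts with dst, src, state and status."""
    rows = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2),
                         "state": m.group(3), "status": m.group(6)})
    return rows


def parse_ipsec_sa(text):
    """Counters, phase 2 identities and peer from one 'show crypto ipsec sa' block."""
    info = {k: 0 for k in ("encaps", "encrypt", "decaps", "decrypt")}
    for name, value in COUNTER.findall(text):
        info[name] = int(value)
    for side, net, mask in IDENT.findall(text):
        info[side] = f"{net}/{mask}"
    m = PEER.search(text)
    info["peer"] = m.group(1) if m else None
    return info


def check_tunnel(isakmp_text, local_ipsec_text, remote_ipsec_text):
    """Apply the reply's checks: phase 1 up, identities mirrored, and each
    side's encrypts equal to the other side's decrypts.  Returns (ok, findings)."""
    findings = []
    up = [r for r in parse_isakmp_sa(isakmp_text)
          if r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"]
    if not up:
        findings.append("no QM_IDLE/ACTIVE ISAKMP SA: phase 1 never completed")
    local = parse_ipsec_sa(local_ipsec_text)
    remote = parse_ipsec_sa(remote_ipsec_text)
    if local.get("local") != remote.get("remote") or local.get("remote") != remote.get("local"):
        findings.append("phase 2 local/remote identities do not mirror each other")
    if local["encrypt"] == 0:
        findings.append("no packets encrypted: interesting traffic is not reaching the crypto map")
    if local["encrypt"] != remote["decrypt"]:
        findings.append(f"local encrypts {local['encrypt']} != remote decrypts {remote['decrypt']}")
    if remote["encrypt"] != local["decrypt"]:
        findings.append(f"remote encrypts {remote['encrypt']} != local decrypts {local['decrypt']}")
    return (not findings, findings)


if __name__ == "__main__":
    print(check_tunnel(ROUTER2_ISAKMP, ROUTER2_IPSEC, ROUTER1_IPSEC))
```

Feeding it the empty ISAKMP table the original poster saw in Packet Tracer (header row with no entries) reports phase 1 as never completed, which is the right diagnosis before looking at any phase 2 counters at all.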
Brilliant thanks :) will have another go at this today, many thanks for your help, will let you know how I get on.

Just trying now

The show crypto ipsec sa command doesn't appear to be working in Packet Tracer.

I have run show cry isa sa but it comes up with the below, no state displaying

Router1#show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status

IPv6 Crypto ISAKMP SA


I have updated the configs on both routers as per what you mentioned, but I am still getting nothing when I do the show cry isa sa command. I have run a ping command from router 1 to router 2 (1.1.1.2) and it started responding after the 2nd attempt; I was hoping that would bring up the tunnel.



Router 1

Code:
Router1#show run
Building configuration...

Current configuration : 1108 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router1
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key firewallcx address 1.1.1.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 1.1.1.2
 set transform-set TS 
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2 
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end




Router 2

Code:
Router2#show run
Building configuration...

Current configuration : 1156 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router2
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key firewallcx address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 1.1.1.1
 set transform-set TS 
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map CMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1 
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end
 
Might be a bug with Packet Tracer - works fine in GNS3 with your config. Do you have access to any real IOS images? (2691 ideally, or 2600)

- GP
 
Oh yeah, I have IOS images that I could use, just never tried GNS3. I will give this a go at some point; I just wanted to ensure I have the basis of what is needed for a tunnel in the above configs. I have noticed a few little things amiss with Packet Tracer.
 
PT is only a simulator rather than an emulator, as you probably well know - it's never going to be as good as working directly on the images. If you have the images then use GNS3 for bits like this - it's pretty easy to set up, just make sure you set the idle PC value for each router model (plenty of info around this on Google)

- GP
 