Cisco Router - Router IPSec Vpn Problems

Greetings, I've set up a lab consisting of three 2610 routers running 12.3(6) 2610-2613 Enterprise Basic IOS and a 3640 running a standard IP Base image.

I'm trying to get an IPSec site-to-site VPN between two of the routers, but after inputting the IPSec configuration I cannot get any SA activity on either router.

The routers are connected to the central 3640 via serial links with inside and outside addresses; I can successfully ping between routers and hosts using the outside IP addresses.

Configurations


Router A
Code:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wg_ro_a
!
boot-start-marker
boot-end-marker
!
!
username icadmin privilege 15 secret 5 $1$xG62$ks5JzJ0cUdd4pk5zyh4jV0
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
ip dhcp excluded-address 192.168.3.1 192.168.3.10
!
ip dhcp pool Data
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1 
   dns-server 192.168.3.1 
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string 
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key siviter address 3.3.3.2
!
!
crypto ipsec transform-set wgset esp-3des 
!
crypto map wgmap 1 ipsec-isakmp 
 description ****** Link to wg_ro_b ******
 set peer 3.3.3.2
 set security-association lifetime seconds 86400
 set transform-set wgset 
 set pfs group2
 match address 100
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination 
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Serial0/0
 bandwidth 2048
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 clockrate 128000
 no fair-queue
 crypto map wgmap
!
router eigrp 99
 network 2.2.2.0 0.0.0.3
 no auto-summary
!
ip nat inside source route-map nonat interface Serial0/0 overload
ip http server
no ip http secure-server
ip classless
!
!
access-list 100 remark ****** Link to wg_ro_a ******
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 remark ****** NAT ACL  ******
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
!
route-map nonat permit 10
 match ip address 101
!
!
!
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
 login local
line vty 0 4
 login local
!
!
!
end

Router B

Code:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wg_ro_b
!
boot-start-marker
boot-end-marker
!
!
username icadmin privilege 15 secret 5 $1$xG62$ks5JzJ0cUdd4pk5zyh4jV0
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool Data
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1 
   dns-server 192.168.4.1 
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string 
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key siviter address 2.2.2.2
!
!
crypto ipsec transform-set wgset esp-3des 
!
crypto map wgmap 2 ipsec-isakmp 
 description ****** Link to wg_ro_a ******
 set peer 2.2.2.2
 set security-association lifetime seconds 86400
 set transform-set wgset 
 set pfs group2
 match address 100
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination 
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Serial0/0
 bandwidth 2048
 ip address 3.3.3.2 255.255.255.252
 ip nat outside
 clockrate 128000
 no fair-queue
 crypto map wgmap
!
router eigrp 99
 network 3.3.3.0 0.0.0.3
 no auto-summary
!
ip nat inside source route-map nonat interface Serial0/0 overload
ip http server
no ip http secure-server
ip classless
!
!
access-list 100 remark ****** Link to wg_ro_a ******
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 remark ****** NAT ACL  ******
access-list 101 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
!
route-map nonat permit 10
 match ip address 101
!
!
!
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
 login local
line vty 0 4
 login local
!
!
!
end


I've also tried using the debug commands available but am unable to get any output.

Any help would be much appreciated.
 
Cheers for the reply, I've managed to get it to come up by pinging from a host on the inside network; previously I was pinging from the router itself.

Just a quick question: suppose I was to configure another site-to-site VPN to the third router, would I just need to add its outside IP to the list of peers and adjust the access lists accordingly?

Router A

crypto isakmp key siviter address 3.3.3.2 (Router B)
crypto isakmp key siviter address 4.4.4.2 (Router C)

crypto map wgmap 2 ipsec-isakmp
set peer 3.3.3.2
set peer 4.4.4.2
set transform-set wgset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000


Router B

crypto isakmp key siviter address 2.2.2.2 (Router A)
crypto isakmp key siviter address 4.4.4.2 (Router C)

crypto map wgmap 2 ipsec-isakmp
set peer 2.2.2.2
set peer 4.4.4.2
set transform-set wgset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000


Router C

crypto isakmp key siviter address 2.2.2.2 (Router A)
crypto isakmp key siviter address 3.3.3.2 (Router B)

crypto map wgmap 2 ipsec-isakmp
set peer 2.2.2.2
set peer 3.3.3.2
set transform-set wgset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000
 
While that may be the case, it's not valid in this config as the ACL is being used in a route-map, and that route-map is then being called to do the NAT in the 'overload' statement:
"ip nat inside source route-map nonat interface Serial0/0 overload"

All that ACL is doing is stopping 'interesting' traffic from being NATted so that it can then get picked up in the crypto map, and then allowing 'anything else' to pass through; that 'anything else' would then be NATted in the 'overload' statement, so it would only really be 'inside' addresses anyway.

Sorry for the hijack Curiosityx!

Kev

Hijack away, I'm very keen to pick up any pointers :)
 