
IPSEC Site-To-Site VPN
Hello Everyone,
I have a homelab and I configured a site-to-site VPN, but the problem is that pings are unsuccessful. In configuring this topology I followed these simple steps. Please help me find where I went wrong with the configuration. I don't use SDM / PDM yet, because I want to know the basics first. Thanks in advance...
Consider this topology:
PIX501 --------- Internet ---------- C2691(R1)
IP behind PIX: 192.168.1.0 /24
IP behind R1: 192.168.1.0 /24
Internet-facing IP: 1.1.1.1 /30
Internet-facing IP: 2.2.2.2 /30
My steps in configuring the S2S VPN tunnel:
Step 1. Configure NAT.
PIX(Config)# nat (INSIDE) 1 192.168.1.0 255.255.255.0
PIX(Config)# nat (OUTSIDE) 1 1.1.1.1 255.255.255.252
Step 2. Set default route.
PIX(Config)# route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.2 1
Step 3. IKE Phase 1. [main mode]
PIX(Config)# isakmp enable outside
PIX(Config)# crypto isakmp policy 1
PIX(config-crypto-policy)# authentication pre-share
PIX(config-crypto-policy)# hash sha
PIX(config-crypto-policy)# group 2
PIX(config-crypto-policy)# encryption 3des
PIX(config-crypto-policy)# exit
PIX(config)# crypto isakmp key cisco address 2.2.2.2 netmask 255.255.255.252
PIX(config)#
Step 4. IKE Phase 2, IPsec policy to use in the IPsec tunnel. [Quick Mode]
PIX(config)# crypto ipsec transform-set MYSET esp-sha-hmac esp-3des
Step 5. Mapping the policy above. I configure an ACL to match the traffic to be encrypted with ESP.
PIX(config)# crypto map MYMAP 10 ipsec-isakmp
PIX(config)# crypto map MYMAP 10 set transform-set MYSET
PIX(config)# crypto map MYMAP 10 set peer 2.2.2.2
PIX(config)# access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
PIX(config)# crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
PIX(config)#
Step 6. Apply to interface.
PIX(config)# crypto map MYMAP interface OUTSIDE
Note: Same Procedure that I followed for the router config.
Comments
appear on your configuration.
What interesting traffic are you matching on the other side?
The nat IP range or the real IP range?
Is there a reason you want to nat the inside traffic or would it be ok to do a nat exempt?
I agree with the above. Firstly, you are lacking the global command for NATing.
Secondly, you need to check what you are matching on the traffic ACL on the router.
You would also do well to enable logging and check what the log messages say.
Thanks for your replies. Okay, here's my config for the FW and router.
FW
PIX Version 7.2(2)
!
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
!
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.1.0 255.255.255.0
!
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
!
: end
ROUTER
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
crypto pki certificate chain TP-self-signed-998521732
certificate self-signed 01 nvram:IOS-Self-Sig#3201.cer
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
!
crypto map MYMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set MYSET
match address TO_ENCRYPT_TRAFFIC
!
!
!
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 172.21.1.0 255.255.255.0 2.2.2.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
!
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
!
!
end
Hi,
Can you please provide the output of the following commands? We need to understand if IPSec is failing at phase 1 or phase 2.
- sh crypto isakmp sa (router,pix)
- debug crypto isakmp (router)
- debug crypto isakmp 10 (pix)
One thing I did not understand is why you configured:
1) the ip route command on the router. Why does the local LAN point to the WAN?
Also, you did not configure NO NAT on your PIX, only on the router. Try to add the following on your PIX:
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
!
nat (INSIDE) 0 access-list NO_NAT
HTH
Good luck!
Hello qqabdal,
To answer your questions:
1.) For the IP route command: because the 172.21.1.0 /24 and 192.168.1.0 /24 networks are also allowed to reach the Internet (Google, Yahoo, etc.).
2.) sh crypto isakmp sa for PIX and ROUTER:
PIX# sh crypto isakmp sa
There are no isakmp sas
R9#sh crypto isakmp sa
dst src state conn-id slot status
3. Debug on PIX and ROUTER:
- NO ACTIVITY HAPPENED (no debug output)
4. Updated config:
FW
PIX Version 7.2(2)
!
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
!
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
!
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
!
: end
ROUTER
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
crypto pki certificate chain TP-self-signed-998521732
certificate self-signed 01 nvram:IOS-Self-Sig#3201.cer
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
!
crypto map MYMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set MYSET
match address TO_ENCRYPT_TRAFFIC
!
!
!
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 172.21.1.0 255.255.255.0 2.2.2.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
!
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
!
!
end
Hello tau1z,
The traffic that I have to encrypt is:
172.21.1.0 /24 behind PIX
and
192.168.1.0 /24 behind ROUTER
On the updated config, I added the exemption but still could not ping the other end.
FOR PIX:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
nat (INSIDE) 0 access-list nonat
FOR ROUTER:
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
Hi,
Have you generated interesting traffic to trigger IPSec?
I guess that the static route is not needed; as this is a directly connected network, you don't need the static route.
Try generating interesting traffic and running the debugs, you should see activity if you source traffic from 192.168.1.0 destined to 172.21.1.0.
This is what happens when I remove the route:
PIX# ping 172.21.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.21.1.1, timeout is 2 seconds:
No route to host 172.21.1.1
Success rate is 0 percent (0/1)
The interesting traffic that you mean is the traffic that will be encrypted inside the VPN tunnel? Yes, I have it: the 172.21.1.0 /24 and 192.168.1.0 /24 networks.
Hang on a sec (just in case there is some misunderstanding here). I am not asking to remove the default route on the PIX. This route should remain there:
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
I am referring to the static route on the router side:
ip route 172.21.1.0 255.255.255.0 2.2.2.1
Hello qqabdal,
Okay, I placed the PIX default route back and removed the router's default route, but pings are still unsuccessful.
The reason why I configured a default route on the PIX and router is that behind those devices are my internal networks, which use internal private IP addresses. Yes, on the topology I've shown the ip route doesn't make any sense, but I just included it there as if I were configuring my real production network. The actual connection will be that the router / PIX will be connected to a modem and then the Internet.
mactej6228,
Please clarify some stuff for me, but before that:
As I saw in your previous post, you are originating the ping from the PIX itself. Do you know which source IP the PIX will be using to send the ICMP traffic?
Please try to ping from behind the PIX, NOT from the PIX itself. If that doesn't work, let me know.
On May 4, 2013, at 15:45, mactej6228 <[email protected]> wrote:
momari
I also tried to ping from the other end (R9), but still unsuccessful. Pings to their directly connected networks are successful, but end-to-end (PIX to the other site's router) they are unsuccessful:
Site 1: PIX internal Network: 192.168.1.0 /24
Site 2: R9 internal Network: 172.21.1.0 /24
_____________________________________________
PIX# ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/50 ms
PIX# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
PIX#
________________________________
R9#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/28/80 ms
R9#ping 172.21.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.21.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/20/32 ms
R9#
_________________________________________________
R9#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R9#
I replicated your config on Dynamips and I was able to make it work without any issues. You need:
1) nat 0 statement on PIX to bypass nat
2) default route on PIX
3) default route on router
Here are my configs:
PIX:
PIX(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
pager lines 24
no logging message 402128
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list NO_NAT
nat (INSIDE) 1 192.168.1.0 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
prompt hostname context
ISP_ROUTER(config)#do sh run
ip address 1.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 2.2.2.1 255.255.255.0
duplex auto
speed auto
LAN_1:
LAN_1(config)#do sh run
!
interface FastEthernet0/0
ip address 192.168.1.10 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
LAN_2:
LAN_2(config)#do sh run
!
interface FastEthernet0/0
ip address 172.21.1.10 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 172.21.1.1
@qabdal,
We have the same configuration; I just couldn't figure out why it won't work on my end. Here's my PIX and router config. I also tried to ping from my ISP router to the other end's ISP router, and it's successful:
PIX# sh run
: Saved
:
PIX Version 7.2(2)
!
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
!
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name aida.com
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username mark password MwHKvxGV7kdXuSQG encrypted
http server enable
http 192.168.1.3 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
: end
ROUTER:
R9#sh run
Building configuration...
Current configuration : 3313 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name aida.com
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
!
!
crypto pki certificate chain TP-self-signed-998521732
A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
9EE305FF 63
quit
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set MYSET
match address TO_ENCRYPT_TRAFFIC
!
!
!
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
!
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
!
!
end
Hi,
Right. I would recommend the following set of tests to be performed.
On the PIX:
- Enable debug crypto isakmp 10
- Ping a host in the 172.21.1.x network sourcing the ping from 192.168.1.x network
- You MUST see messages from the debug on the PIX, as there will be interesting traffic triggering the tunnel formation (post that output for me)
On the Router:
- Enable debug crypto isakmp
- Ping a host in the 192.168.1.x network sourcing the ping from 172.21.1.x network
- You will see debug messages on the router due to the interesting traffic sent (post that output for me)
Thanks!
Hello qqabdal,
YES, FINALLY! IT WORKS NOW... THANKS A LOT, BRO!
The configuration actually works as you said. My mistake was that I made the ping on the router/PIX, so the source IP did not originate on the local network of either device (PIX/ROUTER). I attached a PC on both ends and pinged each end.
Mark,
That makes a lot of sense: if you don't source the traffic correctly, the traffic does not match your ACL, you don't have interesting traffic, and consequently IPSec is not triggered.
Glad to hear that it is working now!
Take care!
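As an added illustration of the three things this thread ends up checking (mirror-image crypto ACLs on the two peers, a PIX nat 0 exemption that covers everything the crypto ACL selects, and a ping whose source address actually matches the interesting-traffic ACL), here is a small Python checker. It is not part of the thread and not a Cisco tool; the ACL lines it parses are constructed samples shaped like the configs posted above, it resolves PIX `name` aliases, it handles only single `permit ip` entries with contiguous masks, and every function name in it is my own.

```python
"""Sanity checks for a PIX <-> IOS site-to-site IPsec pair (constructed example)."""
import ipaddress
import re

# Constructed sample lines, shaped like the PIX and IOS configs in the thread.
PIX_NAME_LINES = ["name 172.21.1.0 network2 description n2"]
PIX_CRYPTO_LINES = [
    "access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0",
]
PIX_NONAT_LINES = [
    "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0",
]
IOS_CRYPTO_LINES = ["permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255"]

_PIX_ACE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
_IOS_ACE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_pix_names(lines):
    """Map PIX 'name <addr> <alias>' entries to their literal addresses."""
    names = {}
    for line in lines:
        m = re.match(r"name\s+(\S+)\s+(\S+)", line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _net(addr, netmask):
    # PIX ACLs use ordinary subnet masks.
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _net_from_wildcard(addr, wildcard):
    """IOS ACLs use inverted (wildcard) masks; invert explicitly so 0.0.0.0 means a /32 host."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # raises on non-contiguous wildcards


def parse_pix_ace(line, names=None):
    """Return (src_net, dst_net) for one PIX 'extended permit ip' entry, resolving name aliases."""
    m = _PIX_ACE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported PIX ACE: {line}")
    src, smask, dst, dmask = (names.get(t, t) if names else t for t in m.groups())
    return _net(src, smask), _net(dst, dmask)


def parse_ios_ace(line):
    """Return (src_net, dst_net) for one IOS 'permit ip' entry."""
    m = _IOS_ACE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported IOS ACE: {line}")
    src, swild, dst, dwild = m.groups()
    return _net_from_wildcard(src, swild), _net_from_wildcard(dst, dwild)


def is_mirror(local, remote):
    """Phase 2 proxy IDs must be exact mirror images: every (src, dst) here is (dst, src) there."""
    local, remote = set(local), set(remote)
    return all((d, s) in remote for s, d in local) and all((d, s) in local for s, d in remote)


def nat_exempt_covers(crypto, nonat):
    """The nat 0 ACL must cover every flow the crypto ACL selects, or PAT rewrites the source first."""
    return all(any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat) for s, d in crypto)


def is_interesting(crypto, src_ip, dst_ip):
    """Would a packet src -> dst match the crypto ACL and so bring the tunnel up?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in crypto)


def diagnose(pix_name_lines, pix_crypto_lines, pix_nonat_lines, ios_crypto_lines, probes):
    """Run all three checks from the PIX side and report which probe flows would trigger IPsec."""
    names = parse_pix_names(pix_name_lines)
    pix_crypto = [parse_pix_ace(l, names) for l in pix_crypto_lines]
    pix_nonat = [parse_pix_ace(l, names) for l in pix_nonat_lines]
    ios_crypto = [parse_ios_ace(l) for l in ios_crypto_lines]
    return {
        "acls_mirror": is_mirror(pix_crypto, ios_crypto),
        "pix_nat_exempt_ok": nat_exempt_covers(pix_crypto, pix_nonat),
        "pix_probe_interesting": {f"{s}->{d}": is_interesting(pix_crypto, s, d) for s, d in probes},
    }


if __name__ == "__main__":
    # Probes mirror the thread: a LAN host pinging across, versus the PIX pinging from its own outside address.
    report = diagnose(PIX_NAME_LINES, PIX_CRYPTO_LINES, PIX_NONAT_LINES, IOS_CRYPTO_LINES,
                      [("192.168.1.10", "172.21.1.10"), ("1.1.1.1", "172.21.1.1")])
    for key, value in report.items():
        print(f"{key}: {value}")
```

The second probe is the thread's actual failure mode: a ping issued on the PIX itself leaves from the outside interface address, which is not in the crypto ACL, so no SA is ever negotiated and `debug crypto isakmp` stays silent. Running the checker with an empty nat 0 list reproduces the first reply's point, that without the exemption the crypto ACL is not covered.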