Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IPSEC problems

Status
Not open for further replies.

2836Net

MIS
Oct 9, 2009
7
US
I am having a problem setting up an ipsec tunnel on a new remote site. When I do a "show crypto isakmp sa" it says everything is active, and when I do a "show crypto ipsec sa" it says it is connected but nothing is being encrypted. Here are the configs on both sides:

remote router:

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key MYRM-Core--PDC-shar3d-k3y address 192.168.55.1

crypto ipsec transform-set MYRM-sites-AES esp-aes 256 esp-sha-hmac

crypto map PDC-map 10 ipsec-isakmp
set peer 192.168.55.1
set transform-set MYRM-sites-AES
match address MYRM-Core

interface FastEthernet0/0
description Embarq Ethernet 5MB Circuit# XX.XXXX.XXXX.UFLG
no ip address
duplex full
speed auto
service-policy output qos-out
crypto map MYRM-map

ip access-list extended MYRM-Core
remark source/destination for Core IPSec Tunnel
permit ip any any

Main Router:

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2

crypto isakmp key MYRM-Core--PDC-shar3d-k3y address 192.168.55.11
crypto isakmp invalid-spi-recovery

crypto ipsec transform-set CCSO-sites-AES esp-aes 256 esp-sha-hmac

crypto map EtherCloud-map 100 ipsec-isakmp
set peer 192.168.55.11
set transform-set MYRM-sites-AES
match address MYRM-PDC

interface GigabitEthernet0/3.55
description EtherCloud Interface - PDC
encapsulation dot1Q 55
ip address 192.168.55.1 255.255.255.224
ip flow ingress
ip flow egress
no snmp trap link-status
crypto map EtherCloud-map

ip access-list extended MYRM-PDC
remark source/destination for VoTech IPSec Tunnel
deny ip host 27.27.27.230 192.168.2.0 0.0.0.255
deny ip host 27.27.27.251 host 192.168.2.12
deny ip host 27.27.29.40 host 192.168.2.12
permit ip 27.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
permit ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.25
permit ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
permit ip 162.143.0.0 0.0.255.255 192.168.2.0 0.0.0.255
remark source/destination for VoTech IPSec Tunnel
 
is 192.168.2.0/24 the network behind the remote router?? how is there a tunnel setup with no ip address on the remote routers interface?? is all traffic from the remote router being routed back over to the main location??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
You don't have an acl for interesting traffic on the remote, and the main is not protecting your LAN behind the router (directly connected). Also, what's with the public IP block in the crypto acl?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
192.168.2.0 is the subnet on the remote router, I hadn't included that interface because the traffic on the WAN interface is what I want to encrypt. In the ACL I had interesting traffic, but changed it to allow any traffic just to see if it would work. The actual acl that I want on the remote is as follows:

ip access-list extended MYRM-Core
remark source/destination for Core IPSec Tunnel
deny ip any host 27.27.27.230
deny ip host 192.168.2.12 host 27.27.27.251
deny ip host 192.168.2.12 host 27.27.29.40
permit ip 192.168.2.0 0.0.0.255 27.0.0.0 0.255.255.255
permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.2.0 0.0.0.255 162.143.0.0 0.0.255.255

Thanks for your thoughts!
 
Now to answer our other ?...how can the tunnel be up with no IP address on the fa0/0 int of the remote?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
I see your point, there is a sub interface, and I have the crypto map on the physical interface. Let me take a look at my config and make sure that isn't a typo. Thanks all!
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top