[c-nsp] Having trouble bringing up a IPSEC tunnel, pointers?
Scott Granados
gsgranados at comcast.net
Wed May 30 22:27:59 EDT 2007
Chris, sure, find the configs attached. I left the addressing intact as this
is purely a lab / non-production configuration. I have no other ACLs in
place as, again, this is a lab environment. There is a Samsung DSLAM providing
access (T1 via frame and DSL), and a Redback 800 as BRAS. I do not have the
configurations for these devices as I don't touch them directly, but they
seem to be configured with no filtering.
2600 config
write t
Building configuration...
Current configuration : 2603 bytes
!
! Last configuration change at 18:46:14 pst Wed May 30 2007
! NVRAM config last updated at 09:48:59 pst Wed May 30 2007
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname l3testcpe
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
!
resource policy
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
no ip dhcp use vrf connected
!
!
!
!
ip cef
ip sla monitor 1
type echo protocol ipIcmpEcho 172.16.100.1 source-ipaddr 172.16.100.2
timeout 1000
threshold 15
frequency 3
ip sla monitor schedule 1 life forever start-time now
!
!
!
voice service voip
no allow-connections any to pots
no allow-connections pots to any
allow-connections h323 to h323
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
track 1 rtr 1 reachability
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key testkey address 10.100.0.146
no crypto isakmp ccm
!
!
crypto ipsec transform-set vpntransform esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 10.100.0.146
set transform-set vpntransform
match address 100
!
!
!
!
interface ATM0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
dsl enable-training-log
!
interface ATM0/0.1 point-to-point
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 10.200.100.1 255.255.255.0
speed 100
full-duplex
!
interface Serial0/1
no ip address
encapsulation frame-relay IETF
no dce-terminal-timing-enable
!
interface Serial0/1.1 point-to-point
ip address 172.16.100.2 255.255.255.252
frame-relay interface-dlci 16 IETF
crypto map vpn
!
interface Dialer1
ip address negotiated
ip mtu 1492
encapsulation ppp
dialer pool 1
ppp chap hostname bzsub100 at bz8
ppp chap password 0 covad
no ppp chap wait
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.141.1
ip route 10.100.0.144 255.255.255.248 172.16.100.1
ip route 10.100.0.144 255.255.255.248 192.168.157.1 254
ip route 66.201.32.0 255.255.224.0 Dialer1 254
!
!
!
access-list 100 permit ip 10.200.100.0 0.0.0.255 10.200.200.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line 33 48
line aux 0
line vty 0 4
login
!
end
l3testcpe#
and 7206VXR
write t
Building configuration...
Current configuration : 1671 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname l3mgmttest
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T3 5/0
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key testkey address 172.16.100.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set vpntransform esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.100.2
set transform-set vpntransform
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 192.168.141.99 255.255.255.0
duplex full
speed 100
!
interface FastEthernet0/1
ip address 10.100.0.146 255.255.255.248
duplex full
speed 100
crypto map vpn
!
interface FastEthernet1/0
ip address 10.200.200.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet4/0
no ip address
shutdown
duplex half
!
ip default-gateway 192.168.141.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.141.1
ip route 172.16.100.0 255.255.255.252 10.100.0.145
ip route 192.168.157.0 255.255.255.0 10.100.0.145
!
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip 10.200.200.0 0.0.0.255 10.200.100.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
l3mgmttest#
Note in this case I cut and pasted the configs from the Cisco examples. Any
pointers would be appreciated, thanks!
Scott
----- Original Message -----
From: "ChrisSerafin" <chris at chrisserafin.com>
To: "comcast mail" <gsgranados at comcast.net>
Cc: <cisco-nsp at puck.nether.net>
Sent: Wednesday, May 30, 2007 4:39 PM
Subject: Re: [c-nsp] Having trouble bringing up a IPSEC tunnel, pointers?
> Please post a full sanitized config. You may have ACLs blocking
> IPSEC/ISAKMP traffic in or out.
>
> Chris Serafin
> chris at chrisserafin.com
>
>
> comcast mail wrote:
>> Hi, I'm trying to configure a vpn from a 2610XM to a 7206VXR NPE400 and
>> not having much luck (or debug output).
>>
>> Router A (2610) has 1 FAST E and one Serial
>>
>> fast E 0/0 has an IP of 10.200.100.1/24
>> Serial 0/1.1 has a frame connected IP of 172.16.100.2 and a DLCI of 16
>>
>> the 7206 has a fast E 1/0 with an IP of 10.200.200.1/24
>> and another fast E of 10.100.0.146
>> On the 2600 side, I have the following crypto commands
>>
>> crypto isakmp policy 10
>> encr aes 256
>> group 2
>> hash sha
>> crypto isakmp key 6 testkey address 10.100.0.146 (far end peer on 7206)
>> crypto ipsec transform vpntransform esp-aes 256 esp-sha
>>
>> crypto map vpn 10 ipsec-isa
>> set peer 10.100.0.146
>> set transform vpntransform
>> match address 100
>>
>> and the ACL
>> access-list 100 permit ip 10.200.100.0 0.0.0.255 10.200.200.0 0.0.0.255
>>
>>
>> For completeness, the serial
>> serial 0/1.1 point
>> ip 172.16.100.2 255.255.255.252
>> frame interface-dlci 16
>> crypto map vpn
>>
>> On the 7206 VXR I have
>>
>> crypto isakmp policy 10
>> encr aes 256
>> hash sha
>> group 2
>> crypto isakmp key 6 testkey address 172.16.100.2 (2600 serial address for
>> peer)
>> crypto ipsec transform vpntransform esp-aes 256 esp-sha
>>
>> crypto map vpn 10 ipsec-isa
>> set peer 172.16.100.2
>> set transform vpntransform
>> match address 100
>>
>> and the acl
>> access-list 100 permit ip 10.200.200.0 0.0.0.255 10.200.100.0 0.0.0.255
>>
>> on the fast E 0/1
>> ip addr 10.100.0.146
>> crypto map vpn
>>
>> When I complete the configuration if I try to use an extended ping and
>> originate traffic from the fast E on the 2600 it simply times out when
>> reaching the 7206 and the reverse path also has the same results. When I
>> enable debugging
>> debug crypto isakmp
>> debug crypto ipsec
>> debug crypto engine
>>
>> I don't get any debug output other than when I apply the maps to the
>> interfaces
>> when I apply map vpn to serial 0/0.1 for example on the 2600 I get a
>> callback no matching SA found for 0.0.0.0/0.0.0.0
>>
>> I tried to match the config to the lan to lan IPSEC config example that
>> Cisco provides but no luck, what am I missing? Also, I'm running
>> c2600-ik9s-mz.123-14.T7 and c7200-ik9s-mz.12-14.T7 on each unit
>> respectively. One last datapoint, I have connectivity that's verified
>> between 172.16.100.2 and 10.100.0.146 I can ping and telnet from one to
>> the other and I tested that the path is symmetrical between both routers.
>> Any help would be appreciated.
>>
>> Thank you!
>> Scott
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
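As an added example (not from the post, and not Cisco's tooling), a small Python checker that pulls the crypto parameters out of the two configs pasted above and reports any asymmetry between the peers: ISAKMP policy attributes, transform-set proposals, each side's peer and pre-shared-key address against the other side's crypto-map interface, and whether the two access-list 100 entries mirror each other. The function names are my own, and the config fragments are trimmed copies of the 2600 (A) and 7206 (B) configs in the message.

```python
import re

# Crypto-relevant lines trimmed from the two configs posted above (A = 2600, B = 7206).
CFG_A = """\
crypto isakmp policy 10
 encr 3des
crypto isakmp key testkey address 10.100.0.146
crypto ipsec transform-set vpntransform esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 10.100.0.146
interface Serial0/1.1 point-to-point
 ip address 172.16.100.2 255.255.255.252
 crypto map vpn
access-list 100 permit ip 10.200.100.0 0.0.0.255 10.200.200.0 0.0.0.255"""
CFG_B = """\
crypto isakmp policy 10
 encr 3des
crypto isakmp key testkey address 172.16.100.2
crypto ipsec transform-set vpntransform esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.100.2
interface FastEthernet0/1
 ip address 10.100.0.146 255.255.255.248
 crypto map vpn
access-list 100 permit ip 10.200.200.0 0.0.0.255 10.200.100.0 0.0.0.255"""

def parse(cfg):
    """Pull out the IKE/IPsec parameters that must agree between the two peers.
    'local' is the address of the interface that carries 'crypto map vpn'."""
    g = lambda pat: next(iter(re.findall(pat, cfg, re.M)), None)  # group 1 of first match, or None
    policy = g(r"^crypto isakmp policy 10\n((?: .+\n)+)") or ""
    return {
        "policy": {ln.strip() for ln in policy.splitlines()},
        "transform": g(r"^crypto ipsec transform-set \S+ (.+)$"),
        "key_addr": g(r"^crypto isakmp key \S+ address (\S+)"),
        "peer": g(r"^ set peer (\S+)"),
        "local": g(r"^ ip address (\S+) \S+\n(?: .*\n)*? crypto map vpn"),
        "acl": g(r"^access-list 100 permit ip (.+)$"),
    }

def check(a, b):
    """List the asymmetries between side A and side B; an empty list means they mirror each other."""
    issues = []
    if a["policy"] != b["policy"]: issues.append("isakmp policy 10 attributes differ")
    if a["transform"] != b["transform"]: issues.append("transform-set proposals differ")
    for n, x, y in (("A", a, b), ("B", b, a)):
        if x["peer"] != y["local"]: issues.append(f"{n}: set peer {x['peer']} is not the other side's crypto-map interface")
        if x["key_addr"] != x["peer"]: issues.append(f"{n}: pre-shared key is bound to {x['key_addr']}, not to peer {x['peer']}")
    sa, sb = (a["acl"] or "").split(), (b["acl"] or "").split()
    if sa != sb[2:] + sb[:2]: issues.append("access-list 100 entries are not mirror images of each other")
    return issues

if __name__ == "__main__": print(check(parse(CFG_A), parse(CFG_B)) or "crypto parameters are symmetric")
```

For the two configs above it returns an empty list, so the crypto parameters themselves agree and the next thing to confirm is whether traffic matching access-list 100 actually reaches the interfaces that carry the crypto map.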