[c-nsp] IPSEC VPN

Peter Rathlev peter at rathlev.dk
Mon Aug 10 16:12:25 EDT 2009


On Mon, 2009-08-10 at 22:20 +0300, Mohammad Khalil wrote:
> I configured the below on GNS3 simulator
> 
> Router(config)#crypto isakmp policy 1
> Router(config-isakmp)#authentication pre-share
> Router(config)#crypto isakmp key VPNKEY address x.x.x.x
> Router(config)#access-list extended LIST
> Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> Router(config)#crypto ipsec transform-set SET
> Router(config)#crypto map MAP 10 ipsec-isakmp
> Router(config-crypto-map)#set peer x.x.x.x
> Router(config-crypto-map)#set transform-set SET
> Router(config-crypto-map)#match address LIST
> Router(config)#interface f0/0
> Router(config-if)#crypto map MAP
> 
> and I'm trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks) but
> I'm not able to, and the show crypto isakmp sa produces empty o/p
> 
> Am I missing something here?

That's hard to say without knowing what's in the other end. :-) Or are
both ends configured the same?

You haven't defined any explicit encryption or hashing in your ISAKMP
policy. AFAICT a 7200 running 12.4 defaults to single DES encryption and
SHA hashing with a lifetime of 86400 seconds.

I don't understand the "crypto ipsec transform-set SET"; wasn't there
supposed to be an IPSec transform set after this? Like "esp-aes 128
esp-sha-hmac"?

Otherwise, as Michael mentions, debug is a good thing. A "debug crypto
isakmp" probably tells relevant things. (Though this seems to be IOS and
not PIX.)

We have something like this in a working configuration:

 ip access-list extended SomeCryptoACL
  permit gre host 10.0.0.2 host 10.0.0.1
 !
 crypto isakmp policy 15
  encr 3des
  hash md5
  authentication pre-share
  lifetime 43200
 !
 crypto keyring SomeKeyRing
  pre-shared-key address 10.0.0.1 key SomeKey
 !
 crypto isakmp profile SomeISAKMPProfile
  keyring SomeKeyRing
  match identity address 10.0.0.1 255.255.255.255 
  initiate mode aggressive
 !
 crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac 
 !
 crypto map SomeCryptoMap 5 ipsec-isakmp 
  description Some description
  set peer 10.0.0.1
  set transform-set MD5_3DES
  set isakmp-profile SomeISAKMPProfile
  match address SomeCryptoACL
 !
 interface GigabitEthernet0/1
  ip address 10.0.0.2 255.255.255.0
  crypto map SomeCryptoMap
 !

This isn't best practice, but it does work.

Regards,
Peter
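As an added illustration (not part of the thread, and not a Cisco tool), the small checker below walks a running-config-style crypto snippet and reports the gaps Peter raises: an ISAKMP policy with no explicit encryption or hash, so the platform default (single DES on older IOS) silently applies, and a transform-set declared with no transforms at all. It also flags the algorithms in his admittedly not-best-practice working config (3DES, MD5). The three sample configurations, the RFC 5737 peer address 192.0.2.1 and the finding wording are all constructed for this example.

```python
"""Lint an IOS-style crypto configuration for the issues discussed above.

Constructed example: parses the "header line + indented children" layout of
an IOS running config and flags missing or weak ISAKMP/IPsec settings.
"""

# Algorithms a reviewer would flag today (constructed policy, not a vendor list).
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_ios(config: str):
    """Return [(header, [child lines])]; a non-indented line starts a section,
    indented lines belong to the most recent section, '!' separators are dropped."""
    sections = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            sections.append(current)
    return sections


def lint_crypto(config: str):
    """Return a list of human-readable findings, empty if nothing is flagged."""
    findings = []
    for header, children in parse_ios(config):
        words = header.split()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            name = words[3] if len(words) > 3 else "?"
            keys = {c.split()[0] for c in children}
            # Missing encr/hash means the IOS default applies, which is
            # exactly the surprise Peter points out in the reply.
            if not keys & {"encr", "encryption"}:
                findings.append(f"isakmp policy {name}: no encryption configured, platform default applies")
            if "hash" not in keys:
                findings.append(f"isakmp policy {name}: no hash configured, platform default applies")
            for child in children:
                parts = child.split()
                if len(parts) < 2:
                    continue
                if parts[0] in ("encr", "encryption") and parts[1] in WEAK_ENCR:
                    findings.append(f"isakmp policy {name}: weak encryption '{parts[1]}'")
                if parts[0] == "hash" and parts[1] in WEAK_HASH:
                    findings.append(f"isakmp policy {name}: weak hash '{parts[1]}'")
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            name = words[3] if len(words) > 3 else "?"
            transforms = words[4:]
            if not transforms:
                # The "crypto ipsec transform-set SET" line from the question.
                findings.append(f"transform-set {name}: no transforms given (expected e.g. 'esp-aes 128 esp-sha-hmac')")
            for t in transforms:
                if t in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {name}: weak transform '{t}'")
    return findings


# Constructed: the question's config rewritten in running-config form.
QUESTION_CFG = """crypto isakmp policy 1
 authentication pre-share
crypto isakmp key VPNKEY address 192.0.2.1
crypto ipsec transform-set SET
crypto map MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set SET
 match address LIST
"""

# Constructed: the algorithm choices of the working config in the reply.
WORKING_CFG = """crypto isakmp policy 15
 encr 3des
 hash md5
 authentication pre-share
 lifetime 43200
!
crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac
"""

# Constructed: the same structure with explicit, current algorithms.
HARDENED_CFG = """crypto isakmp policy 15
 encr aes 256
 hash sha256
 authentication pre-share
 lifetime 43200
!
crypto ipsec transform-set AES_SHA esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CFG), ("working", WORKING_CFG), ("hardened", HARDENED_CFG)):
        print(f"--- {label} ---")
        for finding in lint_crypto(cfg) or ["no findings"]:
            print(finding)
```

Running it reports three findings for the question's config (no encryption, no hash, empty transform-set), four for the working config (3DES and MD5 in both the ISAKMP policy and the transform-set), and none for the hardened variant. The parser only understands the two section types the thread discusses; anything else in the config is passed over.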