Enabling crypto

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Enabling crypto

    Hi Network folks,

    I need your expertise on this, as I am trying to test and enable crypto on one of my tunnels and interfaces.
    Currently, I have a tunnel with no encryption.

    As a requirement, crypto needs to be implemented on the tunnel.
    I have made my own simulation in GNS3. Everything works fine as I am using only 2 routers.
    The confusion/problem is with the 2 PE routers in between, as I am not sure if they are needed to enable crypto for both ends.
    Again, the current GRE tunnel is working fine. After enabling crypto, Phase 1 is not establishing.



    Any information is much appreciated.

    Thanks.


    IP information:

    10.100.22.185 255.255.255.252
    10.100.22.186 255.255.255.252
    - - - - - - - - - - - - - - - -
    10.100.22.173 255.255.255.252
    10.100.22.174 255.255.255.252


    CE Router 1
    Gi0/3
    10.100.22.186 255.255.255.252

    PE Router 1
    GI0/3
    10.100.22.185 255.255.255.252


    PE Router 2
    Gi0/3
    10.100.22.173 255.255.255.252

    CE Router 2
    Gi0/3
    10.100.22.174 255.255.255.252


    CE Router 1 can do the following:
    ping all routers Gi0/3 interface
    remotely access CE Router 2


    CE Router 2 can do the following:
    ping only its peer --> 10.100.22.173 [I am assuming that this can be a problem, since it can only ping its peer and could not ping other routers]
    ping to other routers is unsuccessful


    Tunnel configs in Router 1:
    Tunnel source G0/3
    Tunnel Destination - CE Router 2 Gi0/3


    Tunnel configs in Router 2:
    Tunnel source G0/3
    Tunnel Destination - CE Router 1 Gi0/3

    No encryption set
    Tunnel protocol/transport GRE/IP

    Tunnel status- Up/Up

    - - - - - - - - - - - -

    CE Router 1
    !
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    !
    crypto map TEST 10 ipsec-isakmp
    set peer 10.100.22.174 [Should the peer be its "peer" 10.100.22.185? Please note that ping from .186 to .174 is OK, but ping from .174 is unsuccessful. Should this be enabled to successfully get to the peer?]
    set transform-set 3DES
    match address 111
    !
    interface Tunnel1
    crypto map TEST
    !
    interface GigabitEthernet0/3
    ip address 10.100.22.186 255.255.255.252
    speed 100
    full-duplex
    crypto map TEST
    !
    access-list 111 permit ip host 10.100.22.186 host 10.100.22.174

    For CE Router 2
    Same configs but for the IPs

    QUESTIONS:

    Phase 1 is not establishing so there is something wrong.

    Should I involve the PE routers/telco on this?
    Should ping be enabled on CE Router 2 to all routers?
    Does "peer" in crypto maps refer to its point-to-point peer?


    - - - - - - - - - - - -
    LOGS:

    Jun 15 15:51:25.788 PHP: No peer struct to get peer description
    Jun 15 15:51:48.443 PHP: No peer struct to get peer description
    Jun 15 15:51:49.319 PHP: No peer struct to get peer description
    Jun 15 15:51:49.683 PHP: No peer struct to get peer description

    Jun 15 15:48:37.642 PHP: No peer struct to get peer description
    Jun 15 15:49:09.410 PHP: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
    (ip) vrf/dest_addr= /10.100.22.186, src_addr= 10.100.22.174, prot= 47
    Jun 15 15:50:09.416 PHP: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
    (ip) vrf/dest_addr= /10.100.22.186, src_addr= 10.100.22.174, prot= 47
    Jun 15 15:51:10.423 PHP: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
    (ip) vrf/dest_addr= /10.100.22.186, src_addr= 10.100.22.174, prot= 47

    THANKS ALL!!!

    God bless.

  • #2
    Re: Enabling crypto

    I think your problem is with the preshared key.

    crypto isakmp key cisco address 0.0.0.0 0.0.0.0

    Should be:

    crypto isakmp key cisco address 10.100.22.174


    Make sure you have the other end of the tunnel setup properly as well.

    The crypto key entry should look like this on the other endpoint.

    crypto isakmp key cisco address 10.100.22.186

    That's the first thing that sticks out to me. I'm by no means an expert on this topic.
    CCA: XenApp 5.0

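    An added consistency check, not part of this thread, for the symmetry the two CE crypto maps need before Phase 1 and Phase 2 can come up: it reads the CE Router 1 config as posted, derives CE Router 2 as the same text with the two endpoint addresses swapped (the poster's "same configs but for the IPs"), and then reports a `set peer` that is not the far tunnel endpoint (the PE next hop 10.100.22.185 would be flagged), a wildcard pre-shared key address (which #2 suggests pinning), a crypto ACL that does not mirror the endpoints, or key/policy/transform-set values that differ between the ends. The CE2 derivation and the field names are this example's own assumptions.

```python
import re

# Constructed sample: CE Router 1's config as posted; CE Router 2 is assumed to be
# the same text with the two endpoint addresses swapped ("same configs but for the IPs").
CE1 = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto map TEST 10 ipsec-isakmp
 set peer 10.100.22.174
 set transform-set 3DES
 match address 111
interface GigabitEthernet0/3
 ip address 10.100.22.186 255.255.255.252
 crypto map TEST
access-list 111 permit ip host 10.100.22.186 host 10.100.22.174"""
CE2 = CE1.replace(".174", ".X").replace(".186", ".174").replace(".X", ".186")

def field(cfg, pat):
    # First capture group of pat anywhere in cfg (multiline), or None if absent.
    m = re.search(pat, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    # Pull out the fields that must agree between the two tunnel endpoints.
    acl = re.search(r"^access-list \d+ permit \S+ host (\S+) host (\S+)", cfg, re.M)
    return {
        "local": field(cfg, r"^ ip address (\S+)"),          # tunnel source address
        "peer": field(cfg, r"^ set peer (\S+)"),              # must be the far CE, not the PE
        "psk": field(cfg, r"^crypto isakmp key (\S+) address"),
        "psk_addr": field(cfg, r"^crypto isakmp key \S+ address (.+)$"),
        "policy": tuple(field(cfg, rf"^ {k} (\S+)") for k in ("encr", "hash", "authentication", "group")),
        "tset": field(cfg, r"^crypto ipsec transform-set \S+ (.+)$"),
        "acl": acl.groups() if acl else None,                 # (src, dst) the map will encrypt
    }

def check_pair(a_cfg, b_cfg):
    # Return findings for two configs; an empty list means both ends are consistent.
    a, b, out = parse(a_cfg), parse(b_cfg), []
    for me, far, tag in ((a, b, "A"), (b, a, "B")):
        if me["peer"] != far["local"]:
            out.append(f"{tag}: set peer {me['peer']} is not the far tunnel endpoint {far['local']}")
        if me["psk_addr"] == "0.0.0.0 0.0.0.0":
            out.append(f"{tag}: wildcard PSK address accepts any peer; pin it to {far['local']}")
        if me["acl"] != (me["local"], far["local"]):
            out.append(f"{tag}: crypto ACL {me['acl']} does not mirror the tunnel endpoints")
    for name in ("psk", "policy", "tset"):       # both ends must offer the same proposal
        if a[name] != b[name]:
            out.append(f"{name} differs: {a[name]} vs {b[name]}")
    return out

print(*(check_pair(CE1, CE2) or ["no mismatches found"]), sep="\n")
```

    Run against the posted config it reports only the two wildcard-key warnings; pinning each key to the far endpoint as #2 suggests clears them.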


    • #3
      Re: Enabling crypto

      Thanks for the info.
      I will be doing a cleanup on the configs to fix this.

      I have simulated this in GNS3 and everything works fine.

      Thanks again!
