This topic is to discuss the following lesson:
what is the configuration of R2?
Nothing has been configured on R2, just the IP addresses on its FastEthernet interfaces.
Rene ā¦Not working for me. 1.1.1.1/32 and 3.3.3.3/32 are not reachable. i checked all configuration , almost same as above. But not working
**
R3#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CRYPTOMAP, local addr 192.168.23.3
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 192.168.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.23.3, remote crypto endpt.: 192.168.12.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R3#Hi Amit,
This show command only tells you that no packets are encrypted or decrypted. You need to check the following in order:
Is routing configured correctly?
Are your ACLs for the VPN configured correctly?
Are the crypto maps configured correctly?
Do you have a security association?
If those are all OKā¦do a debug for the security association to see what is wrong.
Hi
Donāt you need the tunnel ip address, so you can use that as next hop.
R1(config)#ex. ip route 3.3.3.3 255.255.255.255 192.168.13.3
best regards mpo
Its not working. Can u pls advise if any routing protocol is needed?
Hi Chiru,
The example is complete, Iām using static routes for connectivity so you wonāt need a routing protocol.
Weāll need a little bit more details than ānot workingā to find out what the problem is 
Rene
At first I got some issues, I thought there was an issue with the LAB itself, then I followed the troubleshooting RENE suggested and I found the ISSUE
I Created a LAB with IPSEC tunnels and sub-interfaces,if you want it just let me know.
Rene,Thanks for all your help.
Hi Renee!
I am wondering, is there anyway to initialize phase 1 or 2 from the router itself? For example, if I have an ACL such as permit host A to host B, normally I would have to ping from host A to B in order to initialize the tunnel. However, Iām wondering if there is anyway to initialize phase from from just the 2 peers without having to generate traffic from the end points?
I hope thatās clear, Thanks!
I went through this IPsec Tunnel configuration and checked the R1#āshow crypto ipsec saā table; but it did not come up with local and remote ident: ip addresses. that shows in your post as well as in ipsec site-to-site vpn. Everything else fine.
R1#show crypto ipsec sa
interface: Serial1/0
Crypto map tag: cryptomap, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
ā¦
please help to know why it is?
Hmm are you sure the VPN is working? Do you see the number of encrypted/decrypted packets increase?
differences between Diffie-Hellman and Authantication
hello , i have mixed up in my mind the two concepts. If we have already used pre-shared keys why is necessary to use Diffie-Hellman group? Of course i understand DIffie-Hellman parameter is mandatory to the configuration. Diffie-Hellman isnāt for exchange keys for origin authentication encryption and for integrity ? i am wonder if all these methods are linked together with share secret key
Thanks in advance
Geia sou Dionisis
Authentication and the use of the Diffie-Hellman algorithm are two distinct and separate functionalities of ISAKMP negotiation.
The authentication pre-share command indicates that a pre-shared key will be used (configured manually on each device) as the method by which the devices will establish the identity of each other as an IPsec peers.
The group 2 command on the other hand indicates the use of Group 2 Diffie-Hellman identifier to derive a shared symmetric secret without transmitting it. This is used for the purpose of encryption.
So the preshared key is to identify the peer, while the DH secret key is for encryption and decryption purposes.
I hope this helps!
Laz
1 Like
Geia sou Lazare ,
your answered me very clear and you have simplified it for me . Are there any sources that you know that they can help me to learn more about IPsec . Not about configuraton because Rene explains about it very nice but for details about the protocols that we use . Like could we use HMAC with PKI player ( private- public key )instead for pre-share key authentication ? Now you understand how much confuse my mind all these concepts. 
Thanks a lot
1 Like
Hello again Dionisis
IPsec has been developed by IETF and as such there are quite a few RFCs that describe it and how it functions at a very low level. Because there are very many of these, the IETF has published RFC 6071 which is a snapshot of IPsec- and IKE-related RFCs. This can be found here.
Also, Wikipediaās page on IPsec has a list of links to related RFCs that include HMAC, PKI and other cryptographic algorithms and modes of operation.
I hope this has been helpful!
Laz
Hello Laz ,
It is helpful
Thanks again about the information you have gave me
1 Like
Rene,
I am not sure how to add a comment at the end of a lesson.
I just finished the Lesson on IPSEC tunnel mode and had trouble getting my GNS3 to work. After looking through your configs, I noticed that you had an extra command.
In the lesson you failed to mention the mode tunnel under the Crypto IPsec transform command.
Thanks for such great work,
John Harmon
Hi John,
Did you use IOS 12.4T? I think thatās the problem then.
In IOS 15, tunnel mode is added automatically under the crypto ipsec transform-set.
Rene
Hi Rene !
As I read your lesson introduction to IPsec I saw that in phase 1 it will do the Negotiation on several items include Hashing, but in your configuration of phase 1 i cannot found configuration of hash value
Could you help to explain me.
Thank you
Sovandara