IPSec Tunnel doesn't work


(Andrew B) #1

Hi all,
I’m studying the IPSec standard and I’ve got the following lab in Cisco Packet Tracer.


I want to configure two IPSec tunnels, one between R1 and R3 and the second between R1 and R4. Also I want traffic between R4 and R3 to go through R1. I can ping PC0 from PC1 and I can ping PC2 from PC1, but for some reason I can’t ping PC0 from PC2. I’ve checked configuration several times and it looks correct. Can anybody help me, what might be wrong? Here is the configuration of all three routers. Thanks!

hostname R1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
!
crypto isakmp key cisco address 200.0.0.1
crypto isakmp key cisconew address 202.0.0.1
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
!
crypto map MAP1 10 ipsec-isakmp 
 set peer 200.0.0.1
 set transform-set AES128-SHA 
 match address 101
!
crypto map MAP1 20 ipsec-isakmp 
 set peer 202.0.0.1
 set transform-set AES128-SHA 
 match address 102
!
!
interface FastEthernet0/0
 ip address 100.0.0.1 255.255.255.252
 duplex auto
 speed auto
 crypto map MAP1
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 100.0.0.2 
!
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

hostname R2
!
interface FastEthernet0/0
 ip address 100.0.0.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 200.0.0.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 202.0.0.2 255.255.255.252
 duplex auto
 speed auto

hostname R3
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
!
crypto isakmp key cisco address 100.0.0.1
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
!
crypto map MAP1 10 ipsec-isakmp 
 set peer 100.0.0.1
 set transform-set AES128-SHA 
 match address 101
!
interface FastEthernet0/0
 ip address 200.0.0.1 255.255.255.252
 duplex auto
 speed auto
 crypto map MAP1
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 200.0.0.2 
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

hostname R4
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
!
crypto isakmp key cisconew address 100.0.0.1
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
!
crypto map MAP1 10 ipsec-isakmp 
 set peer 100.0.0.1
 set transform-set AES128-SHA 
 match address 101
!
interface FastEthernet0/0
 ip address 202.0.0.1 255.255.255.252
 duplex auto
 speed auto
 crypto map MAP1
!
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 202.0.0.2 
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

(Rene Molenaar) #2

Hi Andrew,

If you want to solve this, you need to follow that packet and think + verify what happens at each step.

Let’s have a look.

A packet from PC2 to PC0 would look like this (assuming we use .200 on the PCs):

Source: 10.2.2.200
Destination: 10.1.1.200

This packet arrives at R4. R4 needs to route it, checks its routing table and sees a default route to R2. We can verify this with show ip route.

R4 also has a crypto map on its outbound interface.

The crypto map is configured for peer R1, you use ESP and you have a matching access-list so this packet should get encrypted. We can verify this with show crypto ipsec sa. The outer IP header now looks like:

Source: 202.0.0.1
Destination: 100.0.0.1

This packet arrives at R2. To R2, 100.0.0.1 is on the same subnet so it can forward it to R1.

R1 receives an encrypted packet. R4 is a valid peer, so it de-encapsulates the packet and ends up with the original IP packet:

Source: 10.2.2.200
Destination: 10.1.1.200

It checks the destination, R1 has a default route towards R2. There is also a crypto map on the outgoing interface. You have a peer and a matching access-list in your crypto-map. You can check a single peer with show crypto ipsec sa peer 200.0.0.1.

The packet is encapsulated and now looks like this:

Source: 100.0.0.1
Destination: 200.0.0.1

R2 receives it, knows how to reach R3 and forwards it to R3.

R3 receives the encrypted packet, R1 is a valid peer so it de-encapsulates the packet. We end up with the original packet:

Source: 10.2.2.200
Destination: 10.1.1.200

10.1.1.200 can be delivered on the local interface so the packet makes it to PC0.

Looking at your config and walking through it like this, I don’t see anything that prevents the packet from going from PC2 to PC0. You might want to verify all steps above on your routers, also do this for the return traffic.

Hope this helps!

Rene

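The hop-by-hop check Rene describes can be made mechanical. The script below is an added example, not part of the thread: it encodes the crypto maps and crypto ACLs of R1, R3 and R4 from the posted configs as data and walks a packet along the hairpin path PC2 -> R4 -> R1 -> R3, checking at each hop that the sending router has a crypto ACL entry matching the packet for the next peer and that the peer's crypto ACL is the mirror image (so the return traffic is also protected). The `ROUTERS` table, `walk` and the other helper names are my own.

```python
import ipaddress

# Crypto maps from the thread's configs, transcribed as data for this example.
# Each router: its WAN address and a list of (peer, crypto ACL lines) entries,
# ACL lines written as "src wildcard dst wildcard" exactly as in the access-lists.
ROUTERS = {
    "R1": {"wan": "100.0.0.1", "maps": [
        ("200.0.0.1", ["10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255",
                       "10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"]),
        ("202.0.0.1", ["10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255",
                       "10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"])]},
    "R3": {"wan": "200.0.0.1", "maps": [
        ("100.0.0.1", ["10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
                       "10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"])]},
    "R4": {"wan": "202.0.0.1", "maps": [
        ("100.0.0.1", ["10.2.2.0 0.0.0.255 10.0.0.0 0.0.0.255",
                       "10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"])]},
}

def wildcard_net(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an IPv4 network."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def acl_permits(acl_lines, src, dst):
    """True if any crypto ACL line matches the src/dst pair (IOS first match)."""
    for line in acl_lines:
        s, sw, d, dw = line.split()
        if src in wildcard_net(s, sw) and dst in wildcard_net(d, dw):
            return True
    return False

def walk(path, src, dst):
    """Follow a packet along a list of routers. At every hop the current router
    must have a crypto map entry for the next router whose ACL matches the
    packet, and the next router must hold the mirror-image ACL for that peer.
    Returns the (local WAN, peer WAN) tunnel hops, or raises ValueError."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops = []
    for here, nxt in zip(path, path[1:]):
        here_wan, nxt_wan = ROUTERS[here]["wan"], ROUTERS[nxt]["wan"]
        out = [acl for peer, acl in ROUTERS[here]["maps"] if peer == nxt_wan]
        if not out or not acl_permits(out[0], src, dst):
            raise ValueError(f"{here}: no crypto ACL for {src}->{dst} to peer {nxt_wan}")
        back = [acl for peer, acl in ROUTERS[nxt]["maps"] if peer == here_wan]
        if not back or not acl_permits(back[0], dst, src):
            raise ValueError(f"{nxt}: no mirror ACL for {dst}->{src} from {here_wan}")
        hops.append((here_wan, nxt_wan))
    return hops

if __name__ == "__main__":
    print(walk(["R4", "R1", "R3"], "10.2.2.200", "10.1.1.200"))
```

Running the reverse path with the addresses swapped checks the return traffic the same way; a missing or non-mirrored ACL line on any router shows up as a ValueError naming the hop.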

(Andrew B) #3

Thanks a lot for the explanation! Basically the issue was in Cisco Packet Tracer itself. In GNS3 the same configuration works.