Friday, November 16, 2018

IPSec Tunnel not coming up: Issue with ACL?

I'm trying to bring up an IPsec tunnel between a router and a bridge. I can see the IPsec tunnel configurations are up and running, but I think I have made a mistake in the ACL and hence the encr and decr counters are still 0.

Can someone guide me on this?

Desktop(ETH0)-->(FE3 SVI)Router(FE4 WAN)-->(ETH0)Master Bridge(RF0)-->(RF0)Remote Bridge(ETH0)-->>Client.

Tunnel is between Loopback created on Router and RF0 Interface on Remote Bridge.

Configuration: https://pastebin.com/hfSQGpMu
Diagram: https://imgur.com/a/lBPECqE

SGLAB-C881K9#sh run
Building configuration...

Current configuration : 2043 bytes
!
! Last configuration change at 11:09:09 UTC Fri Nov 16 2018
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SGLAB-C881K9
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$bEYB$z5Jz9F7gED/aMzosGxRe01
enable password <Masked>
!
no aaa new-model
!
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C881-K9 sn FGL2101208A
!
username ssn privilege 15 secret 5 $1$2N/d$gqvkb2e6IZLUCEE5oVhG20
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 lifetime 3600
crypto isakmp key 4B0u7WnF6vFGSdy2QARJ0U09SaK1CvCW address 10.110.249.1
!
crypto ipsec transform-set bridge11f7d8 esp-3des esp-sha-hmac
 mode tunnel
!
crypto map TST local-address Loopback0
crypto map TST 10 ipsec-isakmp
 set peer 10.110.249.1
 set transform-set bridge11f7d8
 match address bridge11f7d8_ACL
!
interface Loopback0
 ip address 10.50.50.10 255.255.255.255
!
interface FastEthernet0
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 192.168.2.1 255.255.255.0
 duplex full
 speed auto
 crypto map TST
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
router rip
 network 10.0.0.0
 network 192.168.2.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list extended bridge11f7d8_ACL
 permit icmp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3
 permit tcp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3 eq 20000
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password <Masked>
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

SGLAB-C881K9#sh crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: TST, local addr 10.50.50.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
   remote ident (addr/mask/prot/port): (10.110.193.0/255.255.255.252/6/20000)
   current_peer 10.110.249.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.50.50.10, remote crypto endpt.: 10.110.249.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
   remote ident (addr/mask/prot/port): (10.110.193.0/255.255.255.252/1/0)
   current_peer 10.110.249.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 10.50.50.10, remote crypto endpt.: 10.110.249.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
SGLAB-C881K9#