Friday, 21 January 2011

Troubleshooting IPSec site to site VPN tunnels on Cisco

First, double-check everything (the examples below show what you should see in the config). The majority of problems with IPsec tunnels come down to a mismatch in the settings between the two ends, so it pays to check every setting before you start debugging.

Check that the peer IP address is the correct far-end peer address:
on Cisco routers check

crypto map ipsectunnels 10 ipsec-isakmp
set peer

and

crypto isakmp key ****** address

On Cisco firewalls check

and


Check the IPsec transform sets match:
on Cisco routers check

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

NB: In the line above, 'ESP-3DES-SHA' is the name of the transform set you create with this command, and 'esp-3des esp-sha-hmac' are the actual IPsec transforms (encryption and integrity algorithms) allowed in that named transform set. You later assign 'ESP-3DES-SHA' to a crypto map (see below).

and

crypto map ipsectunnels 10 ipsec-isakmp
set transform-set ESP-3DES-SHA

On Cisco firewalls check

and


Check the ISAKMP policies match:
on Cisco routers check

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

On Cisco firewalls check


Re-enter the shared secret (to make sure it isn't a typo):
on Cisco routers check

crypto isakmp key ****** address

On Cisco firewalls check

and

NB: On Cisco firewalls, the shared secret is blanked out as **** when you do a normal show run. Make sure you don't just copy the **** into the other end.


Check the crypto map is correct and matches the far end:
on Cisco routers check

crypto map ipsectunnels 10 ipsec-isakmp
set peer
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 155

In the above, note the match address 155 - this references an access-list that defines the interesting traffic. Make sure the access-lists at both ends of the tunnel mirror each other EXACTLY: the full source and destination IP ranges AND the wildcard masks, with source and destination swapped on the far end.

and

crypto map ipsectunnels

The above should be applied to the outbound interface of the router where packets should be encrypted - on an ADSL router this would be the dialer interface that holds the public IP (assuming it's a public ADSL line).

On Cisco firewalls check

and
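
The checks above are all "does side A agree with side B" comparisons, so they can be automated. The following is an added example, not code from the original post: it pulls the settings the post says to double-check (peer, pre-shared key, transform set, ISAKMP policy, crypto ACL and where the map is applied) out of two IOS running-configs and reports every mismatch. The two configs are constructed sample data; the names 'ipsectunnels', 'ESP-3DES-SHA' and access-list 155 are taken from the post, the addresses and the second transform-set name 'TS-B' are assumptions.

```python
import re

# Constructed sample configs for the two ends of the tunnel (not real devices).
SITE_A = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key s3cret address 203.0.113.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map ipsectunnels 10 ipsec-isakmp
 set peer 203.0.113.2
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 155
access-list 155 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
interface Dialer1
 ip address 203.0.113.1 255.255.255.255
 crypto map ipsectunnels
"""

SITE_B = """\
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key s3cret address 203.0.113.1
crypto ipsec transform-set TS-B esp-3des esp-sha-hmac
crypto map ipsectunnels 10 ipsec-isakmp
 set peer 203.0.113.1
 set security-association lifetime seconds 86400
 set transform-set TS-B
 match address 155
access-list 155 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
interface Dialer1
 ip address 203.0.113.2 255.255.255.255
 crypto map ipsectunnels
"""


def parse_config(text):
    """Extract the tunnel-relevant settings from IOS running-config text.
    A top-level line opens a block; indented lines belong to the block above it."""
    cfg = {"policies": {}, "keys": {}, "transform_sets": {}, "maps": {},
           "acls": {}, "if_addr": {}, "applied": {}}
    blocks, header, children = [], None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            children.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = line.strip(), []
    if header is not None:
        blocks.append((header, children))

    for header, children in blocks:
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", header):
            cfg["policies"][int(m[1])] = frozenset(children)   # attributes only
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", header):
            cfg["keys"][m[2]] = m[1]                            # peer -> PSK
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", header):
            cfg["transform_sets"][m[1]] = frozenset(m[2].split())
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", header):
            entry = {}
            for c in children:
                w = c.split()
                if w[:2] == ["set", "peer"]:
                    entry["peer"] = w[2]
                elif w[:2] == ["set", "transform-set"]:
                    entry["transform_set"] = w[2]
                elif w[:2] == ["match", "address"]:
                    entry["acl"] = w[2]
            cfg["maps"][(m[1], int(m[2]))] = entry
        elif m := re.fullmatch(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", header):
            cfg["acls"].setdefault(m[1], set()).add((m[2], m[3], m[4], m[5]))
        elif m := re.fullmatch(r"interface (\S+)", header):
            for c in children:
                w = c.split()
                if w[:2] == ["ip", "address"]:
                    cfg["if_addr"][m[1]] = w[2]
                elif w[:2] == ["crypto", "map"]:
                    cfg["applied"][m[1]] = w[2]                 # interface -> map
    return cfg


def check_tunnel(a, b, name_a="A", name_b="B"):
    """Return a list of mismatch descriptions; empty means both ends agree."""
    problems = []
    a_addrs = {a["if_addr"].get(i) for i in a["applied"]}   # A's crypto interfaces
    b_addrs = {b["if_addr"].get(i) for i in b["applied"]}
    for (map_name, seq), entry in a["maps"].items():
        peer = entry.get("peer")
        if peer not in b_addrs:   # peer must be the far end's crypto-map interface
            problems.append(f"{name_a} map {map_name} {seq}: peer {peer} is not a crypto-map interface on {name_b}")
        key_a = a["keys"].get(peer)   # both ends must hold the same PSK for each other
        keys_b = [b["keys"][addr] for addr in a_addrs if addr in b["keys"]]
        if key_a is None or not keys_b:
            problems.append("pre-shared key missing on one side")
        elif key_a not in keys_b:
            problems.append("pre-shared keys differ")
        b_entries = [e for e in b["maps"].values() if e.get("peer") in a_addrs]
        if not b_entries:
            problems.append(f"{name_b} has no crypto map entry whose peer is {name_a}")
            continue
        b_entry = b_entries[0]
        ts_a = a["transform_sets"].get(entry.get("transform_set"))   # names may differ,
        ts_b = b["transform_sets"].get(b_entry.get("transform_set"))  # contents must not
        if ts_a != ts_b:
            problems.append(f"transform sets differ: {sorted(ts_a or [])} vs {sorted(ts_b or [])}")
        acl_a = a["acls"].get(entry.get("acl"), set())   # far-end ACL must be the exact mirror
        acl_b = b["acls"].get(b_entry.get("acl"), set())
        mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in acl_a}
        if mirrored != acl_b:
            problems.append(f"crypto ACLs are not exact mirrors: {sorted(mirrored)} vs {sorted(acl_b)}")
    # ISAKMP policy numbers may differ, but one policy must have identical attributes on both ends
    if not set(a["policies"].values()) & set(b["policies"].values()):
        problems.append("no ISAKMP policy with identical attributes on both sides")
    for name, cfg in ((name_a, a), (name_b, b)):
        if not cfg["applied"]:
            problems.append(f"{name}: crypto map is not applied to any interface")
    return problems


if __name__ == "__main__":
    for p in check_tunnel(parse_config(SITE_A), parse_config(SITE_B)) or ["no mismatches found"]:
        print(p)
```

The SA lifetime is deliberately not compared: the peers negotiate down to the shorter value, so a difference there does not stop the tunnel coming up. Policy numbers and transform-set names are likewise allowed to differ, because only their contents are exchanged.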




If that is all ok, check the status of the tunnels:

Router#show crypto ipsec sa
Router#show crypto isakmp sa

Do an extended ping (sourced from an address inside the crypto access-list) to force traffic down the tunnel, in case your expected traffic isn't making it to the tunnel for some reason.

Finally, have a look at the debug:

Router#debug crypto ipsec

Router#debug crypto isakmp
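
The ISAKMP SA state tells you which of the checks above to go back to before you turn on debugging. The following is an added example, not code from the original post: it parses the text of `show crypto isakmp sa` and maps the main-mode state of the SA for a given peer back to the post's checks. The sample outputs are constructed; the state names are the standard IOS main-mode progression, and the hint wording is this example's own.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# dst, src, state and conn-id columns of 'show crypto isakmp sa'; trailing columns ignored
SA_LINE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+([A-Z_]+)\s+(\d+)")

# Where each main-mode state points you in the checklist.
HINTS = {
    "QM_IDLE": "phase 1 is up; if traffic still fails, compare the transform sets and "
               "the crypto ACL at both ends (show crypto ipsec sa)",
    "MM_NO_STATE": "main mode never progressed: the peer is not answering, or the "
                   "ISAKMP policies (encr / auth / group) do not match",
    "MM_SA_SETUP": "policies agreed but stuck before key exchange: check UDP 500 is "
                   "reaching both ends, then debug crypto isakmp",
    "MM_KEY_EXCH": "stuck after key exchange, before authentication: usually a "
                   "pre-shared key mismatch; re-enter the key at both ends",
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_UP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
"""
SAMPLE_PSK_MISMATCH = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     MM_KEY_EXCH       1002 ACTIVE
"""


def parse_isakmp_sa(output):
    """Return one dict per SA line found in the command output."""
    sas = []
    for line in output.splitlines():
        if m := SA_LINE.match(line):
            sas.append({"dst": m[1], "src": m[2], "state": m[3], "conn_id": int(m[4])})
    return sas


def triage(output, peer):
    """One-line hint for the ISAKMP SA involving 'peer' (as dst or src)."""
    matching = [sa for sa in parse_isakmp_sa(output) if peer in (sa["dst"], sa["src"])]
    if not matching:
        # Nothing was ever negotiated: interesting traffic never hit the crypto map
        return ("no ISAKMP SA for this peer: check the crypto ACL, that the map is applied "
                "to the outbound interface, routing to the peer, and the peer address; "
                "force traffic with an extended ping")
    state = matching[-1]["state"]   # most recent SA for this peer
    return HINTS.get(state, f"state {state}: still negotiating, run debug crypto isakmp")


if __name__ == "__main__":
    print(triage(SAMPLE_UP, "203.0.113.2"))
    print(triage(SAMPLE_PSK_MISMATCH, "203.0.113.2"))
    print(triage(SAMPLE_UP, "198.51.100.9"))
```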
