0 Replies Latest reply: May 16, 2018 3:27 AM by Mohamed Jawad

    VPN Configuration between 2 CSR

    Mohamed Jawad

Hi folks,

Please help me out to solve this VPN connectivity issue.

Here I am adding the configuration of both routers.

       

CSR 1

Current configuration : 4762 bytes
!
! Last configuration change at 09:26:53 UTC Wed May 16 2018 by ec2-user
!
version 16.7
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname AWS-CSR
!
boot-start-marker
boot-end-marker
!
!
logging persistent size 1000000 filesize 8192 immediate
!
no aaa new-model
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CSR1000V sn 9GQCYMRQR26
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
!
redundancy
!
!
crypto keyring keyring-vpn-tensult123
  local-address GigabitEthernet1
  pre-shared-key address 34.x.x.x key key-tensult123
!
!
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-tensult123
  keyring keyring-vpn-tensult123
  match identity address 34.x.x.x 255.255.255.255
  local-address GigabitEthernet1
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-tensult123 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-tensult123
 set transform-set ipsec-prop-vpn-tensult123
 set pfs group2
!
!
interface Tunnel1
 ip address 192.168.10.10 255.255.255.0
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 34.x.x.x
 tunnel protection ipsec profile ipsec-vpn-tensult123
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid
!
!
virtual-service csr_mgmt
 ip shared host-interface GigabitEthernet1
!
ip forward-protocol nd
ip tcp window-size 131072
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 172.16.1.1
ip route 172.31.0.0 255.255.0.0 Tunnel1
ip route 192.168.10.0 255.255.255.0 Tunnel1
!
ip ssh window-size 131072
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
  username ec2-user
   key-hash ssh-rsa F1F46211EC2B5BDC1D7D4D200D6B51D5 ec2-user
ip scp server enable
!
!
ip access-list extended tens
 permit ip 172.31.0.0 0.0.255.255 192.168.10.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line vty 0 4



CSR 2

Current configuration : 4882 bytes
!
! Last configuration change at 09:47:34 UTC Wed May 16 2018 by ec2-user
!
version 16.7
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ON-CSR
!
boot-start-marker
boot-end-marker
!
!
logging persistent size 1000000 filesize 8192 immediate
!
no aaa new-model
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
license udi pid CSR1000V sn 9AAZ2IYYLTH
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto keyring keyring-vpn-tensult123
  local-address GigabitEthernet1
  pre-shared-key address 13.x.x.x key key-tensult123
!
!
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-tensult123
  keyring keyring-vpn-tensult123
  match identity address 13.x.x.x 255.255.255.255
  local-address GigabitEthernet1
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-tensult123 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-tensult123
 set transform-set ipsec-prop-vpn-tensult123
 set pfs group2
!
!
!
!
interface Tunnel1
 ip address 192.168.10.20 255.255.255.0
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 13.x.x.x
 tunnel protection ipsec profile ipsec-vpn-tensult123
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
 no mop enabled
 no mop sysid
!
!
virtual-service csr_mgmt
 ip shared host-interface GigabitEthernet1
!
ip forward-protocol nd
ip tcp window-size 131072
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 172.31.0.1
ip route 172.16.0.0 255.255.0.0 Tunnel1
ip route 192.168.10.0 255.255.255.0 Tunnel1
!
ip ssh window-size 131072
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
  username ec2-user
   key-hash ssh-rsa 84F5905277CD80457B42FCB632C4182B ec2-user
ip scp server enable
!
!
ip access-list extended tens
 permit ip 172.31.0.0 0.0.255.255 192.168.10.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys

       

       

       

Result:

CSR1(config)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.1, GigabitEthernet1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet1
L        172.16.1.20/32 is directly connected, GigabitEthernet1

CSR1#sh crypto session
Crypto session current status

Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: 34.235.183.163 port 500
  Session ID: 0
  IKEv1 SA: local 172.16.1.20/500 remote 34.235.183.163/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Interface: (unknown)
Session status: DOWN-NEGOTIATING
Peer: 34.235.183.163 port 4500
  Session ID: 0
  IKEv1 SA: local 172.16.1.20/4500 remote 34.235.183.163/4500 Inactive



      same in both
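The two pasted configurations cross-checked against each other, as an added example that is not part of the original post: it parses the parameters two VTI peers must agree on (keyring peer address, ISAKMP identity match, tunnel destination, phase 1 and phase 2 proposals, tunnel subnet) and reports any mismatch. The excerpts are constructed from the post's configs, with the masked public addresses replaced by documentation-range placeholders (203.0.113.2 for 34.x.x.x, 198.51.100.1 for 13.x.x.x).

```python
import re
from ipaddress import ip_interface

# Constructed excerpts modelled on the post's configs; masked public peers replaced by RFC 5737 placeholders.
AWS_CSR = """hostname AWS-CSR
 pre-shared-key address 203.0.113.2 key key-tensult123
 encr aes
 group 2
 match identity address 203.0.113.2 255.255.255.255
crypto ipsec transform-set ipsec-prop-vpn-tensult123 esp-aes esp-sha-hmac
 set pfs group2
 ip address 192.168.10.10 255.255.255.0
 tunnel destination 203.0.113.2
ip route 172.31.0.0 255.255.0.0 Tunnel1"""
ON_CSR = """hostname ON-CSR
 pre-shared-key address 198.51.100.1 key key-tensult123
 encr aes
 group 2
 match identity address 198.51.100.1 255.255.255.255
crypto ipsec transform-set ipsec-prop-vpn-tensult123 esp-aes esp-sha-hmac
 set pfs group2
 ip address 192.168.10.20 255.255.255.0
 tunnel destination 198.51.100.1
ip route 172.16.0.0 255.255.0.0 Tunnel1"""

# One regex per parameter; the first match in the config text wins.
PATTERNS = {
    "host": r"^hostname (\S+)", "psk_peer": r"pre-shared-key address (\S+)",
    "id_peer": r"match identity address (\S+)", "tun_dst": r"tunnel destination (\S+)",
    "tun_ip": r"^ ip address (\d\S* \S+)", "encr": r"^ encr (\S+)",
    "group": r"^ group (\S+)", "pfs": r"set pfs (\S+)", "ts": r"transform-set \S+ (.+)$",
}

def parse(cfg):
    """Extract the IKE/IPsec parameters that must agree between two VTI peers."""
    found = {k: re.search(p, cfg, re.M) for k, p in PATTERNS.items()}
    return {k: m.group(1).strip() if m else None for k, m in found.items()}

def check(a, b):
    """Return a list of findings; an empty list means the two sides are consistent."""
    out = []
    for own in (a, b):  # keyring peer, ISAKMP identity and tunnel endpoint must be one address
        if len({own["psk_peer"], own["id_peer"], own["tun_dst"]}) != 1:
            out.append(f"{own['host']}: keyring/identity/tunnel destination disagree")
    for k in ("encr", "group", "ts", "pfs"):  # phase 1 and phase 2 proposals
        if a[k] != b[k]:
            out.append(f"{k} differs: {a[k]} vs {b[k]}")
    nets = {ip_interface(x["tun_ip"].replace(" ", "/")).network for x in (a, b)}
    if len(nets) != 1:  # 192.168.10.10/24 and 192.168.10.20/24 share one tunnel subnet
        out.append("tunnel interfaces are not in one subnet")
    return out
```

Run on the configs as posted it returns no findings, so the two sides agree on everything checked here; what a config diff cannot show is whether IKE on UDP 500/4500 actually reaches each peer across the underlay, which the DOWN-NEGOTIATING sessions above point at.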