Hello everyone,
In my case I am using CHR 6.46.6 in GNS3 2.2.8, with the same version of GNS3 (2.2.8) running in VMware Workstation.
The lab topology is shown in the picture below:
I need to establish an IPsec VPN between R1 and R2 through the router "R Internet".
IPsec is configured on R1 and R2; the full configuration of all routers is shown below:
R1
[admin@R1] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.10.10.1/30 10.10.10.0 ether2
1 192.168.10.1/24 192.168.10.0 ether1
[admin@R1] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 10.10.10.0/30 10.10.10.1 ether2 0
1 A S 11.11.11.0/30 10.10.10.2 1
2 A S 12.12.12.0/24 192.168.10.2 1
3 ADC 192.168.10.0/24 192.168.10.1 ether1 0
[admin@R1] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 name="peer1" address=11.11.11.1/32 profile=profile1 exchange-mode=main
send-initial-contact=no
[admin@R1] >
[admin@R1] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
# TUN SRC-ADDRESS
0 T * ::/0
1 yes 192.168.10.0/24
[admin@R1] > ip ipsec profile print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des
dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey
nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
1 name="profile1" hash-algorithm=md5 enc-algorithm=camellia-128
dh-group=modp1024 lifetime=1d proposal-check=obey nat-traversal=yes
dpd-interval=2m dpd-maximum-failures=5
[admin@R1] >
[admin@R1] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024
1 name="proposal1" auth-algorithms=md5 enc-algorithms=camellia-128
lifetime=30m pfs-group=modp1024
[admin@R1] >
[admin@R1] > ip ipsec key print
Flags: P - private-key, R - rsa
# NAME KEY-SIZE
0 PR secrt 1024-bit
[admin@R1] >
R3
[admin@R3] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 12.12.12.1/24 12.12.12.0 bridge1
1 192.168.10.2/24 192.168.10.0 ether1
[admin@R3] >
[admin@R3] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 12.12.12.0/24 12.12.12.1 bridge1 0
1 ADC 192.168.10.0/24 192.168.10.2 ether1 0
[admin@R3] >
R Internet
[admin@Internet] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 11.11.11.2/30 11.11.11.0 ether2
1 10.10.10.2/30 10.10.10.0 ether1
[admin@Internet] >
[admin@Internet] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 10.10.10.0/30 10.10.10.2 ether1 0
1 ADC 11.11.11.0/30 11.11.11.2 ether2 0
2 A S 192.168.10.0/24 10.10.10.1 1
3 A S 192.168.20.0/24 11.11.11.1 1
[admin@Internet] >
[admin@Internet] > ip neighbor print
# INTERFACE ADDRESS
0 ether1 10.10.10.1
1 ether2 11.11.11.1
[admin@Internet] >
R2
[admin@R2] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.20.1/24 192.168.20.0 ether3
1 11.11.11.1/30 11.11.11.0 ether2
[admin@R2] >
[admin@R2] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 10.10.10.0/30 11.11.11.2 1
1 ADC 11.11.11.0/30 11.11.11.1 ether2 0
2 A S 13.13.13.0/24 192.168.20.2 1
3 ADC 192.168.20.0/24 192.168.20.1 ether3 0
[admin@R2] >
[admin@R2] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 name="peer1" address=10.10.10.1/32 profile=profile1 exchange-mode=main
send-initial-contact=no
[admin@R2] >
[admin@R2] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
# TUN SRC-ADDRESS
0 T * ::/0
1 yes 192.168.20.0/24
[admin@R2] >
[admin@R2] > ip ipsec profile print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des
dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey
nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
1 name="profile1" hash-algorithm=md5 enc-algorithm=camellia-128
dh-group=modp1024 lifetime=1d proposal-check=obey nat-traversal=yes
dpd-interval=2m dpd-maximum-failures=5
[admin@R2] >
[admin@R2] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024
1 name="proposal1" auth-algorithms=md5 enc-algorithms=camellia-128
lifetime=30m pfs-group=modp1024
[admin@R2] >
[admin@R2] > ip ipsec key print
Flags: P - private-key, R - rsa
# NAME KEY-SIZE
0 R secrt 1024-bit
[admin@R2] >
R4
[admin@R4] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.20.2/24 192.168.20.0 ether1
1 13.13.13.1/24 13.13.13.0 bridge1
[admin@R4] >
[admin@R4] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 13.13.13.0/24 13.13.13.1 bridge1 0
1 ADC 192.168.20.0/24 192.168.20.2 ether1 0
[admin@R4] >
Where is the problem? In my case the IPsec VPN is not established, and I see "no phase2" on R1 and the same on R2.
Any help?