Hello all,
I'm having trouble setting up an IPsec tunnel between two routers. The VSR router is working behind a one-to-one NAT, and
when I checked the IP I can reach it, so it's working correctly, but it's unable to establish the IPsec session.
Any help would be appreciated.
Regards,
Erdem
MSR Configuration
#
interface GigabitEthernet2/0/1
port link-mode route
ip address 91.93.188.206 255.255.255.248
ospf timer hello 2
ospf timer dead 10
ospf network-type p2mp unicast
ospf timer poll 2
ospf 2 area 0.0.0.1
ipsec apply policy msr
#
acl advanced 3000 match-order auto
rule 0 permit ip source 172.16.101.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
rule 1 permit ip source 172.16.102.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
#
ipsec anti-replay window 1024
ipsec sa global-duration traffic-based 86400
ipsec sa idle-time 120
#
ipsec transform-set msr
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template msr 1
transform-set msr
security acl 3000
remote-address 88.238.51.202
ike-profile msr
reverse-route dynamic
reverse-route preference 10
reverse-route tag 100
#
ipsec policy msr 1 isakmp template msr
#
ike identity address 91.93.188.206
ike nat-keepalive 5
#
ike profile msr
keychain msr
exchange-mode aggressive
local-identity address 91.93.188.206
match remote identity address 88.238.51.202 255.255.255.255
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain msr
pre-shared-key address 88.238.51.202 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2
#
ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
#
VSR Configuration
#
interface GigabitEthernet1/0
port link-mode route
ip address 10.142.20.6 255.255.255.0
ospf timer hello 2
ospf timer dead 10
ospf network-type p2mp unicast
ospf dr-priority 2
ospf timer poll 2
ospf 2 area 0.0.0.1
ipsec apply policy vsr
#
acl advanced 3000 match-order auto
rule 0 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.101.0 0.0.0.255
rule 1 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.102.0 0.0.0.255
#
ipsec anti-replay window 1024
ipsec sa global-duration traffic-based 86400
ipsec sa idle-time 120
#
ipsec transform-set vsr
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template vsr 1
transform-set vsr
security acl 3000
remote-address 91.93.188.206
ike-profile vsr
reverse-route dynamic
reverse-route preference 10
reverse-route tag 100
#
ipsec policy vsr 1 isakmp template vsr
#
ike identity address 88.238.51.202
ike nat-keepalive 5
#
ike profile vsr
keychain vsr
exchange-mode aggressive
local-identity address 88.238.51.202
match remote identity address 91.93.188.206 255.255.255.255
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain vsr
pre-shared-key address 91.93.188.206 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2
#
ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
#
#MSR #VSR #ipsec #msr2003
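A peer-parity check over the two configurations posted above, as an added example that is not part of the original post or of any HPE/H3C tooling. The excerpts are trimmed and re-indented from the post, and the function names `facts` and `review` are hypothetical.

```python
import re

# Excerpts of the two posted configurations, trimmed to the lines the checks read.
MSR = """\
interface GigabitEthernet2/0/1
 ip address 91.93.188.206 255.255.255.248
acl advanced 3000 match-order auto
 rule 0 permit ip source 172.16.101.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
 rule 1 permit ip source 172.16.102.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
ipsec policy msr 1 isakmp template msr
 local-identity address 91.93.188.206
ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
"""
VSR = """\
interface GigabitEthernet1/0
 ip address 10.142.20.6 255.255.255.0
acl advanced 3000 match-order auto
 rule 0 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.101.0 0.0.0.255
 rule 1 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.102.0 0.0.0.255
ipsec policy vsr 1 isakmp template vsr
 local-identity address 88.238.51.202
ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
"""

def facts(cfg):
    """Pull out the few values the checks below compare."""
    return {
        "acl": set(re.findall(r"source (\S+ \S+) destination (\S+ \S+)", cfg)),
        "ifaces": set(re.findall(r"^interface (\S+)", cfg, re.M)),
        "addrs": set(re.findall(r"^\s*ip address (\S+)", cfg, re.M)),
        "local_id": re.search(r"local-identity address (\S+)", cfg).group(1),
        "template": bool(re.search(r"^ipsec policy \S+ \d+ isakmp template", cfg, re.M)),
        "route_ifaces": set(re.findall(r"^ip route-static \S+ \S+ (GigabitEthernet\S+)", cfg, re.M)),
    }

def review(a, b):
    fa, fb, out = facts(a), facts(b), []
    if fa["acl"] != {(dst, src) for src, dst in fb["acl"]}:
        out.append("security ACLs are not mirror images")
    if fa["template"] and fb["template"]:  # a Comware template policy only responds
        out.append("both policies are template-based, so neither peer initiates")
    for name, f in (("first", fa), ("second", fb)):
        if f["local_id"] not in f["addrs"]:
            out.append(f"{name}: local-identity is not an interface address (NAT in path)")
        if f["route_ifaces"] - f["ifaces"]:
            out.append(f"{name}: static route names an interface absent from this config")
    return out
```

`review(MSR, VSR)` returns the list of findings for the two peers, in the order the checks run.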