Security e-Series

IPSEC Problem between MSR2003 Router and VSR1008 Router

 
eozturk01

Hello all,

I'm having trouble setting up an IPsec tunnel between two routers. The VSR router is working behind one-to-one NAT, and when I checked the IP I can reach it, so it's working correctly, but it's unable to establish the IPsec session.

Any help would be appreciated.

Regards,

Erdem

 

MSR Configuration

#
interface GigabitEthernet2/0/1
 port link-mode route
 ip address 91.93.188.206 255.255.255.248
 ospf timer hello 2
 ospf timer dead 10
 ospf network-type p2mp unicast
 ospf timer poll 2
 ospf 2 area 0.0.0.1
 ipsec apply policy msr
#
acl advanced 3000 match-order auto
 rule 0 permit ip source 172.16.101.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
 rule 1 permit ip source 172.16.102.0 0.0.0.255 destination 10.142.20.0 0.0.0.255
#
 ipsec anti-replay window 1024
 ipsec sa global-duration traffic-based 86400
 ipsec sa idle-time 120
#
ipsec transform-set msr
 esp encryption-algorithm 3des-cbc 
 esp authentication-algorithm md5 
#
ipsec policy-template msr 1
 transform-set msr 
 security acl 3000 
 remote-address 88.238.51.202
 ike-profile msr
 reverse-route dynamic
 reverse-route preference 10
 reverse-route tag 100
#
ipsec policy msr 1 isakmp template msr
#
 ike identity address 91.93.188.206
 ike nat-keepalive 5
#
ike profile msr
 keychain msr
 exchange-mode aggressive
 local-identity address 91.93.188.206
 match remote identity address 88.238.51.202 255.255.255.255
 proposal 1 
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ike keychain msr
 pre-shared-key address 88.238.51.202 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2
#
ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
#

VSR Configuration

 

#
interface GigabitEthernet1/0
 port link-mode route
 ip address 10.142.20.6 255.255.255.0
 ospf timer hello 2
 ospf timer dead 10
 ospf network-type p2mp unicast
 ospf dr-priority 2
 ospf timer poll 2
 ospf 2 area 0.0.0.1
 ipsec apply policy vsr
#
acl advanced 3000 match-order auto
 rule 0 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.101.0 0.0.0.255
 rule 1 permit ip source 10.142.20.0 0.0.0.255 destination 172.16.102.0 0.0.0.255
#
 ipsec anti-replay window 1024
 ipsec sa global-duration traffic-based 86400
 ipsec sa idle-time 120
#
ipsec transform-set vsr
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy-template vsr 1
 transform-set vsr
 security acl 3000
 remote-address 91.93.188.206
 ike-profile vsr
 reverse-route dynamic
 reverse-route preference 10
 reverse-route tag 100
#
ipsec policy vsr 1 isakmp template vsr
#
 ike identity address 88.238.51.202
 ike nat-keepalive 5
#
ike profile vsr
 keychain vsr
 exchange-mode aggressive
 local-identity address 88.238.51.202
 match remote identity address 91.93.188.206 255.255.255.255
 proposal 1
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ike keychain vsr
 pre-shared-key address 91.93.188.206 255.255.255.255 key cipher $c$3$p/GPavNSjkBGsE89MMJhRJOsKq+vhJC85xz2
#
ip route-static 10.142.20.0 24 GigabitEthernet2/0/1 88.238.51.202
#