Can't negotiate IKE SA using dynamips

MinQuant.Kuo · ‎03-23-2007

hello,all

I do some experiments about VPN with four router running 3640 IOS using dynamips.I have checked serveral times the configurations are normal,The outside interfaces on two border routers can ping each other.but IKE phase 1 cann't negotiate each other.Topology is as follows:

--R4(border)---R1---R2---R3(border)---

Configuration PLS refer to attachments.

kaachary · ‎03-23-2007

Configs look fine. What are the debugs you are getting on the routers ?

debug cry isa

debug cry ipsec

-Kanishka

MinQuant.Kuo · ‎03-23-2007

debug crypto isa is Null

debug crypto cry ipsec is Null

R3#debug crypto isakmp

Crypto ISAKMP debugging is on

R3#debug crypto ipsec

Crypto IPSEC debugging is on

R3#sh crypto isakmp sa

dst src state conn-id slot status

R3#show crypto ipsec sa

interface: Serial1/1

Crypto map tag: VPN-MAP, local addr 202.106.0.2

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)

current_peer 201.106.0.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 202.106.0.2, remote crypto endpt.: 201.106.0.2

path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

R3#

kaachary · ‎03-23-2007

You need to iniitate some interesting traffic for tunnel to start negotiating. Then only you will get the debugs.

Also, if you are accessing the routers through telnet, please enter this :

term mon

-Kanishka

MinQuant.Kuo · ‎03-26-2007

Thank you,Kanishka

I will try it.

Min-quan Kuo