Can't negotiate IKE SA using dynamips

Mar 23rd, 2007

Hello, all


I am doing some VPN experiments with four routers running 3640 IOS using dynamips. I have checked several times and the configurations are normal. The outside interfaces on the two border routers can ping each other, but IKE phase 1 can't negotiate. The topology is as follows:


--R4(border)---R1---R2---R3(border)---


For the configuration, please refer to the attachments.



kaachary (Cisco Employee) Fri, 03/23/2007 - 02:49

Configs look fine. What are the debugs you are getting on the routers?


debug cry isa

debug cry ipsec


-Kanishka

MinQuant.Kuo Fri, 03/23/2007 - 03:40

debug crypto isa is Null

debug crypto cry ipsec is Null





R3#debug crypto isakmp
Crypto ISAKMP debugging is on

R3#debug crypto ipsec
Crypto IPSEC debugging is on

R3#sh crypto isakmp sa
dst src state conn-id slot status

R3#show crypto ipsec sa

interface: Serial1/1
Crypto map tag: VPN-MAP, local addr 202.106.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer 201.106.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 202.106.0.2, remote crypto endpt.: 201.106.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

R3#


kaachary (Cisco Employee) Fri, 03/23/2007 - 05:11

You need to initiate some interesting traffic for the tunnel to start negotiating. Only then will you get the debugs.


Also, if you are accessing the routers through telnet, please enter this:


term mon


-Kanishka
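
An added example, not part of the original thread: a small Python triage of the `show crypto ipsec sa` output posted above, showing how all-zero packet counters together with outbound SPI 0x0 indicate that no traffic has matched the crypto ACL yet. The function names, result labels and the send-errors heuristic are assumptions of this example.

```python
import re

# Excerpt of the `show crypto ipsec sa` output posted in the thread above.
SAMPLE = """\
interface: Serial1/1
Crypto map tag: VPN-MAP, local addr 202.106.0.2
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer 201.106.0.2 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
"""

def parse_ipsec_sa(text):
    """Pull the fields needed for triage out of one crypto-map entry."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "local_ident": grab(r"local\s+ident[^:]*:\s*\(([\d.]+/[\d.]+)"),
        "remote_ident": grab(r"remote\s+ident[^:]*:\s*\(([\d.]+/[\d.]+)"),
        "peer": grab(r"current_peer\s+([\d.]+)"),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "send_errors": grab(r"#send errors\s+(\d+)", int),
        "outbound_spi": grab(r"outbound spi:\s*(0x[0-9A-Fa-f]+)", lambda s: int(s, 16)),
    }

def diagnose(sa):
    """Classify the tunnel state from the parsed counters (heuristic)."""
    if sa["outbound_spi"]:
        return "sa-established"
    # Assumption of this example: with no SA in place, packets that match the
    # crypto ACL are dropped while IKE negotiates and show up as send errors,
    # so a non-zero value means traffic did trigger the tunnel.
    if (sa["send_errors"] or 0) > 0:
        return "traffic-matched-negotiation-failing"
    if not (sa["encaps"] or sa["decaps"]):
        return "no-interesting-traffic"
    return "inconsistent"

if __name__ == "__main__":
    print(diagnose(parse_ipsec_sa(SAMPLE)))
```

For the posted output the result is `no-interesting-traffic`, which matches the advice to send traffic between the two protected subnets before looking for ISAKMP debugs.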
