Can't negotiate IKE SA using dynamips

Unanswered Question
Mar 23rd, 2007
User Badges:


I do some experiments about VPN with four router running 3640 IOS using dynamips.I have checked serveral times the configurations are normal,The outside interfaces on two border routers can ping each other.but IKE phase 1 cann't negotiate each other.Topology is as follows:


Configuration PLS refer to attachments.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kaachary Fri, 03/23/2007 - 02:49
User Badges:
  • Cisco Employee,

Configs look fine. What are the debugs you are getting on the routers ?

debug cry isa

debug cry ipsec


MinQuant.Kuo Fri, 03/23/2007 - 03:40
User Badges:

debug crypto isa is Null

debug crypto cry ipsec is Null

R3#debug crypto isakmp

Crypto ISAKMP debugging is on

R3#debug crypto ipsec

Crypto IPSEC debugging is on

R3#sh crypto isakmp sa

dst src state conn-id slot status

R3#show crypto ipsec sa

interface: Serial1/1

Crypto map tag: VPN-MAP, local addr

protected vrf: (none)

local ident (addr/mask/prot/port): (

remote ident (addr/mask/prot/port): (

current_peer port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.:, remote crypto endpt.:

path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


kaachary Fri, 03/23/2007 - 05:11
User Badges:
  • Cisco Employee,

You need to iniitate some interesting traffic for tunnel to start negotiating. Then only you will get the debugs.

Also, if you are accessing the routers through telnet, please enter this :

term mon



This Discussion