12-05-2007 02:22 AM - edited 03-03-2019 07:48 PM
Hi Experts,
I faced a problem after ipsec configuration. Attached is the debug crypto message for ipsec, isakmp and engine. Hope to get some light from you guys.
Thanks.
12-05-2007 02:34 AM
Hi Cindy
1) Can you post the debug from both devices - sometimes it is helpful to see what both ends are doing.
2) When you run a "sh crypto isa sa" do you see "MM_NO_STATE" in the output?
It looks like it is failing on phase 1 - usually means one of 2 things:
1) There are no matching isakmp policies
2) The shared key does not match.
Could you post configs as well together with the IP addressing details, i.e. what IP are you connecting from and what IP are you trying to connect to?
Jon
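The two Phase 1 causes listed in the reply above can be checked offline by comparing both routers' configs. This is an added example, not part of the original thread: the config fragments, key values and function names are constructed, and the policy defaults are the classic IOS ones, stated here as an assumption.

```python
import re

# Classic IOS ISAKMP policy defaults for attributes a policy block omits
# (assumed for this example; lifetime is not compared).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse(config):
    """Return (set of policy attribute tuples, {peer_ip: key}) from IOS config text."""
    policies, keys, current = [], {}, None
    for line in config.splitlines():
        s = line.strip()
        if re.match(r"crypto isakmp policy \d+$", s):
            current = dict(DEFAULTS)
            policies.append(current)
        elif m := re.match(r"crypto isakmp key (?:[06] )?(\S+) address (\S+)", s):
            keys[m.group(2)] = m.group(1)
            current = None
        elif current is not None and line.startswith(" "):
            word, _, value = s.partition(" ")
            attr = "encr" if word.startswith("encr") else word  # encr / encryption
            if attr in DEFAULTS:
                current[attr] = value
        else:
            current = None  # left the policy sub-block
    return {tuple(sorted(p.items())) for p in policies}, keys

def phase1_problems(cfg_a, ip_a, cfg_b, ip_b):
    """List the Phase 1 mismatches between two peers (empty list = none found)."""
    pol_a, keys_a = parse(cfg_a)
    pol_b, keys_b = parse(cfg_b)
    problems = []
    if not pol_a & pol_b:
        problems.append("no matching isakmp policy")
    key_a, key_b = keys_a.get(ip_b), keys_b.get(ip_a)  # key each side holds for the other
    if key_a is None or key_b is None:
        problems.append("no pre-shared key defined for the peer address")
    elif key_a != key_b:
        problems.append("pre-shared keys do not match")
    return problems

# Constructed config fragments (not the poster's attached configs).
RTRIRA = "crypto isakmp policy 10\n encr 3des\n authentication pre-share\n group 2\ncrypto isakmp key EXAMPLE-KEY address 20.20.20.21\n"
RTRHBC = RTRIRA.replace("20.20.20.21", "20.20.20.20")
RTRHBC_BAD = RTRHBC.replace(" group 2", " hash md5\n group 2").replace("EXAMPLE-KEY", "OTHER-KEY")

if __name__ == "__main__":
    print(phase1_problems(RTRIRA, "20.20.20.20", RTRHBC, "20.20.20.21"))
    print(phase1_problems(RTRIRA, "20.20.20.20", RTRHBC_BAD, "20.20.20.21"))
```

Wildcard key entries (`address 0.0.0.0 0.0.0.0`) and ISAKMP profiles or keyrings are not handled by this sketch.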
12-05-2007 06:16 PM
Thanks Jon.
1) I am trying to get the debug, but it seems like the debug is not running although I console in to the routers.
I have done a "term mon" but to no avail.
Did a "show debug" and the debugging is on.
Need your advice here.
2) There is no output.
The config is attached.
20.20.20.20 and 20.20.20.21 (ROUTERS' WAN CONNECTION) are on Interface FastEthernet and they are configured to crypto map.
Thanks.
12-05-2007 11:41 PM
Cindy
Can you confirm which IP address you are connecting from and which IP address you are connecting to?
The config looks fine as far as I can see.
Jon
12-06-2007 06:05 AM
Jon,
PC (192.168.1.1) - SW - 192.168.1.254 (rtrira) WAN IP: 20.20.20.20 <----> 20.20.20.21 (rtrhbc) 192.168.2.254 - SW - PC (192.168.2.1)
Not sure if this is clear to you, if not, let me know again ya..
Thanks.
12-06-2007 04:39 PM
Another info is..
I am trying to ping to 192.168.2.1 to establish if the ipsec is working..but got request timed out..
Thanks.
12-06-2007 10:01 PM
Cindy
Contrary to what I said before, from the debugging it looks like Phase 1 is completing and Phase 2 is the issue.
Your configs look absolutely fine to me, the only thing that I wouldn't normally put in are the static routes to the remote networks, i.e.
rtrhbc
ip route 192.168.1.0 255.255.255.0 20.20.20.20
rtrira
ip route 192.168.2.0 255.255.255.0 20.20.20.21
You don't need these routes as the crypto access-lists, access-list 105 in your configs, are what tell the router how to reach the remote network.
Could you remove these static routes and try again?
Jon
12-07-2007 12:28 AM
Jon,
Not sure how it happened.. I removed the crypto config and put it back again.
Seems like it is working now.. :)
Thanks for your help again..