08-09-2008 02:22 AM - edited 03-03-2019 11:05 PM
Hi,
I am using IPsec between two routers (site to site) in a lab environment for testing.
The Router A local LAN is not pinging the remote Router B, and the crypto session is showing down. Please provide the solution for bringing up this scenario.
The detailed configuration is as follows
Router B
Building configuration...
Current configuration : 957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 192.168.10.2
!
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
set peer 192.168.10.2
set transform-set manju
match address 110
!
!
!
!
interface FastEthernet0
ip address 10.97.37.212 255.255.255.0
speed auto
crypto map 1
!
interface Serial0
description AIRTEL-BANG [192.168.10.2]
ip address 192.168.10.1 255.255.255.252
!
!
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip host 192.168.10.1 host 192.168.10.2
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 3
login
line vty 4
password cisco
login
!
end
Router A
Building configuration...
Current configuration : 955 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-BANG
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 192.168.10.1
!
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
set peer 192.168.10.1
set transform-set manju
match address 110
!
!
!
!
interface FastEthernet0
ip address 172.26.8.10 255.255.255.0
speed auto
crypto map 1
!
interface Serial0
description AIRTEL-DELHI[192.168.10.1]
ip address 192.168.10.2 255.255.255.252
!
interface Serial1
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip host 192.168.10.2 host 192.168.10.1
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end
08-09-2008 04:47 AM
Hi,
I suppose your interesting traffic is between 10.97.37.0/24 and 172.26.8.0/24 networks, and your peers are 192.168.10.1 and 192.168.10.2 respectively.
Isn't it something like the following that you are looking for?
Try pinging between these networks and see whether it is through the tunnel (debug crypto <> options).
Router B
Building configuration...
Current configuration : 957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 192.168.10.2
!
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
set peer 192.168.10.2
set transform-set manju
match address 110
!
!
!
!
interface FastEthernet0
ip address 10.97.37.212 255.255.255.0
speed auto
!
interface Serial0
description AIRTEL-BANG [192.168.10.2]
ip address 192.168.10.1 255.255.255.252
crypto map 1
!
!
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 10.97.37.212 0.0.0.255 172.26.8.10 0.0.0.255
ip route 172.26.8.0 255.255.255.0 192.168.10.2
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 3
login
line vty 4
password cisco
login
!
end
Router A
Building configuration...
Current configuration : 955 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-BANG
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 192.168.10.1
!
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
set peer 192.168.10.1
set transform-set manju
match address 110
!
!
!
!
interface FastEthernet0
ip address 172.26.8.10 255.255.255.0
speed auto
!
interface Serial0
description AIRTEL-DELHI[192.168.10.1]
ip address 192.168.10.2 255.255.255.252
crypto map 1
!
interface Serial1
no ip address
shutdown
!
!
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 172.26.8.10 0.0.0.255 10.97.37.212 0.0.0.255
ip route 10.97.37.0 255.255.255.0 192.168.10.1
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end
HTH
08-09-2008 04:44 AM
The 'interesting' traffic in your ACL should be your LAN subnets, not the serial links.
For instance:
Router B:
access-list 110 permit ip 10.97.37.0 0.0.0.255 172.26.8.0 0.0.0.255
Router A:
access-list 110 permit ip 172.26.8.0 0.0.0.255 10.97.37.0 0.0.0.255
HTH,
__
Edison.
Please rate helpful posts
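The two answers above make the same point from different angles: the crypto ACL has to describe LAN-to-LAN traffic and be the mirror image of the peer's ACL, the crypto map belongs on the interface whose address the peer uses in `set peer`, and each router needs a route to the remote LAN via the peer. The following checker is an added example written for this page (editor's code, not from the thread or from Cisco) that audits a pair of IOS configs for exactly those four mistakes; the embedded configs are the crypto-relevant lines of the original question's Router A and Router B. The ACL normalization mirrors IOS behaviour (`10.97.37.212 0.0.0.255` is stored as `10.97.37.0 0.0.0.255`), so the accepted answer's ACLs and Edison's are treated as the same flows. Note also that the thread's `esp-des` transform, `hash md5` and the key `cisco123` are lab values; DES and MD5 are obsolete for anything outside a lab.

```python
"""Editor's added example, not code from the thread: audit two IOS site-to-site IPsec configs
for crypto map on the LAN interface, crypto ACL selecting the tunnel endpoints, non-mirrored
ACLs, and a missing route to the remote LAN via the peer."""
import ipaddress
from typing import Dict, List, Tuple

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address

def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """'10.97.37.212 0.0.0.255' -> 10.97.37.0/24, clearing host bits as IOS does."""
    a, w = int(Addr(addr)), int(Addr(wildcard))
    if (w + 1) & w:  # the wildcard must be one contiguous low run of ones
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return Net(f"{Addr(a & ~w & 0xFFFFFFFF)}/{32 - w.bit_length()}")

def endpoint(kind: str, value: str) -> Net:
    """'host 1.2.3.4' -> 1.2.3.4/32; 'addr wildcard' -> normalized network."""
    return Net(f"{value}/32") if kind == "host" else wildcard_to_network(kind, value)

def parse_ace(line: str) -> Tuple[int, Tuple[Net, Net]]:
    """Parse 'access-list N permit ip <src> <dst>' in host or addr-wildcard form."""
    parts = line.split()
    if parts[:1] != ["access-list"] or parts[2:4] != ["permit", "ip"] or len(parts) != 8:
        raise ValueError(f"unsupported ACE: {line!r}")
    return int(parts[1]), (endpoint(parts[4], parts[5]), endpoint(parts[6], parts[7]))

def parse_side(config: str) -> Dict[str, object]:
    """Extract peer, crypto-ACL flows, crypto-map interface, connected nets and static routes."""
    peer = acl_num = iface = map_iface = None
    aces, ifaces, routes = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line == "!":
            iface = None
        elif line.startswith("set peer "):
            peer = Addr(line.split()[2])
        elif line.startswith("match address "):
            acl_num = int(line.split()[2])
        elif line.startswith("access-list ") and " permit ip " in line:
            num, flow = parse_ace(line)
            aces.setdefault(num, []).append(flow)
        elif line.startswith("ip route "):
            _, _, net, mask, nh = line.split()[:5]
            routes.append((Net(f"{net}/{mask}"), nh))
        elif iface and line.startswith("ip address "):
            ifaces[iface] = ipaddress.ip_interface("{}/{}".format(*line.split()[2:4]))
        elif iface and line.startswith("crypto map "):
            map_iface = iface
    map_if = ifaces.get(map_iface)
    return {"peer": peer, "flows": aces.get(acl_num, []), "map_iface": map_iface,
            "map_addr": map_if.ip if map_if else None, "routes": routes,
            "connected": [i.network for i in ifaces.values()]}

def audit(config_a: str, config_b: str) -> List[str]:
    """Return findings for the pair; an empty list means the two sides agree."""
    sides = {"A": parse_side(config_a), "B": parse_side(config_b)}
    dialed = {"A": sides["B"]["peer"], "B": sides["A"]["peer"]}  # address the other side dials
    findings = []
    for name, s in sides.items():
        if s["map_addr"] != dialed[name]:
            findings.append(f"{name}: crypto map is on {s['map_iface']} ({s['map_addr']}) but the "
                            f"peer dials {dialed[name]}; apply it on the peer-facing interface")
        for src, dst in s["flows"]:
            for net in (src, dst):
                if net.prefixlen == 32 and net.network_address in dialed.values():
                    findings.append(f"{name}: crypto ACL selects tunnel endpoint "
                                    f"{net.network_address}; LAN-to-LAN traffic will never match it")
            if not (any(dst.subnet_of(c) for c in s["connected"]) or
                    any(dst.subnet_of(r) and nh == str(s["peer"]) for r, nh in s["routes"])):
                findings.append(f"{name}: no route to {dst} via peer {s['peer']}")
    mirror = {n: {(d, src) for src, d in sides[n]["flows"]} for n in sides}
    for name, other in (("A", "B"), ("B", "A")):
        for src, dst in sides[name]["flows"]:
            if (src, dst) not in mirror[other]:
                findings.append(f"{name}: flow {src} -> {dst} has no mirror-image entry on {other}")
    return findings

# Constructed from the crypto-relevant lines of the original question's configs.
ROUTER_A_ORIGINAL = """\
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.1
 match address 110
interface FastEthernet0
 ip address 172.26.8.10 255.255.255.0
 crypto map 1
interface Serial0
 ip address 192.168.10.2 255.255.255.252
access-list 110 permit ip host 192.168.10.2 host 192.168.10.1
"""
ROUTER_B_ORIGINAL = """\
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.2
 match address 110
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 crypto map 1
interface Serial0
 ip address 192.168.10.1 255.255.255.252
access-list 110 permit ip host 192.168.10.1 host 192.168.10.2
"""
```

Running `audit(ROUTER_A_ORIGINAL, ROUTER_B_ORIGINAL)` reports six findings (the crypto map on FastEthernet0 on both sides, and both ACL endpoints being the serial addresses on both sides); feeding it the corrected configs from the accepted answer returns an empty list.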
08-09-2008 05:47 AM
Hi,
After doing the above configuration, the output is as follows.
Router#sh crypto session
Interface: Serial0
Session status: UP-IDLE
Peer: 192.168.10.1 port 500
IKE SA: local 192.168.10.2/500 remote 192.168.10.1/500 Active
IPSEC FLOW: permit ip 172.26.8.0/255.255.255.0 10.97.37.0/255.255.255.0
Active SAs: 0, origin: crypto map
How do I check the secured tunnel between the two peers?
08-09-2008 07:08 AM
show crypto ipsec sa is the command I use the most.
More commands and explanation can be found at:
http://www.cisco.com/warp/public/707/20.html
HTH,
__
Edison.
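The `show crypto session` output posted above is the state to recognise: `Session status: UP-IDLE` with an `Active` IKE SA and `Active SAs: 0` means phase 1 completed but no IPsec SA exists yet, because nothing matching the crypto ACL has been sent; a LAN-to-LAN ping (with a route to the remote LAN) is what triggers phase 2, and `show crypto ipsec sa` then shows the encap/decap counters. As an added example (editor's code, not from the thread or from Cisco), the parser below reads that output format and classifies each session as down, IKE-only, or up. The first sample is the output posted in the thread; the second is constructed by editing it to the UP-ACTIVE form and is not from the thread.

```python
"""Editor's added example, not from the thread: parse 'show crypto session' output and say
whether a session is down, IKE-only (UP-IDLE, Active SAs: 0) or carrying IPsec SAs."""
import re
from typing import Dict, List

_ACTIVE_SAS = re.compile(r"Active SAs:\s*(\d+)")

def parse_crypto_session(text: str) -> List[Dict[str, object]]:
    """One dict per 'Interface:' block: status, peer, whether an IKE SA is Active, flows."""
    sessions: List[Dict[str, object]] = []
    cur: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "status": None,
                   "peer": None, "ike_active": False, "flows": []}
            sessions.append(cur)
        elif not cur:
            continue  # header lines before the first session block
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur["peer"] = line.split()[1]
        elif line.startswith("IKE SA:"):
            cur["ike_active"] = cur["ike_active"] or line.split()[-1] == "Active"
        elif line.startswith("IPSEC FLOW:"):
            cur["flows"].append({"flow": line.split(":", 1)[1].strip(), "active_sas": 0})
        elif line.startswith("Active SAs:") and cur["flows"]:
            cur["flows"][-1]["active_sas"] = int(_ACTIVE_SAS.search(line).group(1))
    return sessions

def diagnose(session: Dict[str, object]) -> str:
    """Classify one session as DOWN, PHASE1_ONLY or UP and name the next thing to check."""
    flows = session["flows"]
    total = sum(f["active_sas"] for f in flows)
    if not session["ike_active"]:
        return (f"DOWN: no active IKE SA with {session['peer']} ({session['status']}); "
                "run 'debug crypto isakmp' and check the pre-shared key, the ISAKMP policy "
                "and reachability to the peer on UDP/500")
    if total == 0:
        return (f"PHASE1_ONLY: IKE is up with {session['peer']} but none of {len(flows)} flow(s) "
                "has an IPsec SA; nothing matching the crypto ACL has been sent yet, so ping "
                "LAN-to-LAN, confirm the route to the remote LAN, then 'show crypto ipsec sa'")
    return f"UP: {total} active IPsec SA(s) with {session['peer']}"

# Output posted in the thread (Router A, after the ACL fix, before any LAN-to-LAN traffic).
SESSION_FROM_THREAD = """\
Interface: Serial0
Session status: UP-IDLE
Peer: 192.168.10.1 port 500
  IKE SA: local 192.168.10.2/500 remote 192.168.10.1/500 Active
  IPSEC FLOW: permit ip 172.26.8.0/255.255.255.0 10.97.37.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

# Constructed, not from the thread: the same session once phase 2 has come up.
SESSION_WORKING = (SESSION_FROM_THREAD.replace("UP-IDLE", "UP-ACTIVE")
                   .replace("Active SAs: 0", "Active SAs: 2"))

if __name__ == "__main__":
    for sample in (SESSION_FROM_THREAD, SESSION_WORKING):
        print(diagnose(parse_crypto_session(sample)[0]))
```

The parser keys on the fixed labels of the command's output (`Interface:`, `Session status:`, `Peer:`, `IKE SA:`, `IPSEC FLOW:`, `Active SAs:`) and tolerates the "Crypto session current status" header and multiple sessions; it does not try to interpret `show crypto ipsec sa`, whose counters are the next thing to read once the verdict is UP.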
08-09-2008 08:06 AM
Since you've set up a testbed, it would be interesting to study the output of debug crypto in order to get a better understanding.
HTH.
08-19-2008 10:34 PM
Hi ,
Thanks for your support. My rating is 5.
08-09-2008 04:54 AM
Hi, there is no routing between the LAN subnets. Please try adding this:
Router A
ip route 10.97.37.0 255.255.255.0 192.168.10.1
Router B
ip route 172.26.8.0 255.255.255.0 192.168.10.2
08-11-2008 12:24 AM
Did you manage to perform required tests successfully?
08-11-2008 12:40 AM
Yes, I did. After successful configuration the site was working and the session was up. Unexpectedly I used the clear crypto isakmp command, and the session never came up; it is still showing down.
08-11-2008 12:49 AM
Even when you try to put some interesting traffic (e.g. by pinging from one internal network to the other) ?
Have you tried debug crypto {isakmp/ipsec/verbose} to see what they say?
08-11-2008 01:25 AM
I tried pinging from the local Ethernet to the remote one, and it is still showing the same status.
Do you know how to enable the display for debug?
When I try the command debug crypto isakmp, nothing is displayed.
08-11-2008 01:32 AM
If you are on a terminal session, http://www.cisco.com/en/US/docs/ios/12_1/configfun/command/reference/frd1003.html#wp1019329
If on console,
http://www.cisco.com/en/US/docs/ios/12_3/configfun/command/reference/cfr_1g04.html#wp1031439
HTH
08-11-2008 03:38 AM
For further analysis,
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ipsvm.html#wp1056862
HTH
08-11-2008 04:21 AM
Try this command sh ip crypto isakmp sa
Then check the status