IPSec newbe question

Unanswered Question
Aug 17th, 2008

I am trying to connect two routes using IPSec but having some trouble as this is my first time. can someone help why there is this 'incomplete' in between the commands? and the tunnel does not seeem to be working.

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

crypto isakmp key cisco address 192.168.3.2

no crypto isakmp ccm

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto map mymap 10 ipsec-isakmp

! Incomplete

set peer 192.168.3.2

set transform-set myset

match address acl_vpn

!

Thanks

ARANA

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Marwan ALshawi Sun, 08/17/2008 - 05:01

try to change the crypto isakmp to the following

crypto isakmp key cisco address 192.168.3.2 255.255.255.255

then

crypto isakmp policy 10

group 2

crypto isakmp enable

i know those not directly related to ur problem but they need to be done anyway

good luck

husycisco Sun, 08/17/2008 - 05:32

Hello Arana,

Whenever you see an "! Incomplete

" in crypto map, that means it is incomplete somehow. Double-check the spelling of acl_vpn in original ACL and in crypto map statement. If you are sure that all fine, then remove the "crypto map mymap 10" entry and write again.

You should not see "! Incomplete " there

Regards

rana_beech Sun, 08/17/2008 - 07:07

Hi Husy,

Thanks. I did make some type on the access list. So now I have made the changes and I do not see the incomplete message displaced. I am making progress .... does this mean that my IPSec is working

R4#sho crypto isakmp sa

dst src state conn-id slot status

192.168.1.2 192.168.3.2 MM_NO_STATE 0 0 ACTIVE (deleted)

192.168.3.2 192.168.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)

Could I also check if this access list covers interesting traffic? source is from net 192.168.4.0 to any destination. Is a specific destination required or will any be ok to use.

ip access-list extended acl-vpn

permit ip 192.168.4.0 0.0.0.255 any

Thanks

ARANA

husycisco Sun, 08/17/2008 - 07:33

Hello Arana,

To say that your IPSEC VPN is working, QM_IDLE is the state that you should be seeing, not MM_NO_STATE,

If you specify destination as "any" than your all traffic including internet will travel over the tunnel. Dont use any statement unless you know what you are doing.

Please post your running config and write exactly what you want to achieve, then let us make suggestions.

Regards

rana_beech Sun, 08/17/2008 - 14:53

Hi Husy,

I want all internet traffic to go through our central site. Does it even work if I do not specify any statement? I was not aware of that. Here is the running config.

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address 192.168.1.2

no crypto isakmp ccm

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 192.168.1.2

set transform-set myset

match address acl-vpn

!

!

!

interface Serial1/0

no ip address

encapsulation frame-relay

serial restart-delay 0

no dce-terminal-timing-enable

no frame-relay inverse-arp

crypto map mymap

!

interface Serial1/0.1 point-to-point

ip address 192.168.3.2 255.255.255.0

frame-relay interface-dlci 401

crypto map mymap

!

interface Serial1/1

ip address 192.168.5.1 255.255.255.0

serial restart-delay 0

no dce-terminal-timing-enable

!

interface Serial1/2

no ip address

shutdown

serial restart-delay 0

no dce-terminal-timing-enable

!

interface Serial1/3

no ip address

shutdown

serial restart-delay 0

no dce-terminal-timing-enable

!

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.3.1

!

!

ip access-list extended acl-vpn

permit ip 192.168.5.0 0.0.0.255 any

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

login

!

!

end

Regards,

ARANA

Actions

This Discussion