IP sec issue

Unanswered Question
Sep 8th, 2008

Hi all,

I had configured IPsec but the link can't come up, so could you help me to configure IPsec?

satish_zanjurne Mon, 09/08/2008 - 23:11

Hi,

1. Don't start with the IPSec configuration directly.

2. First see whether the link is up between the peers & the peers can ping each other.

3. Use show interface to see the interface status.

HTH..rate if helpful..

satish_zanjurne Tue, 09/09/2008 - 00:00

First Router Config

---------------------------------------
hostname R2
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key ciscokey address 200.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description ------LAN Interface-----
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
interface Ethernet1/0
 description ----WAN interface where other peer is connected---
 ip address 100.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
ip route 0.0.0.0 0.0.0.0 100.1.1.254
!--- Except the private network from the NAT process:
ip nat inside source list 175 interface Ethernet1/0 overload
!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!--- Except the private network from the NAT process:
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any

-------------------------------------------- Router R3
hostname R3
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ciscokey address 100.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description -----LAN Interface----
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description ---WAN Interface
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
ip route 0.0.0.0 0.0.0.0 200.1.1.254
!--- Except the private network from the NAT process:
ip nat inside source list 122 interface Ethernet1/0 overload
!--- Except the static-NAT traffic from the NAT process if destined
!--- over the encrypted tunnel:
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!--- Except the private network from the NAT process:
access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any
!--- Except the static-NAT traffic from the NAT process if destined
!--- over the encrypted tunnel:
-------------------------------------------

HTH...rate if helpful...
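
Added example, not part of the original thread: a Python check that the values which must agree between R2 and R3 (pre-shared key, peer and WAN addresses, transform set, mirrored crypto ACL) actually do. The sample configs are constructed from the post above, `TEMPLATE`, `parse` and `mismatches` are hypothetical names, and it assumes one crypto map entry per router in the usual indented IOS layout.

```python
import re

# Constructed, trimmed sample based on the R2 and R3 configurations posted above.
TEMPLATE = """\
crypto isakmp key ciscokey address {peer}
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
 set peer {peer}
 match address 101
interface Ethernet1/0
 ip address {wan} 255.255.255.0
 crypto map myvpn
access-list 101 permit ip {lan} 0.0.0.255 {remote} 0.0.0.255
"""
R2 = TEMPLATE.format(peer="200.1.1.1", wan="100.1.1.1", lan="172.16.1.0", remote="10.1.1.0")
R3 = TEMPLATE.format(peer="100.1.1.1", wan="200.1.1.1", lan="10.1.1.0", remote="172.16.1.0")

def parse(cfg):
    """Extract the settings that must agree between the two peers."""
    def one(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.groups() if m else ()
    acl_id = one(r"^\s*match address (\d+)")
    return {
        "key": one(r"^crypto isakmp key (\S+) address (\S+)"),
        "peer": one(r"^\s*set peer (\S+)"),
        "transform": one(r"^crypto ipsec transform-set \S+ (.+)$"),
        "acl": one(rf"^access-list {acl_id[0]} permit ip (\S+ \S+) (\S+ \S+)") if acl_id else (),
        # WAN address: the interface block that carries the crypto map
        "wan": one(r"^interface \S+\n(?: +.*\n)*? +ip address (\S+) .*\n(?: +.*\n)*? +crypto map"),
    }

def mismatches(a, b):
    """Reasons configs a and b would fail to negotiate; empty list if none."""
    A, B = parse(a), parse(b)
    checks = [
        (A["key"][:1] != B["key"][:1], "pre-shared keys differ"),
        (A["transform"] != B["transform"], "transform sets differ"),
        (A["acl"] != B["acl"][::-1], "crypto ACLs are not mirror images"),
    ]
    for x, y, name in ((A, B, "first"), (B, A, "second")):
        bad = not (x["peer"] == y["wan"] == x["key"][1:])
        checks.append((bad, f"{name} router: peer/key address is not the other WAN address"))
    return [msg for failed, msg in checks if failed]
```

`mismatches(R2, R3)` returns an empty list for the pair as posted; any string it returns names a setting to fix before debugging further.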

arupbiet2006 Tue, 09/09/2008 - 00:50

When I enter the crypto ipsec transform-set command, I can't enter this: myset esp-3des esp-md5-hmac

!

satish_zanjurne Tue, 09/09/2008 - 01:26

Hi,

myset is the name of the transform set, so you need to type it as it is. It is not a keyword, but esp-3des & esp-md5-hmac are keywords; you can get these by using "?" or pressing Tab.
