satish_zanjurne Mon, 09/08/2008 - 23:11


Hi,


1. Don't start with the IPsec configuration directly.

2. First see whether the link is up between the peers & the peers can ping each other.

3. Use show interface to see the interface status.


HTH..rate if helpful..

arupbiet2006 Mon, 09/08/2008 - 23:14

Hello... everything is OK... could you send me an IPsec config?

satish_zanjurne Mon, 09/08/2008 - 23:38

1. Tell me on which devices you are trying to establish the IPsec?



satish_zanjurne Tue, 09/09/2008 - 00:00

First Router Config

---------------------------------------


hostname R2

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key ciscokey address 200.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description ------LAN Interface-----
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description ----WAN interface where other peer is connected---
 ip address 100.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
ip route 0.0.0.0 0.0.0.0 100.1.1.254

!--- Exclude the private network from the NAT process:
ip nat inside source list 175 interface Ethernet1/0 overload

!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255

!--- Exclude the private network from the NAT process:
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any


--------------------------------------------Router R3


hostname R3

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key ciscokey address 100.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description -----LAN Interface----
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description ---WAN Interface
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
ip route 0.0.0.0 0.0.0.0 200.1.1.254

!--- Exclude the private network from the NAT process:
ip nat inside source list 122 interface Ethernet1/0 overload

!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

!--- Exclude the private network from the NAT process:
access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any


-------------------------------------------


HTH...rate if helpful...
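
The two configs in the post above depend on three cross-router relationships: each `set peer` must be the other router's crypto-map interface address, access-list 101 must be mirrored on the two sides, and each NAT list must deny the tunnel traffic before its permit. The following is an added example, not part of the original posts, that checks those relationships; `parse` and `check` are hypothetical helpers, the inputs are trimmed copies of the posted configs, and it assumes both routers use `ip nat inside source list ... overload` as posted.

```python
import re
from itertools import takewhile
ACL = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+) (\S+ \S+|any)$", re.M)
# Added example: constructed, trimmed copies of the posted R2/R3 configs; helpers are hypothetical.
R2 = """crypto map myvpn 10 ipsec-isakmp
 set peer 200.1.1.1
 match address 101
interface Ethernet1/0
 ip address 100.1.1.1 255.255.255.0
 crypto map myvpn
ip nat inside source list 175 interface Ethernet1/0 overload
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any"""
R3 = """crypto map myvpn 10 ipsec-isakmp
 set peer 100.1.1.1
 match address 101
interface Ethernet1/0
 ip address 200.1.1.1 255.255.255.0
 crypto map myvpn
ip nat inside source list 122 interface Ethernet1/0 overload
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any"""

def parse(cfg):
    """Pull out what both ends must agree on; only denies ahead of the first NAT permit count."""
    def one(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    rules = ACL.findall(cfg)  # (number, action, source, destination) in config order
    crypto_id, nat_id = one(r"^ match address (\d+)"), one(r"^ip nat inside source list (\d+)")
    nat = takewhile(lambda r: r[1] == "deny", (r for r in rules if r[0] == nat_id))
    return {"peer": one(r"^ set peer (\S+)"),
            "wan": one(r"^ ip address (\S+) .*\n(?: .*\n)*? crypto map"),  # interface carrying the map
            "crypto": [(s, d) for n, a, s, d in rules if n == crypto_id and a == "permit"],
            "exempt": [(s, d) for _, _, s, d in nat]}

def check(a, b):
    """Return mismatches between two parsed peers; an empty list means they line up."""
    bad = []
    if a["peer"] != b["wan"] or b["peer"] != a["wan"]:
        bad.append("set peer is not the other router's crypto-map interface address")
    if sorted(a["crypto"]) != sorted((d, s) for s, d in b["crypto"]):
        bad.append("crypto ACLs are not mirror images")
    for name, side in (("first", a), ("second", b)):
        if not set(side["crypto"]) <= set(side["exempt"]):
            bad.append(f"{name} peer: tunnel traffic is not denied ahead of the NAT permit")
    return bad
```

`check(parse(R2), parse(R3))` returns an empty list for the configs as posted; treating only the denies ahead of the first permit as exemptions is a deliberate simplification.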

satish_zanjurne Tue, 09/09/2008 - 00:08


Make sure you are adding proper default routes..

arupbiet2006 Tue, 09/09/2008 - 00:50

When I type the crypto ipsec transform-set command, I can't enter this: myset esp-3des esp-md5-hmac

!

satish_zanjurne Tue, 09/09/2008 - 01:26

hi,


myset is the name of the transform set, so you need to type it as it is. It is not a keyword, but esp-3des & esp-md5-hmac are keywords; you can get these by using "?" or pressing Tab.


