09-08-2008 11:07 PM - edited 03-03-2019 11:27 PM
hi all,
I had configured IPsec but the link can't come up, so could you help me to configure IPsec?
09-08-2008 11:11 PM
Hi,
1. Don't start with the IPsec configuration directly.
2. First see whether the link is up between the peers & the peers can ping each other.
3. Use show interface to see the interface status..
HTH..rate if helpful..
09-08-2008 11:14 PM
Hello... everything is OK... could you send me an IPsec config?
09-08-2008 11:38 PM
1. Tell me on which devices you are trying to establish the IPsec?
09-08-2008 11:42 PM
IPsec between router to router
09-09-2008 12:00 AM
First Router Config
---------------------------------------
hostname R2
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key ciscokey address 200.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description ------LAN Interface-----
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description ----WAN interface where other peer is connected---
 ip address 100.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
ip route 0.0.0.0 0.0.0.0 100.1.1.254
!--- Exclude the private network from the NAT process:
ip nat inside source list 175 interface Ethernet1/0 overload
!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!--- Exclude the private network from the NAT process:
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any
--------------------------------------------Router R3
hostname R3
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key ciscokey address 100.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description -----LAN Interface----
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description ---WAN Interface
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
ip route 0.0.0.0 0.0.0.0 200.1.1.254
!--- Exclude the private network from the NAT process:
ip nat inside source list 122 interface Ethernet1/0 overload
!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!--- Exclude the private network from the NAT process:
access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any
-------------------------------------------
HTH...rate if helpful...
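The two configs above depend on ACL relationships that are easy to break when adapting them: the crypto ACLs (101) must mirror each other, and each router's NAT ACL must deny the protected traffic before any permit. The following Python check is an added example, not part of the thread or any Cisco tool; the names take, parse and check are hypothetical, and it assumes extended ACLs with contiguous wildcard masks.

```python
from ipaddress import ip_network
# Added example; constructed input: the ACL-related lines of the R2/R3 configs above.
R2 = """crypto map myvpn 10 ipsec-isakmp
 match address 101
ip nat inside source list 175 interface Ethernet1/0 overload
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any"""
R3 = """crypto map myvpn 10 ipsec-isakmp
 match address 101
ip nat inside source list 122 interface Ethernet1/0 overload
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any"""

def take(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' (contiguous wildcards assumed)."""
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(tok[1]), tok[2:]
    return ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse(cfg):
    """Return (crypto ACL entries, NAT ACL entries) as (action, src, dst) tuples."""
    acl, ref = {}, {}
    for w in map(str.split, cfg.splitlines()):
        if w[:2] == ["match", "address"]:
            ref["crypto"] = w[2]
        elif w[:5] == "ip nat inside source list".split():
            ref["nat"] = w[5]
        elif w[:1] == ["access-list"] and w[3:4] == ["ip"]:
            src, rest = take(w[4:])
            acl.setdefault(w[1], []).append((w[2], src, take(rest)[0]))
    return acl.get(ref.get("crypto"), []), acl.get(ref.get("nat"), [])

def check(a, b):
    """Compare two peers' configs and list the ACL problems that break the tunnel."""
    (ca, na), (cb, nb) = parse(a), parse(b)
    out = []
    if {(s, d) for x, s, d in ca if x == "permit"} != {(d, s) for x, s, d in cb if x == "permit"}:
        out.append("crypto ACLs are not mirror images")
    for name, crypto, nat in (("A", ca, na), ("B", cb, nb)):
        for x, s, d in crypto:
            # IOS ACLs are first-match: find the first NAT entry touching this flow.
            hit = next((e for e in nat if s.overlaps(e[1]) and d.overlaps(e[2])), None)
            if x == "permit" and hit and not (hit[0] == "deny" and s.subnet_of(hit[1]) and d.subnet_of(hit[2])):
                out.append(f"{name}: {s} -> {d} is translated before encryption")
    return out
```

Calling check(R2, R3) on the configs as posted returns an empty list; removing a NAT deny line or widening one side's crypto ACL makes it report the mismatch.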
09-09-2008 12:08 AM
Make sure you are adding proper default routes..
09-09-2008 12:50 AM
When I enter the crypto ipsec transform-set command, I can't enter this: myset esp-3des esp-md5-hmac
!
09-09-2008 01:26 AM
Hi,
myset is the name of the transform set, so you need to type it as it is. It is not a keyword, but esp-3des & esp-md5-hmac are keywords; you can get these by using "?" or pressing Tab.
09-09-2008 04:35 AM
Thank you satish.