517 Views, 4 Helpful, 9 Replies

How can I establish a VPN connection between two C1710 routers?

godlam
Level 1

The network is

N1<--------->R1<---------ISP----------> R2 <------------>N2

Thx

Godwin

9 Replies

Thank you for the response. I have followed the procedure to set up the router. How can I prove it is working? When I do the

sh crypto engine connection active

it shows nothing. Do I need to establish the tunnel to connect the two sites? Please advise. Thanks

Godwin

Hi Godwin,

Once the configurations on the routers are done, you need to send some interesting traffic that could match the crypto access-list and trigger an ISAKMP negotiation. Once the IPSec SAs are up (after Phase-2 negotiation), the interesting traffic will get forced to go through IPSec tunnel.

To check if SAs have come up or not, the best command is "show crypto isakmp sa" or "show crypto ipsec sa". There are a couple of other commands that might help you. Use them for better understanding.

show pas isa int

show pas isa ?

show cry engine config

debug crypto isakmp

debug crypto ipsec

Regards,

Naveen

mnaveen@cisco.com

Thanks Naveen. I would like to ask a stupid question. Is the workflow of the IPSec tunnel trigger:

1. Trigger interesting traffic

2. The packet will trigger the dialer to call the remote site

3. Matching the key

4. Establish the IPSec tunnel.

The question is I am not sure whether we need to enter the dialer configuration or not. Please advise.

Regards

Godwin

Sorry, one more thing. Do I set a static route going to the remote site? I tried to ping the remote site, but "show crypto isakmp sa" shows nothing. Please advise. Thanks

Regards

Godwin

Hi Godwin,

IPSec doesn't care whether you have a static route or you are using a routing protocol, as long as you are able to reach the peer. That is to say, even before you establish the IPSec tunnel, the WAN interfaces should be up and running. Only then can ISAKMP start the Phase-1 negotiation. If you want the SAs to come up when you ping, then the crypto access-list should look like

access-list 101 permit ip host host

Then a simple ping will trigger the ISAKMP negotiation. Otherwise, whatever networks you permit in the crypto access-list, packets from those networks will trigger the ISAKMP negotiation. It's that easy :-))

For the other question you asked... Dialer configs are used when you want some interesting traffic to be sent to the ISDN network, whereas crypto configs are used to select interesting traffic (based on the crypto access-list) for encryption and send it out of the crypto interface. If the crypto interface is your dialer interface, then the packets are first protected with IPSec and then sent out through the Dialer/crypto interface (since both are the same). Note that this may not always be the case. All traffic going through the dialer interface need not be IPSec protected! Think it over... :-))

If you need more info, you can write to me directly to my cisco id.

Naveen.

mnaveen@cisco.com
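The two replies above (interesting traffic matching the crypto access-list triggers ISAKMP, and the peers must already be reachable over the WAN) can be put together into one minimal site-to-site configuration. The following is an added example written for this thread, not configuration from the original posts or from Cisco: it assumes N1 is 10.1.0.0/24 behind R1, N2 is 10.2.0.0/24 behind R2 (the thread only mentions the host 10.2.0.1), constructed WAN addresses 203.0.113.1 and 203.0.113.2 on interface Ethernet0, a WAN default route via the ISP, and the placeholder pre-shared key shown. The algorithm choices are an assumption about what the routers' IOS release supports; very old 1710 images may only offer 3DES/SHA-1, in which case the encryption, hash and transform-set lines have to be adjusted, but the rest of the structure is the same.

```cisco
! ===== R1 (added example; addresses and key are constructed placeholders) =====
! Phase 1: ISAKMP policy and pre-shared key for the remote peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2: transform set used for the IPsec SAs.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto access-list = "interesting traffic": only N1 -> N2 packets trigger
! ISAKMP and get encrypted. A ping from R1 itself sourced from the WAN
! address will NOT match this ACL and will never bring the tunnel up.
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
!
! The crypto map goes on the interface that faces the ISP. On an ISDN
! setup this would be the Dialer interface instead (Naveen's point above).
interface Ethernet0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN
!
interface FastEthernet0
 ip address 10.1.0.1 255.255.255.0
!
! Routing must already deliver traffic to the crypto interface; IPsec does
! not create routes. The default route reaches the peer, the static route
! sends N2-bound packets out of Ethernet0 where the crypto map sees them.
ip route 0.0.0.0 0.0.0.0 203.0.113.2
ip route 10.2.0.0 255.255.255.0 203.0.113.2
!
! ===== R2: mirror image of R1 =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 101
!
interface Ethernet0
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
!
interface FastEthernet0
 ip address 10.2.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.1.0.0 255.255.255.0 203.0.113.1
```

To bring the tunnel up and verify it with the commands Naveen lists: first confirm plain WAN reachability with `ping 203.0.113.2` from R1 (no SA is involved yet). Then send traffic that actually matches the crypto access-list, either from a host on N1 or from R1 with the LAN address as source, `ping 10.2.0.1 source 10.1.0.1`; the first one or two echoes are usually lost while the negotiation runs. Afterwards `show crypto isakmp sa` should show the peer in state QM_IDLE (Phase 1 complete), and `show crypto ipsec sa` should show non-zero `#pkts encaps` and `#pkts decaps` counters for the 10.1.0.0/24 to 10.2.0.0/24 pair. If both stay empty, `debug crypto isakmp` on the responder shows whether proposals or the pre-shared key mismatch. One caveat not covered in the thread: if the WAN interface also does NAT overload for Internet access, the LAN-to-LAN traffic must be exempted from translation, because on IOS NAT is applied before the crypto map and translated packets no longer match the crypto access-list.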

Naveen

Thank you for your support. I think I have configured the IPSec. The question is, when I issue a ping from N1 to N2, like ping 10.2.0.1, there is no response. I have configured the VPN on R2. How can I trigger the VPN connection from R1 to R2? Please advise. By the way, what is the Cisco id, mnaveen@cisco.com?? Many thanks

Regards

Godwin

Can you give me the plain IPsec configuration on both sides?
