Cisco Support Community
IPsec not working with VTI interface

Dear All,

 

I tried IPsec on FastEthernet 0/1 and it works fine, but when I tried to map the same IPsec crypto to the Tunnel1 {VTI} interface, IPsec did not work.

My remote site checks for the source IP of FastEthernet 0/0 {Proxy ID in Juniper}.

I tried to map the crypto map to the Tunnel1 interface, but it does not work.

Below is my config {peer IP, pre-shared key and names removed for security}:

PuTTY log 2014.06.26 16:46:48
sh run
Building configuration...

Current configuration : 1556 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xyz
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!

username xyz password 0 xyz

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key MYKEY@123 address XX.XX.XX.XX
!
!
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
!
crypto ipsec profile Tunnel
!
crypto ipsec profile tunnel
 set transform-set ABC
 set pfs group5
!
!
crypto map ABC 1 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set ABC
 match address 108
!
interface Tunnel1
 description Branch_End
 ip unnumbered FastEthernet0/1
 tunnel source FastEthernet0/1
 tunnel destination XX.XX.XX.XX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile tunnel
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel1
!
!
ip http server
no ip http secure-server
!
access-list 108 permit ip 10.1.10.0 0.0.0.255 any
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

MYROUTER#
MYROUTER#sh crypto session
Crypto session current status

Interface: tunnel 1
Session status: DOWN-NEGOTIATING
Peer: XX.XX.XX.XX port 500
  IKE SA: local 192.168.1.2/4500 remote 223.30.69.138/4500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

MYROUTER#

 

Because of IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0, IPsec is not up; the remote device checks for IPSEC FLOW: permit ip 10.1.10.0/255.255.255.0 0.0.0.0/0.0.0.0.

Please help me; thanks in advance.

 

Regards

Hemant

 

2 REPLIES
Cisco Employee

Hi Hemant,

Can you put a route to the tunnel destination and see if it helps?

Best Regards,

Bheem

New Member

A crypto map is not needed if you use an IPsec VTI; you need only the crypto ipsec profile.

Try without the crypto map.
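As an added example (not from the thread, Cisco or Juniper), a small Python lint that parses an IOS running-config excerpt, constructed here from the poster's config, and flags the three points this thread turns on: a VTI's any/any proxy IDs (the 0.0.0.0/0 IPSEC FLOW in the show output), a crypto map configured alongside tunnel protection, and a default route pointing into the tunnel with no route to the tunnel destination. The section parser and the route heuristic are this example's own assumptions, not IOS checks.

```python
# Constructed excerpt of the poster's config (peer address is the page's own placeholder).
SAMPLE_CONFIG = """\
crypto ipsec profile tunnel
 set transform-set ABC
crypto map ABC 1 ipsec-isakmp
 set peer XX.XX.XX.XX
 match address 108
interface Tunnel1
 tunnel source FastEthernet0/1
 tunnel destination XX.XX.XX.XX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile tunnel
ip route 0.0.0.0 0.0.0.0 Tunnel1
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level IOS command (assumed layout)."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def lint_vti(config):
    """Return findings for every 'tunnel mode ipsec ipv4' interface in the config."""
    sections = parse_sections(config)
    has_crypto_map = any(k.startswith("crypto map ") for k in sections)
    routes = [k.split() for k in sections if k.startswith("ip route ")]
    findings = []
    for key, body in sections.items():
        if not key.startswith("interface Tunnel") or "tunnel mode ipsec ipv4" not in body:
            continue
        name = key.split()[-1]
        # A VTI negotiates any/any proxy IDs; a peer expecting a specific subnet rejects phase 2.
        findings.append(f"{name}: VTI proposes 0.0.0.0/0 <-> 0.0.0.0/0; peer proxy IDs must match")
        if has_crypto_map:
            findings.append(f"{name}: crypto map configured alongside VTI; only the ipsec profile is needed")
        dests = [l.split()[-1] for l in body if l.startswith("tunnel destination ")]
        for dest in dests:
            via_tunnel = any(r[2:4] == ["0.0.0.0", "0.0.0.0"] and r[-1] == name for r in routes)
            specific = any(r[2] == dest for r in routes)
            if via_tunnel and not specific:
                findings.append(f"{name}: default route via {name} but no route to {dest}; recursive routing")
    return findings
```

Running lint_vti(SAMPLE_CONFIG) yields one finding per issue; the recursive-routing one is what Bheem's reply about a route to the tunnel destination addresses.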

 

 
