New Member

IPsec 2600 to Pix - poss routing issue

Real basic config here people. I have an IPsec config from 2600 to Pix and an ACL limited to one host at either end. When the Pix end initiates the tunnel everything is ok, but there is no communication between the hosts (i.e. pings fail).

The router cannot initiate the tunnel at all and it looks as though there is a routing issue. I have defined a single host-to-host ACL and this is in my crypto map, which has been configured on my Ethernet port. When I debug the ACL and ping from the router-side host I can see traffic arrive at the router but not bring the tunnel up.

I'm baffled and sure it's something very simple. IOS Ver 12.1

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname MyRouter
!
ip subnet-zero
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 10800
crypto isakmp key ****** address 76.12.32.1
!
crypto ipsec security-association lifetime seconds 10800
!
crypto ipsec transform-set Mine esp-des esp-md5-hmac
!
crypto map CryMap local-address FastEthernet0/0
crypto map CryMap 20 ipsec-isakmp
 set peer 76.12.32.1
 set transform-set Mine
 match address 105
!
interface FastEthernet0/0
 ip address 213.93.97.17 255.255.255.248 secondary
 ip address 213.93.97.9 255.255.255.248
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map CryMap
!
interface Serial0/0
 ip address 213.93.127.50 255.255.255.252
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 no ip route-cache
 no ip mroute-cache
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
router igrp 15
 redistribute connected
 network 213.93.97.0
 network 213.93.127.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 213.93.127.49
no ip http server
!
access-list 105 permit ip host 213.93.97.13 host 76.12.32.5
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
no cdp run
!
line con 0
line aux 0
line vty 0 4
 password Mine
 login
!
end

PLEASE help before I tear out my hair!!

Thanks

6 REPLIES
New Member

Re: IPsec 2600 to Pix - poss routing issue

I think you want to move the crypto map CryMap statement off the inside interface and onto the serial interface.

Also, get rid of the statement:

crypto map CryMap local-address FastEthernet0/0

There may be a problem using this command with secondary interfaces.

New Member

Re: IPsec 2600 to Pix - poss routing issue

Thanks a lot for your reply.

I have removed the local-address statement but it's still not working. I have a feeling that the frame relay configuration on the serial interface was causing me problems, as I originally had the tunnel terminating on this interface but was having problems getting traffic up in either direction. I thought that it was because they haven't defined sub-interfaces for their traffic. Wasn't sure really though!

I have since upgraded from 12.0 to 12.1 though, and at your suggestion have changed the interface. I am now getting IPsec traffic across. Thanks so much!

New Member

Re: IPsec 2600 to Pix - poss routing issue

Hello guys,

I have the same scenario, PIX and 2600, but with an E1 controller configured. My problem is that the IPsec tunnel is sometimes down. Why?

I set the ISAKMP lifetime on both sides, router and PIX, to 86400, but it is still going down and up (flapping).

Thanks for any help

Cisco Employee

Re: IPsec 2600 to Pix - poss routing issue

During the typical life of the IKE SA, as defined by the RFCs, packets are only exchanged over this SA when an IPSec QM negotiation is required at the expiration of the IPSec SAs. For a Cisco IOS device the default lifetime of an IKE SA is 24 hours and that of an IPSec SA is one hour. As mentioned earlier there is no standards-based mechanism for either type of SA to detect loss of a peer, except when the QM negotiation fails. These facts imply that for IOS defaults an IPSec termination point could be forwarding data into a black hole for as long as one hour before the protocol detects a loss of connectivity.

By implementing a keepalive feature over the IKE SA in Cisco IOS software, Cisco has provided network designers with a simple and non-intrusive mechanism for detecting loss of connectivity between two IPSec peers. The keepalive packets by default are sent every 10 seconds. Once three packets are missed, an IPSec termination point concludes that it has lost connectivity with its peer.

http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/vpne_an.htm

HTH

R/Yusuf

New Member

Re: IPsec 2600 to Pix - poss routing issue

Thanks Yusuf,

Is it possible to configure my failover PIX as a second IPsec peer?

Thanks

New Member

Re: IPsec 2600 to Pix - poss routing issue

I believe it's possible to do this; I believe you can also identify multiple peers in your 2600 crypto map so if the first is unavailable it tries the second.

I have had it occur that when a secondary address is defined on an interface, the crypto map has used the secondary address rather than the primary for negotiation. It's visible using the show crypto ipsec sa command on the router.
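An added example (not the original poster's configuration and not a Cisco-supplied snippet) that gathers the router-side changes suggested across this thread: the crypto map moved from the LAN interface to the serial WAN interface, the local-address line removed, IKE keepalives enabled at the 10-second interval quoted in Yusuf's reply, and a second peer for the failover PIX. Addresses are taken from the original post, except 192.0.2.2, which is a constructed placeholder for the failover PIX; `******` stands for the masked pre-shared key as in the original post.

```cisco
! Added example, not the original running config. 192.0.2.2 is a
! constructed placeholder for the failover PIX; ****** is the masked
! pre-shared key. The keepalive retry interval is left at its default.
!
! 1. Notice a dead peer within seconds instead of waiting for the IPsec
!    SA lifetime to expire: send an IKE keepalive every 10 s.
crypto isakmp keepalive 10
!
! 2. Drop the local-address binding. With a secondary address on
!    FastEthernet0/0 the map may negotiate from the wrong address;
!    without this line it uses the address of the interface it is
!    applied to. Verify with: show crypto isakmp sa / show crypto ipsec sa
no crypto map CryMap local-address FastEthernet0/0
!
! 3. Second peer in the same map entry: IOS tries the peers in order,
!    so the failover PIX is contacted when the first does not answer.
!    A pre-shared key must exist for that address as well.
crypto isakmp key ****** address 192.0.2.2
crypto map CryMap 20 ipsec-isakmp
 set peer 76.12.32.1
 set peer 192.0.2.2
 set transform-set Mine
 match address 105
!
! 4. Take the map off the LAN interface ...
interface FastEthernet0/0
 no crypto map CryMap
!
! ... and apply it on the WAN interface that carries the default route
! to 213.93.127.49, so traffic matching ACL 105 is encrypted as it
! leaves the router toward the PIX.
interface Serial0/0
 crypto map CryMap
!
! ACL 105 is unchanged: only the one host pair is protected.
access-list 105 permit ip host 213.93.97.13 host 76.12.32.5
```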
