Cisco Support Community

IPSec Configuration for PPPoE Router

Hello together,

We have a connection between an outside router (836) and a router in the HQ (7204VXR) via L2TP using PPPoE.

This is working fine.

Now we would like to configure IPSec between the two routers. We have used the configuration that Cisco provides at:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

But it seems that it is not working correctly.

We see that the 836 Router has matches in the ACL and we also see that the router encrypts the packets.

836#show crypto ipsec sa

interface: Dialer1

Crypto map tag: test, local addr. 20.20.20.20

local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)

current_peer: 30.30.30.30

PERMIT, flags={origin_is_acl,}

#pkts encaps: 208, #pkts encrypt: 208, #pkts digest 208

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

The remote 7204VXR router decrypts the packets.

But we didn't see the remote router encrypt packets, although we see matches in the ACL.

7204vxr#show crypto ipsec sa

interface: FastEthernet 0/0

Crypto map tag: test, local addr. 30.30.30.30

local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

current_peer: 20.20.20.20

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 208, #pkts decrypt: 208, #pkts verify 208

The ISAKMP state is QM_IDLE.

We also receive an error message on the 836 when we ping LAN-LAN:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC : Rec'd packet not an IPSEC packet.\n\n(ip) vrf/dest_addr= 192.168.100.10/,src_addr= 192.168.200.10, prot= 1

We are not using NAT like in the example.

Does anybody have experience with this issue?

We are thankful for any help.
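The two `show crypto ipsec sa` outputs above can be compared mechanically to confirm which direction of the tunnel is not being encrypted. The following is an added example, not part of the original post or of any Cisco tool; the function names `parse_sa` and `diagnose` are hypothetical, and the parser assumes the output layout shown in the post.

```python
import re

# Constructed sample input: the lines quoted in the post, one string per router.
SA_836 = """\
interface: Dialer1
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer: 30.30.30.30
#pkts encaps: 208, #pkts encrypt: 208, #pkts digest 208
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""
SA_7204 = """\
interface: FastEthernet 0/0
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 20.20.20.20
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 208, #pkts decrypt: 208, #pkts verify 208
"""

def parse_sa(text):
    """Extract interface, peer, proxy identities and packet counters from one SA block."""
    sa = {"counters": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"(interface|current_peer):\s*(.+)", line):
            sa[m.group(1)] = m.group(2)
        elif m := re.match(r"(local|remote) ident .*?:\s*\(([\d.]+)/([\d.]+)/", line):
            sa[m.group(1)] = (m.group(2), m.group(3))
        elif line.startswith("#pkts"):
            for name, val in re.findall(r"#pkts (\w+):? (\d+)", line):
                sa["counters"][name] = int(val)
    return sa

def diagnose(a, b):
    """Compare both ends of one tunnel; return findings as a list of strings."""
    findings = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities are not mirror images")
    for tx, rx in ((a, b), (b, a)):
        sent, got = tx["counters"]["encaps"], rx["counters"]["decaps"]
        if sent == 0 and rx["counters"]["encaps"] > 0:
            findings.append(f"{tx['interface']}: no outbound encryption "
                            f"(peer sent {rx['counters']['encaps']}, got back 0)")
        elif sent - got > 0:
            findings.append(f"{tx['interface']}: {sent - got} encrypted packets lost in transit")
    return findings
```

On the counters from the post, `diagnose(parse_sa(SA_836), parse_sa(SA_7204))` reports only the 7204VXR side: the proxy identities mirror each other and all 208 packets arrive, but nothing is encapsulated on the way back.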

1 REPLY

Re: IPSec Configuration for PPPoE Router

Hello JUERGEN,

If possible, can you provide any debug output, i.e.

> debug crypto isakmp

What you should look out for is 'return status is IKMP_NO_ERROR', which will indicate that the IPSec SAs were set up properly.

Remember not to debug on production line equipment!

And also make sure to stop debug on the router when you have finished!

Jay.
