12-02-2005 02:39 AM - edited 03-09-2019 01:14 PM
I have configured my 2 routers for a site-to-site VPN but no packets are encrypted:
sh crypto isakmp sa:
result:
dest-ip src-ip MM_NO_STATE 0 0
sh crypto engine conn active:
result:
ID Interface     IP-Address      State Algorithm Encrypt Decrypt
21 FastEthernet0 <my-source-ip>  alloc NONE      0       0
22 FastEthernet0 <my-source-ip>  alloc NONE      0       0
I think no algorithm is applied!
Please help!
12-02-2005 03:41 AM
Hi
Can you post the configs here with the IP and password info masked?
regds
12-02-2005 07:22 AM
Ok,
Router A config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key abjcot29092005 address
!
!
crypto ipsec transform-set robuste esp-3des esp-md5-hmac
!
crypto map abull 10 ipsec-isakmp
set peer
set transform-set robuste
match address 120
interface FastEthernet0
ip address
speed auto
crypto map abull
access-list 120 permit ip LAN-A-network mask LAN-A-network mask
Router B config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key abjcot29092005 address
!
!
crypto ipsec transform-set robuste esp-3des esp-md5-hmac
!
crypto map abjdat 10 ipsec-isakmp
set peer
set transform-set robuste
match address 101
interface FastEthernet0
ip address
speed auto
crypto map abjdat
access-list 101 permit ip LAN-B-network mask LAN-B-network mask
Thanks !
12-03-2005 03:15 AM
The crypto ACLs are not accurate.
on router a,
"access-list 120 permit ip LAN-A-network mask LAN-A-network mask" should be
"access-list 120 permit ip LAN-A-network mask LAN-B-network mask"
on router b,
"access-list 101 permit ip LAN-B-network mask LAN-B-network mask" should be
"access-list 101 permit ip LAN-B-network mask LAN-A-network mask"
12-03-2005 03:34 AM
Hi Jackko,
I noticed that too. But I think in that scenario at least ISAKMP would have been successful; the IKE itself seems to be in MM_NO_STATE instead of QM_IDLE. Please correct me if I am wrong there.
12-03-2005 03:36 AM
Hi,
No, it is a mistake due to a copy/paste I did when reporting this message.
My access-list is correct:
access-list 120 permit ip LAN-A-network mask LAN-B-network mask
and
access-list 101 permit ip LAN-B-network mask LAN-A-network mask
Regards
12-03-2005 04:01 AM
2 Questions
i) The source of the IPsec should be the peer on the other side. If not, force it using crypto map local-address.
ii) Is the end-to-end reachability fine? Conduits in any firewall on the path would help.
One of these may solve your issue
12-03-2005 04:14 AM
Hi,
The answers:
ii) Yes, the two routers have network connectivity and can ping each other from their public addresses. There is no firewall between them.
i) For router A, for example:
crypto map abull local-address FastEthernet0
Do I put this command in both routers?
Regards
12-04-2005 12:16 PM
Hi all,
Before you troubleshoot any IPsec SA issues, make sure that phase I is coming up. If you are in the state MM_NO_STATE, that means that there is no SA created at all for phase I. Also make sure UDP 500 is open between the two VPN headends, and once you get QM_IDLE you can start TS phase II, for ACL mismatches or encryption/authentication mismatches in the transform sets.
Always apply the crypto map to the physical interface where you want to perform encryption. In a case where you want to source the VPN tunnel from a different address you use the command crypto map local-address int, but it is not mandatory.
To recap:
Troubleshoot phase I first,
pre-share key
phase I parameters
lifetimes
and again make sure that you can send UDP 500 between the two ISPs.
Hope it helps,
Equant
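Jackko's mirror-image point about the crypto ACLs and Equant's recap (pre-shared key, phase I parameters, transform set) can be checked mechanically before touching either router. The following Python linter is an added example, not from the thread; the two IOS fragments it parses are constructed (RFC 5737 addresses, made-up LAN networks and key).

```python
def parse(cfg):
    """Pull out the IOS statements that must agree between two IPsec peers."""
    d = {"policy": {}, "keys": {}, "acls": {}, "acl": None, "peer": None, "xform": ()}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] in ("encr", "hash", "authentication", "lifetime"):
            d["policy"][t[0]] = t[1]                      # ISAKMP (phase I) attributes
        elif t[:3] == ["crypto", "isakmp", "key"]:
            d["keys"][t[5]] = t[3]                        # peer address -> pre-shared key
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["xform"] = tuple(sorted(t[4:]))             # phase II algorithms
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            d["acls"].setdefault(t[1], set()).add(tuple(t[4:8]))  # (src, wc, dst, wc)
        elif t[:2] == ["match", "address"]:
            d["acl"] = t[2]                               # crypto ACL bound to the map
        elif t[:2] == ["set", "peer"]:
            d["peer"] = t[2]
    return d

def check(cfg_a, cfg_b):
    """Return the mismatches between two peer configs (empty list = consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    if a["policy"] != b["policy"]:
        out.append("ISAKMP policy attributes differ")
    key_a, key_b = a["keys"].get(a["peer"]), b["keys"].get(b["peer"])
    if key_a is None or key_a != key_b:
        out.append("pre-shared key missing for the peer address or differs between peers")
    if a["xform"] != b["xform"]:
        out.append("transform sets use different algorithms")
    # Each permit on A (src, dst) must appear on B as (dst, src): the mirror-image rule.
    mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in a["acls"].get(a["acl"], set())}
    if mirrored != b["acls"].get(b["acl"], set()):
        out.append("crypto ACLs are not mirror images of each other")
    return out
# Constructed IOS fragments (RFC 5737 addresses, made-up LANs and key), not the thread's.
TEMPLATE = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key secret123 address {peer}
crypto ipsec transform-set robuste esp-3des esp-md5-hmac
 set peer {peer}
 match address 120
access-list 120 permit ip {src} {dst}
"""
LAN_A, LAN_B = "10.1.0.0 0.0.255.255", "192.168.10.0 0.0.0.255"
CFG_A = TEMPLATE.format(peer="198.51.100.1", src=LAN_A, dst=LAN_B)
CFG_B = TEMPLATE.format(peer="192.0.2.1", src=LAN_B, dst=LAN_A)
CFG_B_BAD = TEMPLATE.format(peer="192.0.2.1", src=LAN_B, dst=LAN_B)  # the thread's copy/paste slip
```

Running `check(CFG_A, CFG_B_BAD)` reports only the ACL finding, while a `hash` or `lifetime` that differs between the two policy blocks shows up as the phase I finding that MM_NO_STATE would otherwise leave you guessing about.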
12-05-2005 01:43 AM
hi,
Note:
router A IP: 213.xxx.xxx.A
router B IP: 213.xxx.xxx.B
For phase I, I put:
for router A
crypto isakmp policy 1
authentication pre-share
encr 3des
hash md5
lifetime 3600
crypto isakmp key xxxx address 213.xxx.xxx.B
for router B
crypto isakmp policy 1
authentication pre-share
encr 3des
hash md5
lifetime 3600
crypto isakmp key xxxx address 213.xxx.xxx.A
To permit UDP port 500:
In router A:
access-list 103 permit udp host 213.xxx.xxx.B eq isakmp host 213.xxx.xxx.A
access-list 103 permit ah host 213.xxx.xxx.B host 213.xxx.xxx.A
access-list 103 permit esp host 213.xxx.xxx.B host 213.xxx.xxx.A
In router B:
access-list 103 permit udp host 213.xxx.xxx.A eq isakmp host 213.xxx.xxx.B
access-list 103 permit ah host 213.xxx.xxx.A host 213.xxx.xxx.B
access-list 103 permit esp host 213.xxx.xxx.A host 213.xxx.xxx.B
And note that the peers can ping each other.
Still the same PROBLEM (MM_NO_STATE) on both routers!
Regards
12-05-2005 04:25 PM
dominique,
on router a,
"access-list 103 permit udp host 213.xxx.xxx.B eq isakmp host 213.xxx.xxx.A" should be
"access-list 103 permit udp host 213.xxx.xxx.B host 213.xxx.xxx.A eq isakmp"
on router b,
"access-list 103 permit udp host 213.xxx.xxx.A eq isakmp host 213.xxx.xxx.B" should be
"access-list 103 permit udp host 213.xxx.xxx.A host 213.xxx.xxx.B eq isakmp"
Further, on both routers, the inbound ACL needs to cover the private LAN-to-LAN traffic as well:
on router a,
access-list 103 permit ip 10.xxx.0.0 0.0.255.255 192.168.xx.0 0.0.0.255
on router b,
access-list 103 permit ip 192.168.xx.0 0.0.0.255 10.xxx.0.0 0.0.255.255
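In an IOS extended ACL the `eq` operator binds to the address it follows, so `eq isakmp` after the source only matches packets sourced from port 500 and misses the IKE traffic the reply is asking to admit. The following Python check is an added example, not from the thread; it parses inbound ACL entries and names each tunnel component (IKE, ESP, AH, LAN-to-LAN) the ACL fails to admit, using constructed lines and RFC 5737 addresses.

```python
def _addr(tokens):
    """Consume one IOS address spec (host X | any | net wildcard) -> ((ip, wildcard), rest)."""
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq <port>' operator; it binds to the address just before it."""
    if tokens[:1] == ["eq"]:
        return {"500": "isakmp"}.get(tokens[1], tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Return (proto, src, src_port, dst, dst_port) for a permit entry, else None."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "permit":
        return None
    try:
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
    except IndexError:           # truncated entry
        return None
    return t[3], src, sport, dst, dport

def vpn_inbound_gaps(acl, peer, local, remote_lan, local_lan):
    """Name each tunnel component the inbound ACL does not admit (empty list = complete)."""
    aces = [a for a in map(parse_ace, acl) if a]
    host = lambda ip: (ip, "0.0.0.0")
    need = {
        "IKE (udp/500 to our address)": ("udp", host(peer), None, host(local), "isakmp"),
        "ESP from peer": ("esp", host(peer), None, host(local), None),
        "AH from peer": ("ah", host(peer), None, host(local), None),
        "remote LAN -> local LAN": ("ip", remote_lan, None, local_lan, None),
    }
    return [name for name, ace in need.items() if ace not in aces]

# Constructed ACLs (RFC 5737 addresses): peer 198.51.100.1, this router 192.0.2.1.
ACL_WRONG = [  # 'eq isakmp' placed after the source, as in the thread's first attempt
    "access-list 103 permit udp host 198.51.100.1 eq isakmp host 192.0.2.1",
    "access-list 103 permit ah host 198.51.100.1 host 192.0.2.1",
    "access-list 103 permit esp host 198.51.100.1 host 192.0.2.1",
]
ACL_FIXED = ACL_WRONG[1:] + [  # operator after the destination, plus the LAN-to-LAN permit
    "access-list 103 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp",
    "access-list 103 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255",
]
```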
12-03-2005 11:15 PM
I have a similar issue with a VPN from a PIX 704 to an 18xx router. The PIX shows no encrypted packets.
Does anyone have a successful working config for an IPsec VPN between a PIX and an 1821 router? I will greatly appreciate it.
Also, the 1821 is a spoke. I want all traffic from this to come to the PIX and then either go to internal networks or go to the internet. What is the knob to make it go to the internet as well?
thx
raj
12-04-2005 01:46 AM
1. Is there an inbound ACL applied on the router? If so, it needs to include the traffic originating from the remote site as well.
e.g.
access-list inbound permit ip
2. With PIX v7.04, it is possible to tunnel all traffic from the router, and the PIX will redirect the internet traffic.
The configuration example doesn't match your scenario 100%, but it should give you an idea.
If further assistance is required, please post all the configs with public IPs masked.