no packets encrypted

dom.a
Level 1

I have configured my 2 routers for site-to-site VPN, but no packets are encrypted:

sh crypto isakmp sa:

result:

dest-ip src-ip MM_NO_STATE 0 0

sh crypto engine conn active:

result:

ID Interface     IP-Address      State  Algorithm  Encrypt  Decrypt
21 FastEthernet0 <my-source-ip>  alloc  NONE       0        0
22 FastEthernet0 <my-source-ip>  alloc  NONE       0        0

I think no algorithm is applied!

Please help!

13 Replies

spremkumar
Level 9

Hi

Can you post the configs here with the IP and password info masked?

regds

Ok,

Router A config:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key abjcot29092005 address
!
!
crypto ipsec transform-set robuste esp-3des esp-md5-hmac
!
crypto map abull 10 ipsec-isakmp
 set peer
 set transform-set robuste
 match address 120

interface FastEthernet0
 ip address
 speed auto
 crypto map abull

access-list 120 permit ip LAN-A-network mask LAN-A-network mask

Router B config:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key abjcot29092005 address
!
!
crypto ipsec transform-set robuste esp-3des esp-md5-hmac
!
crypto map abjdat 10 ipsec-isakmp
 set peer
 set transform-set robuste
 match address 101

interface FastEthernet0
 ip address
 speed auto
 crypto map abjdat

access-list 101 permit ip LAN-B-network mask LAN-B-network mask

Thanks!

The crypto ACLs are not accurate.

On router A,

"access-list 120 permit ip LAN-A-network mask LAN-A-network mask" should be

"access-list 120 permit ip LAN-A-network mask LAN-B-network mask"

On router B,

"access-list 101 permit ip LAN-B-network mask LAN-B-network mask" should be

"access-list 101 permit ip LAN-B-network mask LAN-A-network mask"

Hi Jackko,

I noticed that too. But I think in that scenario at least ISAKMP would have been successful; the IKE itself seems to be in MM_NO_STATE instead of QM_IDLE. Please correct me if I am wrong there.

Hi,

No, no, it is a mistake due to a copy/paste I did when reporting this message.

My access-lists are correct:

access-list 120 permit ip LAN-A-network mask LAN-B-network mask

and

access-list 101 permit ip LAN-B-network mask LAN-A-network mask

Regards

2 Questions

i) The source of the IPsec should be the peer on the other side. If not, force it using crypto map local-address.

ii) Is the end-to-end reachability fine? Conduits in any firewall on the path would help.

One of these may solve your issue.

Hi,

The answers:

ii) Yes, the two routers have network connectivity and can ping each other from their public addresses. There is no firewall between them.

i) For router A, for example:

crypto map abull local-address FastEthernet0

Do I put this command in the two routers?

Regards

Hi all,

Before you troubleshoot any IPsec SA issues, make sure that phase I is coming UP. If you are in the state MM_NO_STATE, that means that there is no SA created at all for phase I. Also make sure UDP 500 is open between the two VPN headends, and once you get QM_IDLE you can start troubleshooting phase II, for ACL mismatches or encryption/authentication mismatches in the transform sets.

Always apply the crypto map to the physical interface where you want to perform encryption. In a case where you want to source the VPN tunnel from a different address you use the command crypto map local-address int, but it is not mandatory.

To recap:

Troubleshoot phase I first:

pre-shared key

phase I parameters

lifetimes

and again make sure that you can send UDP 500 between the two ISPs.

Hope it helps,

Equant
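Equant's recap lists the phase I items to verify before touching phase II. As an added example, not code from the thread or from Cisco, the Python below parses the `crypto isakmp policy` blocks and `crypto isakmp key` lines from both routers' configs and reports what would keep phase I in MM_NO_STATE: no policy pair agreeing on encryption, hash, authentication and DH group, differing lifetimes, or a missing or mismatched pre-shared key for the peer address. The IOS default values it fills in for unset attributes are an assumption taken from the IOS documentation, and the sample configs, key and peer addresses (RFC 5737 ranges) are constructed.

```python
"""Added example: check that IKE phase 1 parameters on two IOS peers line up."""
import re

# IOS classic defaults for attributes not set in a policy (assumption; confirm
# on your platform with "show crypto isakmp policy").
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
MUST_MATCH = ("encr", "hash", "authentication", "group")


def parse_isakmp_policies(config):
    """Return {priority: {attr: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue                       # tolerate pasted blank lines
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = dict(DEFAULTS)       # start from the defaults
            policies[int(m.group(1))] = current
            continue
        if current is None:
            continue
        tokens = line.split()
        key = "encr" if tokens[0] == "encryption" else tokens[0]
        if key in DEFAULTS and len(tokens) == 2:
            current[key] = tokens[1]
        else:
            current = None                 # '!' or any other line ends the block
    return policies


def parse_preshared_keys(config):
    """Return {peer_address: key} from 'crypto isakmp key K address A' lines."""
    return {m.group(2): m.group(1) for m in re.finditer(
        r"crypto isakmp key (\S+) address (\S+)", config)}


def phase1_findings(config_a, addr_a, config_b, addr_b):
    """List the reasons phase 1 cannot complete between A (addr_a) and B (addr_b).

    An empty list means some policy pair agrees and the pre-shared keys line up.
    """
    findings = []
    pa, pb = parse_isakmp_policies(config_a), parse_isakmp_policies(config_b)
    match = next(((i, j) for i, a in sorted(pa.items())
                  for j, b in sorted(pb.items())
                  if all(a[k] == b[k] for k in MUST_MATCH)), None)
    if match is None:
        findings.append("no ISAKMP policy pair agrees on encr/hash/auth/group")
        return findings
    a, b = pa[match[0]], pb[match[1]]
    if a["lifetime"] != b["lifetime"]:
        findings.append("lifetimes differ; the shorter value will be used")
    if a["authentication"] == "pre-share":
        ka, kb = parse_preshared_keys(config_a), parse_preshared_keys(config_b)
        if addr_b not in ka:
            findings.append(f"A has no pre-shared key for peer {addr_b}")
        if addr_a not in kb:
            findings.append(f"B has no pre-shared key for peer {addr_a}")
        if addr_b in ka and addr_a in kb and ka[addr_b] != kb[addr_a]:
            findings.append("pre-shared keys differ between the peers")
    return findings


# Constructed sample: A = 198.51.100.1, B = 203.0.113.1; B's policy was typed
# with hash sha while A uses md5, so no policy pair matches.
CONFIG_A = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key EXAMPLE-KEY address 203.0.113.1
!
"""
CONFIG_B = """
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 lifetime 3600
crypto isakmp key EXAMPLE-KEY address 198.51.100.1
!
"""

if __name__ == "__main__":
    for finding in phase1_findings(CONFIG_A, "198.51.100.1", CONFIG_B, "203.0.113.1"):
        print("phase 1:", finding)
```

Run it against the two masked configs you pasted into a text file; an empty result narrows the search to reachability of UDP 500 between the peers, which the script cannot see.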

Hi,

Note:

router A ip: 213.xxx.xxx.A

router B ip: 213.xxx.xxx.B

For phase I, I put:

for router A

crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash md5
 lifetime 3600
crypto isakmp key xxxx address 213.xxx.xxx.B

for router B

crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash md5
 lifetime 3600
crypto isakmp key xxxx address 213.xxx.xxx.A

To permit UDP port 500:

in router A:

access-list 103 permit udp host 213.xxx.xxx.B eq isakmp host 213.xxx.xxx.A
access-list 103 permit ah host 213.xxx.xxx.B host 213.xxx.xxx.A
access-list 103 permit esp host 213.xxx.xxx.B host 213.xxx.xxx.A

in router B:

access-list 103 permit udp host 213.xxx.xxx.A eq isakmp host 213.xxx.xxx.B
access-list 103 permit ah host 213.xxx.xxx.A host 213.xxx.xxx.B
access-list 103 permit esp host 213.xxx.xxx.A host 213.xxx.xxx.B

And note that each peer can ping the other.

Always the same PROBLEM!!!! (MM_NO_STATE) on the two routers!

Regards

Hi,

Please find the router config in the attachment!!!

Thanks for your availability.

Regards

Dominique,

On router A,

"access-list 103 permit udp host 213.xxx.xxx.B eq isakmp host 213.xxx.xxx.A" should be

"access-list 103 permit udp host 213.xxx.xxx.B host 213.xxx.xxx.A eq isakmp"

On router B,

"access-list 103 permit udp host 213.xxx.xxx.A eq isakmp host 213.xxx.xxx.B" should be

"access-list 103 permit udp host 213.xxx.xxx.A host 213.xxx.xxx.B eq isakmp"

Further, on both routers the inbound ACL needs to cover the private LAN-to-LAN traffic as well:

On router A,

access-list 103 permit ip 10.xxx.0.0 0.0.255.255 192.168.xx.0 0.0.0.255

On router B,

access-list 103 permit ip 192.168.xx.0 0.0.0.255 10.xxx.0.0 0.0.255.255
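Jackko's two ACL reviews in this thread come down to three mechanical checks: the crypto ACLs on the two peers must be mirror images of each other, the `eq isakmp` operator is placed on the destination side rather than after the source host, and the inbound ACL must also permit the decrypted LAN-to-LAN traffic. The Python below is an added example, not code from the thread or from Cisco: it parses IOS numbered extended ACL lines into source/destination address and port fields and runs those three checks. The ACL numbers, peer addresses (RFC 5737 ranges) and LAN prefixes in the sample are constructed; router A's lines are written the way they appeared before the correction, router B's the corrected way.

```python
"""Added example: parse IOS extended ACL entries and check the points raised above."""
from dataclasses import dataclass

PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> argument count


@dataclass(frozen=True)
class AclEntry:
    action: str     # permit / deny
    proto: str      # ip, udp, ah, esp, ...
    src: str        # "any", "host A.B.C.D" or "NET WILDCARD"
    src_port: str   # "" or e.g. "eq isakmp"
    dst: str
    dst_port: str


def _take_addr(tokens):
    """Consume one address spec from the token list; return (spec, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]   # network + wildcard mask


def _take_port(tokens):
    """Consume an optional port operator (eq/neq/lt/gt/range) if one follows."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]]
        return " ".join(tokens[:1 + n]), tokens[1 + n:]
    return "", tokens


def parse_acl(config, number):
    """Return the AclEntry list for every 'access-list <number>' line in config."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        src, rest = _take_addr(tokens[4:])        # tokens[2]=action, [3]=protocol
        src_port, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dst_port, _ = _take_port(rest)
        entries.append(AclEntry(tokens[2], tokens[3], src, src_port, dst, dst_port))
    return entries


def mirror_gaps(crypto_acl_a, crypto_acl_b):
    """Permit entries on A whose (src, dst) is not present as (dst, src) on B."""
    mirrored = {(e.proto, e.dst, e.src) for e in crypto_acl_b if e.action == "permit"}
    return [e for e in crypto_acl_a
            if e.action == "permit" and (e.proto, e.src, e.dst) not in mirrored]


def isakmp_port_on_source_side(entries):
    """udp entries that key 'eq isakmp' / 'eq 500' on the source port only."""
    return [e for e in entries if e.proto == "udp"
            and e.src_port in ("eq isakmp", "eq 500") and not e.dst_port]


def admits_lan_traffic(inbound_acl, remote_lan, local_lan):
    """True if the inbound ACL permits ip from the remote LAN to the local LAN."""
    return any(e.action == "permit" and e.proto == "ip"
               and e.src == remote_lan and e.dst == local_lan for e in inbound_acl)


# Constructed sample: A = 198.51.100.1 (LAN 10.1.0.0/16), B = 203.0.113.1
# (LAN 192.168.10.0/24). A still has the port operator after the source host
# and lacks the LAN-to-LAN permit; B is written the corrected way.
ACLS_A = """
access-list 120 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 103 permit udp host 203.0.113.1 eq isakmp host 198.51.100.1
access-list 103 permit ah host 203.0.113.1 host 198.51.100.1
access-list 103 permit esp host 203.0.113.1 host 198.51.100.1
"""
ACLS_B = """
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 103 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list 103 permit ah host 198.51.100.1 host 203.0.113.1
access-list 103 permit esp host 198.51.100.1 host 203.0.113.1
access-list 103 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
"""
LAN_A, LAN_B = "10.1.0.0 0.0.255.255", "192.168.10.0 0.0.0.255"

if __name__ == "__main__":
    print("crypto ACL gaps:", mirror_gaps(parse_acl(ACLS_A, 120), parse_acl(ACLS_B, 101)))
    print("A isakmp on source side:", isakmp_port_on_source_side(parse_acl(ACLS_A, 103)))
    print("A admits LAN traffic:", admits_lan_traffic(parse_acl(ACLS_A, 103), LAN_B, LAN_A))
```

The mirror check compares the textual address specs, so it only recognises entries written with the same network and wildcard on both sides; `any` or a wider summary on one peer shows up as a gap and needs a human look rather than a pass.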

raj.bansal
Level 1

I have a similar issue with a VPN from PIX 7.04 to an 18xx router. The PIX shows no encrypted packets.

Has anyone got a successful working config for an IPsec VPN between a PIX and an 1821 router? I will greatly appreciate it.

Also, the 1821 is a spoke. I want all traffic from this to come to the PIX and then either go to internal networks or go to the internet. What is the knob to make it go to the internet as well?

thx

raj

1. Is there an inbound ACL applied on the router? If so, it needs to include the traffic originated from the remote site as well.

e.g.

access-list inbound permit ip

2. With PIX v7.04, it is possible to tunnel all traffic from the router, and the PIX will redirect the internet traffic.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

The configuration example doesn't match your scenario 100%, but it should give you an idea.

If further assistance is required, please post all the configs with public IPs masked.
