I'm having a problem applying the crypto map on the external interface of the main site. When I try to apply it, I get "cannot apply empty map to interface". This is after I've created the crypto map exactly as instructed in that guide.
If I issue a sh run, I see that the crypto map isn't in the config, but I DEFINITELY created it. If I issue the command to create the crypto map again, it will show in the config, but when I apply it to the interface, I don't see the "ISAKMP is ON" message.
I'm not sure if I'm doing something wrong, if the guide is wrong, or if there's a bug in the IOS I'm using. I'm running IOS 15.0(1)M8.
I believe you configured the crypto map first and then the dynamic map. Ideally, you should configure the dynamic map first and then bind that to the crypto map. Now, when we apply the dynamic map to the crypto map (when there is no dynamic map configured yet), we should see the following error message:
Are you able to ping the vlan1 of Router2 (10.0.16.44) from vlan1 of HQ (10.5.0.1)? Try running "ping 10.0.16.44 source vlan1" on the HQ router.
Request you to share the output of "show crypto ipsec sa".
Also, when we try to access the hosts through the tunnel, please run the command "show crypto ipsec sa | i ident|encaps|decaps" multiple times to check if we see corresponding encaps on the local router and corresponding decaps on the remote router.
Also, ensure that the hosts have a route for the remote subnet pointing to the router.
I wiped and reconfigured everything to try again from scratch.
I am able to ping from vlan1 of Router2 (10.0.16.44) to vlan1 of HQ (10.5.0.1), which brings up the tunnel. After doing so, I am also able to ping from vlan1 of HQ (10.5.0.1) to vlan1 of Router2 (10.0.16.44). The output of "show crypto ipsec sa | i ident|encaps|decaps" shows the identical amount of packets on both routers when conducting these pings.
I am unable to ping a host on the LAN side of HQ (10.5.0.0/24) from Router2.
I am unable to ping a host on the LAN side of Router2 (10.0.16.0/28) from HQ.
If I try to ping 10.5.0.5 from Router2 (with a source of vlan1), I see encaps and encrypts increment upwards on Router2, but I do not see the decaps and decrypts increment on the HQ router.
If I try to ping 10.0.16.38 from HQ (with a source of vlan1), I see only the encap and encrypts increase on the HQ router, but both encaps, encrypts as well as decaps, decrypts increase on Router2.
As for the routes, I'm not sure what I need to create. Since Router2 has a dynamic IP, I don't really know what I need to set.
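Added example, not code from the thread or from any poster: a Python sketch of the counter comparison discussed above, which parses two "show crypto ipsec sa | i ident|encaps|decaps" snapshots per router and reports where a test ping stops. The function names are hypothetical and the sample output is constructed, using the subnets quoted in the posts.

```python
import re

IDENT = re.compile(r"(local|remote)\s+ident.*?:\s*\(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")
ZERO = {"encaps": 0, "decaps": 0}

def parse_sa(text):
    """Map (local_net, remote_net) -> {'encaps': n, 'decaps': n}."""
    sas, ident, key = {}, {}, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            ident[m.group(1)] = m.group(2) + "/" + m.group(3)
            if m.group(1) == "remote":          # IOS prints local, then remote
                key = (ident.get("local"), ident["remote"])
                sas.setdefault(key, dict(ZERO))
            continue
        for name, value in COUNT.findall(line):
            if key:
                sas[key][name] += int(value)
    return sas

def delta(before, after):
    """Counter growth between two snapshots taken on the same router."""
    return {k: {c: v[c] - before.get(k, ZERO)[c] for c in v} for k, v in after.items()}

def diagnose(sender, receiver, local_net, remote_net):
    """Classify a ping sent from local_net (sender side) to remote_net."""
    s = sender.get((local_net, remote_net), ZERO)
    r = receiver.get((remote_net, local_net), ZERO)   # same SA seen from the peer
    if s["encaps"] == 0:
        return "sender: traffic is not being encrypted for this SA"
    if r["decaps"] == 0:
        return "receiver: encrypted requests are not being decapsulated"
    if r["encaps"] == 0:
        return "receiver: requests arrive but no reply enters the tunnel"
    if s["decaps"] == 0:
        return "sender: encrypted replies are not being decapsulated"
    return "both directions pass through the tunnel"

def snap(local, remote, enc, dec):  # constructed sample output, not from the thread
    return (f"   local  ident (addr/mask/prot/port): ({local}/0/0)\n"
            f"   remote ident (addr/mask/prot/port): ({remote}/0/0)\n"
            f"    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}\n"
            f"    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}\n")

HQ_NET, R2_NET = "10.5.0.0/255.255.255.0", "10.0.16.0/255.255.255.240"
hq = delta(parse_sa(snap(HQ_NET, R2_NET, 10, 10)), parse_sa(snap(HQ_NET, R2_NET, 15, 10)))
r2 = delta(parse_sa(snap(R2_NET, HQ_NET, 10, 10)), parse_sa(snap(R2_NET, HQ_NET, 15, 15)))
print(diagnose(hq, r2, HQ_NET, R2_NET))
```

Take the "before" and "after" snapshots on both routers around a single ping so the deltas reflect only that test traffic.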