08-17-2008 04:36 AM - edited 02-21-2020 03:53 PM
I am trying to connect two routes using IPSec but having some trouble as this is my first time. Can someone help with why there is this 'incomplete' in between the commands? Also, the tunnel does not seem to be working.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco address 192.168.3.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
! Incomplete
set peer 192.168.3.2
set transform-set myset
match address acl_vpn
!
Thanks
ARANA
08-17-2008 05:01 AM
Try to change the crypto isakmp key to the following:
crypto isakmp key cisco address 192.168.3.2 255.255.255.255
then
crypto isakmp policy 10
group 2
crypto isakmp enable
I know those are not directly related to your problem, but they need to be done anyway.
Good luck
08-17-2008 05:32 AM
Hello Arana,
Whenever you see an "! Incomplete" in crypto map, that means it is incomplete somehow. Double-check the spelling of acl_vpn in the original ACL and in the crypto map statement. If you are sure that all is fine, then remove the "crypto map mymap 10" entry and write it again.
You should not see "! Incomplete" there.
Regards
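Added example, not part of the original thread and not Cisco tooling: an offline check of a saved running config for the kind of mismatch discussed above, where a crypto map entry names an ACL that is spelled differently in its definition. The function name `audit_crypto_maps`, the sample config and the set of checks are assumptions made for illustration.

```python
import re

# Constructed sample config: the crypto map says acl_vpn, the ACL is named acl-vpn.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 ! Incomplete
 set peer 192.168.3.2
 set transform-set myset
 match address acl_vpn
!
ip access-list extended acl-vpn
 permit ip 192.168.4.0 0.0.0.255 any
"""

# Settings this check expects under every ipsec-isakmp crypto map entry.
SUBCMDS = {"peer": r"set peer (.+)",
           "transform-set": r"set transform-set (.+)",
           "match address": r"match address (.+)"}

def audit_crypto_maps(config):
    """Return {(map_name, seq): [problem, ...]} for ipsec-isakmp entries."""
    acls, tsets, entries, current = set(), set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line.startswith("!"):
            continue  # separators and the "! Incomplete" marker carry no settings
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            current = entries.setdefault((m[1], int(m[2])), {k: [] for k in SUBCMDS})
            continue
        if current is not None:
            for key, pattern in SUBCMDS.items():
                if m := re.match(pattern, line):
                    current[key].extend(m[1].split())
                    break
            else:
                current = None  # any other command ends the crypto map entry
            if current is not None:
                continue
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m[1])
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            tsets.add(m[1])
    report = {}
    for key, e in entries.items():
        problems = [f"no '{k}' configured" for k in SUBCMDS if not e[k]]
        problems += [f"ACL '{a}' is not defined" for a in e["match address"] if a not in acls]
        problems += [f"transform-set '{t}' is not defined" for t in e["transform-set"] if t not in tsets]
        report[key] = problems
    return report
```

An empty problem list for an entry means the peer, transform set and ACL are all present and the names they reference exist in the same config.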
08-17-2008 07:07 AM
Hi Husy,
Thanks. I did make some typo on the access list. So now I have made the changes and I do not see the incomplete message displayed. I am making progress .... does this mean that my IPSec is working?
R4#sho crypto isakmp sa
dst src state conn-id slot status
192.168.1.2 192.168.3.2 MM_NO_STATE 0 0 ACTIVE (deleted)
192.168.3.2 192.168.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)
Could I also check if this access list covers interesting traffic? Source is from net 192.168.4.0 to any destination. Is a specific destination required or will any be ok to use?
ip access-list extended acl-vpn
permit ip 192.168.4.0 0.0.0.255 any
Thanks
ARANA
08-17-2008 07:33 AM
Hello Arana,
To say that your IPSEC VPN is working, QM_IDLE is the state that you should be seeing, not MM_NO_STATE.
If you specify the destination as "any" then all your traffic, including internet, will travel over the tunnel. Don't use the any statement unless you know what you are doing.
Please post your running config and write exactly what you want to achieve, then let us make suggestions.
Regards
08-17-2008 02:53 PM
Hi Husy,
I want all internet traffic to go through our central site. Does it even work if I do not specify any statement? I was not aware of that. Here is the running config.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.1.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set myset
match address acl-vpn
!
!
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
no frame-relay inverse-arp
crypto map mymap
!
interface Serial1/0.1 point-to-point
ip address 192.168.3.2 255.255.255.0
frame-relay interface-dlci 401
crypto map mymap
!
interface Serial1/1
ip address 192.168.5.1 255.255.255.0
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
!
ip access-list extended acl-vpn
permit ip 192.168.5.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Regards,
ARANA