Cisco Support Community
New Member

IPSec newbie question

I am trying to connect two routes using IPSec but having some trouble as this is my first time. Can someone help explain why there is this 'incomplete' in between the commands? The tunnel also does not seem to be working.

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key cisco address 192.168.3.2
    no crypto isakmp ccm
    !
    !
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    !
    crypto map mymap 10 ipsec-isakmp
     ! Incomplete
     set peer 192.168.3.2
     set transform-set myset
     match address acl_vpn
    !

Thanks

ARANA

5 REPLIES

Re: IPSec newbie question

Try to change the crypto isakmp to the following:

    crypto isakmp key cisco address 192.168.3.2 255.255.255.255

then

    crypto isakmp policy 10
     group 2
    crypto isakmp enable

I know those are not directly related to your problem, but they need to be done anyway.

Good luck

Re: IPSec newbie question

Hello Arana,

Whenever you see an "! Incomplete" in crypto map, that means it is incomplete somehow. Double-check the spelling of acl_vpn in the original ACL and in the crypto map statement. If you are sure that all is fine, then remove the "crypto map mymap 10" entry and write it again.

You should not see "! Incomplete" there.

Regards
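The spelling check suggested in this reply can be run offline against a saved configuration. The Python sketch below is an added example, not part of the original thread or any Cisco tooling; it assumes a crypto map entry needs a peer, a transform set and a match address that each resolve to a defined object, and its sample config is constructed from the names used in the question.

```python
import re

# Constructed sample: crypto map from the question; ACL name differs (acl-vpn vs acl_vpn).
SAMPLE = """\
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 ! Incomplete
 set peer 192.168.3.2
 set transform-set myset
 match address acl_vpn
!
ip access-list extended acl-vpn
 permit ip 192.168.4.0 0.0.0.255 any
"""

def lint_crypto_maps(config):
    """Return {(map_name, seq): [problems]} for each ipsec-isakmp map entry."""
    acls, tsets, entries, current = set(), set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "!":                       # bare separator closes the entry
            current = None
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            tsets.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            key = (m.group(1), int(m.group(2)))
            current = entries.setdefault(key, {"peer": [], "tset": [], "acl": []})
        elif current is not None:             # sub-commands of the open entry
            if m := re.match(r"set peer (\S+)", line):
                current["peer"].append(m.group(1))
            elif m := re.match(r"set transform-set (.+)", line):
                current["tset"] += m.group(1).split()
            elif m := re.match(r"match address (\S+)", line):
                current["acl"].append(m.group(1))
    required = (("set peer", "peer"), ("set transform-set", "tset"),
                ("match address", "acl"))
    report = {}
    for key, e in entries.items():
        problems = [f"no {cmd}" for cmd, field in required if not e[field]]
        problems += [f"transform-set {t} not defined" for t in e["tset"] if t not in tsets]
        problems += [f"access-list {a} not defined" for a in e["acl"] if a not in acls]
        report[key] = problems
    return report

if __name__ == "__main__":
    for (name, seq), problems in lint_crypto_maps(SAMPLE).items():
        print(f"crypto map {name} {seq}:", problems or "complete")
```

The parser keys on bare "!" separators rather than indentation, so it also accepts a configuration pasted with its leading spaces stripped.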

New Member

Re: IPSec newbie question

Hi Husy,

Thanks. I did make a typo in the access list. So now I have made the changes and I do not see the incomplete message displayed. I am making progress... Does this mean that my IPSec is working?

    R4#sho crypto isakmp sa
    dst             src             state          conn-id slot status
    192.168.1.2     192.168.3.2     MM_NO_STATE          0    0 ACTIVE (deleted)
    192.168.3.2     192.168.1.1     MM_NO_STATE          0    0 ACTIVE (deleted)

Could I also check if this access list covers interesting traffic? The source is net 192.168.4.0, to any destination. Is a specific destination required, or will any be OK to use?

    ip access-list extended acl-vpn
     permit ip 192.168.4.0 0.0.0.255 any

Thanks

ARANA

Re: IPSec newbie question

Hello Arana,

To say that your IPSEC VPN is working, QM_IDLE is the state that you should be seeing, not MM_NO_STATE.

If you specify the destination as "any", then all your traffic, including internet, will travel over the tunnel. Don't use the any statement unless you know what you are doing.

Please post your running config and write exactly what you want to achieve, then let us make suggestions.

Regards

New Member

Re: IPSec newbie question

Hi Husy,

I want all internet traffic to go through our central site. Does it even work if I do not specify any statement? I was not aware of that. Here is the running config.

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 192.168.1.2
    no crypto isakmp ccm
    !
    !
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    !
    crypto map mymap 10 ipsec-isakmp
     set peer 192.168.1.2
     set transform-set myset
     match address acl-vpn
    !
    !
    !
    interface Serial1/0
     no ip address
     encapsulation frame-relay
     serial restart-delay 0
     no dce-terminal-timing-enable
     no frame-relay inverse-arp
     crypto map mymap
    !
    interface Serial1/0.1 point-to-point
     ip address 192.168.3.2 255.255.255.0
     frame-relay interface-dlci 401
     crypto map mymap
    !
    interface Serial1/1
     ip address 192.168.5.1 255.255.255.0
     serial restart-delay 0
     no dce-terminal-timing-enable
    !
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
     no dce-terminal-timing-enable
    !
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
     no dce-terminal-timing-enable
    !
    ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.3.1
    !
    !
    ip access-list extended acl-vpn
     permit ip 192.168.5.0 0.0.0.255 any
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    end

Regards,

ARANA
