
no crypto algorithm applied

dom.a
Level 1

I have correctly configured 2 routers:

- a Cisco 1721

- a Cisco 2801

My problem is that no packets are encrypted, so it is not possible to reach the remote private site.

The debug commands I use to see what is happening:

(Note that I replaced my real IPs with the keywords peer-ip, src-ip, dst-ip)

#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt

1 FastEthernet0 <peer-ip> alloc NONE 0 0

#sh crypto isakmp sa

dst src state conn-id slot

dst-ip src-ip MM_NO_STATE 0 0

Please help me to find what's wrong!!


jackko
Level 7

please post both router configs with public ip masked.

Hi,

The two routers (Cisco 1721 & 2801):

Router A config :

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key abjcot29092005 address
!
!
crypto ipsec transform-set robuste esp-3des esp-md5-hmac
!
crypto map abull 10 ipsec-isakmp
set peer
set transform-set robuste
match address 120
interface FastEthernet0
ip address
speed auto
crypto map abull
access-list 120 permit ip LAN-A-network mask LAN-B-network mask

Router B config :

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key abjcot29092005 address
!
!
crypto ipsec transform-set robuste esp-3des esp-md5-hmac
!
crypto map abjdat 10 ipsec-isakmp
set peer
set transform-set robuste
match address 101
interface FastEthernet0
ip address
speed auto
crypto map abjdat
access-list 101 permit ip LAN-B-network mask LAN-A-network mask

Regards

2 questions:

i) The source of the IPSec should be the peer on the other side. If not, force it using crypto map local-address.

ii) Is the end-to-end reachability fine? Conduits in any firewall on the path would help.

One of these may solve your issue.

Hi,

The answers:

ii) Yes, the two routers have network connectivity and ping each other from their public addresses. There is no firewall between them.

i) For router A, for example:

crypto map abull local-address FastEthernet0

Is it correct?

Regards

Yes, that's correct. Say A's FE IP is 10.0.0.1 and B's FE IP is 10.1.0.1; then the peer at A should be 10.1.0.1 with source 10.0.0.1, and the peer at B should be 10.0.0.1 with source 10.1.0.1.

Only then will ISAKMP come up.
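The symmetry rule in the reply above can be checked mechanically. This is an added example, not code from this thread: a small Python checker that parses two IOS-style crypto configs and reports peers, crypto ACLs or ISAKMP policies that are not mirror images of each other. The sample configs are constructed, using the 10.0.0.1/10.1.0.1 addresses from the reply and placeholder 192.168.x.0 LANs.

```python
import re

def parse_crypto(cfg):
    """Pull out the facts the thread compares: outside IP, peer, crypto ACL and ISAKMP policy."""
    d = {"ip": None, "peer": None, "acl_id": None, "acls": {}, "policy": set()}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"ip address (\S+)", line):
            d["ip"] = d["ip"] or m.group(1)      # first interface address = the one carrying the crypto map
        elif m := re.match(r"set peer (\S+)", line):
            d["peer"] = m.group(1)
        elif m := re.match(r"match address (\d+)", line):
            d["acl_id"] = m.group(1)
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
            d["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"(encr|hash|authentication|group) (\S+)", line):
            d["policy"].add(m.groups())
    return d

def check_symmetry(cfg_a, cfg_b):
    """Return the mismatches between side A and side B; an empty list means they mirror each other."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    findings = []
    if a["peer"] != b["ip"] or b["peer"] != a["ip"]:
        findings.append(f"peers not symmetric: A->{a['peer']} (B is {b['ip']}), B->{b['peer']} (A is {a['ip']})")
    mirrored = {(dst, src) for src, dst in b["acls"].get(b["acl_id"], [])}  # B's crypto ACL seen from A's side
    for entry in a["acls"].get(a["acl_id"], []):
        if entry not in mirrored:
            findings.append(f"crypto ACL {a['acl_id']} entry {entry} has no mirror image in B's ACL {b['acl_id']}")
    if a["policy"] != b["policy"]:
        findings.append(f"ISAKMP policy differs: {sorted(a['policy'])} vs {sorted(b['policy'])}")
    return findings

# Constructed sample in the shape the thread posted; 10.0.0.1/10.1.0.1 are the reply's example
# addresses and the 192.168.x.0 LANs are placeholders.
CFG_A = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto map abull 10 ipsec-isakmp
 set peer 10.1.0.1
 match address 120
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 crypto map abull
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Side B is the mirror image: the two addresses swapped and the crypto ACL reversed.
CFG_B = (CFG_A.replace("10.1.0.1", "X").replace("10.0.0.1", "10.1.0.1").replace("X", "10.0.0.1")
         .replace("192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0"))
```

Running `check_symmetry(CFG_A, CFG_B)` on the mirrored pair returns an empty list; feeding it the same config twice reports both the peer and the ACL mismatch.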

OK, to summarize:

Router A is a 1721 whose FE public IP is: 213.XXX.XXX.A

Router B is a 2801 whose FE public IP is: 213.XXX.XXX.B

In my router A, when I do "sh crypto isakmp sa", I have:

dst src state conn-id

213.XXX.XXX.B 213.XXX.XXX.A MM_NO_STATE 0

According to what you say, it is not what I must have, because the source must be the remote peer.

OK, so my question is:

Do I have to put the following commands like that:

- on router A -

crypto map abull local-address FastEthernet0 ?

- on router B -

crypto map abjdat local-address FastEthernet0/1 ?

Please help.

Regards

Yes, if your FE IPs are 213.xxx.xxx.A and 213.xxx.xxx.B then you wouldn't need this command. If these are loopbacks then you will have to force this command to local-address loopback x. What I am basically trying to say is that IPSec should be with symmetrical peers. If it doesn't come up with that, the best thing would be to do a debug crypto isakmp errors and events and see what the logs are.

Hi,

I have already done:

debug crypto isakmp

debug crypto ipsec

debug crypto engine

from a telnet window. But after that nothing like debug messages appears... Do I have to do it in console mode, or how do I catch debug messages from the telnet window?

Thanks for your availability.

Regards

You need to do "term mon" from the telnet session in order to read the live debug output.

Results of 'debug crypto isakmp': file attached

Regards

I guess the issue can be resolved in a much more efficient way provided you post the entire config with the public IPs masked.

OK, I post you the entire config of the 1721 and 2801.

See file attached.

I think an answer will be found to my problem...

Regards

*Mar 16 02:04:51.103: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

*Mar 16 02:04:51.103: ISAKMP:(0:0:N/A:0): sending packet to 213.xxx.xxx.B my_port 500 peer_port 500 (I) MM_NO_STATE

Wondering if there is an ACL block at any point. Is it possible to check for any block on the path?

More debug messages.

see attachments

Regards