12-02-2005 10:09 AM
I have correctly configured 2 routers:
- a Cisco 1721
- a Cisco 2801
My problem is that no packets are encrypted, so it is not possible to reach the remote private site.
The debug commands I use to see what is happening:
(Note that I replaced my real IPs by the keywords peer-ip, src-ip, dst-ip)
#sh crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0 <peer-ip> alloc NONE 0 0
#sh crypto isakmp sa
dst src state conn-id slot
dst-ip src-ip MM_NO_STATE 0 0
Please help me find what's wrong!!
12-02-2005 11:27 PM
Please post both router configs with the public IPs masked.
12-03-2005 02:18 AM
Hi,
the two routers (Cisco 1721 & 2801):
Router A config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key abjcot29092005 address
!
!
crypto ipsec transform-set robuste esp-3des esp-md5-hmac
!
crypto map abull 10 ipsec-isakmp
set peer
set transform-set robuste
match address 120
interface FastEthernet0
ip address
speed auto
crypto map abull
access-list 120 permit ip LAN-A-network mask LAN-B-network mask
Router B config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key abjcot29092005 address
!
!
crypto ipsec transform-set robuste esp-3des esp-md5-hmac
!
crypto map abjdat 10 ipsec-isakmp
set peer
set transform-set robuste
match address 101
interface FastEthernet0
ip address
speed auto
crypto map abjdat
access-list 101 permit ip LAN-B-network mask LAN-A-network mask
Regards
12-03-2005 02:34 AM
2 questions:
i) The source of the IPsec should be the peer on the other side. If not, force it using crypto map local address.
ii) Is the end-to-end reachability fine? Conduits in any firewall on the path would help.
One of these may solve your issue.
12-03-2005 04:03 AM
Hi,
the answer:
ii) Yes, the two routers have network connectivity and ping each other from their public addresses. There is no firewall between them.
i) For router A, for example:
crypto map abull local-address FastEthernet0
Is it correct?
Regards
12-03-2005 04:14 AM
Yes, that's correct. Say A's FE IP is 10.0.0.1 and B's FE IP is 10.1.0.1; then the peer at A should be 10.1.0.1 with source 10.0.0.1, and the peer at B should be 10.0.0.1 with source 10.1.0.1.
Only then will ISAKMP come up.
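The symmetry described in the reply above, checked mechanically: this is an added example (not code from the thread or from Cisco), a small Python script that reads two crypto-map configurations in the form posted earlier and reports where the peers, the ISAKMP key addresses and the crypto ACLs do not mirror each other. The two configs inside it are constructed, reusing the 10.0.0.1 / 10.1.0.1 addresses from the reply; the LAN prefixes are invented.

```python
import re

# Constructed sample configs (not the thread's real ones): public addresses are the
# 10.0.0.1 (A) / 10.1.0.1 (B) values from the reply above, LAN prefixes are invented.
ROUTER_A = """\
crypto isakmp key abjcot29092005 address 10.1.0.1
crypto map abull 10 ipsec-isakmp
 set peer 10.1.0.1
 match address 120
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 crypto map abull
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ROUTER_B = """\
crypto isakmp key abjcot29092005 address 10.0.0.1
crypto map abjdat 10 ipsec-isakmp
 set peer 10.0.0.1
 match address 101
interface FastEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 crypto map abjdat
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def parse(cfg):
    """Pull out the fields that must line up between the two ends of the tunnel."""
    def g(pat): return re.search(pat, cfg, re.M)
    key, key_addr = g(r"^crypto isakmp key (\S+) address (\S+)").groups()
    peer = g(r"^ set peer (\S+)").group(1)
    acl_id = g(r"^ match address (\d+)").group(1)
    # IPsec is sourced from the interface the crypto map is applied to (unless
    # 'crypto map X local-address' overrides it), so take that interface's address.
    local = g(r"^ ip address (\S+) \S+\n(?: .*\n)*? crypto map \S+$").group(1)
    entries = re.findall(r"^access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M)
    acl = {(src, dst) for i, src, dst in entries if i == acl_id}
    return dict(key=key, key_addr=key_addr, peer=peer, local=local, acl=acl)

def check_symmetry(cfg_a, cfg_b):
    """Return the asymmetries between the two ends; an empty list means they match."""
    a, b = parse(cfg_a), parse(cfg_b)
    checks = [
        (a["peer"] == b["local"] and b["peer"] == a["local"],
         "set peer must be the other end's crypto-map interface address"),
        (a["key_addr"] == a["peer"] and b["key_addr"] == b["peer"],
         "crypto isakmp key address must match set peer"),
        (a["key"] == b["key"], "pre-shared keys differ"),
        # the crypto ACLs must be mirror images: A's src->dst is B's dst->src
        (a["acl"] == {(dst, src) for src, dst in b["acl"]}, "crypto ACLs are not mirror images"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running check_symmetry(ROUTER_A, ROUTER_B) on the two sample configs returns an empty list; changing one side's `set peer` to an address that is not the other side's interface address makes both the peer check and the key-address check fire.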
12-03-2005 04:44 AM
OK, to summarize:
Router A is a 1721 whose public FE IP is: 213.XXX.XXX.A
Router B is a 2801 whose public FE IP is: 213.XXX.XXX.B
In my router A, when I do "sh crypto isakmp sa", I have:
dst src state conn-id
213.XXX.XXX.B 213.XXX.XXX.A MM_NO_STATE 0
According to what you say, it is not what I must have, because the source must be the remote peer.
OK, so my question is:
Do I have to put the following commands, like this:
- on router A -
crypto map abull local-address FastEthernet0 ?
- on router B -
crypto map abjdat local-address FastEthernet0/1 ?
Please help
Regards
12-03-2005 06:11 AM
Yes, if your FE IPs are 213.xxx.xxx.A and 213.xxx.xxx.B then you wouldn't need this command. If these are loopbacks then you will have to force it with local-address loopback x. What I am basically trying to say is that IPsec should be with symmetrical peers. If it doesn't come up with that, the best thing would be to do a debug crypto isakmp errors and events and see what the logs are.
12-03-2005 06:19 AM
Hi,
I have already done:
debug crypto isakmp
debug crypto ipsec
debug crypto engine
from a telnet window. But after that nothing like debug messages appears... Or do I have to do it in console mode, or how do I catch debug messages from a telnet window?
Thanks for your availability.
Regards
12-03-2005 06:36 AM
You need to do "term mon" from the telnet session in order to read the live debug output.
12-05-2005 04:05 AM
12-05-2005 04:28 AM
I guess the issue can be resolved in a much more efficient way if you post the entire config with the public IPs masked.
12-05-2005 06:25 AM
12-05-2005 07:28 AM
*Mar 16 02:04:51.103: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 16 02:04:51.103: ISAKMP:(0:0:N/A:0): sending packet to 213.xxx.xxx.B my_port 500 peer_port 500 (I) MM_NO_STATE
Wondering if there is an ACL block at any point. Is it possible to check for any block on the path?
12-06-2005 01:43 AM