Phase 2 issue in IPSEC site-to-site

salman abid
Level 1

Hi All,

I have got an issue while creating an IPSEC site-to-site VPN between cisco2901-15.2(4)M3 ---> cisco861-12.4

Phase 1 is successfully up, but when I run the command show crypto ipsec sa I can't see any encrypt/decrypt packets.

Below are the running configs and show crypto output for both sides.

cisco2901:-

Current configuration : 5668 bytes
!
! Last configuration change at 17:08:59 PCTime Mon Feb 3 2014 by ciscodxb
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DXB-CIT
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
clock timezone PCTime 4 0
!
ip cef
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.10.101 192.168.10.254
!
ip dhcp pool dxb-pool
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 80.xxx.xx.xx 213.xxx.xxx.xx
!
ip domain name channelit
ip name-server 80.xx.xx.xx
ip name-server 213.xx.xx.xx
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1231038404
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1231038404
 revocation-check none
 rsakeypair TP-self-signed-1231038404
!
crypto pki certificate chain TP-self-signed-1231038404
 certificate self-signed 01


 quit
voice-card 0
!
license udi pid CISCO2901/K9 sn FCZ1716C4QT
hw-module pvdm 0/0
!
username cisco
username ciscodxb privilege 15 password 0 cisco
username compumate privilege 15 secret 4 YCR80zERMiSH2RJpMWWOYdaDiHRm0U6p9mGMCktErQ2
!
redundancy
!
crypto ctcp
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address 41.xxx.xx.xx
!
crypto isakmp client configuration group CITDXB
 key xxxxxx
 pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group xxxxx
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set Dxb-to-Nigeria esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto dynamic-map hq-vpn 11
 set security-association lifetime seconds 86400
 set transform-set CHANNEL-DUBAI
!
crypto map Dxb-to-Nigeria 1 ipsec-isakmp
 set peer 41.xxx.xxx.xxx
 set transform-set Dxb-to-Nigeria
 match address 110
!
crypto map VPN 1 ipsec-isakmp dynamic hq-vpn
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-WAN$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ES_WAN$
 ip address 80.xxx.xxx.xxx 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Dxb-to-Nigeria
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 192.168.20.20 192.168.20.50
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat source list 100 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

DXB-CIT#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                         src             state          conn-id status
41.xxx.xxx.xx    80.xxx.xx.xx   QM_IDLE           1011 ACTIVE

IPv6 Crypto ISAKMP SA

DXB-CIT#show crypto ipsec sa
interface: GigabitEthernet0/1
    Crypto map tag: Dxb-to-Nigeria, local addr 80.xxx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (41.xxx.xx.xx/255.255.255.248/0/0)
   current_peer 41.xxx.xx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1467, #recv errors 0

     local crypto endpt.: 80.xxx.xxx.xx, remote crypto endpt.: 41.xxx.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

cisco861:-

crypto pki trustpoint TP-self-signed-2499926077
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2499926077
 revocation-check none
 rsakeypair TP-self-signed-2499926077
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki certificate chain TP-self-signed-2499926077
 certificate self-signed 01


 quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
ip source-route
ip dhcp excluded-address 10.10.10.1
!
ip cef
ip domain name yourdomain.com
!
username emma privilege 15 password 0 PasemmaY
username admin privilege 15 secret 5 $1$GHAV$CuyCKFpaEVCRcTX4jTNzp/
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 7
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key &dtej4$ address 41.xxx.xx.xxx
crypto isakmp key ch@nn#l!t address 41.xx.xx.xx
crypto isakmp key t3l3comch@nn3l&mtn address 196.xx.xx.xx
crypto isakmp key CITDENjan2014 address 80.xxx.xx.xx
!
crypto ipsec transform-set MTN-TCWA esp-3des esp-sha-hmac
crypto ipsec transform-set channelit esp-3des esp-md5-hmac
crypto ipsec transform-set MTNG-TCWA esp-3des esp-md5-hmac
crypto ipsec transform-set CHANNEL-DUBAI esp-3des esp-md5-hmac
!
crypto map CHANNEL-DUBAI 14 ipsec-isakmp
 set peer 80.xxx.xx.xxx
 set transform-set CHANNEL-DUBAI
 match address 160
!
crypto map MTNVPN local-address FastEthernet4
crypto map MTNVPN 10 ipsec-isakmp
 set peer 41.xxx.xx.xx
 set transform-set MTN-TCWA
 match address 101
crypto map MTNVPN 11 ipsec-isakmp
 set peer 41.xxx.xx.x
 set transform-set channelit
 match address 150
crypto map MTNVPN 12 ipsec-isakmp
 set peer 196.xxx.xx.xx
 set transform-set MTNG-TCWA
 match address MTNG
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description This interface connect MTN Fibre
 ip address 41.206.xx.xxx 255.255.255.252
 duplex auto
 speed auto
 crypto map MTNVPN
!
interface Vlan1
 description This interface connects to CIT LAN
 ip address 41.xxx.xx.xxx 255.255.255.248
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.xxx.xx.xx
ip route 10.93.128.128 255.255.255.224 41.xxx.xx.x
ip route 10.109.95.64 255.255.255.240 41.xxx.xx.xxx
ip route 10.135.45.0 255.255.255.224 196.xxx.xx.xx
ip route 10.199.174.225 255.255.255.255 41.xxx.xx.xxx
ip route 192.168.10.0 255.255.255.0 80.xxx.xxx.xxx
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended MTNG
 permit ip 41.xxx.xx.xxx 0.0.0.7 10.135.45.0 0.0.0.31
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit any
access-list 101 permit ip 41.206.13.192 0.0.0.7 host 41.206.4.75
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.64 0.0.0.15
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.120 0.0.0.7
access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.64 0.0.0.31
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.96 0.0.0.31
access-list 150 permit ip host 41.206.13.193 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.194 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.195 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.196 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.197 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.198 10.197.212.224 0.0.0.31
access-list 160 permit ip 41.206.xx.xxx 0.0.0.7 192.168.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

CIT_2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                       src             state          conn-id slot status
41.xxx.xx.xxx    80.xxx.xx.xxx QM_IDLE           2003    0 ACTIVE

IPv6 Crypto ISAKMP SA

CIT_2#show crypto ipsec sa
interface: FastEthernet4
    Crypto map tag: MTNVPN, local addr 41.xxx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (41.xxx.x.xx/255.255.255.255/0/0)
   current_peer 41.xxx.xx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (10.109.95.120/255.255.255.248/0/0)
   current_peer 41.xxx.xx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Accepted Solution

Marcin Latosiewicz
Cisco Employee

CHANNEL-DUBAI crypto map is not applied to any interface.

How about just adding a new entry to MTNVPN, which is already applied to fa4.


2 Replies


@Marcin

Any suggestion to fix the issue?

I mean, if I put the commands below, will I be able to fix the issue?

crypto map MTNVPN 12 ipsec-isakmp
 set peer 80.xxx.xx.xxx
 set transform-set CHANNEL-DUBAI
 match address 160
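As an added check (not from the thread and not a Cisco tool), the script below parses an IOS-style config excerpt constructed from the cisco861 config above: it lists crypto maps that no interface applies, which is the accepted diagnosis, and reports whether a proposed crypto map MTNVPN <seq> entry would reuse a sequence number the config already has, since IOS treats a repeated sequence number as an edit of the existing entry rather than a new one. CONFIG_861 and the function names are my own.

```python
import re

# Constructed excerpt modelled on the cisco861 config posted in the thread
# (peer addresses masked the same way the post masks them).
CONFIG_861 = """\
crypto map CHANNEL-DUBAI 14 ipsec-isakmp
 set peer 80.xxx.xx.xxx
 set transform-set CHANNEL-DUBAI
 match address 160
crypto map MTNVPN local-address FastEthernet4
crypto map MTNVPN 10 ipsec-isakmp
 set peer 41.xxx.xx.xx
 match address 101
crypto map MTNVPN 12 ipsec-isakmp
 set peer 196.xxx.xx.xx
 match address MTNG
interface FastEthernet4
 ip address 41.206.xx.xxx 255.255.255.252
 crypto map MTNVPN
interface Vlan1
 ip address 41.xxx.xx.xxx 255.255.255.248
"""

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")  # global entry
MAP_APPLY = re.compile(r"^\s+crypto map (\S+)\s*$")              # under an interface


def parse_crypto_maps(config):
    """Return ({map: {seq: peer}}, {map: [interfaces the map is applied to]})."""
    entries, applied = {}, {}
    current = iface = None
    for line in config.splitlines():
        if m := MAP_ENTRY.match(line):
            name, seq = m.group(1), int(m.group(2))
            entries.setdefault(name, {})[seq] = None
            current, iface = (name, seq), None
        elif line.startswith("interface "):
            iface, current = line.split()[1], None
        elif current and line.strip().startswith("set peer "):
            entries[current[0]][current[1]] = line.split()[2]
        elif iface and (m := MAP_APPLY.match(line)):
            applied.setdefault(m.group(1), []).append(iface)
    return entries, applied


def unapplied_maps(config):
    """Maps bound to no interface: IKE phase 1 can still complete via the
    isakmp key, but no IPsec SA is ever negotiated for their peers."""
    entries, applied = parse_crypto_maps(config)
    return sorted(name for name in entries if name not in applied)


def seq_conflict(config, map_name, seq):
    """Peer already occupying this sequence number in map_name, or None if free."""
    entries, _ = parse_crypto_maps(config)
    return entries.get(map_name, {}).get(seq)
```

Run against the constructed excerpt, unapplied_maps reports CHANNEL-DUBAI and seq_conflict shows that MTNVPN 12 already belongs to the 196.xxx.xx.xx peer, so a new entry for the Dubai peer needs a free sequence number.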