Cisco Support Community
Community Member

router to router IPSEC issue

I have a 2691 (gateway a) and (gateway b)

I can establish a connection, I can ping the public address. Any ideas?

My config looks like this:

Gateway A -----------------------------

crypto map cm-cryptomap 40 ipsec-isakmp
 description GWA to GWB
 set peer xx.xx.xx.195
 set transform-set cm-transformset-10
 match address 140
!
crypto ipsec transform-set cm-transformset-10 esp-aes 256 esp-sha-hmac
!
crypto isakmp key xxxxxxxxxx address xx.xx.xx.195
!
access-list 140 permit ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.0.255
!
interface fa0/1
 crypto map cm-cryptomap

Gateway B -----------------------------

crypto map cm-cryptomap 40 ipsec-isakmp
 description GWB to GWA
 set peer xx.xx.xx.200
 set transform-set cm-transformset-10
 match address 140
!
crypto ipsec transform-set cm-transformset-10 esp-aes 256 esp-sha-hmac
!
crypto isakmp key xxxxxxxxxx address xx.xx.xx.200
!
access-list 140 permit ip 10.10.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
interface fa0/1
 crypto map cm-cryptomap

---------------------------------------

show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: cm-cryptomap, local addr xx.xx.xx.200
   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   current_peer xx.xx.xx.195 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: xx.xx.xx.200, remote crypto endpt.: xx.xx.xx.195
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

itv-gw#show run | include crypto
crypto isakmp policy 40
crypto isakmp key xxxxxxxxxx address xx.xx.xx.195
crypto ipsec transform-set cm-transformset-10 esp-aes 256 esp-sha-hmac
crypto map cm-cryptomap 40 ipsec-isakmp
 crypto map cm-cryptomap
itv-gw#

itv-gw#show crypto map
Crypto Map "cm-cryptomap" 40 ipsec-isakmp
        Description: GWA to GWB
        Peer = xx.xx.xx.195
        Extended IP access list 140
            access-list 140 permit ip 10.10.0.0 0.0.0.255 192.168.0.0 0.0.0.255
        Current peer: xx.xx.xx.195
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={cm-transformset-10, }
        Interfaces using crypto map cm-cryptomap: FastEthernet0/1

1 REPLY
Cisco Employee

Re: router to router IPSEC issue

It looks like Phase 2 is failing because you do not have an SA.

Could you please initiate the tunnel and paste the debugs from both sides in the forum?

deb cry isa

deb cry ipsec
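
How the reply's conclusion can be read off the posted `show crypto ipsec sa` output, as an added example that is not part of the original thread: a zero outbound SPI together with empty SA lists means no IPsec SA is installed for the flow. The helper names `parse_ipsec_sa` and `diagnose` are hypothetical, and the `ONE_WAY` case goes beyond what the thread shows; it assumes the per-SA `spi: 0x...` lines that IOS prints once an SA exists.

```python
import re

# Trimmed from the output posted in the thread (addresses masked as on the page).
SAMPLE = """\
   Crypto map tag: cm-cryptomap, local addr xx.xx.xx.200
   local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   current_peer xx.xx.xx.195 port 500
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   current outbound spi: 0x0(0)
   inbound esp sas:
   outbound esp sas:
"""

def parse_ipsec_sa(text):
    """Hypothetical helper: one dict per protected flow (local ident entry)."""
    flows, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"local\s+ident .*:\s*\(([^/]+)/([^/]+)/", line):
            cur = {"local": "/".join(m.groups()), "peer": None,
                   "encaps": 0, "decaps": 0, "out_spi": 0, "sas": 0}
            flows.append(cur)
        elif cur is None:
            continue  # header lines before the first flow
        elif m := re.match(r"current_peer (\S+)", line):
            cur["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur["decaps"] = int(m.group(1))
        elif m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", line):
            cur["out_spi"] = int(m.group(1), 16)
        elif re.match(r"spi: 0x[0-9A-Fa-f]+", line):
            cur["sas"] += 1  # IOS prints one "spi:" line per installed SA
    return flows

def diagnose(flow):
    """Hypothetical helper: classify a flow from the parsed counters."""
    if flow["out_spi"] == 0 and flow["sas"] == 0:
        return "NO_SA"    # nothing negotiated: the state the reply points at
    if flow["encaps"] > 0 and flow["decaps"] == 0:
        return "ONE_WAY"  # SAs exist, packets leave, nothing comes back
    return "UP"

if __name__ == "__main__":
    for f in parse_ipsec_sa(SAMPLE):
        print(f["local"], "via", f["peer"], "->", diagnose(f))
```

A `NO_SA` result only says that no SA is installed; the `debug crypto isakmp` and `debug crypto ipsec` output requested in the reply is still what shows why.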
