Cisco Support Community
Community Member

crypto-IPSEC problem after configuration

Hi Experts,

I faced a problem after ipsec configuration. Attached is the debug crypto message for ipsec, isakmp and engine. Hope to get some light from you guys.

Thanks.

7 REPLIES
Hall of Fame Super Blue

Re: crypto-IPSEC problem after configuration

Hi Cindy

1) Can you post the debug from both devices - sometimes it is helpful to see what both ends are doing.

2) When you run a "sh crypto isa sa" do you see "MM_NO_STATE" in the output?

It looks like it is failing on phase 1 - usually means one of 2 things

1) There are no matching isakmp policies

2) The shared key does not match.

Could you post configs as well, together with the IP addressing details, i.e. what IP are you connecting from and what IP are you trying to connect to?

Jon
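
The two Phase 1 causes listed in the reply above (no matching isakmp policy, mismatched shared key) can be checked offline from the two running configs. This is an added example, not part of the original thread: the sample configs and keys are constructed, only the WAN addresses come from the thread, and the default values for omitted policy lines are assumed to be the classic IOS ones.

```python
import re

# Values IOS uses for parameters left out of a policy (assumption: classic IOS
# defaults, which "show running-config" does not print).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def isakmp_policies(cfg):
    """Return {priority: {encr, hash, authentication, group}} for one config."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        words = line.split()
        if m:
            cur = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif cur is not None and line.startswith(" "):
            # "encr" and "encryption" are the same command
            key = "encr" if words and words[0].startswith("encr") else (words or [""])[0]
            if key in DEFAULTS and len(words) > 1:
                cur[key] = " ".join(words[1:])
        else:
            cur = None  # left the policy sub-mode
    return policies

def preshared_key(cfg, peer):
    """Return the key configured for `peer`, or None if there is none."""
    pat = r"^crypto isakmp key (?:0 )?(\S+) address " + re.escape(peer) + r"(?:\s|$)"
    m = re.search(pat, cfg, re.M)
    return m.group(1) if m else None

def phase1_check(cfg_a, ip_a, cfg_b, ip_b):
    """List the Phase 1 mismatches between two peers' configs."""
    problems = []
    pa, pb = isakmp_policies(cfg_a), isakmp_policies(cfg_b)
    if not any(p in pb.values() for p in pa.values()):
        problems.append("no matching isakmp policy")
    ka, kb = preshared_key(cfg_a, ip_b), preshared_key(cfg_b, ip_a)
    if ka is None or kb is None:
        problems.append("no pre-shared key configured for the peer")
    elif ka != kb:
        problems.append("pre-shared keys differ")
    return problems

# Constructed sample configs (not the poster's attachments).
RTRIRA = ("crypto isakmp policy 10\n encr 3des\n hash md5\n"
          " authentication pre-share\n group 2\n"
          "crypto isakmp key EXAMPLEKEY1 address 20.20.20.21\n")
RTRHBC = RTRIRA.replace("20.20.20.21", "20.20.20.20")
# Same peer with the hash line dropped (falls back to sha) and a different key.
RTRHBC_BAD = RTRHBC.replace(" hash md5\n", "").replace("EXAMPLEKEY1", "EXAMPLEKEY2")
```

Calling `phase1_check(RTRIRA, "20.20.20.20", RTRHBC_BAD, "20.20.20.21")` reports both problems, because a policy line missing from one side silently takes the default and no longer matches the peer.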

Community Member

Re: crypto-IPSEC problem after configuration

Thanks Jon.

1) I am trying to get the debug, but seems like the debug is not running although I console in to the routers.

I have done a "term mon" but to no avail.

Did a "show debug" and the debugging is on.

Need your advice here.

2) There is no output.

The config as attached.

20.20.20.20 and 20.20.20.21 (ROUTERS' WAN CONNECTION) are on Interface FastEthernet and they are configured to crypto map.

Thanks.

Hall of Fame Super Blue

Re: crypto-IPSEC problem after configuration

Cindy

Can you confirm which IP address you are connecting from and which IP address you are connecting to?

The config looks fine as far as I can see.

Jon

Community Member

Re: crypto-IPSEC problem after configuration

Jon,

PC (192.168.1.1) - SW - 192.168.1.254 (rtrira) WAN IP: 20.20.20.20 <----> 20.20.20.21 (rtrhbc) 192.168.2.254 - SW - PC (192.168.2.1)

Not sure if this is clear to you, if not, let me know again ya..

Thanks.

Community Member

Re: crypto-IPSEC problem after configuration

Another info is..

I am trying to ping to 192.168.2.1 to establish if the ipsec is working..but got request timed out..

Thanks.

Hall of Fame Super Blue

Re: crypto-IPSEC problem after configuration

Cindy

Contrary to what I said before, from the debugging it looks like Phase 1 is completing and Phase 2 is the issue.

Your configs look absolutely fine to me, the only thing that I wouldn't normally put in are the static routes to the remote networks, i.e.

rtrhbc

ip route 192.168.1.0 255.255.255.0 20.20.20.20

rtrira

ip route 192.168.2.0 255.255.255.0 20.20.20.21

You don't need these routes as the crypto access-lists, access-list 105 in your configs, are what tells the router how to reach the remote network.

Could you remove these static routes and try again.

Jon

Community Member

Re: crypto-IPSEC problem after configuration

Jon,

Not sure how it happened.. I removed the crypto config and put it back again.

Seems like it is working now.. :)

Thanks for your help again..
