New Member

IP sec issue

Hi all,

I had configured IPsec but the link can't come up, so could you help me to configure IPsec?


Re: IP sec issue

Hi,

1. Don't start with the IPsec configuration directly.

2. First see whether the link is up between the peers and the peers can ping each other.

3. Use show interface to see the interface status.

HTH..rate if helpful..

New Member

Re: IP sec issue

Hello... everything is OK... could you send me an IPsec config?

Re: IP sec issue

1. Tell me on which devices you are trying to establish the IPsec?

New Member

Re: IP sec issue

IPsec between router and router

Re: IP sec issue

First Router Config

---------------------------------------

hostname R2
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key ciscokey address 200.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description ------LAN Interface-----
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description ----WAN interface where other peer is connected---
 ip address 100.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
ip route 0.0.0.0 0.0.0.0 100.1.1.254
!
!--- Exclude the private network from the NAT process:
ip nat inside source list 175 interface Ethernet1/0 overload
!
!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!--- Exclude the private network from the NAT process:
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any

---------------------------------------

Router R3

---------------------------------------

hostname R3
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key ciscokey address 100.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set myset
 !--- Include the private-network-to-private-network traffic
 !--- in the encryption process:
 match address 101
!
interface Ethernet0/0
 description -----LAN Interface----
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description ---WAN Interface
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map myvpn
!
ip route 0.0.0.0 0.0.0.0 200.1.1.254
!
!--- Exclude the private network from the NAT process:
ip nat inside source list 122 interface Ethernet1/0 overload
!
!--- Include the private-network-to-private-network traffic
!--- in the encryption process:
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!--- Exclude the private network from the NAT process:
access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any

-------------------------------------------

HTH...rate if helpful...
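
The two configurations in the reply above only form a tunnel if each router's set peer is the address of the other router's crypto-map interface, the two crypto ACLs (101) mirror each other, and the tunnel traffic is denied in the NAT ACL ahead of the overload permit. As an added example (not part of the thread and not Cisco code), this Python script checks those three points; the names facts and check_pair are hypothetical, and the sample text is constructed from the posted configs.

```python
import re
# Constructed inputs: the two configurations posted above, cut down to the lines checked.
R2 = """crypto map myvpn 10 ipsec-isakmp
 set peer 200.1.1.1
 match address 101
interface Ethernet1/0
 ip address 100.1.1.1 255.255.255.0
 crypto map myvpn
ip nat inside source list 175 interface Ethernet1/0 overload
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any
"""
R3 = """crypto map myvpn 10 ipsec-isakmp
 set peer 100.1.1.1
 match address 101
interface Ethernet1/0
 ip address 200.1.1.1 255.255.255.0
 crypto map myvpn
ip nat inside source list 122 interface Ethernet1/0 overload
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any
"""

def facts(cfg):
    """Pull out the settings that have to agree between the two peers."""
    acl = {}
    for num, act, src, dst in re.findall(
            r"^access-list (\d+) (permit|deny) ip (\S+ \S+) (any|\S+ \S+)$", cfg, re.M):
        acl.setdefault(num, []).append((act, src, dst))
    get = lambda pat: (re.search(pat, cfg, re.M) or [None, None])[1]  # None if absent
    return {"peer": get(r"^ set peer (\S+)"),
            "wan": get(r"^interface .*\n(?: .*\n)*? ip address (\S+) .*\n(?: .*\n)*? crypto map "),
            "crypto": acl.get(get(r"^ match address (\d+)"), []),
            "nat": acl.get(get(r"^ip nat inside source list (\d+)"), [])}

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two peers' configs; an empty list means consistent."""
    a, b, problems = facts(cfg_a), facts(cfg_b), []
    if a["crypto"] != [(act, dst, src) for act, src, dst in b["crypto"]]:
        problems.append("crypto ACLs are not mirror images")
    for name, x, y in (("A", a, b), ("B", b, a)):
        if x["peer"] != y["wan"]:
            problems.append(f"{name}: set peer {x['peer']} != peer's crypto-map interface {y['wan']}")
        permit_at = next((i for i, e in enumerate(x["nat"]) if e[0] == "permit"), len(x["nat"]))
        exempt = {(s, d) for _, s, d in x["nat"][:permit_at]}  # denies before the first permit
        if not {(s, d) for act, s, d in x["crypto"] if act == "permit"} <= exempt:
            problems.append(f"{name}: tunnel traffic is not denied ahead of the NAT permit")
    return problems
```

check_pair(R2, R3) returns an empty list for the posted pair; a crypto map that was never applied to the WAN interface shows up as a peer mismatch against None.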

Re: IP sec issue

Make sure you are adding proper default routes..

New Member

Re: IP sec issue

When I type the crypto ipsec transform-set command, I can't enter this: myset esp-3des esp-md5-hmac

!

Re: IP sec issue

Hi,

myset is the name of the transform set, so you need to type it as it is. It is not a keyword, but esp-3des and esp-md5-hmac are keywords; you can get these by using "?" or pressing Tab.

New Member

Re: IP sec issue

Thank you satish.
