
New Member

Ipsec site to site

Hi,

I am using IPsec between two routers (site to site) in a lab environment for testing.

Router A's local LAN cannot ping the remote Router B, and the crypto session is showing down. Please provide the solution to bring this scenario up.

The detailed configuration is as follows:

Router B

Building configuration...

Current configuration : 957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.2
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set manju
 match address 110
!
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 speed auto
 crypto map 1
!
interface Serial0
 description AIRTEL-BANG [192.168.10.2]
 ip address 192.168.10.1 255.255.255.252
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip host 192.168.10.1 host 192.168.10.2
!
control-plane
!
line con 0
line aux 0
line vty 0 3
 login
line vty 4
 password cisco
 login
!
end

Router A

Building configuration...

Current configuration : 955 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-BANG
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.1
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set manju
 match address 110
!
interface FastEthernet0
 ip address 172.26.8.10 255.255.255.0
 speed auto
 crypto map 1
!
interface Serial0
 description AIRTEL-DELHI[192.168.10.1]
 ip address 192.168.10.2 255.255.255.252
!
interface Serial1
 no ip address
 shutdown
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip host 192.168.10.2 host 192.168.10.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

14 REPLIES
Hall of Fame Super Bronze

Re: Ipsec site to site

The 'interesting' traffic in your ACL should be your LAN subnets, not the serial links.

For instance:

Router B:

access-list 110 permit ip 10.97.37.0 0.0.0.255 172.26.8.0 0.0.0.255

Router A:

access-list 110 permit ip 172.26.8.0 0.0.0.255 10.97.37.0 0.0.0.255

HTH,

__

Edison.

Please rate helpful posts

New Member

Re: Ipsec site to site

Hi,

I suppose your interesting traffic is between 10.97.37.0/24 and 172.26.8.0/24 networks, and your peers are 192.168.10.1 and 192.168.10.2 respectively.

Isn't it something like the following that you are looking for?

Try pinging between these networks and see whether the traffic goes through the tunnel (debug crypto <> options).

Router B

Building configuration...

Current configuration : 957 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.2
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set manju
 match address 110
!
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 speed auto
!
interface Serial0
 description AIRTEL-BANG [192.168.10.2]
 ip address 192.168.10.1 255.255.255.252
 crypto map 1
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 10.97.37.0 0.0.0.255 172.26.8.0 0.0.0.255
ip route 172.26.8.0 255.255.255.0 192.168.10.2
!
control-plane
!
line con 0
line aux 0
line vty 0 3
 login
line vty 4
 password cisco
 login
!
end

Router A

Building configuration...

Current configuration : 955 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-BANG
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 192.168.10.1
!
crypto ipsec transform-set manju ah-sha-hmac esp-des
!
crypto map 1 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set manju
 match address 110
!
interface FastEthernet0
 ip address 172.26.8.10 255.255.255.0
 speed auto
!
interface Serial0
 description AIRTEL-DELHI[192.168.10.1]
 ip address 192.168.10.2 255.255.255.252
 crypto map 1
!
interface Serial1
 no ip address
 shutdown
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 172.26.8.0 0.0.0.255 10.97.37.0 0.0.0.255
ip route 10.97.37.0 255.255.255.0 192.168.10.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

HTH
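
The replies above fix the same three things by inspection: the crypto map moves from the LAN interface to the serial link, the 'match address' ACL changes from the tunnel endpoints to the two LAN subnets (mirrored on each side), and static routes send the remote LAN towards the peer. As an added example that is not from the thread or from Cisco, the Python below encodes those checks so a pair of running-configs can be cross-checked before bringing the tunnel up. It rebuilds the crypto-relevant lines of both posted configs (the original post and the accepted answer); the helper names, the dictionary layout and the wording of the findings are this example's own. It also reports two things the thread does not discuss: the two posted policy 10 entries differ in hash (Router B sets md5, Router A leaves the IOS default, sha), and esp-des with md5 are lab-grade algorithm choices.

```python
"""Cross-check the two ends of an IOS crypto-map site-to-site tunnel.

Added example, not code from the thread or from Cisco. It automates what the replies
check by hand: crypto map on the WAN interface, 'set peer' and the ISAKMP key naming
the far end's WAN address, a 'match address' ACL of LAN subnets (mirrored, never the
tunnel endpoints) and a route to the remote LAN via the peer. IPv4, one map entry.
"""
import ipaddress


def site(hostname, lan_ip, wan_ip, peer, map_if, acl, route="", policy_extra=""):
    """Trimmed IOS config, in the unindented form the thread posted it."""
    fe = "crypto map 1\n" if map_if == "FastEthernet0" else ""
    se = "crypto map 1\n" if map_if == "Serial0" else ""
    return (f"hostname {hostname}\ncrypto isakmp policy 10\n{policy_extra}\n"
            f"authentication pre-share\ncrypto isakmp key cisco123 address {peer}\n"
            "crypto ipsec transform-set manju ah-sha-hmac esp-des\n"
            f"crypto map 1 10 ipsec-isakmp\nset peer {peer}\nset transform-set manju\n"
            f"match address 110\ninterface FastEthernet0\nip address {lan_ip} 255.255.255.0\n{fe}"
            f"interface Serial0\nip address {wan_ip} 255.255.255.252\n{se}"
            f"access-list 110 permit ip {acl}\n{route}\n")


def _acl_addr(t, i):
    """Parse one ACL address clause at t[i]: 'host X' or 'X wildcard' (contiguous wildcard)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    wild_bits = bin(int(ipaddress.IPv4Address(t[i + 1]))).count("1")
    return ipaddress.ip_network(f"{t[i]}/{32 - wild_bits}", strict=False), i + 2


def parse(text):
    """Pull the crypto-relevant facts out of a running-config dump."""
    c = {"hostname": "?", "hash": "sha", "ifaces": {}, "map_if": None, "acl": [],
         "routes": [], "xform": [], "peer": None, "key_addr": None}  # sha: IOS default hash
    cur = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] in ("hostname", "hash"):
            c[t[0]] = t[1]
        elif t[0] == "interface":
            cur = t[1]
        elif t[:2] == ["ip", "address"] and cur:
            c["ifaces"][cur] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["crypto", "map"] and len(t) == 3:  # 'crypto map 1' under an interface
            c["map_if"] = cur
        elif t[:3] == ["crypto", "isakmp", "key"]:
            c["key_addr"] = t[t.index("address") + 1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["xform"] = t[4:]
        elif t[:2] == ["set", "peer"]:
            c["peer"] = t[2]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _acl_addr(t, 4)
            c["acl"].append((src, _acl_addr(t, i)[0]))
        elif t[:2] == ["ip", "route"]:
            c["routes"].append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
    return c


def check_pair(text_a, text_b):
    """Return findings for the two ends of one tunnel; an empty list means consistent."""
    a, b = parse(text_a), parse(text_b)
    out = []
    if a["hash"] != b["hash"]:
        out.append(f"isakmp policy 10 hash differs ({a['hostname']} {a['hash']}, {b['hostname']} {b['hash']}); phase 1 needs a matching policy on both sides")
    for me, far in ((a, b), (b, a)):
        n, peer = me["hostname"], me["peer"]
        wan = next((i for i, v in me["ifaces"].items() if str(v.ip) == far["peer"]), None)
        if me["map_if"] != wan:  # the far end peers with our WAN address, so the map belongs there
            out.append(f"{n}: crypto map is on {me['map_if']} but {far['hostname']} peers with {far['peer']} on {wan}; apply the map there")
        if me["key_addr"] != peer:
            out.append(f"{n}: isakmp key is bound to {me['key_addr']}, not to set peer {peer}")
        if set(me["acl"]) != {(d, s) for s, d in far["acl"]}:
            out.append(f"{n}: interesting-traffic ACL is not the mirror image of {far['hostname']}'s")
        for src, dst in me["acl"]:
            if ipaddress.ip_address(far["peer"]) in src or ipaddress.ip_address(peer) in dst:
                out.append(f"{n}: ACL matches the tunnel endpoints; interesting traffic is the LAN subnets")
            if not (any(dst.subnet_of(v.network) for v in me["ifaces"].values())
                    or any(dst.subnet_of(net) and nh == peer for net, nh in me["routes"])):
                out.append(f"{n}: no route to {dst} via {peer}; packets never reach the crypto map")
        if "esp-des" in me["xform"] or me["hash"] == "md5":
            out.append(f"{n}: DES/MD5 are lab-only; use esp-aes with esp-sha-hmac or stronger")
    return out


ORIG_A = site("AIRTEL-BANG", "172.26.8.10", "192.168.10.2", "192.168.10.1",
              "FastEthernet0", "host 192.168.10.2 host 192.168.10.1")
ORIG_B = site("AIRTEL-DELHI", "10.97.37.212", "192.168.10.1", "192.168.10.2",
              "FastEthernet0", "host 192.168.10.1 host 192.168.10.2", policy_extra="hash md5")
FIXED_A = site("AIRTEL-BANG", "172.26.8.10", "192.168.10.2", "192.168.10.1", "Serial0",
               "172.26.8.0 0.0.0.255 10.97.37.0 0.0.0.255", "ip route 10.97.37.0 255.255.255.0 192.168.10.1")
FIXED_B = site("AIRTEL-DELHI", "10.97.37.212", "192.168.10.1", "192.168.10.2", "Serial0",
               "10.97.37.0 0.0.0.255 172.26.8.0 0.0.0.255", "ip route 172.26.8.0 255.255.255.0 192.168.10.2",
               "hash md5")

if __name__ == "__main__":
    for label, pair in (("original post", (ORIG_A, ORIG_B)), ("accepted answer", (FIXED_A, FIXED_B))):
        print(f"== {label}", *check_pair(*pair), sep="\n - ")
```

Run as a script it prints seven findings for the original post and, for the accepted answer, only the hash and algorithm notes. The later output in this thread shows the IKE SA Active, so phase 1 did negotiate; show crypto isakmp sa detail on either router shows which encryption and hash the SA actually settled on, which is the check to run when the configured policies do not agree on paper.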

New Member

Re: Ipsec site to site

Hi,

After applying the configuration above, the output is as follows:

Router#sh crypto session
Interface: Serial0
Session status: UP-IDLE
Peer: 192.168.10.1 port 500
  IKE SA: local 192.168.10.2/500 remote 192.168.10.1/500 Active
  IPSEC FLOW: permit ip 172.26.8.0/255.255.255.0 10.97.37.0/255.255.255.0
        Active SAs: 0, origin: crypto map

How do I check the secured tunnel between the two peers?

Hall of Fame Super Bronze

Re: Ipsec site to site

show crypto ipsec sa is the command I use the most.

More commands and explanation can be found at:

http://www.cisco.com/warp/public/707/20.html

HTH,

__

Edison.
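
The output posted above is the intermediate state this thread turns on: Session status UP-IDLE with the IKE SA Active but Active SAs: 0 means phase 1 negotiated and phase 2 has not, usually because no packet has yet matched the crypto-map ACL. As an added example, not code from the thread or from Cisco, the Python below reads that show crypto session output and a show crypto ipsec sa excerpt and turns the state and counters into a verdict. SESSION_SAMPLE is the output posted in the thread; IPSEC_SA_SAMPLE is constructed for this example in the IOS 12.4 layout with made-up packet counters, and the function names and verdict strings are this example's own.

```python
"""Interpret the two verification commands this thread lands on.

Added example, not from the thread or from Cisco. diagnose_session() reads
'show crypto session'; diagnose_ipsec_sa() reads 'show crypto ipsec sa' and
spots the one-way symptom (local encapsulates, nothing comes back).
SESSION_SAMPLE is the thread's output; IPSEC_SA_SAMPLE is constructed here
in the IOS 12.4 layout with made-up counters. Assumes English IOS output.
"""
import re

SESSION_SAMPLE = """\
Interface: Serial0
Session status: UP-IDLE
Peer: 192.168.10.1 port 500
  IKE SA: local 192.168.10.2/500 remote 192.168.10.1/500 Active
  IPSEC FLOW: permit ip 172.26.8.0/255.255.255.0 10.97.37.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

IPSEC_SA_SAMPLE = """\
interface: Serial0
    Crypto map tag: 1, local addr 192.168.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.26.8.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.97.37.0/255.255.255.0/0/0)
   current_peer 192.168.10.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""


def diagnose_session(text):
    """Return (status, active_ipsec_sas, verdict) for 'show crypto session' output."""
    status = re.search(r"Session status:\s*(\S+)", text).group(1)
    active = sum(int(n) for n in re.findall(r"Active SAs:\s*(\d+)", text))
    ike_up = bool(re.search(r"IKE SA:.*\bActive\s*$", text, re.M))
    if not ike_up or status.startswith("DOWN"):
        verdict = "no IKE SA: check peer reachability, pre-shared key and isakmp policy (debug crypto isakmp)"
    elif active == 0:
        verdict = ("IKE up, no IPsec SA: nothing has matched the crypto-map ACL yet; "
                   "send LAN-to-LAN traffic and check routes and the ACL (debug crypto ipsec)")
    else:
        verdict = "IKE and IPsec SAs present: tunnel is up; confirm counters with show crypto ipsec sa"
    return status, active, verdict


def diagnose_ipsec_sa(text):
    """Per flow in 'show crypto ipsec sa': (local, remote, encaps, decaps, verdict)."""
    flows = []
    # Each flow starts at its 'local ident' line; the first chunk is the interface header.
    for block in re.split(r"(?m)^(?=\s*local\s+ident)", text)[1:]:
        local = re.search(r"local\s+ident.*?\):\s*\(([^/]+/[^/]+)/", block).group(1)
        remote = re.search(r"remote ident.*?\):\s*\(([^/]+/[^/]+)/", block).group(1)
        enc = int(re.search(r"#pkts encaps:\s*(\d+)", block).group(1))
        dec = int(re.search(r"#pkts decaps:\s*(\d+)", block).group(1))
        errs = re.search(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", block)
        if enc == 0 and dec == 0:
            verdict = "no traffic has matched this flow; check routing into the crypto map"
        elif dec == 0:
            verdict = "one-way: local side encrypts but nothing returns; check the far end's ACL and route back"
        elif enc == 0:
            verdict = "one-way: far end sends but local never replies through the tunnel; check local ACL and route"
        else:
            verdict = "bidirectional traffic: flow is healthy"
        if errs and (int(errs.group(1)) or int(errs.group(2))):
            verdict += f" (send/recv errors {errs.group(1)}/{errs.group(2)})"
        flows.append((local, remote, enc, dec, verdict))
    return flows


if __name__ == "__main__":
    print(diagnose_session(SESSION_SAMPLE))
    for flow in diagnose_ipsec_sa(IPSEC_SA_SAMPLE):
        print(flow)
```

The encaps/decaps pair is the check worth remembering: encaps climbing while decaps stays at 0 means this router is encrypting and sending, so the problem is on the return path (the far side's ACL, its route back, or ESP/AH being dropped in transit), not on the local configuration.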

New Member

Re: Ipsec site to site

Since you have set up a testbed, it would be interesting to study the output of debug crypto to get a better understanding.

HTH.

New Member

Re: Ipsec site to site

Hi ,

Thanks for your support. My rating is 5.

New Member

Re: Ipsec site to site

Hi, there is no routing between the LAN subnets, so please try adding this:

Router A

ip route 10.97.37.0 255.255.255.0 192.168.10.1

Router B

ip route 172.26.8.0 255.255.255.0 192.168.10.2

New Member

Re: Ipsec site to site

Did you manage to perform required tests successfully?

New Member

Re: Ipsec site to site

Yes, I did. After successful configuration the site was working and the session was up. Unexpectedly, I used the clear crypto isakmp command and the session never came up; it is still showing down.

New Member

Re: Ipsec site to site

Even when you try to put some interesting traffic (e.g. by pinging from one internal network to the other) ?

Have you tried debug crypto {isakmp/ipsec/verbose} to see what they say?

New Member

Re: Ipsec site to site

I tried pinging from the local Ethernet to the remote one and it is still showing the same status.

Do you know how to enable the display for debug?

When I try the command debug crypto isakmp, nothing is displayed.

New Member

Re: Ipsec site to site

Try this command: sh crypto isakmp sa

Then check the status.
