show crypto isakmp sa empty

umbernaut
Level 1

I can ping and NAT is working.  I've built the phase 1 and 2, the ACL several times using access-list and ip access-list extended and double-checked both routers.

Other than that, "show crypto isakmp sa" just gives:

"IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status"

And "sh cry ipsec sa peer [ip]" is also returning nothing.

I'm stumped.  Any suggestions?

Here is the new router's VPN config, mirrored/reversed on the other:

crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [key] address [other routers public ip]
crypto ipsec transform-set [name] esp-3des esp-sha-hmac
crypto map [name] 10 ipsec-isakmp
 set peer [other routers public ip]
 set transform-set [name]
 match address [name]
ip access-list extended [name]
 permit ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255

8 Replies

Muhammed AKYUZ
Level 1

can you ping the other router?

Sent from Cisco Technical Support iPhone App

Yes.  I can ping both routers from each other by their outside interfaces/public IPs.  The existing router is a 2811 and houses 2 working VPN tunnels atm, both working fine.  It is doing NAT just fine too.

The new router is an 1811 and all is good including NAT (I have a laptop hooked to a switch, then to the 1811, and it NATs fine and pings google.com).

I simply cannot get the VPN tunnel to work at all.

Hi,

I don't see the crypto map applied to any interface, and do you exempt traffic going through the tunnel from being NATed?

Alain.

Don't forget to rate helpful posts.

Here are the interfaces on the 1811:

interface FastEthernet0
 ip address [public ip] 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map [name]
!
interface FastEthernet1
 ip address 172.16.31.5 255.255.255.224
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto

Here are the access lists and NAT:

ip nat inside source list 110 interface FastEthernet0 overload
!
ip access-list extended [name]
 permit ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
!
access-list 110 deny   ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
access-list 110 permit ip 172.16.31.0 0.0.0.31 any

Update:

Before giving that last reply, I had the deny below the permit in access-list 110.  I reversed it, and now I get this with "show crypto isakmp sa":

1811#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
[2811publicip]   [1811publicip]    QM_IDLE           2001    0 ACTIVE

The 2811 shows the reverse.  So far so good, but I'm still not getting a reply to pings from either router or the laptop.

Hi,

So phase 1 is OK, that's great news.

Now what does sh crypto ipsec sa tell?

Can you do a debug crypto ipsec sa while you are doing your ping, and tell us what ping you are doing?

Alain.

Don't forget to rate helpful posts.

Ok, I just now got back on this.  I am now able to ping the 2811's inside int from the 1811 via the tunnel.  I had to redo access-list 110 and put the deny up above the permits:

access-list 110 deny   ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31
access-list 110 permit ip 192.168.17.0 0.0.0.255 any
access-list 110 permit ip 172.16.8.0 0.0.0.255 any

It was like this:

access-list 110 permit ip 192.168.17.0 0.0.0.255 any
access-list 110 permit ip 172.16.8.0 0.0.0.255 any
access-list 110 deny   ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31

Once I did that, pinging from the laptop to the 2811's inside int (192.168.17.22) started working, and the 2 routers could ping each other's inside int.

The problem now is that I cannot ping any other IP on the 192.168.17.0/24 network from anything on the 172.16.31.0/31 network.  BUT the opposite way, I can ping the laptop, the router and the switch from the 192.168.17.0/24 side.

I'm sure this is an access-list, but I cannot figure it out.

Any thoughts?
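The ordering problem in this reply and in the earlier update (the NAT-exemption deny having to sit above the permits on both routers) comes from IOS evaluating an access list top-down and stopping at the first match. The Python below is an added illustration, not part of this thread and not Cisco code: it models first-match evaluation with wildcard masks and the implicit deny, replays both orderings of the 2811's access-list 110 against a tunnel flow, and checks that the 1811's crypto ACL and its 2811 mirror are exact source/destination reverses. The addresses are the ones quoted in the thread; the internet destination 198.51.100.10 is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of IOS first-match ACL evaluation (not Cisco code), used to
# show why the position of the NAT-exemption "deny" in access-list 110 decided
# whether tunnel traffic was translated before it could match the crypto ACL.


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a network (0.0.0.31 -> /27)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not modelled here")
    prefixlen = 32 - w.bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def parse_entry(line: str) -> AclEntry:
    """Parse one 'permit ip ...' / 'deny ip ...' line, numbered or named form."""
    tok = line.split()
    i = next(k for k, t in enumerate(tok) if t in ("permit", "deny"))
    if tok[i + 1] != "ip":
        raise ValueError("only 'ip' entries are modelled")
    pos = i + 2

    def take() -> ipaddress.IPv4Network:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.IPv4Network(f"{tok[pos - 1]}/32")
        pos += 2
        return wildcard_to_network(tok[pos - 2], tok[pos - 1])

    src = take()
    dst = take()
    return AclEntry(tok[i], src, dst)


def parse_acl(lines):
    return [parse_entry(line) for line in lines]


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action
    return "deny"


def is_translated(nat_acl, src_ip: str, dst_ip: str) -> bool:
    """For 'ip nat inside source list', a permit means the packet gets NATed."""
    return evaluate(nat_acl, src_ip, dst_ip) == "permit"


def is_mirror(local: AclEntry, remote: AclEntry) -> bool:
    """The peer's crypto ACL line must be the exact source/destination reverse."""
    return (local.action == remote.action == "permit"
            and local.src == remote.dst and local.dst == remote.src)


# The two orderings of the 2811's access-list 110 quoted in the thread.
NAT_ACL_PERMIT_FIRST = parse_acl([
    "access-list 110 permit ip 192.168.17.0 0.0.0.255 any",
    "access-list 110 permit ip 172.16.8.0 0.0.0.255 any",
    "access-list 110 deny   ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31",
])
NAT_ACL_DENY_FIRST = parse_acl([
    "access-list 110 deny   ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31",
    "access-list 110 permit ip 192.168.17.0 0.0.0.255 any",
    "access-list 110 permit ip 172.16.8.0 0.0.0.255 any",
])

# The 1811's crypto ACL line and the mirrored line the 2811 must carry.
LOCAL_CRYPTO = parse_entry("permit ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255")
REMOTE_CRYPTO = parse_entry("permit ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31")

if __name__ == "__main__":
    flow = ("192.168.17.22", "172.16.31.5")   # 2811 inside int -> 1811 inside int
    print("permit first -> NATed:", is_translated(NAT_ACL_PERMIT_FIRST, *flow))
    print("deny first   -> NATed:", is_translated(NAT_ACL_DENY_FIRST, *flow))
    print("internet flow still NATed:",
          is_translated(NAT_ACL_DENY_FIRST, "192.168.17.22", "198.51.100.10"))
    print("crypto ACLs mirrored:", is_mirror(LOCAL_CRYPTO, REMOTE_CRYPTO))
```

A permit in the NAT list means the packet is translated, so with the permits first the tunnel traffic left with the outside address and never matched the crypto ACL; the implicit deny at the end only catches packets no line matched. New lines typed into a numbered ACL are appended at the end, so adding the deny afterwards lands it below the permits, which is why the list had to be rebuilt rather than just extended.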

Hi,

What does sh crypto ipsec sa tell?

What is working and not working?

What is debug crypto ipsec telling?

Alain

Don't forget to rate helpful posts.