Community Member

VPN Not Working

Hello

kindly check attachment

10xs

Ali

19 REPLIES

Re: VPN Not Working

Is the tunnel destination reachable from both ends? I do not see any routes except for one static route to the tunnel.

Can you post sh ip route?

Can you also add the transform set under the crypto profile

crypto ipsec profile VTI

set transform-set ali

HTH

Narayan

Community Member

Re: VPN Not Working

Hi Narayan

The tunnel interfaces on both sides are down:

Tunnel0 192.168.3.2 YES manual reset down

sh ip route

Gateway of last resort is not set

C 192.1.1.0/24 is directly connected, Serial1/1

C 192.168.1.0/24 is directly connected, FastEthernet0/0

Router-A#

Community Member

Re: VPN Not Working

Hi

new entry:

Tunnel0 192.168.3.1 YES manual up down

ROUTER-B#sh crypto isakmp sa

dst src state conn-id slot status

192.1.1.1 193.1.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)

10xs

Re: VPN Not Working

Ali,

How are routerA and router B connected?

With the information you provided, routerA does not seem to have a route for the tunnel destination and hence the tunnel is not coming up. The VPN will come up only when your tunnel is up.

HTH

Narayan

Re: VPN Not Working

Ali,

Add static route to the tunnel destination address on both routers. You should be able to ping the GRE tunnel IP address of each other. IPSEC SA should come up after that.

HTH

Sundar

Community Member

Re: VPN Not Working

hello sundar!

We already have a static route configured; please check the attachment.

10xs

Ali

Re: VPN Not Working

are these routers connected directly?

Community Member

Re: VPN Not Working

Hello

Yes, they are; via serial interface.

10xs

Re: VPN Not Working

Ali,

The static route(s) you have is for the LAN at the far end, but you need a static route to get to the tunnel destination address itself. Can you add the following static routes on both routers? This would cause the tunnel int to come up and you should be able to ping the tunnel IP of each other router.

Router-A:

ip route 193.1.1.1 255.255.255.255 (next-hop-address)

Router-B:

ip route 192.1.1.1 255.255.255.255 (next-hop-address)

HTH

Sundar

Re: VPN Not Working

I just noticed you posted that these routers are directly connected to each other via serial int. If they are directly connected to each other, the serial interfaces of both routers need to be on the same subnet. Can you reconfigure it that way?

Re: VPN Not Working

Ali,

The serial interfaces are connected together, yet in your configuration they lie in separate subnets.

On router B configure

interface Serial1/2

ip address 192.1.1.2 255.255.255.0

interface Tunnel0

tunnel source 192.1.1.2

tunnel destination 192.1.1.1

On router A

interface Tunnel0

tunnel source 192.1.1.1

tunnel destination 192.1.1.2

And also set the transform set under the crypto profile

crypto ipsec profile VTI

set transform-set ali

Have a look at this for an example configuration:

http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8029d629.shtml

HTH, rate if it does

Narayan

Community Member

Re: VPN Not Working

Friends Narayan; Sundar

10xs for all your replies

really 10xs

Ali

Community Member

Re: VPN Not Working

hello

How can I fix this:

*Mar 1 23:03:17.994: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.1.1.1

Re: VPN Not Working

This generally means the devices are not configured with the same properties.

Make sure the profile parameters are similar in both the peers, otherwise negotiations will fail.

Narayan

Hall of Fame Super Blue

Re: VPN Not Working

Hi Ali

For Cisco error message doc

=============================================

%CRYPTO-6-IKMP_MODE_FAILURE : Processing of [chars] mode failed with peer at [IP_address]

Explanation Negotiation with the remote peer has failed.

Recommended Action If this situation persists, contact the remote peer.

=============================================

You may see this even if you successfully negotiate a tunnel. Could you post full debug when tunnel is failing.

Jon

Community Member

Re: VPN Not Working

HELLO Experts!

The error was here:

crypto isakmp key 6 cisco123 address 193.1.1.1 no-xauth

I adjusted it to 192.1.1.2

10xs a lot
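
Added example (not part of the original thread and not any poster's code): a small Python check for the faults this thread worked through, namely a tunnel destination that is not on a connected subnet, tunnel endpoints that do not mirror each other, and a pre-shared key bound to an address other than the tunnel destination. The two configs are constructed from the values quoted in the thread, the function names `parse` and `check` are hypothetical, and it assumes the tunnel source is given as an IP address as in the posts above.

```python
import ipaddress
import re

# Constructed configs: Router-A after readdressing, with the key still bound to the old peer.
ROUTER_A = """\
crypto isakmp key 6 cisco123 address 193.1.1.1 no-xauth
interface Serial1/1
 ip address 192.1.1.1 255.255.255.0
interface Tunnel0
 ip address 192.168.3.1 255.255.255.0
 tunnel source 192.1.1.1
 tunnel destination 192.1.1.2
"""
ROUTER_B = """\
crypto isakmp key 6 cisco123 address 192.1.1.1 no-xauth
interface Serial1/2
 ip address 192.1.1.2 255.255.255.0
interface Tunnel0
 ip address 192.168.3.2 255.255.255.0
 tunnel source 192.1.1.2
 tunnel destination 192.1.1.1
"""

def parse(cfg):
    """Pull out PSK peer addresses, physical subnets and tunnel endpoints."""
    out = {"psk_peers": set(), "connected": [], "source": None, "destination": None}
    iface = ""
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"crypto isakmp key (?:\d+ )?\S+ address (\S+)", line):
            out["psk_peers"].add(m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and not iface.startswith("Tunnel"):
            out["connected"].append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            out[m.group(1)] = m.group(2)
    return out

def check(local_cfg, peer_cfg):
    """Return findings for the local router; an empty list means all three checks pass."""
    loc, peer = parse(local_cfg), parse(peer_cfg)
    dst, findings = loc["destination"], []
    if not any(ipaddress.ip_address(dst) in net for net in loc["connected"]):
        findings.append(f"tunnel destination {dst} is not on a connected subnet")
    if dst != peer["source"]:
        findings.append(f"tunnel destination {dst} != peer tunnel source {peer['source']}")
    if dst not in loc["psk_peers"]:
        findings.append(f"no isakmp key for {dst} (keys bound to {sorted(loc['psk_peers'])})")
    return findings
```

`check(ROUTER_A, ROUTER_B)` reports the stale key address on Router-A, while `check(ROUTER_B, ROUTER_A)` returns an empty list.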

Re: VPN Not Working

Good to know that you got it working :-)

Community Member

Re: VPN Not Working

Friend!

This is from your help to me

10xs

Ali

Community Member

Re: VPN Not Working

Hello!

Router-A#show crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

M - Continuous Channel Mode

Interface: Tunnel0

Session status: UP-ACTIVE

Peer: 192.1.1.2 port 500 fvrf: (none) ivrf: (none)

Phase1_id: 192.1.1.2

Desc: (none)

IKE SA: local 192.1.1.1/500 remote 192.1.1.2/500 Active

Capabilities:(none) connid:1 lifetime:23:50:07

IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4413422/3010

Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4413422/3010

*********************************************

Gateway of last resort is not set

C 192.1.1.0/24 is directly connected, Serial1/1

C 192.168.1.0/24 is directly connected, FastEthernet0/0

S 192.168.2.0/24 is directly connected, Tunnel0

C 192.168.3.0/24 is directly connected, Tunnel0

Router-A#

*********************************************

Router-A#s

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.1.1 YES manual up up

Serial1/0 unassigned YES unset administratively down down

Serial1/1 192.1.1.1 YES manual up up

Serial1/2 unassigned YES unset administratively down down

Serial1/3 unassigned YES unset administratively down down

Tunnel0 192.168.3.1 YES manual up up

*********************************************

Router-A#sh crypto isa

Router-A#sh crypto isakmp sa

dst src state conn-id slot status

192.1.1.2 192.1.1.1 QM_IDLE 1 0 ACTIVE

*********************************************
