07-07-2007 01:44 AM - edited 03-03-2019 05:45 PM
Hello
kindly check attachment
10xs
Ali
07-07-2007 04:35 AM
Is the tunnel destination reachable from both ends? I do not see any routes except for one static route to the tunnel.
Can you post sh ip route?
Can you also add the transform set under the crypto profile
crypto ipsec profile VTI
set transform-set ali
HTH
Narayan
07-07-2007 07:50 AM
Hi Narayan
The tunnel interfaces on both sides are down:
Tunnel0 192.168.3.2 YES manual reset down
sh ip route
Gateway of last resort is not set
C 192.1.1.0/24 is directly connected, Serial1/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
Router-A#
07-07-2007 07:57 AM
Hi
new entry:
Tunnel0 192.168.3.1 YES manual up down
ROUTER-B#sh crypto isakmp sa
dst src state conn-id slot status
192.1.1.1 193.1.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)
10xs
07-07-2007 08:19 AM
Ali,
How are routerA and router B connected?
With the information you provided, routerA does not seem to have a route for the tunnel destination and hence the tunnel is not coming up. The VPN will come up only when your tunnel is up.
HTH
Narayan
07-07-2007 08:38 AM
Ali,
Add static route to the tunnel destination address on both routers. You should be able to ping the GRE tunnel IP address of each other. IPSEC SA should come up after that.
HTH
Sundar
07-07-2007 09:01 AM
hello sundar!
We already have a static route configured; please check the attachment
10xs
Ali
07-07-2007 09:05 AM
Are these routers connected directly?
07-07-2007 09:29 AM
Hello
Yes they are; via serial interface
10xs
07-07-2007 09:31 AM
Ali,
The static route(s) you have are for the LAN at the far end, but you need a static route to get to the tunnel destination address itself. Can you add the following static routes on both routers? This would cause the tunnel int to come up and you should be able to ping the tunnel IP of each other router.
Router-A:
ip route 193.1.1.1 255.255.255.255 (next-hop-address)
Router-B:
ip route 192.1.1.1 255.255.255.255 (next-hop-address)
HTH
Sundar
07-07-2007 09:35 AM
I just noticed you posted that these routers are directly connected to each other via serial int. If they are directly connected to each other, the serial interfaces of both routers need to be on the same subnet. Can you reconfigure it that way?
07-07-2007 09:40 AM
Ali,
The serial interfaces are connected together, but yet in your configuration they lie in separate subnets.
On router B configure
interface Serial1/2
ip address 192.1.1.2 255.255.255.0
interface Tunnel0
tunnel source 192.1.1.2
tunnel destination 192.1.1.1
On router A
interface Tunnel0
tunnel source 192.1.1.1
tunnel destination 192.1.1.2
and also set the transform set under the crypto profile
crypto ipsec profile VTI
set transform-set ali
have a look at this for an example configuration
http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8029d629.shtml
HTH, rate if it does
Narayan
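An added example, not part of any post in this thread: a small Python check of the two conditions the replies above identify (a route must cover the tunnel destination, and each side's tunnel source must be the other side's tunnel destination), run against Router-A's posted `sh ip route` output. The original tunnel source addresses are assumed from the ISAKMP output and static-route suggestions in the thread, since the attached configuration is not shown.

```python
import ipaddress
import re

# Router-A routing table lines as posted in the thread.
ROUTER_A_ROUTES = """\
Gateway of last resort is not set
C 192.1.1.0/24 is directly connected, Serial1/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
"""

# Route code (C, S, S*, ...) followed by a prefix in a.b.c.d/len form.
ROUTE_RE = re.compile(r"^\s*[A-Z*]+\s+(\d+\.\d+\.\d+\.\d+/\d+)\s", re.M)


def parse_routes(show_ip_route):
    """Return the prefixes listed in 'sh ip route' output."""
    return [ipaddress.ip_network(p) for p in ROUTE_RE.findall(show_ip_route)]


def best_route(routes, destination):
    """Longest-prefix match; None when no route covers the destination."""
    dst = ipaddress.ip_address(destination)
    matches = [net for net in routes if dst in net]
    return max(matches, key=lambda net: net.prefixlen, default=None)


def check_tunnel(routes, local_src, local_dst, peer_src, peer_dst):
    """List the reasons a tunnel would stay down, from the local router's view."""
    problems = []
    if best_route(routes, local_dst) is None:
        problems.append(f"no route to tunnel destination {local_dst}")
    if local_dst != peer_src:
        problems.append(f"local destination {local_dst} != peer source {peer_src}")
    if local_src != peer_dst:
        problems.append(f"local source {local_src} != peer destination {peer_dst}")
    return problems


if __name__ == "__main__":
    routes = parse_routes(ROUTER_A_ROUTES)
    # Assumed original addressing: Router-A 192.1.1.1 <-> Router-B 193.1.1.1
    print("before:", check_tunnel(routes, "192.1.1.1", "193.1.1.1",
                                  "193.1.1.1", "192.1.1.1"))
    # Addressing suggested in the reply above (same subnet on the serial link)
    print("after: ", check_tunnel(routes, "192.1.1.1", "192.1.1.2",
                                  "192.1.1.2", "192.1.1.1"))
```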
07-07-2007 09:45 AM
Friends Narayan; Sundar
10xs for all your replies
really 10xs
Ali
07-07-2007 09:54 AM
hello
how can i fix this:
*Mar 1 23:03:17.994: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.1.1.1
07-07-2007 10:07 AM
This generally means the devices are not configured with the same properties.
Make sure the profile parameters are similar in both the peers, otherwise negotiations will fail.
Narayan