IPSEc not working with VTI interface

hemanths6869
Level 1

Dear All,

I had tried IPsec with FastEthernet0/1 and it works fine, but when I tried to map the same IPsec crypto to the Tunnel1 (VTI) interface, IPsec is not working.

My remote site checks for the source IP of FastEthernet0/0 (proxy ID in Juniper).

I tried to map the crypto map to the Tunnel1 interface but it did not work.

Below is my config (peer IP, pre-shared key and names removed for security):

PuTTY log 2014.06.26 16:46:48
sh run
Building configuration...

Current configuration : 1556 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xyz
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username xyz password 0 xyz
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key MYKEY@123 address XX.XX.XX.XX
!
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
!
crypto ipsec profile Tunnel
!
crypto ipsec profile tunnel
 set transform-set ABC
 set pfs group5
!
crypto map ABC 1 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set ABC
 match address 108
!
interface Tunnel1
 description Branch_End
 ip unnumbered FastEthernet0/1
 tunnel source FastEthernet0/1
 tunnel destination XX.XX.XX.XX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile tunnel
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel1
!
ip http server
no ip http secure-server
!
access-list 108 permit ip 10.1.10.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

MYROUTER#
MYROUTER#sh crypto session
Crypto session current status

Interface: tunnel 1
Session status: DOWN-NEGOTIATING
Peer: XX.XX.XX.XX port 500
  IKE SA: local 192.168.1.2/4500 remote 223.30.69.138/4500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

MYROUTER#

 

Because of "IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0" IPsec is not up; the remote device checks for "IPSEC FLOW: permit ip 10.1.10.0/255.255.255.0 0.0.0.0/0.0.0.0".

Please help me. Thanks in advance.

 

Regards

Hemant
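One way to satisfy a remote end that insists on a 10.1.10.0/24-to-any proxy ID is to stay policy-based on the Cisco side: drop the VTI and apply the crypto map already in the posted config to the physical interface. The fragment below is an added example, not config from the original post. It keeps the posted ISAKMP policy, pre-shared key, transform set ABC and access-list 108 unchanged, and it assumes the next hop on FastEthernet0/1 is 192.168.1.1, which the posted config does not show.

```cisco
! Added example: policy-based IPsec on the physical interface instead of a VTI.
! ISAKMP policy 1, the isakmp key, transform-set ABC and access-list 108 stay
! exactly as posted and are not repeated here.
!
! The VTI has to go, otherwise Tunnel1 and the crypto map compete for the same peer.
no interface Tunnel1
!
crypto map ABC 1 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set ABC
 set pfs group5
 match address 108
!
! The crypto map is applied to the interface whose address is the IKE source
! (192.168.1.2, the same source the remote end already sees).
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 crypto map ABC
!
! With Tunnel1 gone, the default route must point at the physical next hop.
! 192.168.1.1 is an assumed gateway; replace it with the real one.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! access-list 108 (as posted) now defines the proxy IDs that are negotiated:
! access-list 108 permit ip 10.1.10.0 0.0.0.255 any
```

With a crypto map the negotiated identities come from access-list 108, so `show crypto session` reports `IPSEC FLOW: permit ip 10.1.10.0/255.255.255.0 0.0.0.0/0.0.0.0`, which is what the Juniper side in the post is described as checking for. `show crypto ipsec sa` shows the same pair as the `local ident` and `remote ident` lines. The IKE output in the post shows UDP 4500 on both sides, so the router is behind NAT; that is unaffected by this change, since NAT-T is negotiated in IKE regardless of whether the SA originates from a crypto map or a VTI.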

 

2 Replies

bhnegi
Cisco Employee

Hi Hemant,

Can you put a route to the tunnel destination and see if it helps?

Best Regards,

Bheem

rus-admin
Level 1

A crypto map is not needed if you use IPsec VTI. You need only the crypto ipsec profile.

Try without the crypto map.
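Putting the two replies together, this is the route-based version of the posted config with both suggestions applied: the unused crypto map and the empty profile `Tunnel` are removed (IOS names are case-sensitive, so `Tunnel` and `tunnel` are two different profiles and only `tunnel` is applied to the interface), and the peer gets a host route via the physical next hop. As posted, the only route to the peer is `ip route 0.0.0.0 0.0.0.0 Tunnel1`, so the tunnel destination is resolved through the tunnel itself (recursive routing) and the VTI cannot come up. This is an added example, not config from the thread; it assumes the next hop on FastEthernet0/1 is 192.168.1.1, which the posted config does not show.

```cisco
! Added example: route-based IPsec VTI, cleaned up.
! ISAKMP policy 1, the isakmp key and transform-set ABC stay as posted.
!
! Per the second reply: a VTI uses the ipsec profile, not a crypto map.
no crypto map ABC
! Remove the empty duplicate profile; only the lowercase one is used.
no crypto ipsec profile Tunnel
!
crypto ipsec profile tunnel
 set transform-set ABC
 set pfs group5
!
interface Tunnel1
 description Branch_End
 ip unnumbered FastEthernet0/1
 tunnel source FastEthernet0/1
 tunnel destination XX.XX.XX.XX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile tunnel
!
! Per the first reply: a host route for the tunnel destination via the
! physical next hop, so the peer is never reached through Tunnel1 itself.
! 192.168.1.1 is an assumed gateway; replace it with the real one.
ip route XX.XX.XX.XX 255.255.255.255 192.168.1.1
! Everything else may still go through the tunnel.
ip route 0.0.0.0 0.0.0.0 Tunnel1
!
! access-list 108 is no longer referenced and can be removed.
no access-list 108
```

A VTI in `tunnel mode ipsec ipv4` always offers 0.0.0.0/0 to 0.0.0.0/0 as its traffic selectors, which is exactly the `IPSEC FLOW` line in the post; that line is normal for a VTI, not the fault. It does mean the Juniper end must also be route-based (a VPN bound to an st0 interface with a 0.0.0.0/0 proxy identity on both sides) rather than a policy that expects 10.1.10.0/24; a VTI on one side and a policy-based VPN on the other will not agree on proxy IDs. To verify, `show ip route XX.XX.XX.XX` should resolve via 192.168.1.1 and not via Tunnel1, and `show crypto session` should move from DOWN-NEGOTIATING to UP-ACTIVE; `origin: crypto map` still appears there because tunnel protection builds an internal crypto map. One caveat on the posted config itself: with `no service password-encryption` the `username ... password 0` line is stored in clear text, and the isakmp key is shown in `show run` regardless, so a key that has been pasted into a public thread should be changed.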