show crypto isakmp/ipsec sa shows nothing

EYENAIN
Level 1

(attached image: ipsec lab.png)

R1#show run
Building configuration...

Current configuration : 2418 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice dsp waitstate 24922
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
group 2
crypto isakmp key ccie address 190.2.0.1
!
!
crypto ipsec transform-set T-SET esp-3des esp-sha-hmac
!
crypto map IMAP 1 ipsec-isakmp
set peer 190.2.0.1
set transform-set T-SET
match address 100
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback1
ip address 172.16.0.1 255.255.0.0
!
interface Loopback2
ip address 172.17.0.1 255.255.0.0
!
interface Loopback3
ip address 172.18.0.1 255.255.0.0
!
interface FastEthernet0/0
ip address 190.1.0.1 255.255.0.0
duplex half
crypto map IMAP
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 190.1.0.2
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 172.18.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.18.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 172.18.0.0 0.0.255.255 192.168.3.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end


R3#sh run
Building configuration...

Current configuration : 2427 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice dsp waitstate 24922
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
group 2
crypto isakmp key ccie address 190.1.0.1
!
!
crypto ipsec transform-set T-SET esp-3des esp-sha-hmac
!
crypto map IMAP 1 ipsec-isakmp
set peer 190.1.0.1
set transform-set T-SET
match address 100
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 190.2.0.1 255.255.0.0
duplex half
crypto map IMAP
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 190.2.0.2
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.18.0.0 0.0.255.255
no cdp log mismatch duplex
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end


6 Replies

balaji.bandi
Hall of Fame

First check basic routing here. Do you have underlay L3 reachability between R1 and R2, R2 and R3, and finally R1 and R3?

Until that is fixed, the VPN will not be established.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I have configured a default route toward R2 from R1 and R3 respectively. Where am I lacking? Can you please help.

Can you post the output of the below:

From R1 can you ping 190.2.0.1
From R3 can you ping 190.1.0.1

 

If you see the ping succeed, then follow the guide below for diagnosing the IPsec issue.

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

BB


yes I can ping from R1 to R3

 

R1#ping 190.2.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 190.2.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/76 ms
R1#


R3#ping 190.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 190.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/37/52 ms
R3#

Can you check the logs while initiating the VPN connection? Enable debug as described in the debug document in the other thread.

 

BB


Francesco Molino
VIP Alumni
Hi

Can you ping R3 f0/0 from R1 f0/0?
Why did you configure f0/0 on both routers with duplex half?

If connectivity is OK end to end (just the WAN interfaces should ping, not the loopbacks), can you run a debug crypto isakmp on R3 while trying to ping the R3 loopback from the R1 loopback, and share the output in a text file, please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

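As an added example, not code from the thread or from Cisco, the Python script below cross-checks the two configurations posted above the way an engineer would before touching debug output: it parses the crypto and access-list lines copied from the R1 and R3 show run (everything else is omitted), verifies that each side's set peer and pre-shared key refer to the other side's crypto-map interface, and verifies that the two crypto ACLs are mirror images of each other. It also answers the question behind Francesco's suggestion to ping loopback to loopback: a crypto map only negotiates an SA for packets that match its match address ACL, so the WAN-to-WAN pings shown in the thread (190.1.0.1 to 190.2.0.1) never trigger IKE, while a loopback-to-loopback flow does. The router names and the config excerpts are taken from the thread; nothing else is assumed.

```python
"""Cross-check two IOS site-to-site IPsec configurations (added example)."""
import ipaddress
import re

# Crypto and access-list lines copied from the R1 and R3 configurations posted
# in the thread; unrelated lines (serial interfaces, line vty, ...) are omitted.
R1_CONFIG = """
crypto isakmp key ccie address 190.2.0.1
crypto map IMAP 1 ipsec-isakmp
 set peer 190.2.0.1
 match address 100
interface FastEthernet0/0
 ip address 190.1.0.1 255.255.0.0
 crypto map IMAP
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 172.18.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.18.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 172.18.0.0 0.0.255.255 192.168.3.0 0.0.0.255
"""

R3_CONFIG = """
crypto isakmp key ccie address 190.1.0.1
crypto map IMAP 1 ipsec-isakmp
 set peer 190.1.0.1
 match address 100
interface FastEthernet0/0
 ip address 190.2.0.1 255.255.0.0
 crypto map IMAP
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.18.0.0 0.0.255.255
"""

ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.255.255 means /16."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect the parts of a crypto-map configuration that must agree between peers."""
    info = {"keys": {}, "peers": set(), "match_acl": None, "acl": {}, "wan": None}
    iface_ip = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            info["keys"][m.group(2)] = m.group(1)          # PSK per peer address
        elif m := re.match(r"set peer (\S+)", line):
            info["peers"].add(m.group(1))
        elif m := re.match(r"match address (\d+)", line):
            info["match_acl"] = m.group(1)                  # the crypto ACL number
        elif m := re.match(r"ip address (\S+) \S+", line):
            iface_ip = m.group(1)                           # remember interface address
        elif line.startswith("crypto map ") and not line.endswith("ipsec-isakmp"):
            info["wan"] = iface_ip                          # crypto map applied here
        elif m := ACL_RE.match(line):
            src = wildcard_to_network(m.group(2), m.group(3))
            dst = wildcard_to_network(m.group(4), m.group(5))
            info["acl"].setdefault(m.group(1), []).append((src, dst))
    return info


def check_pair(a, b, name_a="R1", name_b="R3"):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    if b["wan"] not in a["peers"]:
        findings.append(f"{name_a} does not set peer {b['wan']}")
    if a["wan"] not in b["peers"]:
        findings.append(f"{name_b} does not set peer {a['wan']}")
    key_a, key_b = a["keys"].get(b["wan"]), b["keys"].get(a["wan"])
    if key_a is None or key_a != key_b:
        findings.append("pre-shared key missing or different on the two sides")
    # Crypto ACLs must be mirror images: (src, dst) on one side is (dst, src) on the other.
    acl_a = set(a["acl"].get(a["match_acl"], []))
    acl_b = {(dst, src) for src, dst in b["acl"].get(b["match_acl"], [])}
    for src, dst in sorted(acl_a - acl_b, key=str):
        findings.append(f"{name_a} {src}->{dst} has no mirror entry on {name_b}")
    for src, dst in sorted(acl_b - acl_a, key=str):
        findings.append(f"{name_b} {dst}->{src} has no mirror entry on {name_a}")
    return findings


def is_interesting(info, src, dst):
    """True when a src->dst packet matches the crypto ACL and so would start IKE."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in info["acl"].get(info["match_acl"], []))


if __name__ == "__main__":
    r1, r3 = parse_config(R1_CONFIG), parse_config(R3_CONFIG)
    print("findings:", check_pair(r1, r3) or "none, the two sides agree")
    # The WAN-to-WAN ping from the thread does not match ACL 100, so no SA is built.
    print("190.1.0.1 -> 190.2.0.1 interesting:", is_interesting(r1, "190.1.0.1", "190.2.0.1"))
    # A loopback-to-loopback ping does match, and is what brings the tunnel up.
    print("172.16.0.1 -> 192.168.1.1 interesting:", is_interesting(r1, "172.16.0.1", "192.168.1.1"))
```

Run it with no arguments. On the configurations as posted it reports no findings, which is consistent with the thread: the peers, keys and mirrored ACLs are fine, and the empty show crypto isakmp sa is explained by the fact that only WAN-to-WAN pings were sent. To use it as a real pre-check, paste the crypto and access-list sections of any two peers into the two strings; a missing or asymmetric ACL entry shows up as a finding naming the unmatched network pair.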