07-11-2008 10:28 AM - edited 03-09-2019 09:04 PM
Hello everybody!!!
I'm testing just now, in a lab environment, a simple solution to join 2 networks at different locations. There are in this lab 2 Cisco 1841, both with C1841-ADVSECURITYK9-M. I'm not so good when the subject is VPN; I configured both routers and it does not work. Now I don't know how to start a debug to help me.
I did the command "sh crypto session detail" and the session is down.
Can someone help me with this issue?
See the attachment below.
Thanks.
07-11-2008 12:35 PM
Didn't recognize any issues with your configuration.
Have you generated any traffic to bring the tunnel up?
Your crypto ACLs:
Router A:
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
Router B:
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
... define the traffic that is to be forwarded to the crypto engine.
If you don't generate traffic requiring protection, the two tunnel endpoints won't commence negotiation of an ISAKMP SA (used as a secure channel to negotiate IPSec SAs).
Ping a host on the far side network, and see if tunnel negotiation commences.
Noticed an unimplemented NAT ACL. If you later decide to implement NAT, be sure to exempt the traffic requiring crypto protection, from the NAT process.
07-11-2008 12:27 PM
Try sending traffic from 192.168.0.0/24 to 192.168.1.0/24, then check:
sh crypto isakmp sa
sh crypto ipsec sa
07-11-2008 12:54 PM
Damn, I'm so stupid; the session doesn't come up because there are no hosts on the LAN ports of both routers. After connecting hosts to the LAN, the VPN works.
Thanks very much for all.
Thanks again for the experts always online.
07-11-2008 01:27 PM
In future lab scenarios, you could bring up and maintain the tunnel by synchronizing the clock of one router with that of the other using the Network Time Protocol.
i.e.:
- configure a loopback interface as the "NTP source interface" on each device.
- include the traffic between the two loopback interfaces in your crypto ACL.
- configure Router-A as the NTP Server with which Router-B is to synchronize its clock.
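As an added example (not configuration from the thread or its attachment), the NAT exemption from the accepted answer and the loopback/NTP arrangement from the last reply, written as IOS fragments for both routers. The loopback addresses 10.255.255.1/.2, ACL 101, stratum 3, the outside interface name FastEthernet0/0 and the `ip nat inside`/`outside` interface roles are assumptions; the existing ISAKMP policy, transform set and crypto map are left as they are.

```cisco
! ===== Router-A (LAN 192.168.0.0/24) =====
! Loopback used as NTP source; the peer reaches it only through the tunnel
! (a route to the peer loopback via the outside interface is assumed; a default route suffices)
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Crypto ACL: LAN-to-LAN traffic plus the loopback-to-loopback NTP traffic
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip host 10.255.255.1 host 10.255.255.2
!
! NAT ACL: deny (exempt) the traffic the crypto ACL protects, translate the rest
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! Router-A is the NTP server; its NTP packets are sourced from the loopback
ntp source Loopback0
ntp master 3
!
! ===== Router-B (LAN 192.168.1.0/24) =====
interface Loopback0
 ip address 10.255.255.2 255.255.255.255
!
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip host 10.255.255.2 host 10.255.255.1
!
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! Router-B polls Router-A's loopback from its own loopback; each poll matches
! ACL 150, so it brings the tunnel up without any LAN host and keeps it up
ntp source Loopback0
ntp server 10.255.255.1
```

Verify with `sh crypto isakmp sa` and `sh ntp associations`; without the deny line in ACL 101, inside-to-outside packets are translated before the crypto map evaluates them and so never match ACL 150.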