
Why the problem with my config?

li-he
Level 1

I configured IPsec with two routers connected by LAN:

1) Router1 configuration:

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router-7206

!

enable password cisco

ip subnet-zero

no ip domain-lookup

!

ip cef

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key nantian address xx.xxx.xx.xx

crypto isakmp keepalive 30 5

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto map mymap 1 ipsec-isakmp

set peer 10.30.1.2

set transform-set myset

match address 101

!

interface Loopback0

ip address xxx.xx.1.1 255.255.255.0

!

interface FastEthernet0/0

ip address 10.30.1.1 255.255.255.252

half-duplex

crypto map mymap

!

!

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

no ip http server

!

access-list 101 permit ip 72.1.1.0 0.0.0.255 26.1.1.0 0.0.0.255

!

!

line con 0

line aux 0

line vty 0 4

password xxx

login

!

end

Router-7206#

***********************************

2) Router2 configuration:

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Router-2620

!

enable password cisco

memory-size iomem 10

ip subnet-zero

no ip domain-lookup

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key nantian address 10.30.1.1

crypto isakmp keepalive 30 5

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto dynamic-map mymap 10

set transform-set myset

!

!

crypto map mainmap 1 ipsec-isakmp dynamic mymap

!

interface Loopback0

ip address 26.1.1.1 255.255.255.0

!

interface FastEthernet0/0

ip address 10.30.1.2 255.255.255.252

duplex auto

speed auto

crypto map mainmap

!

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/1

no ip address

shutdown

!

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

ip http server

!

!

!

line con 0

line aux 0

line vty 0 4

password xxxx

login

!

end

Router-2620#

My question:

When I use the commands "show crypto ipsec sa" and "show crypto isakmp sa", nothing is output. What's the problem with my configuration?

3 Replies

gfullage
Cisco Employee

Change your default routes on each router to point specifically to the other router's IP address, not just out the FA0/0 interface. Then do a ping to the other's loopback address, making sure you source it from the local router's loopback interface; that should bring the tunnel up.

Remember that the tunnel is only built when traffic is sent, so if you don't do a ping or the like then you won't see the tunnel built.

If it still fails, please run:

> debug crypto isakmp

> debug crypto ipsec

on both routers, try the ping again and send us the output.
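
Added example (not part of the original posts and not a Cisco tool): a small Python check for the interface-only static route that the reply above corrects, extended beyond the thread's question to flag `set peer` addresses with no matching pre-shared key and the DES/MD5 choices in the posted policy and transform set. The sample config is constructed from the thread's router1 listing; the key `EXAMPLEKEY` and the finding names are assumptions of this example.

```python
import re

# Constructed sample modelled on the thread's router1 listing; the key is a placeholder.
SAMPLE = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key EXAMPLEKEY address 10.30.1.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 10.30.1.2
 set transform-set myset
 match address 101
interface FastEthernet0/0
 ip address 10.30.1.1 255.255.255.252
 crypto map mymap
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
WEAK = {"esp-des", "esp-md5-hmac"}  # single DES and HMAC-MD5 transforms

def audit(config):
    """Return (finding, detail) tuples; finding names are this example's own."""
    lines = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    findings, peers, keyed = [], set(), set()
    for l in lines:
        # Static route whose target is an interface with no next-hop address.
        m = re.match(rf"ip route {IP} {IP} (\S+)(?: ({IP}))?$", l)
        if m and not re.fullmatch(IP, m.group(1)) and not m.group(2):
            findings.append(("route-no-next-hop", l))
        if m := re.match(rf"set peer ({IP})$", l):
            peers.add(m.group(1))
        if m := re.match(rf"crypto isakmp key \S+ address ({IP})", l):
            keyed.add(m.group(1))
        if l.startswith("crypto ipsec transform-set") and WEAK & set(l.split()):
            findings.append(("weak-transform", l))
        if l == "hash md5":
            findings.append(("weak-ike-hash", l))
    # A key bound to 0.0.0.0 is a wildcard and covers every peer.
    if "0.0.0.0" not in keyed:
        findings += [("peer-without-key", p) for p in sorted(peers - keyed)]
    return findings

if __name__ == "__main__":
    for name, detail in audit(SAMPLE):
        print(f"{name}: {detail}")
```
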

Yes. I changed the default route to a specific route, and now it runs well. Thanks.

dpatkins
Level 1

Do you need a set peer 10.30.1.1 in router2? Or did I overlook something?