08-14-2003 07:20 AM - edited 03-09-2019 04:26 AM
I configured IPsec on two routers connected by LAN:
1) Router1 configuration:
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-7206
!
enable password cisco
ip subnet-zero
no ip domain-lookup
!
ip cef
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key nantian address xx.xxx.xx.xx
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.30.1.2
set transform-set myset
match address 101
!
interface Loopback0
ip address xxx.xx.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.30.1.1 255.255.255.252
half-duplex
crypto map mymap
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no ip http server
!
access-list 101 permit ip 72.1.1.0 0.0.0.255 26.1.1.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
password xxx
login
!
end
Router-7206#
***********************************
2) Router2 configuration:
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-2620
!
enable password cisco
memory-size iomem 10
ip subnet-zero
no ip domain-lookup
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key nantian address 10.30.1.1
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map mymap 10
set transform-set myset
!
!
crypto map mainmap 1 ipsec-isakmp dynamic mymap
!
interface Loopback0
ip address 26.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.30.1.2 255.255.255.252
duplex auto
speed auto
crypto map mainmap
!
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
!
!
!
line con 0
line aux 0
line vty 0 4
password xxxx
login
!
end
Router-2620#
My question:
When I use the commands "show crypto ipsec sa" and "show crypto isakmp sa", nothing is output. What is the problem with my configuration?
08-14-2003 03:55 PM
Change your default routes on each router to point specifically to the other router's IP address, not just out the FA0/0 interface. Then do a ping to the other's loopback address, making sure you source it from the local router's loopback interface; that should bring the tunnel up.
Remember that the tunnel is only built when traffic is sent, so if you don't do a ping or the like then you won't see the tunnel built.
If it still fails, please run:
> debug crypto isakmp
> debug crypto ipsec
on both routers, try the ping again and send us the output.
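The procedure from the reply above, written out as IOS commands. This is an added example, not part of the original thread: it assumes Router-7206's Loopback0 sits in 72.1.1.0/24 (the post redacts it to xxx.xx.1.1, but access-list 101 implies that range), and it uses the peer addresses already present in the two configurations.

```cisco
! --- Router-7206 (static crypto map, initiates the tunnel) ---
! Replace the interface-only default route with one that names the next hop.
! On an Ethernet segment a route pointing at the interface alone relies on
! proxy ARP for every destination, so encrypted traffic may never leave.
configure terminal
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 10.30.1.2
end

! --- Router-2620 (dynamic crypto map, responder) ---
configure terminal
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 10.30.1.1
end

! --- Bring the tunnel up from Router-7206 ---
! Traffic must match access-list 101 (72.1.1.0/24 -> 26.1.1.0/24), so the
! ping is sourced from Loopback0 rather than from the FastEthernet address.
! On IOS releases without the "source" keyword, run a bare "ping", answer
! "Extended commands [n]: y" and give Loopback0 as the source.
ping 26.1.1.1 source Loopback0

! --- Verify: an SA should now exist on both routers ---
show crypto isakmp sa
show crypto ipsec sa

! --- If the SA still does not appear, enable the debugs on both sides ---
! and repeat the ping, then disable them again.
debug crypto isakmp
debug crypto ipsec
undebug all
```

Because Router-2620 only has a dynamic crypto map, it has no peer to call and can only respond; the ping therefore has to originate from Router-7206, whose static map carries the `set peer` and the crypto ACL. The transform set `esp-des esp-md5-hmac` and `hash md5` in the posted configurations are legacy choices; on IOS releases that support them, an AES transform with SHA hashing is the defensible replacement once the tunnel itself is working.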
08-14-2003 09:21 PM
Yes, I changed the default route to a specific route, and now it runs well. Thanks.
08-14-2003 03:58 PM
Do you need a set peer 10.30.1.1 in router2? Or did I overlook something?