ISAKMP is off , throw some light

rprasant82 · ‎04-03-2013

Hi

I have two devices directly connected.

Between these two devices I am setting up a IPSEC tunnel.

Below is my config on the router.

Can someone help me on this ?

Thanks in advance

Prashant R

rprasant82 · ‎04-03-2013

Router#show crypto isakmp policy

Global IKE policy

Protection suite of priority 5

encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Pre-Shared Key

Diffie-Hellman group: #2 (1024 bit)

lifetime: 86400 seconds, no volume limit

Router#

Router#show crypto map

Crypto Map IPv4 "TODUT" 5 ipsec-isakmp

Peer = 192.168.2.5

Extended IP access list MY_PROTECT

access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1

Current peer: 192.168.2.5

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Transform sets={

router_to_DUT: { esp-aes esp-sha-hmac } ,

}

Interfaces using crypto map TODUT:

GigabitEthernet4/2

Router#show crypto session

Crypto session current status

Interface: GigabitEthernet4/2

Session status: DOWN

Peer: 192.168.2.5 port 500

IPSEC FLOW: permit ip host 192.168.2.5 host 192.168.2.1

Active SAs: 0, origin: crypto map

Router#

*Apr 3 11:19:04.601: No peer struct to get peer description

With this config, my sa's do not come up. I see the below error wjhen I enable debug

Apr 3 10:30:23.061: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

*Apr 3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr 3 10:30:29.621: IPSEC: Expand action denied, notify RP

*Apr 3 10:30:29.621: IPSEC: Expand action denied, discard or forward packet.

*Apr 3 10:30:29.621: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

cadet alain · ‎04-03-2013

Hi,

1) your crypto ACL is not correct:

Extended IP access list MY_PROTECT

access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1

you should use IP addresses of your LAN as source and of remote LAN as destination and not the peer IP addresses.

the crypto ACL on the other peer should be a mirror of this one( own LAN as source and remote LAN as destination) and

2) both crypto ACLs should be applied to the WAN interface( the one used to go to your peer).

Regards

Alain

Don't forget to rate helpful posts.

rprasant82 · ‎04-03-2013

Hi

The two routers between which I am setting up tunnel are directly connected hence in the same subnet.

My router IP address is 192.168.2.5 and the DUT ip address is 192.168.2.1

What access-list do I write in this scenario ?

"

2) both crypto ACLs should be applied to the WAN interface( the one used to go to your peer)."

On the router gig4/2 is the DUT facing interface. Do we need to apply access-list on this interface when we have given "match address MY_PROTECT" under crypto map ?

Please help.

Thanks

Prashant R

cadet alain · ‎04-03-2013

Hi,

1) the crypto ACL is the one you are referencing in the crypto map with the match address command and here you put as source and destination the outside interface or WAN interface( that is the interface going to the other peer) IPs but you must use the IP of your LAN as source and destination

2) yes that's correct

Regards

Alain

Don't forget to rate helpful posts.

rprasant82 · ‎04-03-2013

Hi

DUT (192.168.2.1)------------------Router (192.168.2.5)

This is my topology. I have just 2 devices between which I have the tunnel.

In this case what is the source IP and destination IP I need to give in my ACL ?

Thanks

Prashant R

cadet alain · ‎04-03-2013

Hi,

LAN1---DUT-------Router---LAN2

on DUT: source is LAN1 and destination is LAN2

on Router: source is LAN2 and destination is LAN1

Regards

Alain

Don't forget to rate helpful posts.

paul driver · ‎06-21-2013

Hello

Can you post your run config of the router?

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

jaime.pedraza · ‎06-20-2013

Hello Prashant,

Could you have this issue solved? I have the same problem but a don´t see any traffic going out from the router

Regards,

Jaime