Beginner

ISAKMP is off, throw some light

Hi

I have two devices directly connected.

Between these two devices I am setting up an IPsec tunnel.

Below is my config on the router.

Can someone help me on this ?

Thanks in advance

Prashant R

8 REPLIES

Beginner

Router#show crypto isakmp policy

Global IKE policy
Protection suite of priority 5
        encryption algorithm:  AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:        Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:  #2 (1024 bit)
        lifetime:              86400 seconds, no volume limit
Router#

Router#show crypto map
Crypto Map IPv4 "TODUT" 5 ipsec-isakmp
        Peer = 192.168.2.5
        Extended IP access list MY_PROTECT
            access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1
        Current peer: 192.168.2.5
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                router_to_DUT:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map TODUT:
                GigabitEthernet4/2

Router#show crypto session
Crypto session current status

Interface: GigabitEthernet4/2
Session status: DOWN
Peer: 192.168.2.5 port 500
  IPSEC FLOW: permit ip host 192.168.2.5 host 192.168.2.1
        Active SAs: 0, origin: crypto map
Router#

*Apr  3 11:19:04.601: No peer struct to get peer description

With this config, my SAs do not come up. I see the below error when I enable debug:

Apr  3 10:30:23.061: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.621: IPSEC: Expand action denied, notify RP
*Apr  3 10:30:29.621: IPSEC: Expand action denied, notify RP
*Apr  3 10:30:29.621: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.621: IPSEC: Expand action denied, discard or forward packet.
*Apr  3 10:30:29.621: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

Advisor

Hi,

1) your crypto ACL is not correct:

Extended IP access list MY_PROTECT

            access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1

  You should use the IP addresses of your LAN as source and of the remote LAN as destination, not the peer IP addresses.

The crypto ACL on the other peer should be a mirror of this one (own LAN as source and remote LAN as destination), and

2) both crypto ACLs should be applied to the WAN interface (the one used to go to your peer).

Regards

Alain

Don't forget to rate helpful posts.

Beginner

Hi

The two routers between which I am setting up the tunnel are directly connected, hence in the same subnet.

My router IP address is 192.168.2.5 and the DUT IP address is 192.168.2.1.

What access-list do I write in this scenario?

"2) both crypto ACLs should be applied to the WAN interface (the one used to go to your peer)."

On the router, gig4/2 is the DUT-facing interface. Do we need to apply the access-list on this interface when we have given "match address MY_PROTECT" under the crypto map?

Please help.

Thanks

Prashant R

Advisor

Hi,

1) The crypto ACL is the one you are referencing in the crypto map with the match address command. Here you put the IPs of the outside interface or WAN interface (that is, the interface going to the other peer) as source and destination, but you must use the IP of your LAN as source and destination.

2) Yes, that's correct.

Regards

Alain

Don't forget to rate helpful posts.

Beginner

Hi

DUT (192.168.2.1)------------------Router (192.168.2.5)

This is my topology. I have just 2 devices between which I have the tunnel.

In this case what is the source IP and destination IP I need to give in my ACL ?

Thanks

Prashant R

Advisor

Hi,

LAN1---DUT-------Router---LAN2

on DUT: source is LAN1 and destination is LAN2

on Router: source is LAN2 and destination is LAN1

Regards

Alain

Don't forget to rate helpful posts.
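
The following is an added example, not code from the thread and not a Cisco tool: a small pre-flight check in Python that applies Alain's mirror rule to both ends of the tunnel and reads the debug output from the first post. It parses only the subset of "show crypto map" output seen above (the "Peer =" line and the crypto ACL's permit entries), checks that each side's peer is the other side's address (the posted map peers with 192.168.2.5, which the poster identifies as the router's own address), checks that every crypto ACL entry on one side has its source and destination swapped on the other, and reports the last state the %CRYPTO-6-ISAKMP_ON_OFF message logged, since with ISAKMP OFF no IKE phase 1 can start whatever the crypto ACL says. The function names (check_pair, parse_crypto_map, parse_ace, isakmp_state), the DUT-side outputs and the LAN prefixes 10.1.0.0/24 and 10.2.0.0/24 are my own constructions for the LAN1---DUT-------Router---LAN2 picture.

```python
"""Pre-flight checks for a pair of IOS crypto-map peers (added example)."""
import re
from ipaddress import ip_address, ip_network

PEER_RE = re.compile(r"^\s*Peer = (\S+)")
ISAKMP_RE = re.compile(r"%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is (ON|OFF)")


def _wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks; invert to a netmask so both corner cases
    parse as intended (wildcard 0.0.0.0 -> /32, 255.255.255.255 -> /0)."""
    netmask = ip_address(int(ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ip_network(f"{addr}/{netmask}", strict=False)


def _take_spec(tokens, i):
    """Consume one ACL address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC DST' (or a bare 'permit ip ...');
    return (src_net, dst_net), or None for any other line."""
    tokens = line.split()
    if "permit" not in tokens:
        return None
    p = tokens.index("permit")
    try:
        if tokens[p + 1] != "ip":
            return None  # only plain 'ip' entries are handled here
        src, i = _take_spec(tokens, p + 2)
        dst, _ = _take_spec(tokens, i)
    except IndexError:
        return None  # truncated entry
    return src, dst


def parse_crypto_map(output):
    """Return (peer address or None, [(src_net, dst_net), ...])."""
    peer, flows = None, []
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = ip_address(m.group(1))
            continue
        ace = parse_ace(line)
        if ace:
            flows.append(ace)
    return peer, flows


def check_pair(local_a, map_a, local_b, map_b):
    """Compare two peers' maps; return a list of findings (empty = consistent)."""
    findings = []
    peer_a, flows_a = parse_crypto_map(map_a)
    peer_b, flows_b = parse_crypto_map(map_b)
    if peer_a != ip_address(local_b):
        findings.append(f"A peers with {peer_a}, but B's address is {local_b}")
    if peer_b != ip_address(local_a):
        findings.append(f"B peers with {peer_b}, but A's address is {local_a}")
    mirrored_b = {(dst, src) for src, dst in flows_b}  # B's entries as A must see them
    for src, dst in set(flows_a) - mirrored_b:
        findings.append(f"A protects {src} -> {dst}; B has no mirror entry {dst} -> {src}")
    for src, dst in mirrored_b - set(flows_a):
        findings.append(f"B protects {dst} -> {src}; A has no mirror entry {src} -> {dst}")
    return findings


def isakmp_state(log_lines):
    """Return the last ISAKMP state ('ON'/'OFF') the log reports, or None."""
    state = None
    for line in log_lines:
        m = ISAKMP_RE.search(line)
        if m:
            state = m.group(1)
    return state


# Crypto map as posted for the router (192.168.2.5); the DUT side is constructed
# to mirror it, so the only finding is the peer address.
POSTED_ROUTER = """\
Crypto Map IPv4 "TODUT" 5 ipsec-isakmp
        Peer = 192.168.2.5
        Extended IP access list MY_PROTECT
            access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1
"""
CONSTRUCTED_DUT = """\
        Peer = 192.168.2.5
            access-list MY_PROTECT permit ip host 192.168.2.1 host 192.168.2.5
"""
# Constructed pair for LAN1 (10.1.0.0/24) behind the DUT, LAN2 (10.2.0.0/24) behind the router.
FIXED_ROUTER = """\
        Peer = 192.168.2.1
            access-list MY_PROTECT permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
"""
FIXED_DUT = """\
        Peer = 192.168.2.5
            access-list MY_PROTECT permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
"""
POSTED_DEBUG = [  # two lines taken from the debug output above
    "*Apr  3 10:30:23.061: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF",
    "*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.",
]

if __name__ == "__main__":
    for name, a, b in (("posted", POSTED_ROUTER, CONSTRUCTED_DUT), ("fixed", FIXED_ROUTER, FIXED_DUT)):
        print(name, check_pair("192.168.2.5", a, "192.168.2.1", b) or "consistent")
    print("ISAKMP:", isakmp_state(POSTED_DEBUG))
```

Run it against the two "show crypto map" outputs of a real pair (the two local addresses are the interface addresses the crypto map is applied to); an empty finding list plus ISAKMP reported ON is the baseline before looking further into phase 1 parameters.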

VIP Mentor

Hello

Can you post your run config of the router?

res

Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

Hello Prashant,

Did you get this issue solved? I have the same problem, but I don't see any traffic going out from the router.

Regards,

Jaime
