Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
15701
Views
9
Helpful
8
Replies

ISAKMP is off , throw some light

rprasant82
Level 1
Level 1

ā€Ž04-03-2013 04:25 AM - edited ā€Ž03-07-2019 12:36 PM

Hi

I have  two devices directly connected.

Between these two devices I am setting up a IPSEC tunnel.

Below is my config on the router.

Can someone help me on this ?

Thanks in advance

Prashant R

2 people had this problem
Labels:
0 Helpful
8 Replies 8

rprasant82
Level 1
Level 1

ā€Ž04-03-2013 04:25 AM

Router#show crypto isakmp policy

Global IKE policy

Protection suite of priority 5

        encryption algorithm:  AES - Advanced Encryption Standard (128 bit keys).

        hash algorithm:        Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:  #2 (1024 bit)

        lifetime:              86400 seconds, no volume limit

Router#

Router#show crypto map

Crypto Map IPv4 "TODUT" 5 ipsec-isakmp

        Peer = 192.168.2.5

        Extended IP access list MY_PROTECT

            access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1

        Current peer: 192.168.2.5

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                router_to_DUT:  { esp-aes esp-sha-hmac  } ,

        }

        Interfaces using crypto map TODUT:

                GigabitEthernet4/2

Router#show crypto session

Crypto session current status

Interface: GigabitEthernet4/2

Session status: DOWN

Peer: 192.168.2.5 port 500

  IPSEC FLOW: permit ip host 192.168.2.5 host 192.168.2.1

        Active SAs: 0, origin: crypto map

Router#

*Apr  3 11:19:04.601: No peer struct to get peer description

With this config, my sa's do not come up. I see the below error wjhen I enable debug

Apr  3 10:30:23.061: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.621: IPSEC: Expand action denied, notify RP

*Apr  3 10:30:29.621: IPSEC: Expand action denied, notify RP

*Apr  3 10:30:29.621: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.621: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.621: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to rprasant82

ā€Ž04-03-2013 04:33 AM

Hi,

1) your crypto ACL is not correct:

Extended IP access list MY_PROTECT

            access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1

  you should use IP addresses of  your LAN as source and of remote LAN as destination and not the peer IP addresses.

the crypto ACL on the other peer should be a mirror of this one( own LAN as  source and remote LAN as destination) and

2) both crypto ACLs should be applied to the WAN interface( the one used to go to your peer).

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

rprasant82
Level 1
Level 1
In response to cadet alain

ā€Ž04-03-2013 04:41 AM

Hi

The two routers between which I am setting up tunnel are directly connected hence in the same subnet.

My router IP address is 192.168.2.5 and the DUT ip address is 192.168.2.1

What access-list do I write in this scenario ?

"

2) both crypto ACLs should be applied to the WAN interface( the one used to go to your peer)."

On the router gig4/2 is the DUT facing interface.  Do we need to apply access-list on this interface when we have given "match address MY_PROTECT" under crypto map ?

Please help.

Thanks

Prashant R

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to rprasant82

ā€Ž04-03-2013 06:22 AM

Hi,

1) the crypto ACL is the one you are referencing in the crypto map with the match address command and here you put as source and destination the outside interface or WAN interface( that is the interface going to the other peer) IPs but you must  use the IP of your LAN as source and destination

2) yes that's correct

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

rprasant82
Level 1
Level 1
In response to cadet alain

ā€Ž04-03-2013 10:05 PM

Hi

DUT (192.168.2.1)------------------Router (192.168.2.5)

This is my topology. I have just 2 devices between which I have the tunnel.

In this case what is the source IP and destination IP I need to give in my ACL ?

Thanks

Prashant R

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to rprasant82

ā€Ž04-03-2013 11:00 PM

Hi,

LAN1---DUT-------Router---LAN2

on DUT: source is LAN1 and destination is LAN2

on Router: source is LAN2 and destination is LAN1

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

paul driver
VIP
VIP
In response to rprasant82

ā€Ž06-21-2013 01:28 AM

Hello

Can you post your run config of the router?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the communityā€™s global network.

Kind Regards
Paul
0 Helpful

jaime.pedraza
Level 1
Level 1
In response to rprasant82

ā€Ž06-20-2013 09:59 PM

Hello Prashant,

Could you have this issue solved? I have the same problem but a donĀ“t see any traffic going out from the router

Regards,

Jaime

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card