04-03-2013 04:25 AM - edited 03-07-2019 12:36 PM
Hi
I have two devices directly connected.
Between these two devices I am setting up a IPSEC tunnel.
Below is my config on the router.
Can someone help me on this ?
Thanks in advance
Prashant R
04-03-2013 04:25 AM
Router#show crypto isakmp policy
Global IKE policy
Protection suite of priority 5
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Router#
Router#show crypto map
Crypto Map IPv4 "TODUT" 5 ipsec-isakmp
Peer = 192.168.2.5
Extended IP access list MY_PROTECT
access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1
Current peer: 192.168.2.5
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
router_to_DUT: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map TODUT:
GigabitEthernet4/2
Router#show crypto session
Crypto session current status
Interface: GigabitEthernet4/2
Session status: DOWN
Peer: 192.168.2.5 port 500
IPSEC FLOW: permit ip host 192.168.2.5 host 192.168.2.1
Active SAs: 0, origin: crypto map
Router#
*Apr 3 11:19:04.601: No peer struct to get peer description
With this config, my SAs do not come up. I see the below error when I enable debug
Apr 3 10:30:23.061: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Apr 3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.621: IPSEC: Expand action denied, notify RP
*Apr 3 10:30:29.621: IPSEC: Expand action denied, notify RP
*Apr 3 10:30:29.621: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.621: IPSEC: Expand action denied, discard or forward packet.
*Apr 3 10:30:29.621: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
04-03-2013 04:33 AM
Hi,
1) your crypto ACL is not correct:
Extended IP access list MY_PROTECT
access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1
you should use IP addresses of your LAN as source and of remote LAN as destination and not the peer IP addresses.
the crypto ACL on the other peer should be a mirror of this one (own LAN as source and remote LAN as destination) and
2) both crypto ACLs should be applied to the WAN interface (the one used to go to your peer).
Regards
Alain
Don't forget to rate helpful posts.
04-03-2013 04:41 AM
Hi
The two routers between which I am setting up tunnel are directly connected hence in the same subnet.
My router IP address is 192.168.2.5 and the DUT ip address is 192.168.2.1
What access-list do I write in this scenario ?
"2) both crypto ACLs should be applied to the WAN interface (the one used to go to your peer)."
On the router gig4/2 is the DUT facing interface. Do we need to apply access-list on this interface when we have given "match address MY_PROTECT" under crypto map ?
Please help.
Thanks
Prashant R
04-03-2013 06:22 AM
Hi,
1) the crypto ACL is the one you are referencing in the crypto map with the match address command and here you put as source and destination the outside interface or WAN interface (that is the interface going to the other peer) IPs but you must use the IP of your LAN as source and destination
2) yes that's correct
Regards
Alain
Don't forget to rate helpful posts.
04-03-2013 10:05 PM
Hi
DUT (192.168.2.1)------------------Router (192.168.2.5)
This is my topology. I have just 2 devices between which I have the tunnel.
In this case what is the source IP and destination IP I need to give in my ACL ?
Thanks
Prashant R
04-03-2013 11:00 PM
Hi,
LAN1---DUT-------Router---LAN2
on DUT: source is LAN1 and destination is LAN2
on Router: source is LAN2 and destination is LAN1
Regards
Alain
Don't forget to rate helpful posts.
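The two rules in Alain's replies above (the crypto ACL names the protected LANs, never the peer addresses that terminate the tunnel, and the ACL on the other peer must be the mirror image) can be checked mechanically before a tunnel is brought up. The script below is an added example, not code from the thread or from any Cisco tool: it parses `access-list NAME permit ip ...` entries in the form shown by `show crypto map`, flags entries whose source or destination is a tunnel peer, and verifies that two ACLs mirror each other. The posted ACL is used as-is; the corrected pair, the LAN prefixes 10.1.1.0/24 and 10.2.2.0/24 and the ACL name `TO_ROUTER` are constructed for the example and are not from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example (not from the thread): audits a pair of IOS crypto ACLs
# against the two rules given in the replies above.


@dataclass(frozen=True)
class Ace:
    """One access-control entry: the protected source and destination."""
    acl: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# One address spec: "host A", "A WILDCARD" or "any" (four capture groups each).
_ADDR = (r"(?:host\s+(\d+\.\d+\.\d+\.\d+)"
         r"|(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
         r"|(any))")
_ACE_RE = re.compile(
    r"^\s*access-list\s+(\S+)\s+permit\s+ip\s+" + _ADDR + r"\s+" + _ADDR + r"\s*$"
)


def _to_network(host, addr, wildcard, any_kw):
    """Translate one IOS address spec into an IPv4Network.

    IOS wildcard masks are inverted netmasks (0.0.0.255 means /24).
    'host A' is handled explicitly rather than as wildcard 0.0.0.0, which
    ipaddress would otherwise read as a /0 netmask.
    """
    if any_kw:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if host:
        return ipaddress.IPv4Network(f"{host}/32")
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    # Only contiguous masks are meaningful in a crypto ACL; reject the rest.
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def parse_ace(line):
    """Parse a single 'access-list NAME permit ip SRC DST' line."""
    m = _ACE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    groups = m.groups()           # name, then 4 groups for src, 4 for dst
    return Ace(groups[0], _to_network(*groups[1:5]), _to_network(*groups[5:9]))


def is_mirror(local_aces, remote_aces):
    """True when every local (src, dst) appears remotely as (dst, src) and vice versa."""
    local_pairs = {(a.src, a.dst) for a in local_aces}
    remote_pairs = {(a.src, a.dst) for a in remote_aces}
    return local_pairs == {(d, s) for s, d in remote_pairs}


def peer_address_findings(aces, local_peer, remote_peer):
    """Flag entries whose source or destination is a tunnel endpoint itself.

    The crypto ACL must describe the LANs to protect, not the peer (WAN)
    addresses that terminate the IPsec tunnel.
    """
    peers = {ipaddress.IPv4Network(f"{p}/32") for p in (local_peer, remote_peer)}
    findings = []
    for a in aces:
        for role, net in (("source", a.src), ("destination", a.dst)):
            if net in peers:
                findings.append(f"{a.acl}: {role} {net.network_address} is a tunnel peer address")
    return findings


def audit(local_aces, remote_aces, local_peer, remote_peer):
    """Return all findings for a crypto ACL pair; an empty list means it passes."""
    findings = peer_address_findings(local_aces, local_peer, remote_peer)
    findings += peer_address_findings(remote_aces, remote_peer, local_peer)
    if not is_mirror(local_aces, remote_aces):
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


# ACL exactly as posted in the thread: both ends are the peer addresses.
ROUTER_ACL_AS_POSTED = [
    parse_ace("access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1"),
]

# Constructed corrected pair (LAN prefixes and the DUT ACL name are assumed):
# LAN1 10.1.1.0/24 behind the DUT, LAN2 10.2.2.0/24 behind the Router.
ROUTER_ACL_FIXED = [parse_ace("access-list MY_PROTECT permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255")]
DUT_ACL_FIXED = [parse_ace("access-list TO_ROUTER permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255")]

if __name__ == "__main__":
    # The posted ACL, checked against a DUT that simply copied it.
    for f in audit(ROUTER_ACL_AS_POSTED, ROUTER_ACL_AS_POSTED, "192.168.2.5", "192.168.2.1"):
        print("FAIL:", f)
    print("fixed pair:", audit(ROUTER_ACL_FIXED, DUT_ACL_FIXED, "192.168.2.5", "192.168.2.1") or "OK")
```

The check only covers the two ACL rules discussed in the thread; it says nothing about whether the crypto map is actually bound to the peer-facing interface, which the thread raises separately.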
06-21-2013 01:28 AM
Hello
Can you post your run config of the router?
res
Paul
06-20-2013 09:59 PM
Hello Prashant,
Could you get this issue solved? I have the same problem, but I don't see any traffic going out from the router.
Regards,
Jaime