cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16506
Views
9
Helpful
8
Replies

ISAKMP is off , throw some light

rprasant82
Level 1
Level 1

Hi

I have  two devices directly connected.

Between these two devices I am setting up a IPSEC tunnel.

Below is my config on the router.

Can someone help me on this ?

Thanks in advance

Prashant R

8 Replies 8

rprasant82
Level 1
Level 1

Router#show crypto isakmp policy

Global IKE policy

Protection suite of priority 5

        encryption algorithm:  AES - Advanced Encryption Standard (128 bit keys).

        hash algorithm:        Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:  #2 (1024 bit)

        lifetime:              86400 seconds, no volume limit

Router#

Router#show crypto map

Crypto Map IPv4 "TODUT" 5 ipsec-isakmp

        Peer = 192.168.2.5

        Extended IP access list MY_PROTECT

            access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1

        Current peer: 192.168.2.5

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                router_to_DUT:  { esp-aes esp-sha-hmac  } ,

        }

        Interfaces using crypto map TODUT:

                GigabitEthernet4/2

Router#show crypto session

Crypto session current status

Interface: GigabitEthernet4/2

Session status: DOWN

Peer: 192.168.2.5 port 500

  IPSEC FLOW: permit ip host 192.168.2.5 host 192.168.2.1

        Active SAs: 0, origin: crypto map

Router#

*Apr  3 11:19:04.601: No peer struct to get peer description

With this config, my sa's do not come up. I see the below error wjhen I enable debug

Apr  3 10:30:23.061: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.617: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.621: IPSEC: Expand action denied, notify RP

*Apr  3 10:30:29.621: IPSEC: Expand action denied, notify RP

*Apr  3 10:30:29.621: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.621: IPSEC: Expand action denied, discard or forward packet.

*Apr  3 10:30:29.621: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

Hi,

1) your crypto ACL is not correct:

Extended IP access list MY_PROTECT

            access-list MY_PROTECT permit ip host 192.168.2.5 host 192.168.2.1

  you should use IP addresses of  your LAN as source and of remote LAN as destination and not the peer IP addresses.

the crypto ACL on the other peer should be a mirror of this one( own LAN as  source and remote LAN as destination) and

2) both crypto ACLs should be applied to the WAN interface( the one used to go to your peer).

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hi

The two routers between which I am setting up tunnel are directly connected hence in the same subnet.

My router IP address is 192.168.2.5 and the DUT ip address is 192.168.2.1

What access-list do I write in this scenario ?

"

2) both crypto ACLs should be applied to the WAN interface( the one used to go to your peer)."

On the router gig4/2 is the DUT facing interface.  Do we need to apply access-list on this interface when we have given "match address MY_PROTECT" under crypto map ?

Please help.

Thanks

Prashant R

Hi,

1) the crypto ACL is the one you are referencing in the crypto map with the match address command and here you put as source and destination the outside interface or WAN interface( that is the interface going to the other peer) IPs but you must  use the IP of your LAN as source and destination

2) yes that's correct

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hi

DUT (192.168.2.1)------------------Router (192.168.2.5)

This is my topology. I have just 2 devices between which I have the tunnel.

In this case what is the source IP and destination IP I need to give in my ACL ?

Thanks

Prashant R

Hi,

LAN1---DUT-------Router---LAN2

on DUT: source is LAN1 and destination is LAN2

on Router: source is LAN2 and destination is LAN1

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hello

Can you post your run config of the router?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Prashant,

Could you have this issue solved? I have the same problem but a don´t see any traffic going out from the router

Regards,

Jaime

Review Cisco Networking for a $25 gift card