06-16-2012 11:08 AM - edited 02-21-2020 06:08 PM
Hi All,
I'm really struggling to get this up and connected. I have attached some configurations and copied and pasted some info below; if anyone has any suggestions, please help.
----
c1841#show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 172.16.50.253 port 500
IKE SA: local 172.16.51.253/500 remote 172.16.50.253/500 Active
IPSEC FLOW: permit ip 172.16.32.0/255.255.254.0 192.168.100.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 172.16.32.0/255.255.254.0
Active SAs: 0, origin: crypto map
----
c1841#show crypto session map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
Description: Tunnel to172.16.50.253
Peer = 172.16.50.253
Extended IP access list 100
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.16.32.0 0.0.1.255
access-list 100 permit ip 172.16.32.0 0.0.1.255 192.168.100.0 0.0.0.255
Current peer: 172.16.50.253
Security association lifetime: 4608000 kilobytes/28800 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Transform sets={
Cisco: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map SDM_CMAP_1:
FastEthernet0/1
----
c1841#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.16.50.253 172.16.51.253 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
----
c1841#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr 172.16.51.253
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.32.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer 172.16.50.253 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.51.253, remote crypto endpt.: 172.16.50.253
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.32.0/255.255.254.0/0/0)
current_peer 172.16.50.253 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 25229, #recv errors 0
local crypto endpt.: 172.16.51.253, remote crypto endpt.: 172.16.50.253
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
06-16-2012 08:40 PM
The crypto ACL should only contain one line; please remove the following line from your router config:
access-list 100 permit ip 172.16.32.0 0.0.1.255 192.168.100.0 0.0.0.255
Also, the remote subnets configured on the TMG do not mirror what has been configured on the router. The remote subnet should only be 192.168.100.0/24; currently it has many subnets, listed below, that need to be changed to just 192.168.100.0/24:
Remote Network 'Cisco 1841' IP Subnets:
Subnet: 172.16.51.253/255.255.255.255
Subnet: 192.168.100.1/255.255.255.255
Subnet: 192.168.100.254/255.255.255.255
Subnet: 192.168.100.2/255.255.255.254
Subnet: 192.168.100.252/255.255.255.254
Subnet: 192.168.100.4/255.255.255.252
Subnet: 192.168.100.248/255.255.255.252
Subnet: 192.168.100.8/255.255.255.248
Subnet: 192.168.100.240/255.255.255.248
Subnet: 192.168.100.16/255.255.255.240
Subnet: 192.168.100.224/255.255.255.240
Subnet: 192.168.100.32/255.255.255.224
Subnet: 192.168.100.192/255.255.255.224
Subnet: 192.168.100.64/255.255.255.192
Subnet: 192.168.100.128/255.255.255.192
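The mirror-image rule in the reply above (one crypto ACE on the router, and the peer's remote list equal to the router's local network) is something you can check mechanically before touching either box. The script below is an added example, not code from the thread or from Cisco or Microsoft: it parses the router's wildcard-mask crypto ACL and the TMG-style "address/netmask" list quoted in the reply, then reports every proxy-ID mismatch that would leave Phase 1 up with zero Phase 2 SAs. Both input lists are copied from the thread; the TMG local network (172.16.32.0/23, the router's remote ident) is an assumption.

```python
"""Check that an IPsec crypto ACL and the peer's network lists are mirror images.

Added example. Cisco wildcard-mask ACEs are parsed from the router side; the
peer side is a list of 'address/netmask' strings as shown for the TMG. Any
selector that does not match exactly is reported as a finding.
"""
import ipaddress
import re

# Constructed sample input (copied from the thread): the router's crypto ACL.
ROUTER_CRYPTO_ACL = """\
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.16.32.0 0.0.1.255
access-list 100 permit ip 172.16.32.0 0.0.1.255 192.168.100.0 0.0.0.255
"""

# Constructed sample input (copied from the thread): the TMG remote-network list.
TMG_REMOTE_SUBNETS = [
    "172.16.51.253/255.255.255.255",
    "192.168.100.1/255.255.255.255", "192.168.100.254/255.255.255.255",
    "192.168.100.2/255.255.255.254", "192.168.100.252/255.255.255.254",
    "192.168.100.4/255.255.255.252", "192.168.100.248/255.255.255.252",
    "192.168.100.8/255.255.255.248", "192.168.100.240/255.255.255.248",
    "192.168.100.16/255.255.255.240", "192.168.100.224/255.255.255.240",
    "192.168.100.32/255.255.255.224", "192.168.100.192/255.255.255.224",
    "192.168.100.64/255.255.255.192", "192.168.100.128/255.255.255.192",
]
# Assumption: the TMG's own (local) network is the router's remote ident.
TMG_LOCAL_SUBNETS = ["172.16.32.0/255.255.254.0"]

ACE_RE = re.compile(r"^access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair into a network.

    The wildcard is the bitwise inverse of the subnet mask. A non-contiguous
    wildcard has no CIDR equivalent, and ipaddress raises ValueError for it.
    """
    netmask = ipaddress.IPv4Address((~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_crypto_acl(text: str) -> list:
    """Return [(local_net, remote_net), ...], one pair per 'permit ip' ACE."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            pairs.append((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return pairs


def parse_subnet_list(items) -> set:
    """Parse 'address/netmask' strings as used in the TMG network definition."""
    return {ipaddress.IPv4Network(item, strict=False) for item in items}


def _compare(side: str, router_nets: set, peer_nets: set, findings: list) -> None:
    """Report peer entries that are not an exact mirror of the router's networks."""
    grouped = {}
    for net in sorted(peer_nets - router_nets):
        # An entry that is merely contained in a router network (a /24 split into
        # host and /31 pieces) is still a mismatch: quick mode compares selectors exactly.
        parent = next((r for r in router_nets if net.subnet_of(r)), None)
        grouped.setdefault(parent, []).append(net)
    for parent, nets in grouped.items():
        listed = ", ".join(str(n) for n in nets)
        if parent is None:
            findings.append(f"{side}: {listed} not part of any router network; remove")
        else:
            findings.append(f"{side}: {len(nets)} entries ({listed}) are sub-prefixes of {parent}; replace them with {parent}")
    for missing in sorted(router_nets - peer_nets):
        findings.append(f"{side}: {missing} missing from peer list")


def check_mirror(acl_text: str, peer_local, peer_remote) -> list:
    """Compare router proxy IDs with the peer's local/remote networks; return findings."""
    findings = []
    kept = []
    for local_net, remote_net in parse_crypto_acl(acl_text):
        # The router derives the inbound selector itself; a reversed copy of an
        # ACE is a second, conflicting proxy-ID pair rather than the return path.
        if (remote_net, local_net) in kept:
            findings.append(f"reversed ACE {local_net} -> {remote_net} duplicates {remote_net} -> {local_net}; remove it")
            continue
        kept.append((local_net, remote_net))
    router_local = {local for local, _ in kept}
    router_remote = {remote for _, remote in kept}
    _compare("peer remote networks", router_local, parse_subnet_list(peer_remote), findings)
    _compare("peer local networks", router_remote, parse_subnet_list(peer_local), findings)
    return findings


if __name__ == "__main__":
    for finding in check_mirror(ROUTER_CRYPTO_ACL, TMG_LOCAL_SUBNETS, TMG_REMOTE_SUBNETS):
        print(finding)
```

Run against the thread's data it reports four things: the reversed ACE, the 172.16.51.253/32 entry (the router's own WAN address, not a protected network), the fourteen 192.168.100.x pieces that are sub-prefixes of the /24 rather than the /24 itself, and the missing 192.168.100.0/24. With the ACL cut to its first line and the TMG remote list replaced by a single 192.168.100.0/255.255.255.0 entry it reports nothing, which is the state the reply asks for.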
06-17-2012 03:25 AM
Thanks for the reply. The ACLs probably weren't helping, but unfortunately I still can't bring the tunnel up.
06-17-2012 03:41 AM
Can you please run both debugs:
debug cry isa
debug cry ipsec
Earlier there wasn't anything showing for Phase 2. Phase 1 is UP, but lots of sent errors on Phase 2.
Did you change the TMG end as well?