11-19-2018 01:23 PM - edited 02-21-2020 09:30 PM
Dear all,
Let me know why my IPsec tunnel is down. I tested with GNS3.
I use the (C7200-ADVIPSERVICESK9-M) image.
R2#show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 1.1.1.1 port 500
IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
R2#sh run
Building configuration...
Current configuration : 1631 bytes
!
! Last configuration change at 05:16:07 UTC Tue Nov 20 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map map01 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set aes256-sha
set pfs group5
match address acl-vpn-PA
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 1.1.1.2 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
crypto map map01
!
interface GigabitEthernet1/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended acl-vpn-PA
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R1#sh run
Building configuration...
Current configuration : 1631 bytes
!
! Last configuration change at 05:16:39 UTC Tue Nov 20 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map map01 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set aes256-sha
set pfs group5
match address acl-vpn-PA
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
crypto map map01
!
interface GigabitEthernet1/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended acl-vpn-PA
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R1#
11-19-2018 01:38 PM