04-03-2017 09:06 AM - edited 02-21-2020 09:13 PM
Hi everybody, I have a problem with an IPsec tunnel between two routers. When I do a ping and then use the command "show crypto ipsec sa", I have 0 packets encrypted and 0 packets decrypted too. Here is the configuration of the two routers:
Router 1:
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname router_outside
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
aaa new-model
!
aaa authentication login default group radius local
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 3600
!
crypto isakmp key 12345 address 192.168.60.1
!
!
!
crypto ipsec transform-set 50 esp-3des esp-md5-hmac
!
crypto map MAP_SECU 10 ipsec-isakmp
set peer 192.168.60.1
set security-association lifetime seconds 900
set transform-set 50
match address 101
!
!
!
!
ip ssh version 2
ip domain-name hddsecu.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.70.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.60.2 255.255.255.0
duplex auto
speed auto
crypto map MAP_SECU
!
interface Vlan1
no ip address
shutdown
!
interface Vlan70
mac-address 0060.5c7a.1c01
no ip address
!
router ospf 1
log-adjacency-changes
redistribute static metric-type 1
network 192.168.60.0 0.0.0.255 area 0
network 192.168.70.0 0.0.0.255 area 0
!
ip classless
ip route 192.168.10.0 255.255.255.0 192.168.70.240
ip route 192.168.1.0 255.255.255.0 192.168.70.240
!
ip flow-export version 9
!
!
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
!
!
radius-server host 192.168.10.247 auth-port 1645 key 123456789
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login authentication default
transport input ssh
!
!
!
end
Router 2:
Building configuration...
Current configuration : 1136 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 3600
!
crypto isakmp key 12345 address 192.168.60.2
!
!
!
crypto ipsec transform-set 50 esp-3des esp-md5-hmac
!
crypto map MAP_SECU 10 ipsec-isakmp
set peer 192.168.60.2
set security-association lifetime seconds 900
set transform-set 50
match address 101
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.60.1 255.255.255.0
duplex auto
speed auto
crypto map MAP_SECU
!
interface FastEthernet0/1
ip address 192.168.50.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.50.0 0.0.0.255 area 0
network 192.168.60.0 0.0.0.255 area 0
!
ip classless
!
ip flow-export version 9
!
!
access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
Router#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MAP_SECU, local addr 192.168.60.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
current_peer 192.168.60.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.60.1, remote crypto endpt.:192.168.60.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Thank you for your help !!!
04-03-2017 09:22 AM
Post:
show crypto isakmp sa
What address are you pinging?
Gareth
04-03-2017 09:29 AM
Hi, here is the show:
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
I'm pinging one PC in my DMZ: 192.168.10.200
04-03-2017 09:43 AM
Your ISAKMP key address is wrong on both routers, and your ping won't match your crypto map.
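As an added example (not part of the original thread, and not anything the routers themselves run), the following Python script encodes the checks the replies above are doing by hand: it parses the crypto ACLs from both configs as posted, tests whether a given flow is "interesting traffic" for crypto map MAP_SECU, and checks that the pre-shared-key addresses, the `set peer` addresses and the crypto ACLs of the two peers are consistent with each other. The two dictionaries are constructed from the configs in this thread; the ping source 192.168.70.10 and the corrected Router 2 ACL (`ROUTER2_FIXED_ACL`) are assumptions introduced here for illustration.

```python
"""Sanity checks for an IOS crypto-map peer pair, built from the two configs in this thread."""
import ipaddress
from dataclasses import dataclass

# Constructed from the configs posted above (interface IPs on which MAP_SECU is
# applied, 'crypto isakmp key ... address', 'set peer' and crypto ACL 101).
ROUTER1 = {
    "name": "router_outside",
    "crypto_if_ip": "192.168.60.2",     # FastEthernet0/1, where MAP_SECU is applied
    "isakmp_key_peer": "192.168.60.1",  # crypto isakmp key 12345 address ...
    "crypto_map_peer": "192.168.60.1",  # set peer ...
    "acl": ["access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255"],
}
ROUTER2 = {
    "name": "Router",
    "crypto_if_ip": "192.168.60.1",     # FastEthernet0/0, where MAP_SECU is applied
    "isakmp_key_peer": "192.168.60.2",
    "crypto_map_peer": "192.168.60.2",
    "acl": ["access-list 101 permit ip 192.168.70.0 0.0.0.255 192.168.50.0 0.0.0.255"],
}
# Assumed correction (not in the thread): Router 2's ACL as the exact mirror of Router 1's.
ROUTER2_FIXED_ACL = ["access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.70.0 0.0.0.255"]


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask: 1 bits are 'don't care'. Inverting it gives a netmask.
    Non-contiguous wildcards cannot be expressed as a prefix and raise NetmaskValueError."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_addr(tokens, i):
    """Parse one address spec ('any', 'host X', or 'X wildcard') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(lines):
    """Return the permit entries of an extended numbered ACL used as a crypto ACL."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] != "permit":
            continue  # only permit entries define interesting traffic
        if t[3] != "ip":
            raise ValueError("only 'permit ip' entries are handled here: " + line)
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(src, dst))
    return entries


def is_interesting(entries, src_ip, dst_ip):
    """True if an outbound packet src->dst would trigger IKE / be encrypted by the map."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in e.src and d in e.dst for e in entries)


def is_mirrored(local_entries, remote_entries):
    """The peer's crypto ACL must be our ACL with src and dst swapped, entry for entry."""
    mirror = {AclEntry(e.dst, e.src) for e in local_entries}
    return mirror == set(remote_entries)


def check_peers(r1, r2):
    """Findings for a pair of crypto-map peers; every value should be True."""
    return {
        "psk_addresses_match": (r1["isakmp_key_peer"] == r2["crypto_if_ip"]
                                and r2["isakmp_key_peer"] == r1["crypto_if_ip"]),
        "set_peer_matches": (r1["crypto_map_peer"] == r2["crypto_if_ip"]
                             and r2["crypto_map_peer"] == r1["crypto_if_ip"]),
        "acls_mirrored": is_mirrored(parse_crypto_acl(r1["acl"]),
                                     parse_crypto_acl(r2["acl"])),
    }


if __name__ == "__main__":
    acl1 = parse_crypto_acl(ROUTER1["acl"])
    # The ping in the thread goes to 192.168.10.200; the source 192.168.70.10 is assumed.
    print("ping to DMZ host is interesting traffic:", is_interesting(acl1, "192.168.70.10", "192.168.10.200"))
    print("70.x -> 50.x is interesting traffic:   ", is_interesting(acl1, "192.168.70.10", "192.168.50.10"))
    print("peers as posted:", check_peers(ROUTER1, ROUTER2))
    print("peers with mirrored ACL on Router 2:", check_peers(ROUTER1, dict(ROUTER2, acl=ROUTER2_FIXED_ACL)))
```

Two things fall out of running this against the posted configs. First, whatever host the ping comes from, a destination of 192.168.10.200 is not in 192.168.50.0/24, so it never matches ACL 101 and never triggers IKE; an empty `show crypto isakmp sa` table on a static crypto map is exactly what that looks like, because phase 1 only starts when an outbound packet matches the crypto ACL. Second, Router 2's ACL 101 repeats Router 1's source and destination instead of mirroring them, which is also visible in Router 2's `show crypto ipsec sa` (local ident 192.168.70.0/24 on a router whose LAN is 192.168.50.0/24), so even a 192.168.70.x to 192.168.50.x ping would fail the proxy-identity comparison in phase 2 once phase 1 came up. The posted ISAKMP policy (3DES, MD5, DH group 5) and the five-character pre-shared key are weak by current standards, but they are not what is keeping this tunnel down.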
04-03-2017 10:36 AM
Thanks for your answer, but I think that the addresses are correctly set:
Router 0:
crypto isakmp key 12345 address 192.168.60.1
Router 1:
crypto isakmp key 12345 address 192.168.60.2
About the ping, I made an access list which matches any host for the moment.
04-04-2017 12:21 AM
Yeah, sorry, I misread the config on the ISAKMP addresses.
Have you tried 'debug crypto isakmp'?
Gareth