
No IPsec debugging information

joyce-qu
Level 1

I have set up IPsec between two routers, and have enabled the debug crypto isakmp, debug crypto ipsec and debug crypto engine commands on both routers. When I use an extended ping from the source router's internal interface to the peer router's internal interface, no debugging information is shown. What's wrong?

Thanks in advance!

4 Replies

sbirn
Level 1

Do you see any console messages? If you've logged in remotely and are not physically on the console port, you have to enable the display of console messages on your terminal. Use the command "term mon".

If you have done this already, then I'd start checking your crypto map and access lists. Check the ACLs, the crypto map and make sure the crypto map is applied to the interface.

simon.meng
Level 1

Can the SA negotiations be initiated? After the ping, use the command "show crypto isakmp sa" to get the status. If no ISAKMP SA is shown, there are probably some problems in your configuration; you'd better check the ACLs and their binding to the map, as well as the application of the map to the interface.

joyce-qu
Level 1

Yes, I can see some console messages, and I also used the command "term mon" from the remote console port; it doesn't work.

I want to see the debugging information for the following reason.

We set up IPsec between two 2610 routers to connect two private networks addressed 192.168.x.0 and 192.168.y.0. NAT is not used in our system, and we use proxies for internet access. After the following configuration it worked fine (the internal private networks could see each other). After one month, when we powered off one of the routers for about 30 minutes and restarted it, the connection failed. After 12 days it worked again without much change to the configuration. The following is the configuration. I want to know whether there is any bad influence on the internet from the non-NATed private addresses, because during the failure we found some strange routing information on the internet.

Any help will be appreciated !

Sina@quzhj.com

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key * address peer addr.
!
crypto ipsec transform-set * esp-des esp-md5-hmac
!
crypto map vpn1 10 ipsec-isakmp
 set peer "peer addr"
 set transform-set *
 match address 101
!
interface Ethernet0/0
 ip address internal addr.
 no ip directed-broadcast
!
interface Ethernet1/0
 ip address external addr.
 no ip directed-broadcast
 crypto map vpn1
!
ip classless
ip route 0.0.0.0 0.0.0.0 external route
ip route 192.168.x.0 255.255.0.0 internal route
ip route 192.168.y.0 255.255.0.0 external route
no ip http server
!
access-list 101 permit ip 192.168.x.0 0.0.255.255 192.168.y.0 0.0.0.255

In my short (two weeks!) experience with IPsec, I've found that once the connection comes up, if one router is restarted, the other router retains the initial session number and rejects any attempt to renegotiate with the restarted router.

Adding "crypto isakmp keepalive 60" to each of the ISAKMP policies overcomes this, as the router that hasn't been restarted will send a keepalive every minute; finding that the router at the other end has restarted will result in renegotiating.
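Two of the replies above say to check the crypto ACLs, and the posted access-list 101 uses a different wildcard on each side (0.0.255.255 for the local network, 0.0.0.255 for the remote one). The following script is an added example, not part of the thread: it converts IOS address/wildcard pairs into the networks they really match, checks that the two peers' crypto ACLs are mirror images of each other, and compares them against the LANs they are meant to protect. The x and y octets are assumed to be 10 and 20 here; the sample ACE lines are constructed.

```python
import ipaddress
import re

# Constructed sample ACEs modelled on access-list 101 from the thread. The x/y
# octets are placeholders (10 and 20) so the checker has real numbers to work on.
LOCAL_ACE = "access-list 101 permit ip 192.168.10.0 0.0.255.255 192.168.20.0 0.0.0.255"
REMOTE_ACE = "access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255"
FIXED_LOCAL_ACE = "access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255"

ACE_RE = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair into the network it actually matches."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # A subnet wildcard is a contiguous run of low-order 1 bits (0.0.0.255, 0.0.255.255, ...).
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - wc.bit_length()
    # strict=False: 192.168.10.0 with wildcard 0.0.255.255 really matches 192.168.0.0/16
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_ace(line: str):
    """Return (source_net, destination_net) for an extended 'permit ip' ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, src_wc, dst, dst_wc = m.groups()
    return wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)


def check_crypto_acls(local_ace, remote_ace, local_lan, remote_lan):
    """Return a list of problems; an empty list means the pair looks consistent."""
    problems = []
    l_src, l_dst = parse_ace(local_ace)
    r_src, r_dst = parse_ace(remote_ace)
    # The peer's crypto ACL must be the exact mirror image of the local one, or the
    # proxy identities exchanged in quick mode will not match and no IPsec SA forms.
    if (l_src, l_dst) != (r_dst, r_src):
        problems.append(f"not mirror images: local {l_src}->{l_dst}, remote {r_src}->{r_dst}")
    # The protected networks should be exactly the LANs behind each router.
    if l_src != ipaddress.ip_network(local_lan):
        problems.append(f"local source {l_src} does not match local LAN {local_lan}")
    if l_dst != ipaddress.ip_network(remote_lan):
        problems.append(f"local destination {l_dst} does not match remote LAN {remote_lan}")
    return problems


if __name__ == "__main__":
    for ace in (LOCAL_ACE, FIXED_LOCAL_ACE):
        print(ace)
        for p in check_crypto_acls(ace, REMOTE_ACE, "192.168.10.0/24", "192.168.20.0/24"):
            print("  -", p)
```

Run against the posted wildcards it reports two problems (the /16 match and the broken mirror image); with 0.0.0.255 on both addresses it reports none.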