Solved: Packet Tracer ISAKMP empty, but IPSEC is working, how is this possible

davehouser1 · ‎07-27-2022

I have two sites with single routers connected inbetween a 3rd router.

The problem is `show crypto isakmp sa` is empty, however `show crypto ipsec sa` has local crypto working, and traffic is able to traverse the tunnel. I dont understand how this is possible at all.

Also trying to turn of `debug crypto ipsec` or `debug crypto isakmp` showing nothing on the screen.

BTW I learned the hard way that I needed to start pinging from both internal networks to actually check if ipsec is working.

Topology 

R1 ------ R2 ------- R3

R1 & R3 will have the IKE and IPSEC SA's.

R1

cp-rt-01#show run
Building configuration...

Current configuration : 1190 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname cp-rt-01
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key cisco123 address 40.0.0.1
!
!
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-CRYPTOMAP 10 ipsec-isakmp 
 set peer 40.0.0.1
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set 50 
 match address 102
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.11.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/1/0
 ip address 50.0.0.1 255.255.255.252
 crypto map IPSEC-CRYPTOMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 50.0.0.2 
!
ip flow-export version 9
!
!
access-list 102 permit ip 10.10.11.0 0.0.0.255 10.10.12.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

R2

cp-rt-02#show run
Building configuration...

Current configuration : 710 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname cp-rt-02
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/0
 ip address 40.0.0.2 255.255.255.252
!
interface GigabitEthernet0/1/0
 ip address 50.0.0.2 255.255.255.252
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

R3

cp-rt-03#show run
Building configuration...

Current configuration : 1190 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname cp-rt-03
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key cisco123 address 50.0.0.1
!
!
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-CRYPTOMAP 10 ipsec-isakmp 
 set peer 50.0.0.1
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set 50 
 match address 102
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/1/0
 ip address 40.0.0.1 255.255.255.252
 crypto map IPSEC-CRYPTOMAP
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 40.0.0.2 
!
ip flow-export version 9
!
!
access-list 102 permit ip 10.10.12.0 0.0.0.255 10.10.11.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

I really dont understand why ISAKMP is empty. What am I missing?

davehouser1 · ‎07-28-2022

Ok I figured out the problem.
This HAD to be a bug in Packet Tracer. I closed packet tracer and re-opened it, now everything is working.

btw I was sending traffic earlier with no problems, and `show crypto ipsec sa` showed traffic was being passed through the tunnel. But `show crypto isakmp sa` showed nothing. I closed Packet Tracer, reopened this morning, and everything is working.

View solution in original post

MHM Cisco World · ‎07-27-2022

ISAKMP is empty because no IPSec tunnel build
and crypto ipsec sa you see not empty it not indicate that the IPsec is run
you must see
input and output SA and you must see encrypt and decrypt counter increase not Zero.

if you want to make IPSec run you need to initiate traffic
try
ping 10.10.11.x source 10.10.12.x
in router cp-rt-03

davehouser1 · ‎07-28-2022

Ok I figured out the problem.
This HAD to be a bug in Packet Tracer. I closed packet tracer and re-opened it, now everything is working.

btw I was sending traffic earlier with no problems, and `show crypto ipsec sa` showed traffic was being passed through the tunnel. But `show crypto isakmp sa` showed nothing. I closed Packet Tracer, reopened this morning, and everything is working.

Kasun Bandara · ‎07-27-2022

you need to initiate some traffic between tunnel, then ISAKMP tunnel will built

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

davehouser1 · ‎07-28-2022

I already tried initiating traffic. I can see packets increase when running `show crypto ipsec sa` but when I check `show crypto isakmp sa` nothing is listed.