Re: show crypto ipsec sa / show crypto isakmp sa displays nothing

cryptoclass · ‎02-15-2024

I've attached my "show run" for the 3 routers, I'm trying to establish a VPN tunnel between router1 and router3

(the internal network for Router1 is 192.168.1.0/24, and the internal network for Router3 is 192.168.3.0/24, with router2 in the middle)

ROUTER1

ROUTER1#show run

Building configuration...

Current configuration : 1313 bytes

!

version 15.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname ROUTER1

!

ip cef

no ipv6 cef

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp key cyber123 address 12.1.1.1

!

crypto ipsec transform-set 50 esp-aes esp-sha-hmac

!

crypto map CMAP 10 ipsec-isakmp

set peer 12.1.1.30

set pfs group2

set security-association lifetime seconds 900

set transform-set 50

match address 101

!

spanning-tree mode pvst

!

interface GigabitEthernet0/0/0

ip address 192.168.1.1 255.255.255.0

ip access-group 101 in

duplex auto

speed auto

!

interface GigabitEthernet0/0/1

ip address 11.1.1.1 255.255.255.252

duplex auto

speed auto

crypto map CMAP

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0/0

ip route 11.1.1.0 255.255.255.252 GigabitEthernet0/0/1

ip route 12.1.1.0 255.255.255.252 GigabitEthernet0/0/1

ip route 192.168.3.0 255.255.255.0 GigabitEthernet0/0/1

ip route 11.1.1.0 255.255.255.252 11.1.1.2

!

ip flow-export version 9

!

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

ROUTER2

ROUTER2#show run

Building configuration...

Current configuration : 1033 bytes

!

version 15.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname ROUTER2

!

ip cef

no ipv6 cef

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp key cyber123 address 11.1.1.1

!

spanning-tree mode pvst

!

interface GigabitEthernet0/0/0

ip address 12.1.1.2 255.255.255.252

duplex auto

speed auto

!

interface GigabitEthernet0/0/1

ip address 11.1.1.2 255.255.255.252

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0/1

ip route 11.1.1.0 255.255.255.252 GigabitEthernet0/0/1

ip route 12.1.1.0 255.255.255.252 GigabitEthernet0/0/0

ip route 192.168.3.0 255.255.255.0 GigabitEthernet0/0/0

ip route 12.1.1.0 255.255.255.252 12.1.1.30

ip route 11.1.1.0 255.255.255.252 11.1.1.1

ROUTER3

ROUTER3#show run

Building configuration...

Current configuration : 1224 bytes

!

version 15.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname ROUTER3

!

ip cef

no ipv6 cef

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

lifetime 3600

!

crypto ipsec transform-set 50 esp-aes esp-sha-hmac

!

crypto map CMAP 10 ipsec-isakmp

set peer 11.1.1.1

set pfs group2

set security-association lifetime seconds 900

set transform-set 50

match address 101

!

spanning-tree mode pvst

!

interface GigabitEthernet0/0/0

ip address 12.1.1.1 255.255.255.252

duplex auto

speed auto

crypto map CMAP

!

interface GigabitEthernet0/0/1

ip address 192.168.3.1 255.255.255.0

ip access-group 101 in

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip classless

ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0/0

ip route 11.1.1.0 255.255.255.252 GigabitEthernet0/0/0

ip route 12.1.1.0 255.255.255.252 GigabitEthernet0/0/0

ip route 192.168.3.0 255.255.255.0 GigabitEthernet0/0/1

!

ip flow-export version 9

!

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

liviu.gheorghe · ‎02-15-2024

Hello @cryptoclass ,

This is how your router configs should look like:

ROUTER1

crypto isakmp key cyber123 address 12.1.1.1

crypto ipsec transform-set 50 esp-aes esp-sha-hmac

!

crypto map CMAP 10 ipsec-isakmp

set peer 12.1.1.1

set pfs group2

set security-association lifetime seconds 900

set transform-set 50

match address 101

!

interface GigabitEthernet0/0/0

ip address 192.168.1.1 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet0/0/1

ip address 11.1.1.1 255.255.255.252

duplex auto

speed auto

crypto map CMAP

!

ip route 12.1.1.0 255.255.255.252 11.1.1.2

ip route 192.168.3.0 255.255.255.0 11.1.1.2

!

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

ROUTER2

!

interface GigabitEthernet0/0/0

ip address 12.1.1.2 255.255.255.252

duplex auto

speed auto

!

interface GigabitEthernet0/0/1

ip address 11.1.1.2 255.255.255.252

duplex auto

speed auto

!

ip route 192.168.1.0 255.255.255.0 11.1.1.1

ip route 192.168.3.0 255.255.255.0 12.1.1.1

ROUTER3

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp key cyber123 address 11.1.1.1

crypto ipsec transform-set 50 esp-aes esp-sha-hmac

!

crypto map CMAP 10 ipsec-isakmp

set peer 11.1.1.1

set pfs group2

set security-association lifetime seconds 900

set transform-set 50

match address 101

!

interface GigabitEthernet0/0/0

ip address 12.1.1.1 255.255.255.252

duplex auto

speed auto

crypto map CMAP

!

interface GigabitEthernet0/0/1

ip address 192.168.3.1 255.255.255.0

duplex auto

speed auto

!

ip route 192.168.1.0 255.255.255.0 12.1.1.2

ip route 11.1.1.0 255.255.255.252 12.1.1.2

!

ip flow-export version 9

!

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Regards, LG
*** Please Rate All Helpful Responses ***