show crypto isakmp sa empty?

kennylee88 (Level 1)

Hello VPN gurus,

I need help here. I am trying to set up a 3-router VPN, with R2 as the hub. So far I can reach every network, but the encap/decap packet counters are all empty.

That means the tunnel is not established. I even do ping -t xxxx.xx.xxx and do a show crypto ipsec sa on each router, and it still shows empty; no packets were forwarded. Here are my config files for all 3 routers. I'm sure I am missing some parameter, but I don't know where.

R1:

version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R1
no ip cef
no ipv6 cef
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.0.0.2
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TRANSFORM_SET
 match address VPN-TO-R2
spanning-tree mode pvst
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN-MAP
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 clock rate 2000000
interface Serial0/1/0
 no ip address
 clock rate 2000000
 shutdown
interface Vlan1
 no ip address
 shutdown
ip classless
ip route 192.168.3.0 255.255.255.0 10.0.0.2
ip flow-export version 9
ip access-list extended VPN-TO-R2
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 login

R2:

Current configuration : 1256 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R2
!
!
no ip cef
no ipv6 cef
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.0.0.1
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TRANSFORM_SET
 match address VPN-TO-R1
!
spanning-tree mode pvst
!
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN-MAP
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
interface Serial0/0/0
 ip address 10.0.0.2 255.255.255.252
interface Serial0/1/0
 ip address 10.0.1.1 255.255.255.252
 clock rate 2000000
interface Vlan1
 no ip address
 shutdown
ip classless
ip route 192.168.1.0 255.255.255.0 10.0.0.1
ip route 192.168.3.0 255.255.255.0 10.0.1.2
ip flow-export version 9
ip access-list extended VPN-TO-R1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 login

R3:

version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname Router
no ip cef
no ipv6 cef
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.0.1.1
crypto isakmp key cisco123 address 10.0.1.2
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.0.1.1
 set transform-set TRANSFORM_SET
 match address VPN-TO-R1
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 10.0.1.2
 set transform-set TRANSFORM_SET
 match address VPN-TO-R3
spanning-tree mode pvst
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN-MAP
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
interface Serial0/0/0
 ip address 10.0.1.2 255.255.255.252
interface Serial0/1/0
 no ip address
 clock rate 2000000
 shutdown
interface Vlan1
 no ip address
 shutdown
ip classless
ip route 192.168.1.0 255.255.255.0 10.0.1.1
ip flow-export version 9
ip access-list extended VPN-TO-R2
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 login

5 Replies

Gopinath_Pigili (Spotlight)

Hello kennylee88,

As you have mentioned, R2 is playing the role of hub.

But in your configuration R3 is configured with the following two peer commands:

crypto isakmp key cisco123 address 10.0.1.1

crypto isakmp key cisco123 address 10.0.1.2

Only R2 should be configured with two IPsec peers. R1 and R3 each have one peer.

You might have interchanged the configurations of R2 and R3... Please check and modify accordingly.

Best regards
******* If This Helps, Please Rate *******

You might 

Is this issue solved?

MHM

kennylee88 (Level 1)

Still not working. Maybe it is a CPT bug?

I'm redoing it all over again. I will upload the PKT file; maybe you can see it better in the picture.

@kennylee88

This router does not support VPN. On Packet Tracer you need to use a 29xx, and you need to enable it with the license command.

I don't know whether the router supports IPsec or not.

But the idea of IPsec hub and spoke is listed below.

Topology: hub, spoke1, spoke2

1- spoke1 must have a route toward the hub for the spoke2 LAN

2- spoke2 must have a route toward the hub for the spoke1 LAN

3- the hub IPsec ACLs must be

A- acl1 from spoke1 to spoke2

B- acl2 from spoke2 to spoke1

4- spoke1 ACL from the spoke1 LAN to the spoke2 LAN

5- spoke2 ACL from the spoke2 LAN to the spoke1 LAN

6- the hub must have an IPsec key with address 0.0.0.0

MHM
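Both replies above come down to the same kind of defect: pre-shared keys, crypto map entries and interesting-traffic ACLs that do not line up between the two ends of a tunnel (Gopinath's point about which router carries two peers, and MHM's points 3 to 6 about the hub entries, the mirrored spoke ACLs and the 0.0.0.0 hub key). The script below is an added example, not code from this thread or from Cisco. It parses only those statements out of the three posted configs, embedded here exactly as they appear in the question, and reports where they disagree. The `LINKS` list, which says which serial addresses face each other, and all function names are this example's own assumptions.

```python
# Consistency audit for a crypto-map IPsec hub-and-spoke. Added example, not code from
# the thread or from Cisco. Reads only 'crypto isakmp key ... address X', 'crypto map
# NAME SEQ ipsec-isakmp' (+ set peer / match address) and 'ip access-list extended NAME'
# (+ permit ip SRC WILD DST WILD). The R1/R2/R3 strings below are the thread's own lines.
import re
SUBCMDS = ("set ", "match ", "permit ", "deny ", "remark ")  # continue a block; anything else ends it

def parse(text):
    """One router config -> hostname, peers that have a PSK, crypto map entries, extended ACLs."""
    cfg, cur_map, cur_acl = {"hostname": "", "keys": set(), "maps": [], "acls": {}}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(SUBCMDS):  # a new top-level command closes any open block
            cur_map = cur_acl = None
        if line.startswith("hostname "):
            cfg["hostname"] = line.split()[1]
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["keys"].add(m.group(1))
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            cur_map = {"peer": None, "acl": None}
            cfg["maps"].append(cur_map)
        elif cur_map is not None and line.startswith("set peer "):
            cur_map["peer"] = line.split()[2]
        elif cur_map is not None and line.startswith("match address "):
            cur_map["acl"] = line.split()[2]
        elif m := re.match(r"ip access-list extended (\S+)", line):
            cur_acl = cfg["acls"].setdefault(m.group(1), [])
        elif cur_acl is not None and (m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)):
            cur_acl.append(m.groups())  # (src, swild, dst, dwild); only the wildcard form is read
    return cfg

def check_router(cfg):
    # Every peer needs a PSK (a 0.0.0.0 wildcard key, as on a hub, covers all peers) and
    # every 'match address' must name an ACL that is actually defined on this router.
    out, host = [], cfg["hostname"]
    for e in cfg["maps"]:
        if e["peer"] and e["peer"] not in cfg["keys"] and "0.0.0.0" not in cfg["keys"]:
            out.append(f"{host}: no pre-shared key for peer {e['peer']}")
        if e["acl"] and e["acl"] not in cfg["acls"]:
            out.append(f"{host}: crypto map matches undefined ACL {e['acl']}")
    return out

def check_link(a, b, a_addr, b_addr):
    """One tunnel: each end needs an entry whose peer is the other end, and the two
    interesting-traffic ACLs must be mirror images (src/dst swapped) of each other."""
    mirror = lambda ls: {(d, dw, s, sw) for (s, sw, d, dw) in ls}
    a_lines = {l for e in a["maps"] if e["peer"] == b_addr for l in a["acls"].get(e["acl"], [])}
    b_lines = {l for e in b["maps"] if e["peer"] == a_addr for l in b["acls"].get(e["acl"], [])}
    if not a_lines or not b_lines:
        return [f"{a['hostname']}<->{b['hostname']}: no usable crypto map entry on both sides"]
    out = [f"{a['hostname']} 'permit ip {' '.join(l)}' has no mirror on {b['hostname']}"
           for l in sorted(a_lines - mirror(b_lines))]
    out += [f"{b['hostname']} 'permit ip {' '.join(l)}' has no mirror on {a['hostname']}"
            for l in sorted(b_lines - mirror(a_lines))]
    return out

def audit(configs, links):
    """links: one (host_a, host_b, addr_a, addr_b) per tunnel; that list is an assumption."""
    routers = {c["hostname"]: c for c in map(parse, configs)}
    findings = [f for c in routers.values() for f in check_router(c)]
    for ha, hb, aa, ab in links:
        findings += check_link(routers[ha], routers[hb], aa, ab)
    return findings

R1 = """hostname R1
crypto isakmp key cisco123 address 10.0.0.2
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.0.0.2
 match address VPN-TO-R2
ip access-list extended VPN-TO-R2
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
R2 = """hostname R2
crypto isakmp key cisco123 address 10.0.0.1
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.0.0.1
 match address VPN-TO-R1
ip access-list extended VPN-TO-R1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
R3 = """hostname Router
crypto isakmp key cisco123 address 10.0.1.1
crypto isakmp key cisco123 address 10.0.1.2
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.0.1.1
 match address VPN-TO-R1
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 10.0.1.2
 match address VPN-TO-R3
ip access-list extended VPN-TO-R2
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
LINKS = [("R1", "R2", "10.0.0.1", "10.0.0.2"), ("R2", "Router", "10.0.1.1", "10.0.1.2")]  # serial links
if __name__ == "__main__":
    print("\n".join(audit([R1, R2, R3], LINKS)))
```

Run as-is, the R1 to R2 leg passes both checks (the two ACLs are exact mirrors), while the R3 side reports that both of its `match address` names point at ACLs that are never defined (only VPN-TO-R2 exists on that router) and that R2 has no crypto map entry facing 10.0.1.2 at all, which is the configuration swap the first reply describes. Routing (MHM's points 1 and 2) and the transform-set lines are outside what this audit reads.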