04-01-2013 10:09 AM - edited 02-21-2020 06:47 PM
04-02-2013 01:40 AM
Ali,
VTI tunnels are supposed to be down when there are no active SPIs negotiated.
The tunnel will go up/up when there is a way to transport packets - i.e. SPIs are present.
You can monitor SPIs in "show crypto ipsec sa peer
For debugging:
debug crypto isa
debug crypto ipsec
M.
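The SPI check described in the reply above, as an added example that is not part of the original thread: a small Python parser that reads saved "show crypto ipsec sa" output and reports whether an inbound and an outbound ESP SPI are both present. The sample outputs are constructed and abbreviated, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated samples of "show crypto ipsec sa" output.
SAMPLE_DOWN = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 2001:1:1::1
   current_peer 2001:1:1::2 port 500
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     outbound esp sas:
     outbound ah sas:
"""
SAMPLE_UP = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 2001:1:1::1
   current_peer 2001:1:1::2 port 500
     current outbound spi: 0x5A1C77E2(1511815138)
     inbound esp sas:
      spi: 0x9D03B1F4(2634265076)
     inbound ah sas:
     outbound esp sas:
      spi: 0x5A1C77E2(1511815138)
     outbound ah sas:
"""

SECTION = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)\(\d+\)")

def esp_spis(output):
    """Return the ESP SPIs listed under the inbound and outbound sections."""
    spis = {"inbound": [], "outbound": []}
    direction = None
    for line in output.splitlines():
        section = SECTION.match(line)
        if section:
            # Only ESP sections count here; AH and PCP sections are skipped.
            direction = section.group(1) if section.group(2) == "esp" else None
            continue
        spi = SPI.match(line)
        if spi and direction:
            spis[direction].append(spi.group(1))
    return spis

def sa_pair_present(output):
    """True when at least one inbound and one outbound ESP SPI exist."""
    spis = esp_spis(output)
    return bool(spis["inbound"]) and bool(spis["outbound"])
```
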
04-02-2013 04:09 AM
Hi Marcin,
Thanks for your great help. Actually, I was testing the same configuration on a 7200 (15.0(1) IOS). My tunnel was not UP.
Now I tried the same configs on a 3725 Version 12.4(15) and my tunnel is up even without generating the traffic.
I have one question: I only call the IPSec profile, which only includes the transform set, on my tunnel interface. Is it also required to put the ISAKMP profile in the IPSec profile as best practice?
Following are the configs.
crypto ipsec transform-set ipv6_tran esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipv6_ipsec_pro
 set transform-set ipv6_tran
!
crypto isakmp profile 3des
 self-identity address ipv6
 match identity address ipv6 2001:1:1::2/64
 keyring default
!
!
int tunnel 1
 ipv6 enable
 ipv6 address 2012:2:2::1/64
 tunnel source 2001:1:1::1
 tunnel destination 2001:1:1::2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile ipv6_ipsec_pro
!
In the above configs I am not using the ISAKMP profile on the tunnel, I only use the IPSec profile. Will that be the best practice?
04-02-2013 04:34 AM
Ali,
I would not say it's recommended to use isakmp profile, it's a feature that allows a bit more flexibility and several functionalities.
If you use isakmp profile (for example if you want to use VRF-list deployment) yes it's best to map it in the ipsec profile, for best results.
In most scenarios this step will not be required.
M.
04-02-2013 05:03 AM
Marcin,
Thanks a lot.
Regards,
Ali...