As Parveen said, apply crypto map on fa 1/0.

You are able to ping because of existing routing between the two routers.

On Saturday, October 27, 2012, Parvees M wrote:
> you are applying cryptomap to the wrong interface.
>
> apply it on fa1/0
>
> your vpn related configuration at both ends are based on this interface
>
> With best regards,
>
> Parvees M Davida
> CCNP ,CISSP,JNCIS-FWV,ITIL V3
>
> On Sat, Oct 27, 2012 at 7:02 PM, waheed Ahmed <[email protected]> wrote:
>
>> Dear Team
>>
>> I have a problem for ipsec VPN configuration. when using show crypto
>> session it showing session is down at both ends. Routers configuration
>> is mentioned below:-
>>
>> But i can ping both ends of the routers with the ip 192.168.1.1 and
>> 10.0.1.1. please correct my mistake or guide me further for this ....
>>
>> R1#show run
>> Building configuration...
>>
>> Current configuration : 1193 bytes
>> !
>> version 12.4
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> no service password-encryption
>> !
>> hostname R1
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> !
>> no aaa new-model
>> memory-size iomem 5
>> !
>> !
>> ip cef
>> no ip domain lookup
>> ip domain name lab.local
>> !
>> !
>>
>> !
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>>  group 2
>> crypto isakmp key 6 cisco address 172.16.1.2
>> !
>> !
>> crypto ipsec transform-set myset esp-aes esp-sha-hmac
>> !
>> crypto map mymap 10 ipsec-isakmp
>>  set peer 172.16.1.2
>>  set transform-set myset
>>  match address 101
>>
>> !
>> interface FastEthernet0/0
>>  ip address 192.168.1.1 255.255.255.0
>>  duplex auto
>>  speed auto
>>  crypto map mymap
>> !
>> interface FastEthernet1/0
>>  ip address 172.16.1.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> router eigrp 10
>>  network 172.16.0.0
>>  network 192.168.1.0
>>  no auto-summary
>> !
>> no ip http server
>> no ip http secure-server
>> !
>> !
>> !
>> access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
>> !
>> !
>> !
>> control-plane
>> !
>>
>> !
>> line con 0
>>  exec-timeout 0 0
>>  privilege level 15
>>  logging synchronous
>> line aux 0
>>  exec-timeout 0 0
>>  privilege level 15
>>  logging synchronous
>> line vty 0 4
>>  login
>> !
>> !
>> end
>>
>> R1#show ip interface brief
>> Interface                  IP-Address      OK? Method Status                Protocol
>> FastEthernet0/0            192.168.1.1     YES manual up                    up
>> FastEthernet1/0            172.16.1.1      YES manual up                    up
>>
>> R1#show crypto session
>> Crypto session current status
>>
>> Interface: FastEthernet0/0
>> Session status: DOWN
>> Peer: 172.16.1.2 port 500
>>   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.1.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>
>> ====================================================================
>>
>> R2#sho run
>> Building configuration...
>>
>> Current configuration : 1187 bytes
>> !
>> version 12.4
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> no service password-encryption
>> !
>> hostname R2
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> !
>> no aaa new-model
>> memory-size iomem 5
>> !
>> !
>> ip cef
>> no ip domain lookup
>> ip domain name lab.local
>> !
>>
>> !
>> !
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>>  group 2
>> crypto isakmp key 6 cisco address 172.16.1.1
>> !
>> !
>> crypto ipsec transform-set myset esp-aes esp-sha-hmac
>> !
>> crypto map mymap 10 ipsec-isakmp
>>  set peer 172.16.1.1
>>  set transform-set myset
>>  match address 101
>> !
>> !
>> !
>> !
>> interface FastEthernet0/0
>>  ip address 10.0.1.1 255.255.255.0
>>  duplex auto
>>  speed auto
>>  crypto map mymap
>> !
>> interface FastEthernet1/0
>>  ip address 172.16.1.2 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> router eigrp 10
>>  network 10.0.0.0
>>  network 172.16.0.0
>>  no auto-summary
>> !
>> no ip http server
>> no ip http secure-server
>> !
>> !
>> !
>> access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
>> !
>> !
>> !
>> control-plane
>>
>> !
>> !
>> line con 0
>>  exec-timeout 0 0
>>  privilege level 15
>>  logging synchronous
>> line aux 0
>>  exec-timeout 0 0
>>  privilege level 15
>>  logging synchronous
>> line vty 0 4
>>  login
>> !
>> !
>> end
>>
>> R2#show ip interface brief
>> Interface                  IP-Address      OK? Method Status                Protocol
>> FastEthernet0/0            10.0.1.1        Y
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com

-- 
FNK, CCIE Security#35578
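
The check the replies describe, as an added example that is not part of the original thread: each router's `set peer` names the other router's FastEthernet1/0 address, so the crypto map has to be bound to that interface. The excerpts are constructed from the crypto and interface lines of the configs quoted above; `parse` and `audit` are hypothetical helper names, and the parser assumes the one-space indentation of real `show run` output.

```python
import re

# Constructed excerpts: crypto and interface lines from the quoted running-configs.
R1 = """\
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.2
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map mymap
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
"""
R2 = """\
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.1
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 crypto map mymap
interface FastEthernet1/0
 ip address 172.16.1.2 255.255.255.0
"""

def parse(cfg):
    """Return (peer addresses, {interface: {"ip": addr, "map": crypto map name}})."""
    peers, ifaces, cur = [], {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):  # top-level command: opens or closes a block
            m = re.match(r"interface (\S+)", line)
            cur = ifaces.setdefault(m.group(1), {"ip": None, "map": None}) if m else None
        s = line.strip()
        if s.startswith("set peer "):
            peers.append(s.split()[2])
        elif cur is not None and s.startswith("ip address "):
            cur["ip"] = s.split()[2]
        elif cur is not None and s.startswith("crypto map "):
            cur["map"] = s.split()[2]
    return peers, ifaces

def audit(local, remote):
    """List (bound_interface, map, expected_interface) where the local crypto map
    sits on an interface whose address the remote router does not use as its peer."""
    remote_peers, _ = parse(remote)
    _, ifaces = parse(local)
    expected = [n for n, i in ifaces.items() if i["ip"] in remote_peers]
    return [(n, i["map"], expected[0] if expected else None)
            for n, i in ifaces.items() if i["map"] and i["ip"] not in remote_peers]

if __name__ == "__main__":
    for name, local, remote in (("R1", R1, R2), ("R2", R2, R1)):
        for bound, cmap, want in audit(local, remote):
            print(f"{name}: crypto map {cmap} is on {bound}, peer expects {want}")
```
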
