Now I re-configured crypto map mymap to the FastEthernet interfaces and I removed
the routing protocols also, but the status is still down ....
R1#show crypto session
Crypto session current status
Interface: FastEthernet1/0
Session status: DOWN
Peer: 172.16.1.2 port 500
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
R2#show crypto session
Crypto session current status
Interface: FastEthernet1/0
Session status: DOWN
Peer: 172.16.1.1 port 500
IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
With Regards
Waheed Ahmed
+971-55-7720310
________________________________
From: Fawad Khan <[email protected]>
To: Parvees M <[email protected]>
Cc: waheed Ahmed <[email protected]>; ccie_security
<[email protected]>
Sent: Saturday, October 27, 2012 8:33 PM
Subject: Re: [OSL | CCIE_Security] IP Sec configuration problem
As Parvees said, apply the crypto map on fa 1/0.
You are able to ping because of existing routing between the two routers.
On Saturday, October 27, 2012, Parvees M wrote:
>You are applying the crypto map to the wrong interface.
>
>Apply it on fa1/0.
>
>Your VPN-related configuration at both ends is based on this interface.
>
>With best regards,
>
> Parvees M Davida
> CCNP, CISSP, JNCIS-FWV, ITIL V3
>
>On Sat, Oct 27, 2012 at 7:02 PM, waheed Ahmed <[email protected]> wrote:
>
>>Dear Team
>>
>>I have a problem with IPsec VPN configuration. When using show crypto session,
>>it shows the session is down at both ends. The routers' configuration is given
>>below:
>>
>>But I can ping both ends of the routers with the IPs 192.168.1.1 and 10.0.1.1.
>>Please correct my mistake or guide me further on this ....
>>
>> R1#show run
>>Building configuration...
>>
>>Current configuration : 1193 bytes
>>!
>>version 12.4
>>service timestamps debug datetime msec
>>service timestamps log datetime msec
>>no service password-encryption
>>!
>>hostname R1
>>!
>>boot-start-marker
>>boot-end-marker
>>!
>>!
>>no aaa new-model
>>memory-size iomem 5
>>!
>>!
>>ip cef
>>no ip domain lookup
>>ip domain name lab.local
>>!
>>!
>>
>>!
>>crypto isakmp policy 10
>> encr aes
>> authentication pre-share
>> group 2
>>crypto isakmp key 6 cisco address 172.16.1.2
>>!
>>!
>>crypto ipsec transform-set myset esp-aes esp-sha-hmac
>>!
>>crypto map mymap 10 ipsec-isakmp
>> set peer 172.16.1.2
>> set transform-set myset
>> match address 101
>>
>>!
>>interface FastEthernet0/0
>> ip address 192.168.1.1 255.255.255.0
>> duplex auto
>> speed auto
>> crypto map mymap
>>!
>>interface FastEthernet1/0
>> ip address 172.16.1.1 255.255.255.0
>> duplex auto
>> speed auto
>>!
>>router eigrp 10
>> network 172.16.0.0
>> network 192.168.1.0
>> no auto-summary
>>!
>>no ip http server
>>no ip http secure-server
>>!
>>!
>>!
>>access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
>>!
>>!
>>!
>>control-plane
>>!
>>
>>!
>>line con 0
>> exec-timeout 0 0
>> privilege level 15
>> logging synchronous
>>line aux 0
>> exec-timeout 0 0
>> privilege level 15
>> logging synchronous
>>line vty 0 4
>> login
>>!
>>!
>>end
>>
>>R1#show ip interface brief
>>Interface IP-Address OK? Method Status Protocol
>>FastEthernet0/0 192.168.1.1 YES manual up up
>>FastEthernet1/0 172.16.1.1 YES manual up up
>>
>>R1#show crypto session
>>Crypto session current status
>>
>>Interface: FastEthernet0/0
>>Session status: DOWN
>>Peer: 172.16.1.2 port 500
>> IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.1.0/255.255.255.0
>> Active SAs: 0, origin: crypto map
>>
>> ====================================================================
>>
>>
>>R2#sho run
>>Building configuration...
>>
>>Current configuration : 1187 bytes
>>!
>>version 12.4
>>service timestamps debug datetime msec
>>service timestamps log datetime msec
>>no service password-encryption
>>!
>>hostname R2
>>!
>>boot-start-marker
>>boot-end-marker
>>!
>>!
>>no aaa new-model
>>memory-size iomem 5
>>!
>>!
>>ip cef
>>no ip domain lookup
>>ip domain name lab.local
>>!
>>
>>!
>>!
>>crypto isakmp policy 10
>> encr aes
>> authentication pre-share
>> group 2
>>crypto isakmp key 6 cisco address 172.16.1.1
>>!
>>!
>>crypto ipsec transform-set myset esp-aes esp-sha-hmac
>>!
>>crypto map mymap 10 ipsec-isakmp
>> set peer 172.16.1.1
>> set transform-set myset
>> match address 101
>>!
>>!
>>!
>>!
>>interface FastEthernet0/0
>> ip address 10.0.1.1 255.255.255.0
>> duplex auto
>> speed auto
>> crypto map mymap
>>!
>>interface FastEthernet1/0
>> ip address 172.16.1.2 255.255.255.0
>> duplex auto
>> speed auto
>>!
>>router eigrp 10
>> network 10.0.0.0
>> network 172.16.0.0
>> no auto-summary
>>!
>>no ip http server
>>no ip http secure-server
>>!
>>!
>>!
>>access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
>>!
>>!
>>!
>>control-plane
>>
>>!
>>!
>>line con 0
>> exec-timeout 0 0
>> privilege level 15
>> logging synchronous
>>line aux 0
>> exec-timeout 0 0
>> privilege level 15
>> logging synchronous
>>line vty 0 4
>> login
>>!
>>!
>>end
>>
>>
>>
>>R2#show ip interface brief
>>Interface IP-Address OK? Method Status Protocol
>>FastEthernet0/0 10.0.1.1
>>Y_______________________________________________
>>For more information regarding industry leading CCIE Lab training, please
>>visit www.ipexpert.com
>>
>>Are you a CCNP or CCIE and looking for a job? Check out
>>www.PlatinumPlacement.com
>>
>
--
FNK, CCIE Security#35578