Share the complete configuration ....

With best regards,
Parvees M Davida
CCNP ,CISSP,JNCIS-FWV,ITIL V3

On Sat, Oct 27, 2012 at 9:05 PM, waheed Ahmed <[email protected]> wrote:
> Now I re-configured crypto map mymap to fastethernet interfaces and I
> removed the routing protocols also. but still status is down ....
> R1#show crypto session
> Crypto session current status
>
> Interface: FastEthernet1/0
>
> Session status: DOWN
> Peer: 172.16.1.2 port 500
>   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.1.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>
>
> R2#show crypto session
> Crypto session current status
>
> Interface: FastEthernet1/0
> Session status: DOWN
> Peer: 172.16.1.1 port 500
>   IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 192.168.1.0/255.255.255.0
>
>         Active SAs: 0, origin: crypto map
>
>
> With Regards
> Waheed Ahmed
> +971-55-7720310
>
> ------------------------------
> *From:* Fawad Khan <[email protected]>
> *To:* Parvees M <[email protected]>
> *Cc:* waheed Ahmed <[email protected]>; ccie_security <
> [email protected]>
> *Sent:* Saturday, October 27, 2012 8:33 PM
>
> *Subject:* Re: [OSL | CCIE_Security] IP Sec configuration problem
>
>
> As Parvees said apply crypto map on fa 1/0
> You are able to ping because of existing routing between the two routers
> On Saturday, October 27, 2012, Parvees M wrote:
>
> you are applying cryptomap to the wrong interface.
>
> apply it on fa1/0
>
> your vpn related configuration at both ends are based on this interface
>
>
> With best regards,
>
> Parvees M Davida
> CCNP ,CISSP,JNCIS-FWV,ITIL V3
>
>
> On Sat, Oct 27, 2012 at 7:02 PM, waheed Ahmed <[email protected]> wrote:
>
> Dear Team
>
> I have a problem for ipsec VPN configuration. when using show crypto
> session it showing session is down at both ends. Routers configuration
> is mentioned below:-
>
> But I can ping both ends of the routers with the ip 192.168.1.1 and
> 10.0.1.1. please correct my mistake or guide me further for this ....
>
> R1#show run
> Building configuration...
>
> Current configuration : 1193 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R1
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> ip domain name lab.local
> !
> !
>
> !
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key 6 cisco address 172.16.1.2
> !
> !
> crypto ipsec transform-set myset esp-aes esp-sha-hmac
> !
> crypto map mymap 10 ipsec-isakmp
>  set peer 172.16.1.2
>  set transform-set myset
>  match address 101
>
> !
> interface FastEthernet0/0
>  ip address 192.168.1.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map mymap
> !
> interface FastEthernet1/0
>  ip address 172.16.1.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> router eigrp 10
>  network 172.16.0.0
>  network 192.168.1.0
>  no auto-summary
> !
> no ip http server
> no ip http secure-server
> !
> !
> !
> access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
> !
> !
> !
> control-plane
> !
>
> !
> line con 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
> line aux 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
> line vty 0 4
>  login
> !
> !
> end
>
> R1#show ip interface brief
> Interface          IP-Address     OK? Method  Status  Protocol
> FastEthernet0/0    192.168.1.1    YES manual  up      up
> FastEthernet1/0    172.16.1.1     YES manual  up      up
>
> R1#show crypto session
> Crypto session current status
>
> Interface: FastEthernet0/0
> Session status: DOWN
> Peer: 172.16.1.2 port 500
>   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.1.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>
> ====================================================================
>
> R2#sho run
> Building configuration...
>
> Current configuration : 1187 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R2
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> ip domain name lab.local
> !
>
> !
> !
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key 6 cisco address 172.16.1.1
> !
> !
> crypto ipsec transform-set myset esp-aes esp-sha-hmac
> !
> crypto map mymap 10 ipsec-isakmp
>  set peer 172.16.1.1
>  set transform-set myset
>  match address 101
> !
> !
> !
> !
> interface FastEthernet0/0
>  ip address 10.0.1.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map mymap
> !
> interface FastEthernet1/0
>  ip address 172.16.1.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> router eigrp 10
>  network 10.0.0.0
>  network 172.16.0.0
>  no auto-summary
> !
> no ip http server
> no ip http secure-server
> !
> !
> !
> access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
> !
> !
> !
> control-plane
>
> !
> !
> line con 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
> line aux 0
>  exec-timeout 0 0
>  privilege level 15
>  logging synchronous
> line vty 0 4
>  login
> !
> !
> end
>
>
> R2#show ip interface brief
> Interface          IP-Address     OK? Method  Status  Protocol
> FastEthernet0/0    10.0.1.1       Y
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
>
>
> --
> FNK, CCIE Security#35578
>
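The interface mismatch pointed out in the thread (crypto map on FastEthernet0/0 while the peer 172.16.1.2 sits on the FastEthernet1/0 subnet) can be checked mechanically before a change is pushed. The following is an added example, not part of the original thread; `parse`, `misplaced_crypto_maps` and `R1_CONFIG` are hypothetical names, and the check assumes the peer is directly connected, as in this lab.

```python
import ipaddress
import re
# Constructed input: the lines of R1's posted configuration that matter here.
R1_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.2
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map mymap
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
"""

def parse(config):
    """Return ({map: [peer addresses]}, {interface: {"net": ..., "maps": [...]}})."""
    peers, ifaces, kind, name = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new section
            kind = name = None
            if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                kind, name = "map", m[1]
                peers.setdefault(name, [])
            elif m := re.match(r"interface (\S+)", line):
                kind, name = "if", m[1]
                ifaces[name] = {"net": None, "maps": []}
        elif kind == "map" and (m := re.match(r"set peer (\S+)", line)):
            peers[name].append(ipaddress.ip_address(m[1]))
        elif kind == "if" and (m := re.match(r"ip address (\S+) (\S+)", line)):
            ifaces[name]["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif kind == "if" and (m := re.match(r"crypto map (\S+)", line)):
            ifaces[name]["maps"].append(m[1])
    return peers, ifaces

def misplaced_crypto_maps(config):
    """Return (map, peer, applied_on, expected_on) for maps not on the peer-facing interface."""
    peers, ifaces = parse(config)
    findings = []
    for cmap, addrs in peers.items():
        applied = [i for i, d in ifaces.items() if cmap in d["maps"]]
        for peer in addrs:
            # Assumption: directly connected peer, so its subnet identifies the egress interface.
            for iface, d in ifaces.items():
                if d["net"] and peer in d["net"] and iface not in applied:
                    findings.append((cmap, str(peer), applied, iface))
    return findings

if __name__ == "__main__":
    print(misplaced_crypto_maps(R1_CONFIG))
```

For peers reached through a routed path, the expected interface would have to come from the routing table rather than from the connected subnets.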
