Typically, we would apply the static crypto maps on the interfaces facing each
other. Is there a reason that you applied it to F0/0 instead of F1/0? If you
chose to keep F0/0, do they have routing/reachability? I can't tell if you
have dynamic routes in your table, but for kicks, would you mind moving the
crypto map to F1/0 and seeing whether you get QM_IDLE in your "sh cry isa sa",
and inbound and outbound ESP SAs in the output of "sh cry ips sa"?
Regards,
Jay McMickle - 3x CCNP (R&S, Security, Design), CCIE #35355 (R&S)
From: Warrick Mitchell <[email protected]>
To: waheed Ahmed <[email protected]>
Cc: ccie_security <[email protected]>
Sent: Saturday, October 27, 2012 3:10 PM
Subject: Re: [OSL | CCIE_Security] IP Sec configuration problem
Hi Waheed,
You need some traffic to flow that matches your ACL entry in the
crypto map mymap policy.
So simply pinging the other end isn't enough; you need to source
the packets so they match ACL 101 in your config.
i.e. on R1
ping 10.0.1.1 source Fa0/0
or on R2
ping 192.168.1.1 source Fa0/0
That will then cause your session to come up.
Cheers,
Warrick
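The two points raised in this thread, the crypto map bound to the LAN interface instead of the one facing the peer, and the need for traffic that actually matches the crypto ACL before IKE will negotiate, can both be checked offline against a saved running-config. This is an added example, not code from the thread: R1_CONFIG is a constructed copy of the posted R1 config with IOS indentation restored, and the placement check assumes the IKE peer is on a directly connected subnet, as in this lab (on a routed WAN you would take the egress interface from the routing table instead).

```python
import ipaddress
import re
# Constructed sample modelled on R1's posted config (indentation restored): crypto map on the LAN side.
R1_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.2
 match address 101
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map mymap
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
"""

def parse_interfaces(cfg):
    """Map interface name -> {'network': connected subnet, 'crypto_map': name or None}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"network": None, "crypto_map": None})
        elif cur is None or not line.startswith(" "):
            cur = None  # '!' or a global command ends the interface stanza
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            cur["network"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r" crypto map (\S+)", line):
            cur["crypto_map"] = m.group(1)
    return ifaces

def check_crypto_map_placement(cfg):
    """Return {'applied', 'peer_facing'} if a crypto map sits on an interface whose subnet does not
    contain its 'set peer' (assumes a directly connected peer, as in this lab), else None."""
    ifaces = parse_interfaces(cfg)
    for cm, peer in re.findall(r"crypto map (\S+) \d+ ipsec-isakmp\n set peer (\S+)", cfg):
        peer_ip = ipaddress.ip_address(peer)
        facing = next((n for n, d in ifaces.items() if d["network"] and peer_ip in d["network"]), None)
        for name, d in ifaces.items():
            if d["crypto_map"] == cm and name != facing:
                return {"applied": name, "peer_facing": facing}
    return None

def is_interesting(cfg, acl, src, dst):
    """True if a src->dst packet matches the crypto ACL and so would trigger IKE negotiation."""
    def net(addr, wc):  # IOS wildcard bits are host bits: invert them into a netmask
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc)))
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net(a, aw) and d in net(b, bw) for a, aw, b, bw in
               re.findall(rf"access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)", cfg))
```

Run against R1_CONFIG, the placement check reports the map on FastEthernet0/0 with FastEthernet1/0 as the peer-facing interface, and a ping sourced from 172.16.1.1 (the default when no source is given) is reported as not matching ACL 101, while one sourced from 192.168.1.1 is.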
On Sun, Oct 28, 2012 at 1:28 AM, waheed Ahmed <[email protected]> wrote:
> Dear Parvees,
>
> Please check the attached configuration files and topology diagram.
>
>
>
> Thanking you in advance.
>
>
> With Regards
> Waheed Ahmed
> +971-55-7720310
>
> ________________________________
> From: Parvees M <[email protected]>
> To: waheed Ahmed <[email protected]>
> Cc: Fawad Khan <[email protected]>; ccie_security
> <[email protected]>
> Sent: Saturday, October 27, 2012 9:17 PM
>
> Subject: Re: [OSL | CCIE_Security] IP Sec configuration problem
>
> Share the complete configuration ....
> With best regards,
>
> Parvees M Davida
> CCNP, CISSP, JNCIS-FWV, ITIL V3
>
> On Sat, Oct 27, 2012 at 9:05 PM, waheed Ahmed <[email protected]>
> wrote:
>
> Now I re-configured crypto map mymap onto the FastEthernet interfaces and I
> removed the routing protocols as well, but the status is still down.
> R1#show crypto session
> Crypto session current status
>
> Interface: FastEthernet1/0
>
> Session status: DOWN
> Peer: 172.16.1.2 port 500
> IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.1.0/255.255.255.0
> Active SAs: 0, origin: crypto map
>
>
> R2#show crypto session
> Crypto session current status
>
> Interface: FastEthernet1/0
> Session status: DOWN
> Peer: 172.16.1.1 port 500
> IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 192.168.1.0/255.255.255.0
>
> Active SAs: 0, origin: crypto map
>
> With Regards
> Waheed Ahmed
> +971-55-7720310
>
> ________________________________
> From: Fawad Khan <[email protected]>
> To: Parvees M <[email protected]>
> Cc: waheed Ahmed <[email protected]>; ccie_security
> <[email protected]>
> Sent: Saturday, October 27, 2012 8:33 PM
>
> Subject: Re: [OSL | CCIE_Security] IP Sec configuration problem
>
>
> As Parvees said, apply the crypto map on fa 1/0.
> You are able to ping because of the existing routing between the two routers.
> On Saturday, October 27, 2012, Parvees M wrote:
>
> You are applying the crypto map to the wrong interface.
>
> Apply it on fa1/0.
>
> Your VPN-related configuration at both ends is based on this interface.
>
> With best regards,
>
> Parvees M Davida
> CCNP, CISSP, JNCIS-FWV, ITIL V3
>
> On Sat, Oct 27, 2012 at 7:02 PM, waheed Ahmed <[email protected]>
> wrote:
>
> Dear Team
>
> I have a problem with an IPsec VPN configuration. When using show crypto session,
> it shows the session is down at both ends. The router configurations are given
> below.
>
> But I can ping both ends of the routers with the IPs 192.168.1.1 and
> 10.0.1.1. Please correct my mistake or guide me further on this.
>
> R1#show run
> Building configuration...
>
> Current configuration : 1193 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R1
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> ip domain name lab.local
> !
> !
>
> !
> crypto isakmp policy 10
> encr aes
> authentication pre-share
> group 2
> crypto isakmp key 6 cisco address 172.16.1.2
> !
> !
> crypto ipsec transform-set myset esp-aes esp-sha-hmac
> !
> crypto map mymap 10 ipsec-isakmp
> set peer 172.16.1.2
> set transform-set myset
> match address 101
>
> !
> interface FastEthernet0/0
> ip address 192.168.1.1 255.255.255.0
> duplex auto
> speed auto
> crypto map mymap
> !
> interface FastEthernet1/0
> ip address 172.16.1.1 255.255.255.0
> duplex auto
> speed auto
> !
> router eigrp 10
> network 172.16.0.0
> network 192.168.1.0
> no auto-summary
> !
> no ip http server
> no ip http secure-server
> !
> !
> !
> access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
> !
> !
> !
> control-plane
> !
>
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> line aux 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> line vty 0 4
> login
> !
> !
> end
>
> R1#show ip interface brief
> Interface         IP-Address    OK? Method Status  Protocol
> FastEthernet0/0   192.168.1.1   YES manual up      up
> FastEthernet1/0   172.16.1.1    YES manual up      up
>
> R1#show crypto session
> Crypto session current status
>
> Interface: FastEthernet0/0
> Session status: DOWN
> Peer: 172.16.1.2 port 500
> IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.1.0/255.255.255.0
> Active SAs: 0, origin: crypto map
>
> ====================================================================
>
> R2#sho run
> Building configuration...
>
> Current configuration : 1187 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R2
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> memory-size iomem 5
> !
> !
> ip cef
> no ip domain lookup
> ip domain name lab.local
> !
>
> !
> !
> crypto isakmp policy 10
> encr aes
> authentication pre-share
> group 2
> crypto isakmp key 6 cisco address 172.16.1.1
> !
> !
> crypto ipsec transform-set myset esp-aes esp-sha-hmac
> !
> crypto map mymap 10 ipsec-isakmp
> set peer 172.16.1.1
> set transform-set myset
> match address 101
> !
> !
> !
> !
> interface FastEthernet0/0
> ip address 10.0.1.1 255.255.255.0
> duplex auto
> speed auto
> crypto map mymap
> !
> interface FastEthernet1/0
> ip address 172.16.1.2 255.255.255.0
> duplex auto
> speed auto
> !
> router eigrp 10
> network 10.0.0.0
> network 172.16.0.0
> no auto-summary
> !
> no ip http server
> no ip http secure-server
> !
> !
> !
> access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
> !
> !
> !
> control-plane
>
> !
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> line aux 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> line vty 0 4
> login
> !
> !
> end
>
>
>
> R2#show ip interface brief
> Interface         IP-Address    OK? Method Status  Protocol
> FastEthernet0/0 10.0.1.1 Y
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
> --
> FNK, CCIE Security#35578