MainStaySolutions
asked on
Cisco 1721 router IPSec Issues
I have a Cisco 1721 router, with current IOS c1700-k9o3sy7-mz.122-11.T.
Everything is up and running fine, minus anything IPSec.
When the IPSec is setup it seems to refuse to pass traffic over the tunnel we create. Absolutely no debugging information is show as well with the debug turned on. Even after trying with multiple devices on the other side, still, no luck.
Here is my config (IP and names modified) and what the show crypto ipsec sa produces
Thanks.
Everything is up and running fine, minus anything IPSec.
When the IPSec is setup it seems to refuse to pass traffic over the tunnel we create. Absolutely no debugging information is show as well with the debug turned on. Even after trying with multiple devices on the other side, still, no luck.
Here is my config (IP and names modified) and what the show crypto ipsec sa produces
Thanks.
Current configuration : 1719 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname contoso
!
boot system flash:c1700-bk9no3r2sy7-mz.122-13.T.bin
enable secret
enable password contoso
!
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.50.100 192.168.50.105
!
ip dhcp pool contoso
network 192.168.50.0 255.255.255.0
domain-name contoso.com
default-router 192.168.50.1
dns-server 192.168.50.10
lease 7
!
ip audit notify log
ip audit po max-events 100
!
!
crypto ca trustpoint verisign-ca
enrollment url http://ciscoca-ultra:80
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key contoso address 88.36.55.22
!
!
crypto ipsec transform-set contoso esp-3des esp-md5-hmac
!
crypto map contoso 10 ipsec-isakmp
set peer 88.36.55.22
set transform-set contoso
match address 105
!
!
!
!
interface FastEthernet0
description inside
ip address 192.168.50.1 255.255.255.0
ip nat inside
speed auto
!
interface Serial0
description Gateway
ip address 60.23.54.2 255.255.255.252
ip nat outside
crypto map contoso
!
ip nat inside source route-map contoso interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
!
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 deny ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 permit ip 192.168.50.0 0.0.0.255 any
!
route-map contoso permit 1
match ip address 175
!
!
line con 0
line aux 0
line vty 0 4
password contoso
login
!
no scheduler allocate
end
contoso#show crypto ipsec sa
interface: Serial0
Crypto map tag: contoso, local addr. 60.23.54.2
local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 88.36.55.22
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 60.23.54.2, remote crypto endpt.: 88.36.55.22
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Can you show the output of a "Show crypto isakmp sa" and "Show ip nat trans"
Is the access-list (105) an exact inverse match of the one listed above?
Do the encryption and hash match?
Do the encryption and hash match?
ASKER
Here is the output of the two commands.
contoso#show crypto isakmp sa
dst src state conn-id slot
contoso#show ip nat trans
contoso#ASKER
You mean for the other side?
The only thing that is slightly different that instead of it being a class C subnet like the router shows it's actually a class B subnet.
All the encryption protocols do match. We even tried instead of 3DES, DES. And still nothing.
The only thing that is slightly different that instead of it being a class C subnet like the router shows it's actually a class B subnet.
All the encryption protocols do match. We even tried instead of 3DES, DES. And still nothing.
The access lists need to be an *exact* inverse match of each other as applied to the crypto peer config.
ASKER
Everything now matches, and still no luck.
term mon
debug crypto isakmp
debug crypto ipsec
sh crypto isakmp sa
-> show SAs between two peers
sh crypto ipsec sa
-> show IPsec SAs built between peers
sh crypto engine connection active
-> show each phase 2 SA built
debug crypto isakmp
debug crypto ipsec
sh crypto isakmp sa
-> show SAs between two peers
sh crypto ipsec sa
-> show IPsec SAs built between peers
sh crypto engine connection active
-> show each phase 2 SA built
ASKER
Okay, after much fighting the tunnel is up, however, I can't ping anything on the other side now.
What did debug and/or the log data indicate?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.