From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Thu Mar 02 2006 - 12:18:00 GMT-3
I don't use DMVPN so if this issue is specific to DMVPN or the necessary
code levels then I digress.

In more general VPN thinking, if ISAKMP comes up (QM_IDLE) but IPSEC does
not, there are usually two key things that cause this: ACLs or NAT. Have
you run any debugs to see if you get any error messages? Are you able to
see encaps or decaps in the IPSEC SAs if they exist on the spoke yet? I
have been bitten a few times by not having the same prefix length on my
"match address" ACLs on both sides. For example, one side's match ACL uses
six separate host-host (/32) entries but the other summarizes them into a
single /29. This has kept IPSEC from coming up for me several times.

I don't know if this helps at all but it's what I can contribute... ;-)

Rik
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Venkatesh Palani
Sent: Thursday, March 02, 2006 1:55 AM
To: ccielab@groupstudy.com
Subject: CISCO 3845 and IPSEC
Hi all,

I have issues in getting IPSEC to work on a Cisco 3845. I am using a DMVPN
architecture and this is going to be a spoke router. There are already a few
other spokes which are 2850 series.

The problem is as follows: ISAKMP can be established but not IPSEC. I
am not sure if there is anything extra I have to do to kick-start the
encryption on these devices. Also, for some reason I don't see the
"crypto pki certificate chain TP-self-signed" when I do a sh run, though I am
running an ADV security S/W, but I see this in other 2850 devices running
advanced security IOS.

Any help will be great,

Thank you,
venkatesh
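
Added example, not part of the thread: a small Python check for the "match address" ACL mismatch described in the reply above, where one peer uses six host-to-host (/32) entries and the other a single /29. It parses `permit ip` entries and reports any entry that has no exact mirror (source and destination swapped) on the peer. The addresses are constructed samples from documentation ranges, and the function names are this example's own.

```python
import ipaddress

def parse_spec(tok):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(tok.pop(0)))
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard mask")
    return ipaddress.ip_network((first, 32 - wild.bit_length()), strict=False)

def parse_acl(text):
    """Return the set of (source, destination) networks from 'permit ip' entries."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        tok = tok[tok.index("permit") + 1:]
        if tok and tok.pop(0) == "ip":
            src = parse_spec(tok)
            pairs.add((src, parse_spec(tok)))
    return pairs

def mirror_mismatches(local_acl, remote_acl):
    """List local entries with no exact mirror (src/dst swapped) on the peer."""
    local, remote = parse_acl(local_acl), parse_acl(remote_acl)
    findings = []
    for src, dst in sorted(local):
        if (dst, src) in remote:
            continue
        # Peer entries that overlap but differ in size: the /32-versus-/29 case.
        near = any(rs.overlaps(dst) and rd.overlaps(src) for rs, rd in remote)
        findings.append((str(src), str(dst),
                         "prefix-length mismatch" if near else "no peer entry"))
    return findings

# Constructed sample ACL bodies (documentation address ranges, not from the thread).
SIDE_A = "\n".join(f" permit ip host 192.0.2.{n} host 198.51.100.10" for n in range(1, 7))
SIDE_B = " permit ip host 198.51.100.10 192.0.2.0 0.0.0.7"
SIDE_B_MIRRORED = "\n".join(
    f" permit ip host 198.51.100.10 host 192.0.2.{n}" for n in range(1, 7))

if __name__ == "__main__":
    for finding in mirror_mismatches(SIDE_A, SIDE_B):
        print(finding)
    print(mirror_mismatches(SIDE_A, SIDE_B_MIRRORED))
```

Run it against the ACL bodies copied from both peers; an empty list means every local entry has an exact mirror on the other side.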