From: Venkatesh Palani (kvpalani@gmail.com)
Date: Thu Mar 02 2006 - 13:55:55 GMT-3
Hi all,
Thanks for the quick responses,
I resolved the issue by upgrading the IOS to 12.4.3(a) ADVSECURITY. I was
using 12.4.1 before. I also noticed there were few bugs in 12.4.1 in DMVPN
IPSEC. The funny thing is I had the Phase 1 up but the phase 2 won't come up
between the hub and spoke initially but on upgrading the IOS it was fixed
without any configuration change. Ironically the 12.4.1 works fine on 2850
series but not on 3845. I didn't have enough time to play more with this
because of the urgency of the project.
I would once again like to thank all you guys for your support.
Thank you,
venkatesh
On 3/2/06, Guyler, Rik <rguyler@shp-dayton.org> wrote:
>
> I don't use DMVPN so if this issue is specific to DMVPN or the necessary
> code levels then I digress.
>
> In more general VPN thinking, if ISAKMP comes up (QM_IDLE) but IPSEC does
> not, there are usually two key things that cause this: ACL's or NAT. Have
> you run any debugs to see if you get any error messages? Are you able to
> see encaps or decaps in the IPSEC SA's if they exist on the spoke yet? I
> have been bitten a few times by not having the same prefix length on my
> "match address" ACL's on both sides. For example, one side's match ACL
> uses six separate host-host (/32) entries but the other summarizes them
> into a single /29. This has kept IPSEC from coming up for me several times.
>
> I don't know if this helps at all but it's what I can contribute... ;-)
>
> Rik
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Venkatesh Palani
> Sent: Thursday, March 02, 2006 1:55 AM
> To: ccielab@groupstudy.com
> Subject: CISCO 3845 and IPSEC
>
> Hi all,
> I have issues in getting the IPSEC to work on a cisco 3845. I am using a
> DMVPN architecture and this is going to be a spoke router. There are
> already few other spokes which are 2850 series.
> The problem is as follows: the isakmp can be established but not the IPSEC.
> I am not sure if there is anything extra I have to do to kick start the
> encryption on these devices. Also for some reason I don't see the
> "crypto pki certificate chain TP-self-signed" when I do a sh run though I
> am running an ADV security S/W but I see this in other 2850 devices running
> advancedsecurity IOS.
>
> Any help will be great,
>
> Thank you,
> venkatesh
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:37 GMT-3
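
The "match address" ACL mismatch Rik describes in the thread above (six host-to-host /32 entries on one side, a single /29 on the other) can be checked offline before touching the routers. The following Python sketch is an added example, not part of the original thread: it parses the `permit ip` lines of each side's crypto ACL and reports entries that have no exact mirror on the peer. The function names and the sample ACL lines are constructed for illustration.

```python
import ipaddress

def _net(tokens):
    """Pop one IOS address spec (any | host A | A WILDCARD) as a network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(f"{head and tokens.pop(0)}/32")
    # Invert the wildcard into a netmask (non-contiguous wildcards raise ValueError).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{mask}", strict=False)

def parse_acl(text):
    """Return [(src, dst), ...] for the 'permit ip' lines of an extended ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # skip blanks, remarks, deny lines, other protocols
        rest = tokens[2:]
        entries.append((_net(rest), _net(rest)))
    return entries

def find_unmirrored(local, remote):
    """List local entries with no exact (dst, src) mirror on the peer,
    each paired with the peer mirrors that overlap it without matching."""
    mirrors = [(dst, src) for src, dst in remote]
    report = []
    for src, dst in local:
        if (src, dst) in mirrors:
            continue
        near = [m for m in mirrors if src.overlaps(m[0]) and dst.overlaps(m[1])]
        report.append(((src, dst), near))
    return report

# Constructed sample ACLs (documentation address ranges), not from the thread.
SPOKE_ACL = "\n".join(
    f"permit ip host 192.0.2.10 host 198.51.100.{n}" for n in range(1, 7))
HUB_ACL = "permit ip 198.51.100.0 0.0.0.7 host 192.0.2.10"

if __name__ == "__main__":
    for (src, dst), near in find_unmirrored(parse_acl(SPOKE_ACL), parse_acl(HUB_ACL)):
        hint = ", ".join(f"{s} -> {d}" for s, d in near) or "nothing"
        print(f"spoke {src} -> {dst}: no exact mirror; peer covers it with {hint}")
```

An entry reported with a non-empty overlap list is the case from the thread: both sides cover the same traffic, but with different prefix lengths.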