Re: Basic Site-to-Site IPSec VPN based Narbik book

From: Paul Cocker <paul.cocker_at_gmx.com>
Date: Mon, 25 Oct 2010 18:19:08 +0100

You still need to route the packets. Without a route, the packet won't
attempt to exit your Ethernet interface, and won't get caught by your
crypto map.

On 25/10/2010 17:44, Andrew junie wrote:
> Ryan, why do we need a default route, because the peer is directly connected and
> it's reachable...
>
> Even if I add the default route....seems the same situation... I am able to reach
> the loopback due to the default route...but that isn't my goal
>
> Rack1R2#sh crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst src state conn-id slot status
>
> IPv6 Crypto ISAKMP SA
>
> Rack1R2#
>
>
> On Mon, Oct 25, 2010 at 8:31 PM, Ryan DeBerry <rdeberry_at_gmail.com> wrote:
>
>> What does your routing table look like?
>>
>> Add a default route and test again.
>>
>> On Mon, Oct 25, 2010 at 12:19 PM, Andrew junie <andrew.junie_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I am playing in Dynamips with a basic site-to-site IPSec VPN (IOS-IOS) using
>>> the Narbik Site-to-Site VPN workbook
>>>
>>> I wasn't able to bring up the IPSec tunnel, and I am not sure what mistake I
>>> made. Here is the config
>>>
>>> Both routers are directly connected and the IOS is
>>> c3725-adventerprisek9-mz.124-15.T9.BIN
>>>
>>>
>>> R1
>>> !
>>> !
>>> interface Loopback0
>>> ip address 1.1.1.1 255.255.255.0
>>> !
>>> interface FastEthernet0/1
>>> ip address 10.10.10.1 255.255.255.0
>>> duplex auto
>>> speed auto
>>> crypto map CMAP
>>> !
>>>
>>> crypto isakmp policy 10
>>> encr 3des
>>> hash md5
>>> authentication pre-share
>>> group 2
>>> crypto isakmp key 6 CISCO321 address 10.10.10.2
>>> !
>>> !
>>> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>>> !
>>> crypto map CMAP 10 ipsec-isakmp
>>> set peer 10.10.10.2
>>> set transform-set TSET
>>> match address 120
>>> !
>>> !
>>> access-list 120 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
>>>
>>>
>>>
>>> R2
>>> !
>>> interface Loopback0
>>> ip address 4.4.4.4 255.255.255.0
>>> !
>>> interface FastEthernet0/1
>>> ip address 10.10.10.2 255.255.255.0
>>> duplex auto
>>> speed auto
>>> crypto map CMAP
>>> !
>>> crypto isakmp policy 10
>>> encr 3des
>>> hash md5
>>> authentication pre-share
>>> group 2
>>> crypto isakmp key 6 CISCO321 address 10.10.10.1
>>> !
>>> !
>>> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>>> !
>>> crypto map CMAP 10 ipsec-isakmp
>>> set peer 10.10.10.1
>>> set transform-set TSET
>>> match address 121
>>> !
>>> access-list 121 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
>>>
>>>
>>>
>>> Rack1R2#sh crypto isakmp sa
>>> IPv4 Crypto ISAKMP SA
>>> dst src state conn-id slot status
>>>
>>> IPv6 Crypto ISAKMP SA
>>>
>>> That's all I got
>>> !
>>>
>>> I enabled debug on both sides.
>>> debug crypto ipsec
>>>
>>> debug crypto isakmp
>>>
>>> got nothing...
>>>
>>> Can anyone point out what mistake I made?
>>>
>>> I appreciate your input
>>>
>>> Thanks
>>>
>>> Andrew
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html

Received on Mon Oct 25 2010 - 18:19:08 ART
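
Added example, not part of the original messages: a small Python check that walks the R1 config quoted above in the order the reply describes, route lookup first and the crypto map on the egress interface second. The `ip route` line in `R1_ROUTED`, the function names and the verdict labels are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: the routing- and crypto-relevant lines of the R1 config quoted in the thread.
R1 = """\
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 crypto map CMAP
crypto map CMAP 10 ipsec-isakmp
 match address 120
access-list 120 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
"""
R1_ROUTED = R1 + "ip route 4.4.4.0 255.255.255.0 10.10.10.2\n"  # hypothetical fix

def net(addr, mask):
    # ipaddress accepts both netmasks and ACL wildcard (host) masks after the slash.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Collect routes (network, next hop), the crypto-map interface network and the crypto ACL."""
    routes, acl, crypto_net, last_if = [], [], None, None
    acl_id = re.search(r"match address (\d+)", cfg).group(1)
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[:2] == ["ip", "address"]:
            last_if = net(w[2], w[3])
            routes.append((last_if, None))          # connected route
        elif w[:2] == ["crypto", "map"] and len(w) == 3:
            crypto_net = last_if                    # interface-level "crypto map NAME"
        elif w[:2] == ["ip", "route"]:
            routes.append((net(w[2], w[3]), ipaddress.ip_address(w[4])))
        elif w[:4] == ["access-list", acl_id, "permit", "ip"]:
            acl.append((net(w[4], w[5]), net(w[6], w[7])))
    return routes, acl, crypto_net

def verdict(cfg, src, dst):
    """Classify one packet: routing decision first, then the crypto map on the egress interface."""
    routes, acl, crypto_net = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return "no-route"          # dropped before the crypto map is ever consulted
    _, next_hop = max(hits, key=lambda r: r[0].prefixlen)   # longest-prefix match
    if (next_hop or dst) not in crypto_net:
        return "clear-other-interface"
    if any(s_net.__contains__(src) and d_net.__contains__(dst) for s_net, d_net in acl):
        return "encrypt"           # interesting traffic: this is what starts ISAKMP
    return "clear-no-acl-match"    # leaves the crypto-map interface unencrypted
```

`verdict(R1, "1.1.1.1", "4.4.4.4")` returns `no-route` for the config as posted and `encrypt` once a route exists. With a route in place, a packet sourced from 10.10.10.1 (the address a ping without a source option uses on that link) returns `clear-no-acl-match`, because ACL 120 only matches sources in 1.1.1.0/24.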

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART