Hi Folks,
Trying to bring up the tunnel between R1 and R3. I am getting the
below-mentioned debug messages on R1. R1 is connected to R3 via the f0/0
interface and is running eBGP between them.
ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]
SA is still budding
The tunnel is showing as UP UP and I can ping the endpoints, but the
show crypto isakmp sa command gives nothing.
Could anyone please simulate and help out?
Below is the config of R1
-------------------------
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key cisco address 206.221.1.2
!
crypto ipsec transform-set cisco esp-des
!
crypto map cisco 10 ipsec-isakmp
 set peer 206.221.1.2
 set transform-set cisco
 match address 101
!
interface Tunnel0
 ip address 206.221.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 206.221.1.2
 crypto map cisco
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 100.100.100.100 255.255.255.255 Tunnel0 (Any traffic for this remote end server should go through tunnel interface encrypted)
ip route 206.221.1.2 255.255.255.255 1.1.1.2
!
access-list 101 permit ip any host 100.100.100.100
Below is the config on R3
---------------------------
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key cisco address 206.221.1.1
!
crypto ipsec transform-set cisco esp-des
!
crypto map cisco 10 ipsec-isakmp
 set peer 206.221.1.1
 set transform-set cisco
 match address 101
!
interface Tunnel0
 ip address 206.221.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 206.221.1.1
 crypto map cisco
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 206.221.1.1 255.255.255.255 1.1.1.1
!
access-list 101 permit ip any host 100.100.100.100
===========================
Below are some of the outputs from R1
R1#sh crypto ipsec sa
interface: Tunnel0
    Crypto map tag: cisco, local addr 1.1.1.1
   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (100.100.100.100/255.255.255.255/0/0)
   current_peer 206.221.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 206.221.1.2
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
Received on Thu Jan 12 2012 - 19:26:45 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART