Naufal,
Your tunnel probably is not up. Tunnels do not have keepalives on by
default. You could turn them on with the keepalive command, but that does
not work with IPSec. Could be wrong about this, but that is what is coming to
mind.
I believe your isakmp peer address is wrong. Yours is pointing towards the
tunnel when it should be the physical interface.
crypto isakmp key cisco address 206.221.1.2
change to
crypto isakmp key cisco address 1.1.1.2
Assuming you are using F0/0.
On Thu, Jan 12, 2012 at 6:26 PM, Naufal Jamal <naufalccie_at_yahoo.in> wrote:
> Hi Folks,
>
> Trying to bring up the tunnel between R1 and R3. I am getting the
> below mentioned debug messages on R1. R1 is connected to R3 with f0/0
> interface and is running eBGP between them.
> ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]
> SA is still budding
>
> Tunnel is showing to be in UP UP and can ping the endpoints but show
> crypto isakmp sa command gives nothing.
> Could anyone please simulate and help out?
> Below is the config of R1
> -------------------------
>
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> lifetime 500
> crypto isakmp key cisco address 206.221.1.2
> !
> crypto ipsec transform-set cisco esp-des
> !
> crypto map cisco 10 ipsec-isakmp
> set peer 206.221.1.2
> set transform-set cisco
> match address 101
> !
> interface Tunnel0
> ip address 206.221.1.1 255.255.255.0
> tunnel source FastEthernet0/0
> tunnel destination 206.221.1.2
> crypto map cisco
> !
> interface FastEthernet0/0
> ip address 1.1.1.1 255.255.255.0
> duplex auto
> speed auto
> !
> ip route 100.100.100.100 255.255.255.255 Tunnel0 (Any
> traffic for this remote end server should go through tunnel interface
> encrypted )
> ip route 206.221.1.2 255.255.255.255 1.1.1.2
> !
> access-list 101 permit ip any host 100.100.100.100
>
> Below is the config on R3
> ---------------------------
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> lifetime 500
> crypto isakmp key cisco address 206.221.1.1
> !
> crypto ipsec transform-set cisco esp-des
> !
> crypto map cisco 10 ipsec-isakmp
> set peer 206.221.1.1
> set transform-set cisco
> match address 101
> !
> interface Tunnel0
> ip address 206.221.1.2 255.255.255.0
> tunnel source FastEthernet0/0
> tunnel destination 206.221.1.1
> crypto map cisco
> !
> interface FastEthernet0/0
> ip address 1.1.1.2 255.255.255.0
> duplex auto
> speed auto
> !
> ip route 206.221.1.1 255.255.255.255 1.1.1.1
> !
> access-list 101 permit ip any host 100.100.100.100
>
>
>
> ===========================
>
> Below are some of the outputs from R1
>
> R1#sh crypto ipsec sa
>
> interface: Tunnel0
> Crypto map tag: cisco, local addr 1.1.1.1
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
> remote ident (addr/mask/prot/port): (100.100.100.100/255.255.255.255/0/0)
> current_peer 206.221.1.2 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
>
> local crypto endpt.: 1.1.1.1, remote crypto endpt.: 206.221.1.2
> path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
> current outbound spi: 0x0(0)
>
> inbound esp sas:
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
>
> outbound ah sas:
>
> outbound pcp sas:
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Jan 12 2012 - 19:45:17 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:51 ART
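
The mismatch the reply points at can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tooling: it parses constructed excerpts of the two quoted configs and reports peer crypto endpoints for which a router has no ISAKMP key. The names `TEMPLATE`, `parse`, `crypto_endpoints` and `missing_keys` are hypothetical, and it assumes (from the quoted output, `local addr 1.1.1.1`) that a crypto map on a tunnel interface uses the tunnel source's address.

```python
import re

# Constructed excerpt shaped like the R1/R3 configs quoted in the thread.
TEMPLATE = """\
crypto isakmp key cisco address {key}
interface Tunnel0
 ip address {tun} 255.255.255.0
 tunnel source FastEthernet0/0
 crypto map cisco
interface FastEthernet0/0
 ip address {phys} 255.255.255.0
"""
R1 = TEMPLATE.format(key="206.221.1.2", tun="206.221.1.1", phys="1.1.1.1")
R3 = TEMPLATE.format(key="206.221.1.1", tun="206.221.1.2", phys="1.1.1.2")

def parse(cfg):
    """Collect ISAKMP key addresses and per-interface address/tunnel/crypto facts."""
    out, cur = {"keys": set(), "ifs": {}}, None
    for line in cfg.splitlines():
        s = line.strip()
        if not line.startswith(" "):  # top-level line enters or leaves an interface
            m = re.match(r"interface (\S+)", s)
            cur = out["ifs"].setdefault(m[1], {}) if m else None
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            out["keys"].add(m[1])
        elif cur is not None:
            if m := re.match(r"ip address (\S+)", s):
                cur["ip"] = m[1]
            elif m := re.match(r"tunnel source (\S+)", s):
                cur["source"] = m[1]
            elif s.startswith("crypto map "):
                cur["crypto"] = True
    return out

def crypto_endpoints(c):
    # Assumption: a crypto map on a tunnel interface negotiates from the tunnel source's IP.
    eps = set()
    for itf in c["ifs"].values():
        if itf.get("crypto"):
            src = itf.get("source")
            eps.add(c["ifs"].get(src, {}).get("ip", src) if src else itf.get("ip"))
    return eps

def missing_keys(local, remote):
    """Peer crypto endpoints for which `local` holds no ISAKMP pre-shared key."""
    return sorted(crypto_endpoints(remote) - local["keys"])

if __name__ == "__main__":
    print("R1 has no key for:", missing_keys(parse(R1), parse(R3)))
```

With the key address on R1 changed to 1.1.1.2, as the reply suggests, `missing_keys` returns an empty list for R1; the same check run in the other direction flags R3's key for 206.221.1.1.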