Re: IPSec tunnel not coming up

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Thu, 12 Jan 2012 09:27:02 -0800 (PST)

So your issue is at phase 1. Have you tried pulling off the IPSEC and
ensuring only the GRE is working properly? I see you sourcing the tunnel as
f0/0, but does that route exist over the GRE tunnel? I don't see a route for
the 1.1.1.0/24 over the tunnel; only the public IP space. I know the tunnel
is "up", but that doesn't always mean operational. When I have issues like
this, I start peeling away complexities and obtain stepping stones to build
upon working technologies.

I see you mention eBGP between the two peers. Is that where the 1.1.1.0/24
route exists? Is there anything in between these devices, or is this
ethernet to ethernet?

Regards,
Jay McMickle - CCNP, CCSP, CCDP, MCSE
http://mycciepursuit.wordpress.com/

________________________________
From: Naufal Jamal <naufalccie_at_yahoo.in>
To: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Thursday, January 12, 2012 7:56 AM
Subject: IPSec tunnel not coming up

Hi Folks,

Trying to bring up the tunnel between R1 and R3. I am getting the below
mentioned debug messages on R1. R1 is connected to R3 with f0/0 interface
and is running eBGP between them.

ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]
SA is still budding

Tunnel is showing to be in UP UP and can ping the endpoints but
show crypto isakmp sa command gives nothing.
Could anyone please simulate and help out?

Below is the config of R1
-------------------------

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key cisco address 206.221.1.2
!
crypto ipsec transform-set cisco esp-des
!
crypto map cisco 10 ipsec-isakmp
 set peer 206.221.1.2
 set transform-set cisco
 match address 101
!
interface Tunnel0
 ip address 206.221.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 206.221.1.2
 crypto map cisco
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 100.100.100.100 255.255.255.255 Tunnel0 (Any traffic for this remote end server should go through tunnel interface encrypted )
ip route 206.221.1.2 255.255.255.255 1.1.1.2
!
access-list 101 permit ip any host 100.100.100.100

Below is the config on R3
---------------------------

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key cisco address 206.221.1.1
!
crypto ipsec transform-set cisco esp-des
!
crypto map cisco 10 ipsec-isakmp
 set peer 206.221.1.1
 set transform-set cisco
 match address 101
!
interface Tunnel0
 ip address 206.221.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 206.221.1.1
 crypto map cisco
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 206.221.1.1 255.255.255.255 1.1.1.1
!
access-list 101 permit ip any host 100.100.100.100

===========================

Below are some of the outputs from R1

R1#sh crypto ipsec sa

interface: Tunnel0
  Crypto map tag: cisco, local addr 1.1.1.1

  protected vrf: (none)
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (100.100.100.100/255.255.255.255/0/0)
  current_peer 206.221.1.2 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 1.1.1.1, remote crypto endpt.: 206.221.1.2
    path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
    current outbound spi: 0x0(0)

    inbound esp sas:

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:

    outbound ah sas:

    outbound pcp sas:

Received on Thu Jan 12 2012 - 09:27:02 ART
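
Added example, not part of the original thread and not written by either poster: while isolating phase 1, one mechanical check is to compare the address R1 reports as its local crypto endpoint with the address that R3's pre-shared key and peer statements name. The Python below runs that comparison on excerpts of the posted R3 config and R1 output (wrapped lines rejoined); the function names are hypothetical.

```python
import re

# Constructed inputs: excerpts of the R3 config and the R1
# "sh crypto ipsec sa" output posted in this thread, wrapped lines rejoined.
R3_CONFIG = """\
crypto isakmp key cisco address 206.221.1.1
crypto map cisco 10 ipsec-isakmp
 set peer 206.221.1.1
 set transform-set cisco
 match address 101
interface Tunnel0
 ip address 206.221.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 206.221.1.1
"""
R1_SHOW_SA = """\
interface: Tunnel0
  Crypto map tag: cisco, local addr 1.1.1.1
  current_peer 206.221.1.2 port 500
    local crypto endpt.: 1.1.1.1, remote crypto endpt.: 206.221.1.2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def peer_refs(config):
    """Addresses a config expects the remote IKE peer to use, per statement."""
    return {
        "isakmp key address": set(
            re.findall(r"^crypto isakmp key \S+ address " + IP, config, re.M)),
        "crypto map set peer": set(
            re.findall(r"^\s*set peer " + IP, config, re.M)),
    }

def local_endpoint(show_sa):
    """Address a router reports as its own crypto endpoint."""
    m = re.search(r"local crypto endpt\.: " + IP, show_sa)
    if m is None:
        raise ValueError("no 'local crypto endpt.' line found")
    return m.group(1)

def mismatches(remote_config, local_show_sa):
    """Remote-side statements that name an address other than the local endpoint."""
    local = local_endpoint(local_show_sa)
    return sorted((stmt, addr, local)
                  for stmt, addrs in peer_refs(remote_config).items()
                  for addr in addrs if addr != local)

if __name__ == "__main__":
    for stmt, addr, local in mismatches(R3_CONFIG, R1_SHOW_SA):
        print(f"R3 '{stmt}' names {addr}; R1 reports local endpoint {local}")
```

On the posted data both R3 statements name 206.221.1.1 while R1 reports 1.1.1.1 as its local endpoint, which lines up with the question above about sourcing the tunnel from f0/0.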