Check your ACLs. Typically the ACLs are the issue; they must be mirror images of one another. Most customers now use the full subnet, e.g.:

(side a)
ip access-list ext TUN1
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

(side b)
ip access-list ext TUN1
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

And then control the access via the inbound ACLs.
Regards,
Joe Sanchez
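As an added example that is not from either poster, here is a small Python checker for the mirror-image rule in the reply above: it parses IOS extended ACL entries (numbered or named form, wildcard masks), lists every side-A entry whose swapped pair is missing on side B, and emits the entries the far end would need. The sample ACLs are constructed from the thread's access-list 101 and from the /24-to-/24 pair in the reply.

```python
"""Mirror-image check for IPsec crypto ACLs written in IOS extended syntax."""
import ipaddress
import re

def _term(toks):
    """Consume one ACL address term; return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[1])))
    return ipaddress.ip_network(f"{toks[0]}/{netmask}", strict=False), toks[2:]

def parse_acl(text):
    """(src, dst) network pairs of every 'permit ip' entry, numbered or named form."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"\s*(?:access-list\s+\S+\s+)?permit\s+ip\s+(.+)", line)
        if m:
            src, rest = _term(m.group(1).split())
            dst, _ = _term(rest)
            pairs.append((src, dst))
    return pairs

def mirror_mismatches(side_a, side_b):
    """Side-A entries whose exact swap (dst, src) is absent on side B."""
    # IOS proposes each entry as a proxy-identity pair; the far end needs the swap.
    b_pairs = set(parse_acl(side_b))
    return [(s, d) for s, d in parse_acl(side_a) if (d, s) not in b_pairs]

def fmt(net):
    """Render a network back into IOS ACL address syntax (wildcard form)."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def mirrored_acl(text):
    """Named-ACL entries the far end needs in order to mirror `text`."""
    return "\n".join(f"permit ip {fmt(d)} {fmt(s)}" for s, d in parse_acl(text))

# Constructed samples: the thread's access-list 101 (identical on R1 and R3, so
# the 'any' side is the 0.0.0.0/0.0.0.0 identity seen in the debug output) and a
# mirrored /24-to-/24 pair in the style of the reply's suggestion.
R1_ACL = R3_ACL = "access-list 101 permit ip any host 100.100.100.100"
SIDE_A = "permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255"
SIDE_B = "permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255"
```

mirror_mismatches() returns an empty list only when every entry has its swapped counterpart on the other end; the R1/R3 sample fails because both ends put "any" on the same side of the entry.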
On Jan 12, 2012, at 7:56 AM, Naufal Jamal <naufalccie_at_yahoo.in> wrote:
> Hi Folks,
>
> Trying to bring up the tunnel between R1 and R3. I am getting the
> below debug messages on R1. R1 is connected to R3 via its f0/0
> interface and is running eBGP with it.
>
> ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]
> SA is still budding
>
> The tunnel is showing UP/UP and I can ping the endpoints, but the
> show crypto isakmp sa command gives nothing.
> Could anyone please simulate and help out?
> Below is the config of R1
> -------------------------
>
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 500
> crypto isakmp key cisco address 206.221.1.2
> !
> crypto ipsec transform-set cisco esp-des
> !
> crypto map cisco 10 ipsec-isakmp
>  set peer 206.221.1.2
>  set transform-set cisco
>  match address 101
> !
> interface Tunnel0
>  ip address 206.221.1.1 255.255.255.0
>  tunnel source FastEthernet0/0
>  tunnel destination 206.221.1.2
>  crypto map cisco
> !
> interface FastEthernet0/0
>  ip address 1.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> ip route 100.100.100.100 255.255.255.255 Tunnel0   (Any traffic for this remote-end server should go through the tunnel interface, encrypted)
> ip route 206.221.1.2 255.255.255.255 1.1.1.2
> !
> access-list 101 permit ip any host 100.100.100.100
>
> Below is the config on R3
> ---------------------------
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 500
> crypto isakmp key cisco address 206.221.1.1
> !
> crypto ipsec transform-set cisco esp-des
> !
> crypto map cisco 10 ipsec-isakmp
>  set peer 206.221.1.1
>  set transform-set cisco
>  match address 101
> !
> interface Tunnel0
>  ip address 206.221.1.2 255.255.255.0
>  tunnel source FastEthernet0/0
>  tunnel destination 206.221.1.1
>  crypto map cisco
> !
> interface FastEthernet0/0
>  ip address 1.1.1.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> ip route 206.221.1.1 255.255.255.255 1.1.1.1
> !
> access-list 101 permit ip any host 100.100.100.100
>
>
>
> ===========================
>
> Below are some of the outputs from R1
>
> R1#sh crypto ipsec sa
>
> interface: Tunnel0
>     Crypto map tag: cisco, local addr 1.1.1.1
>
>    protected vrf: (none)
>    local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>    remote ident (addr/mask/prot/port): (100.100.100.100/255.255.255.255/0/0)
>    current_peer 206.221.1.2 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 0, #recv errors 0
>
>      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 206.221.1.2
>      path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
>      current outbound spi: 0x0(0)
>
>      inbound esp sas:
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Jan 13 2012 - 07:16:28 ART