[c-nsp] Having trouble bringing up an IPSEC tunnel, pointers?

comcast mail gsgranados at comcast.net
Wed May 30 16:06:15 EDT 2007


Hi, I'm trying to configure a VPN from a 2610XM to a 7206VXR NPE400 and not having much luck (or debug output).

Router A (2610) has 1 FAST E and one Serial

fast E 0/0 has an IP of 10.200.100.1/24
Serial 0/1.1 has a frame connected IP of 172.16.100.2 and a DLCI of 16

the 7206 has a fast E 1/0 with an IP of 10.200.200.1/24
and another fast E of 10.100.0.146 

On the 2600 side, I have the following crypto commands

crypto isakmp policy 10
 encr aes 256
 group 2
 hash sha
crypto isakmp key 6 testkey address 10.100.0.146  (far end peer on 7206)
crypto ipsec transform-set vpntransform esp-aes 256 esp-sha-hmac

crypto map vpn 10 ipsec-isakmp
 set peer 10.100.0.146
 set transform-set vpntransform
 match address 100

and the ACL
access-list 100 permit ip 10.200.100.0 0.0.0.255 10.200.200.0 0.0.0.255


For completeness, the serial
interface Serial0/1.1 point-to-point
 ip address 172.16.100.2 255.255.255.252
 frame-relay interface-dlci 16
 crypto map vpn

On the 7206 VXR I have

crypto isakmp policy 10
 encr aes 256
 hash sha
 group 2
crypto isakmp key 6 testkey address 172.16.100.2 (2600 serial address for peer)
crypto ipsec transform-set vpntransform esp-aes 256 esp-sha-hmac

crypto map vpn 10 ipsec-isakmp
 set peer 172.16.100.2
 set transform-set vpntransform
 match address 100

and the ACL
access-list 100 permit ip 10.200.200.0 0.0.0.255 10.200.100.0 0.0.0.255 


on the fast E 0/1
 ip address 10.100.0.146
 crypto map vpn

When I complete the configuration, if I try to use an extended ping and originate traffic from the fast E on the 2600, it simply times out when reaching the 7206, and the reverse path has the same results.  When I enable debugging
debug crypto isakmp
debug crypto ipsec
debug crypto engine

I don't get any debug output other than when I apply the maps to the interfaces;
when I apply map vpn to serial 0/0.1, for example, on the 2600 I get a
callback no matching SA found for 0.0.0.0/0.0.0.0

I tried to match the config to the LAN-to-LAN IPSEC config example that Cisco provides, but no luck; what am I missing?  Also, I'm running c2600-ik9s-mz.123-14.T7 and c7200-ik9s-mz.12-14.T7 on each unit respectively.  One last datapoint: I have verified connectivity between 172.16.100.2 and 10.100.0.146; I can ping and telnet from one to the other, and I tested that the path is symmetrical between both routers.  Any help would be appreciated.

Thank you!
Scott
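A crypto-map LAN-to-LAN tunnel like the one above only negotiates when the two ends are mirror images of each other: the peer address named on one side must be the address of the interface that carries the crypto map on the other side, the pre-shared key must be bound to exactly that address on both sides, the transform-sets must be identical, at least one ISAKMP policy must match, and the crypto ACLs must be reversed copies of one another. The script below is an added example, not part of the original post or any Cisco tool: it parses the relevant lines of two IOS configurations and lists every asymmetry it finds. The embedded configurations are the ones from the post transcribed with full IOS keyword spelling; the /24 mask on the 7206's FastEthernet0/1 is an assumption, since the post gives only the address.

```python
"""Mirror-check the two ends of an IOS crypto-map IPsec tunnel.

Stand-alone example: parses the crypto-relevant lines of two configurations
and reports every asymmetry (peer/interface, key binding, transform-set,
ISAKMP policy, crypto ACL).  An empty result means the lines shown here are
consistent and the fault lies in something this check does not see.
"""
import ipaddress
import re

# Constructed sample input: the two configurations from the post, normalized
# to full IOS keyword spelling.  The mask on FastEthernet0/1 is assumed.
ROUTER_A = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 group 2
crypto isakmp key testkey address 10.100.0.146
crypto ipsec transform-set vpntransform esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 10.100.0.146
 set transform-set vpntransform
 match address 100
interface FastEthernet0/0
 ip address 10.200.100.1 255.255.255.0
interface Serial0/1.1 point-to-point
 ip address 172.16.100.2 255.255.255.252
 frame-relay interface-dlci 16
 crypto map vpn
access-list 100 permit ip 10.200.100.0 0.0.0.255 10.200.200.0 0.0.0.255
"""
ROUTER_B = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 group 2
crypto isakmp key testkey address 172.16.100.2
crypto ipsec transform-set vpntransform esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.100.2
 set transform-set vpntransform
 match address 100
interface FastEthernet1/0
 ip address 10.200.200.1 255.255.255.0
interface FastEthernet0/1
 ip address 10.100.0.146 255.255.255.0
 crypto map vpn
access-list 100 permit ip 10.200.200.0 0.0.0.255 10.200.100.0 0.0.0.255
"""


def wildcard_to_prefix(network, wildcard):
    """IOS ACL 'network wildcard' pair -> CIDR, e.g. 10.0.0.0 0.0.0.255 -> 10.0.0.0/24."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Network((network, bin(netmask).count("1")), strict=False))


def parse_config(text):
    """Extract ISAKMP policies, pre-shared keys, transform-sets, crypto maps, ACLs and interfaces."""
    cfg = {"policies": {}, "keys": {}, "transform_sets": {}, "maps": {}, "acls": {}, "interfaces": {}}
    block = None  # (section kind, key) that the following indented lines belong to
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw.startswith(" "):  # sub-command of the current section
            kind, key = block or (None, None)
            if kind == "policy":  # "encr aes 256" -> {"encr": "aes 256"}
                cfg["policies"][key][words[0]] = " ".join(words[1:])
            elif kind == "map" and words[0] in ("set", "match"):
                cfg["maps"][key][words[1]] = words[2]  # peer / transform-set / address
            elif kind == "interface" and words[:2] in (["ip", "address"], ["crypto", "map"]):
                cfg["interfaces"][key][words[1]] = words[2]  # address / map
            continue
        block = None
        line = " ".join(words)
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            block = ("policy", m[1]); cfg["policies"][m[1]] = {}
        elif m := re.match(r"crypto isakmp key (?:[06] )?(\S+) address (\S+)$", line):
            cfg["keys"][m[2]] = m[1]  # peer address -> key string (type 0/6 prefix tolerated)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            block = ("map", (m[1], m[2])); cfg["maps"][block[1]] = {}
        elif m := re.match(r"interface (\S+)", line):
            block = ("interface", m[1]); cfg["interfaces"][m[1]] = {}
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append(
                (wildcard_to_prefix(m[2], m[3]), wildcard_to_prefix(m[4], m[5])))
    return cfg


def _map_interface_address(cfg, map_name):
    """Address of the interface carrying crypto map `map_name`, or None if it is applied nowhere."""
    for intf in cfg["interfaces"].values():
        if intf.get("map") == map_name and "address" in intf:
            return intf["address"]
    return None


def mirror_check(a, b, a_name="A", b_name="B"):
    """Return the asymmetries between two peers; an empty list means the crypto configs mirror."""
    findings = []
    a_pol = {tuple(sorted(p.items())) for p in a["policies"].values()}
    b_pol = {tuple(sorted(p.items())) for p in b["policies"].values()}
    if not a_pol & b_pol:
        findings.append("no ISAKMP policy with identical encr/hash/group on both sides")
    for (name, seq), entry in a["maps"].items():
        local, peer = _map_interface_address(a, name), entry.get("peer")
        if local is None:
            findings.append(f"{a_name}: crypto map {name} is applied to no addressed interface")
            continue
        if a["keys"].get(peer) is None:
            findings.append(f"{a_name}: no pre-shared key bound to peer {peer}")
        remote = [(k, e) for k, e in b["maps"].items() if e.get("peer") == local]
        if not remote:
            findings.append(f"{b_name}: no crypto map entry peers with {a_name}'s {local}")
            continue
        for (rname, rseq), rentry in remote:
            if _map_interface_address(b, rname) != peer:
                findings.append(f"{a_name} {name} {seq}: peer {peer} is not the address of the "
                                f"{b_name} interface carrying map {rname}")
            if b["keys"].get(local) != a["keys"].get(peer):
                findings.append(f"{name} {seq} <-> {rname} {rseq}: pre-shared keys differ or are bound to the wrong address")
            if a["transform_sets"].get(entry.get("transform-set")) != b["transform_sets"].get(rentry.get("transform-set")):
                findings.append(f"{name} {seq} <-> {rname} {rseq}: transform-sets differ")
            fwd = set(a["acls"].get(entry.get("address"), []))
            rev = {(dst, src) for src, dst in b["acls"].get(rentry.get("address"), [])}
            if fwd != rev:
                findings.append(f"{name} {seq} <-> {rname} {rseq}: crypto ACLs are not mirror images")
    return findings


if __name__ == "__main__":
    issues = mirror_check(parse_config(ROUTER_A), parse_config(ROUTER_B), "2610", "7206")
    print("\n".join(issues) or "crypto configurations mirror each other")
```

Run against the two configurations as posted, the check returns no findings, which is itself a useful result when debugging: it narrows the search to things the listing does not show, such as which interface the test traffic actually leaves through or whether the packets match the crypto ACL at all. Moving `crypto map vpn` onto the 7206's LAN-side FastEthernet1/0 instead of the peer-facing interface, a common slip, is caught immediately as a peer/interface mismatch.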

