[c-nsp] Having trouble bringing up a IPSEC tunnel, pointers?
comcast mail
gsgranados at comcast.net
Wed May 30 16:06:15 EDT 2007
Hi, I'm trying to configure a vpn from a 2610XM to a 7206VXR NPE400 and not having much luck (or debug output).
Router A (2610) has 1 FAST E and one Serial
fast E 0/0 has an IP of 10.200.100.1/24
Serial 0/1.1 has a frame connected IP of 172.16.100.2 and a DLCI of 16
the 7206 has a fast E 1/0 with an IP of 10.200.200.1/24
and another fast E of 10.100.0.146
On the 2600 side, I have the following crypto commands
crypto isakmp policy 10
encr aes 256
group 2
hash sha
crypto isakmp key 6 testkey address 10.100.0.146 (far end peer on 7206)
crypto ipsec transform vpntransform esp-aes 256 esp-sha
crypto map vpn 10 ipsec-isa
set peer 10.100.0.146
set transform vpntransform
match address 100
and the ACL
access-list 100 permit ip 10.200.100.0 0.0.0.255 10.200.200.0 0.0.0.255
For completeness, the serial
serial 0/1.1 point
ip 172.16.100.2 255.255.255.252
frame interface-dlci 16
crypto map vpn
On the 7206 VXR I have
crypto isakmp policy 10
encr aes 256
hash sha
group 2
crypto isakmp key 6 testkey address 172.16.100.2 (2600 serial address for peer)
crypto ipsec transform vpntransform esp-aes 256 esp-sha
crypto map vpn 10 ipsec-isa
set peer 172.16.100.2
set transform vpntransform
match address 100
and the acl
access-list 100 permit ip 10.200.200.0 0.0.0.255 10.200.100.0 0.0.0.255
on the fast E 0/1
ip addr 10.100.0.146
crypto map vpn
When I complete the configuration, if I try to use an extended ping and originate traffic from the fast E on the 2600, it simply times out when reaching the 7206, and the reverse path has the same results. When I enable debugging
debug crypto isakmp
debug crypto ipsec
debug crypto engine
I don't get any debug output other than when I apply the maps to the interfaces
when I apply map vpn to serial 0/0.1 for example on the 2600 I get a
callback no matching SA found for 0.0.0.0/0.0.0.0
I tried to match the config to the LAN-to-LAN IPSEC config example that Cisco provides but no luck; what am I missing? Also, I'm running c2600-ik9s-mz.123-14.T7 and c7200-ik9s-mz.12-14.T7 on each unit respectively. One last datapoint: I have connectivity that's verified between 172.16.100.2 and 10.100.0.146; I can ping and telnet from one to the other, and I tested that the path is symmetrical between both routers. Any help would be appreciated.
Thank you!
Scott
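A quick consistency check over the two ends, as an added example that is not part of the post or any Cisco material: it parses both crypto configs and verifies the items that must agree between a site-to-site pair (set peer equals the far side's crypto-map interface address, the isakmp key address equals the peer, the transform-set algorithms match, and the crypto ACLs are mirror images). The snippets are constructed in full IOS syntax from the addresses in the post; the 7206 interface name and its mask, and the key value, are assumptions.

```python
import re

# Constructed snippets in full IOS syntax (the post abbreviates); 7206 interface name/mask assumed.
TEMPLATE = """\
crypto isakmp key 6 testkey address {peer}
crypto ipsec transform-set vpntransform esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer {peer}
 set transform-set vpntransform
 match address 100
access-list 100 permit ip {near} 0.0.0.255 {far} 0.0.0.255
interface {iface}
 ip address {ip} {mask}
 crypto map vpn
"""
SIDE_A = TEMPLATE.format(peer="10.100.0.146", near="10.200.100.0", far="10.200.200.0",
                         iface="Serial0/1.1 point-to-point", ip="172.16.100.2", mask="255.255.255.252")
SIDE_B = TEMPLATE.format(peer="172.16.100.2", near="10.200.200.0", far="10.200.100.0",
                         iface="FastEthernet0/1", ip="10.100.0.146", mask="255.255.255.0")

# Single-valued items: the first capture group is stored under the key.
PATTERNS = {"key_addr": r"crypto isakmp key .* address (\S+)", "peer": r" set peer (\S+)",
            "ts": r"crypto ipsec transform-set \S+ (.+)", "acl_id": r" match address (\S+)",
            "ip": r" ip address (\S+)"}

def parse(cfg):
    c = {"acl": []}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line):
                c[key] = m[1]
        if m := re.match(r"access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)", line):
            c["acl"].append(m.groups())            # (id, src+wildcard, dst+wildcard)
        elif re.match(r" crypto map \S+$", line):  # map applied under an interface:
            c["map_ip"] = c.get("ip")              # remember that interface's address
    return c

def check_pair(a_cfg, b_cfg):
    a, b, problems = parse(a_cfg), parse(b_cfg), []
    for me, them, name in ((a, b, "A"), (b, a, "B")):
        if me.get("peer") != them.get("map_ip"):
            problems.append(f"{name}: set peer {me.get('peer')} is not the far side's crypto-map interface address")
        if me.get("key_addr") != me.get("peer"):
            problems.append(f"{name}: isakmp key address {me.get('key_addr')} differs from set peer")
    if a.get("ts") != b.get("ts"):
        problems.append("transform-set algorithms differ between the two sides")
    mirror = {(d, s) for i, s, d in a["acl"] if i == a.get("acl_id")}
    if mirror != {(s, d) for i, s, d in b["acl"] if i == b.get("acl_id")}:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

`check_pair(SIDE_A, SIDE_B)` returns an empty list for the constructed pair; feed it the two running configs and any returned string names the side and item to revisit.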