[c-nsp] Having trouble bringing up a IPSEC tunnel, pointers?

Wed May 30 19:39:36 EDT 2007

Please post a full sanitized config. You may have ACLs blocking 
IPSEC/ISAKMP traffic in or out.

Chris Serafin
chris at chrisserafin.com

comcast mail wrote:
> Hi, I'm trying to configure a vpn from a 2610XM to a 7206VXR NPE400 and not having much luck (or debug output).
>
> Router A (2610) has 1 FAST E and one Serial
>
> fast E 0/0 has an IP of 10.200.100.1/24
> Serial 0/1.1 has a frame connected IP of 172.16.100.2 and a DLCI of 16
>
> the 7206 has a fast E 1/0 with an IP of 10.200.200.1/24
> and another fast E of 10.100.0.146 
>
> On the 2600 side, I have the following crypto commandes
>
> crypto isakmp policy 10
> encr aes 256
> group 2
> hash sha
> crypto isakmp key 6 testkey address 10.100.0.146  (far end peer on 7206)
> crypto ipsec transform vpntransform esp-aes 256 esp-sha
>
> crypto map vpn 10 ipsec-isa
> set peer 10.100.0.146
> set transform vpntransform
> match address 100
>
> and the ACL
> access-list 100 permit ip 10.200.100.0 0.0.0.255 10.200.200.0 0.0.0.255
>
>
> For completeness, the serial
> serial 0/1.1 point
> ip 172.16.100.2 255.255.255.252
> frame interface-dlci 16
> crypto map vpn
>
> On the 7206 VXR I have
>
> crypto isakmp policy 10
> encr aes 256
> hash sha
> group 2
> crypto isakmp key 6 testkey address 172.16.100.2 (2600 serial address for peer)
> crypto ipsec transform vpntransform esp-aes 256 esp-sha
>
> crypto map vpn 10 ipsec-isa
> set peer 172.16.100.2
> set transform vpntransform
> match address 100
>
> and the acl
> access-list 100 permit ip 10.200.200.0 0.0.0.255 10.200.100.0 0.0.0.255 
>
>
> on the fast E 0/1
> ip addr 10.100.0.146
> crypto map vpn
>
> When I complete the configuration if I try to use an extended ping and originate traffic from the fast E on the 2600 it simply times out when reaching the 7206 and the reverse path also has the same results.  When I enable debugging
> debug crypto isakmp
> debug crypto ipsec
> debug crypto engine
>
> I don't get any debug output other than when I apply the maps to the interfaces
> when I apply map vpn to serial 0/0.1 for example on the 2600 I get a
> callback no matching SA found for 0.0.0.0/0.0.0.0
>
> I tried to match the config to the lan to lan IPSEC config example that Cisco provides but no luck, what am I missing?  Also, I'm running c2600-ik9s-mz.123-14.T7 and c7200-ik9s-mz.12-14.T7 on each unit respectively.  One last datapoint, I have connectivity that's verified between 172.16.100.2 and 10.100.0.146 I can ping and telnet from one to the other and I tested that the path is simetrical between both routers.  Any help would be appreciated.
>
> Thank you!
> Scott
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
>   