[c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.

Pär Åslund pslund at gmail.com
Tue Dec 15 06:46:24 EST 2009


Hi,

I have problems with a WS-SVC-IPSEC-1 where I'm trying to set up a
site-to-site tunnel.

Last night, I got the tunnel up. But after applying an ACL to the 6500,
the tunnel went down and stayed down. After removing configuration just
to get the tunnel up again and continue trying to get the interesting
traffic through as intended, the tunnel never comes up. The remote
device is an ASA 5505, where I haven't touched anything since this
failure started. From what I can get out of all this, looking at logs
and crypto statistics, the traffic never gets to the module in slot 8.

show crypto sessions - nothing
show crypto isakmp sa - nothing
show crypto ipsec sa - nothing

I can still use packet-tracer on the ASA as I could before and the
flow is created, but nothing ends up in the 6500 logs. debug crypto
isakmp and debug crypto ipsec are both enabled without anything being
logged. Any ideas are most welcome. Guess I have missed something
obvious but right now I just can't figure out what it is.

This is the configuration from the 6500.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <SECRETKEY> address <peer ip> no-xauth
!
crypto isakmp client configuration group GROUP1
 key <KEY>
 dns 172.16.9.2
 domain i.company.com
 pool vpn
 acl 101
crypto isakmp profile ikepro
   match identity group GROUP1
   client authentication list userlist
   isakmp authorization list grouplist
   client configuration address respond
   client configuration group GROUP1
crypto isakmp profile site-to-site
   keyring default
   match identity address <peer ip> 255.255.255.255
   keepalive 60 retry 5
!
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecpro
 set transform-set 3dessha
!
!
crypto dynamic-map dynmap 10
 set transform-set 3dessha
 set isakmp-profile ikepro
crypto dynamic-map dynmap 15
 set peer 76.238.146.205
 set transform-set 3dessha
 set isakmp-profile site-to-site
crypto dynamic-map dynmap 20
 set transform-set 3dessha
 set isakmp-profile ikepro
!
!
crypto map vpnmap engine slot 8
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap


and then on VLAN 8 where the traffic is supposed to come in:
interface Vlan8
 ip address <ip> 255.255.255.248
 ip nat outside
 standby 8 ip <standby ip>
 standby 8 priority 115
 standby 8 preempt
 standby 8 name <standby name>
 crypto map vpnmap redundancy <standby name>
end

Best regards,
.pelle
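When a crypto map never sees traffic, the first thing worth confirming is that the chain interface -> crypto map -> dynamic-map -> transform-set / ISAKMP profile is fully linked and that the map carries its `engine slot` line, since a missing or misspelled link fails silently with no ISAKMP debug output. The checker below is an added example written for this post, not the poster's or Cisco's code; it runs over a constructed excerpt of the 6500 config above and reports every dangling reference it finds.

```python
import re
# Constructed sample: the crypto-relevant lines of the 6500 config from the post
SAMPLE = """\
crypto isakmp profile site-to-site
   match identity address <peer ip> 255.255.255.255
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 15
 set transform-set 3dessha
 set isakmp-profile site-to-site
crypto map vpnmap engine slot 8
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
interface Vlan8
 crypto map vpnmap redundancy <standby name>
"""
def parse_blocks(config):
    """Map each unindented IOS line to the list of its indented child lines."""
    blocks, head = {}, []
    for raw in config.splitlines():
        if raw.strip() and raw[0] != " ":
            head = blocks.setdefault(raw.strip(), [])
        elif raw.strip():
            head.append(raw.strip())
    return blocks

def check_crypto_bindings(config):
    """Follow interface -> crypto map -> dynamic-map -> transform-set/profile; list dangling links."""
    blocks, findings = parse_blocks(config), []
    names = lambda pfx, i: {h.split()[i] for h in blocks if h.startswith(pfx)}
    tsets, profiles = names("crypto ipsec transform-set ", 3), names("crypto isakmp profile ", 3)
    dyn, cmaps, engine = names("crypto dynamic-map ", 2), {}, set()
    for h in blocks:  # "crypto map NAME engine slot N" vs "crypto map NAME SEQ ipsec-isakmp dynamic DYN"
        m = re.match(r"crypto map (\S+) (?:engine slot \d+|\d+ ipsec-isakmp dynamic (\S+))$", h)
        if m and m.group(2):
            cmaps.setdefault(m.group(1), set()).add(m.group(2))
        elif m:
            engine.add(m.group(1))
    bound = {l.split()[2] for h, b in blocks.items() if h.startswith("interface ")
             for l in b if l.startswith("crypto map ")}
    for h, body in blocks.items():
        if h.startswith("crypto dynamic-map "):
            for kind, ref in ((l.split() + ["", ""])[1:3] for l in body if l.startswith("set ")):
                if (kind == "transform-set" and ref not in tsets) or (kind == "isakmp-profile" and ref not in profiles):
                    findings.append(f"{h}: {kind} {ref} not defined")
    for name, dmaps in cmaps.items():
        findings += [f"crypto map {name}: dynamic-map {d} not defined" for d in dmaps - dyn]
        if name not in engine:
            findings.append(f"crypto map {name}: no 'engine slot' line, IPsec is not steered to the service module")
        if name not in bound:
            findings.append(f"crypto map {name}: not applied to any interface")
    return findings
```

Feed it the full `show running-config` text; an empty list means the references line up, so the problem lies elsewhere (the applied ACL, HSRP state, or the peer's view of the tunnel).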

