[c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.
Lee
ler762 at gmail.com
Tue Dec 15 07:30:11 EST 2009
Do you have the inside and outside VLANs for your IPsec traffic configured
with a crypto connect? e.g.
interface Vlan7
 description outside:encrypted traffic
 no ip address
 crypto engine subslot 8/0
 crypto connect vlan 8
!
interface Vlan8
 description inside:cleartext traffic
 ip address xxx
 crypto map xxx
 crypto engine subslot 8/0
Regards,
Lee
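The pairing Lee describes (an outside VLAN with no IP address that is crypto-connected to the inside VLAN carrying the crypto map, both pointed at the crypto engine) is easy to get wrong when the config is spread over several VLANs. The script below is an added example, not code from either poster and not a Cisco tool: it parses interface blocks out of an IOS config and reports any VLAN that carries a crypto map without a matching crypto connect, any outside VLAN that still has an IP address, and any side missing its crypto engine statement. The two sample configs are constructed from the thread, with the posters' placeholders replaced by RFC 5737 documentation addresses and an assumed HSRP group name.

```python
"""Lint a Catalyst 6500 IOS config for VPNSM / IPSEC-SPA VLAN pairing.

Added example for this thread; not code from the cisco-nsp posters and not
a Cisco tool. It encodes the check Lee's reply asks for: a VLAN carrying a
crypto map (inside, cleartext side) needs an outside VLAN with
'crypto connect vlan <n>' pointing at it, the outside VLAN carries no IP
address, and both carry a 'crypto engine' statement.
"""
import re

# Lee's working two-VLAN pattern (constructed; "xxx" placeholders filled in).
LEE_STYLE_CONFIG = """\
interface Vlan7
 description outside:encrypted traffic
 no ip address
 crypto engine subslot 8/0
 crypto connect vlan 8
!
interface Vlan8
 description inside:cleartext traffic
 ip address 192.0.2.1 255.255.255.248
 crypto map vpnmap
 crypto engine subslot 8/0
!
"""

# Pelle's VLAN 8 as posted (constructed; HSRP name 'vpnhsrp' is assumed):
# a crypto map, but no outside VLAN crypto-connected to it.
PELLE_VLAN8_CONFIG = """\
interface Vlan8
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
 standby 8 ip 192.0.2.3
 standby 8 priority 115
 standby 8 preempt
 standby 8 name vpnhsrp
 crypto map vpnmap redundancy vpnhsrp
end
"""


def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} in config order.

    A block starts at 'interface <name>' and ends at '!', 'end' or the next
    'interface' line. Indentation is ignored because list archives (like
    the one this thread comes from) usually strip it.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def _has(lines, prefix):
    return any(l.startswith(prefix) for l in lines)


def lint_crypto_connect(config):
    """Return a list of findings; empty means the pairing matches Lee's pattern."""
    ifaces = parse_interfaces(config)
    findings = []
    connected_to = {}  # inside VLAN name -> outside VLAN names pointing at it

    # Pass 1: outside VLANs, identified by 'crypto connect vlan <n>'.
    for name, lines in ifaces.items():
        for line in lines:
            m = re.match(r"^crypto connect vlan\s*(\d+)$", line)
            if not m:
                continue
            inside = "Vlan" + m.group(1)
            connected_to.setdefault(inside, []).append(name)
            if inside not in ifaces:
                findings.append(f"{name}: crypto connect points at {inside}, which is not configured")
            if _has(lines, "ip address "):
                findings.append(f"{name}: outside VLAN should carry no IP address (use 'no ip address')")
            if not _has(lines, "crypto engine "):
                findings.append(f"{name}: outside VLAN lacks a 'crypto engine' statement")

    # Pass 2: inside VLANs, identified by a crypto map on a VLAN interface.
    for name, lines in ifaces.items():
        if not name.startswith("Vlan") or not _has(lines, "crypto map "):
            continue
        outsides = connected_to.get(name, [])
        if not outsides:
            findings.append(f"{name}: carries a crypto map but no outside VLAN has "
                            f"'crypto connect vlan {name[4:]}'; cleartext traffic has no path to the module")
        elif len(outsides) > 1:
            findings.append(f"{name}: crypto-connected from more than one VLAN: {', '.join(outsides)}")
        if not _has(lines, "crypto engine "):
            findings.append(f"{name}: inside VLAN lacks a 'crypto engine' statement")
    return findings


if __name__ == "__main__":
    for label, cfg in (("Lee's pattern", LEE_STYLE_CONFIG), ("Pelle's Vlan8", PELLE_VLAN8_CONFIG)):
        print(f"== {label}")
        for f in lint_crypto_connect(cfg) or ["ok: VLAN pairing looks complete"]:
            print("  " + f)
```

Run it against a `show running-config` dump saved to a file by reading the file into `lint_crypto_connect`; the parser only needs the interface blocks, so the rest of the config (ISAKMP policies, dynamic maps) can stay in place. The check deliberately accepts both `crypto engine slot` and `crypto engine subslot` forms, since it only looks at the `crypto engine ` prefix.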
On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund <pslund at gmail.com> wrote:
> Hi,
>
> I have problems with a WS-SVC-IPSEC-1 where I'm trying to set up a
> site-to-site tunnel.
>
> Last night, I got the tunnel up. But after applying an ACL to the 6500,
> the tunnel went down and stayed down. Removing configuration just to
> get the tunnel up again and continue trying to get the interesting
> traffic through as intended, the tunnel never comes up. The remote
> device is an ASA 5505, where I haven't touched anything since this
> failure started. From what I can get out of all this, looking at logs
> and crypto statistics, the traffic never gets to the module in slot 8.
>
> show crypto sessions - nothing
> show crypto isakmp sa - nothing
> show crypto ipsec sa - nothing
>
> I can still use packet-tracer on the ASA as I could before and the
> flow is created, but nothing ends up in the 6500 logs. debug crypto
> isakmp and debug crypto ipsec are both enabled without anything being
> logged. Any ideas are most welcome. Guess I have missed something
> obvious but right now I just can't figure out what it is.
>
> This is the configuration from the 6500.
>
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp key <SECRETKEY> address <peer ip> no-xauth
> !
> crypto isakmp client configuration group GROUP1
>  key <KEY>
>  dns 172.16.9.2
>  domain i.company.com
>  pool vpn
>  acl 101
> crypto isakmp profile ikepro
>  match identity group GROUP1
>  client authentication list userlist
>  isakmp authorization list grouplist
>  client configuration address respond
>  client configuration group GROUP1
> crypto isakmp profile site-to-site
>  keyring default
>  match identity address <peer ip> 255.255.255.255
>  keepalive 60 retry 5
> !
> !
> crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
> !
> crypto ipsec profile ipsecpro
>  set transform-set 3dessha
> !
> !
> crypto dynamic-map dynmap 10
>  set transform-set 3dessha
>  set isakmp-profile ikepro
> crypto dynamic-map dynmap 15
>  set peer 76.238.146.205
>  set transform-set 3dessha
>  set isakmp-profile site-to-site
> crypto dynamic-map dynmap 20
>  set transform-set 3dessha
>  set isakmp-profile ikepro
> !
> !
> crypto map vpnmap engine slot 8
> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
>
>
> and then on VLAN 8 where the traffic is supposed to come in:
> interface Vlan8
>  ip address <ip> 255.255.255.248
>  ip nat outside
>  standby 8 ip <standby ip>
>  standby 8 priority 115
>  standby 8 preempt
>  standby 8 name <standby name>
>  crypto map vpnmap redundancy <standby name>
> end
>
> Best regards,
> .pelle
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/