[c-nsp] show crypto session still showing DOWN / no result for show crypto isakmp sa
thucydide tajouo
tajouo at yahoo.fr
Fri Aug 7 10:08:06 EDT 2015
Hi everybody, I'm trying to configure a VPN between two sites of a lab network but it doesn't work. There are two routers (R1 and R2) connected using their respective fa0/0 interfaces; below are the results of certain show commands:

R1#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: DOWN
Peer: 192.168.10.2 port 500
IPSEC FLOW: permit ip 192.168.9.0/255.255.255.0 192.168.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
R1#

R2#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: DOWN
Peer: 192.168.10.1 port 500
IPSEC FLOW: permit ip 192.168.11.0/255.255.255.0 192.168.9.0/255.255.255.0
Active SAs: 0, origin: crypto map
R2#show crypto isakmp sa
dst             src             state          conn-id slot status
R2#

//////////////////////// R1 RUNNING CONFIG //////////////
Current configuration : 1615 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key test address 192.168.10.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.10.2
set transform-set TS
match address vpn-acl
!
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
ip address 192.168.9.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld 192.168.10.1 192.168.10.1 prefix-length 24
ip nat inside source list nat-acl pool ovrld overload
!
ip access-list extended nat-acl
deny ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 any
ip access-list extended vpn-acl
permit ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

//////////////////////// R2 RUNNING CONFIG //////////////
Current configuration : 1617 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key test address 192.168.10.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.10.1
set transform-set TS
match address vpn-acl
!
!
interface FastEthernet0/0
ip address 192.168.10.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld 192.168.10.2 192.168.10.2 prefix-length 24
ip nat inside source list nat-acl pool ovrld overload
!
ip access-list extended nat-acl
deny ip 192.168.11.0 0.0.0.255 192.168.9.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended vpn-acl
permit ip 192.168.11.0 0.0.0.255 192.168.9.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login

Thanks for your help,
Thucydide TAJOUO
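Both peers above report "Active SAs: 0" and an empty `show crypto isakmp sa`, i.e. IKE has never even been attempted. The following Python checker is an added example, not the poster's or Cisco's code: it parses the crypto-relevant statements of two IOS configs and reports the usual reasons a crypto-map tunnel never negotiates: `set peer` or the pre-shared key not matching the other side's crypto-mapped interface, ISAKMP policy or transform-set mismatch, crypto ACLs that are not mirror images, and a protected destination the router has no route for (on IOS the crypto map is evaluated on egress after routing, so interesting traffic with no route never reaches it and IKE is never triggered). `lab_cfg` is a constructed template reproducing the relevant lines of the two posted configs; `parse_config`, `_side` and `check_pair` are the example's own helpers, and `_net` assumes the ACL address form `ADDR WILDCARD` or `any`.

```python
"""Consistency checks for a pair of IOS crypto-map VPN configs (added diagnostic, not a Cisco tool)."""
from ipaddress import IPv4Address, IPv4Network

def lab_cfg(host, wan, peer, local_net, remote_net, key="test"):
    """Constructed template carrying the crypto-relevant lines of the two configs in the post."""
    return f"""hostname {host}
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key {key} address {peer}
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set TS
 match address vpn-acl
interface FastEthernet0/0
 ip address {wan} 255.255.255.0
 crypto map CMAP
ip access-list extended vpn-acl
 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
"""

R1_CFG = lab_cfg("R1", "192.168.10.1", "192.168.10.2", "192.168.9.0", "192.168.11.0")
R2_CFG = lab_cfg("R2", "192.168.10.2", "192.168.10.1", "192.168.11.0", "192.168.9.0")

def _net(tok):
    """Consume one ACL address spec ('any' or 'ADDR WILDCARD'); return (network, remaining tokens)."""
    if tok[0] == "any":
        return IPv4Network("0.0.0.0/0"), tok[1:]
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(tok[1])))   # wildcard -> netmask
    return IPv4Network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_config(text):
    """Extract hostname, ISAKMP keys/policies, transform-sets, crypto maps, interfaces, ACLs and routes."""
    cfg = {"hostname": "?", "keys": {}, "policy": {}, "tsets": {}, "cmaps": {}, "intfs": {}, "acls": {}, "routes": []}
    block = None                                   # dict or list being filled by indented sub-lines
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            block = None
        elif t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            block = cfg["policy"].setdefault(t[3], {})
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["keys"][t[-1]] = t[3]              # peer address -> pre-shared key
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) > 3:   # global entry; the interface form has 3 tokens
            block = cfg["cmaps"].setdefault(t[2], {})
        elif t[0] == "interface":
            block = cfg["intfs"].setdefault(t[1], {})
        elif t[:3] == ["ip", "access-list", "extended"]:
            block = cfg["acls"].setdefault(t[3], [])
        elif t[:2] == ["ip", "route"]:
            cfg["routes"].append(IPv4Network(f"{t[2]}/{t[3]}"))
        elif block is None or len(t) < 2:
            continue                               # unrelated global statement or bare keyword
        elif isinstance(block, list):              # ACL entry: permit|deny ip SRC DST
            src, rest = _net(t[2:])
            block.append((t[0], src, _net(rest)[0]))
        elif t[:2] == ["ip", "address"]:
            block["addr"], block["net"] = IPv4Address(t[2]), IPv4Network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["crypto", "map"]:           # crypto map applied to this interface
            block["cmap"] = t[2]
        else:   # "set peer X" / "match address ACL" -> key is t[1]; policy attribute "encr 3des" -> key is t[0]
            block[t[1] if t[0] in ("set", "match") else t[0]] = t[-1]
    return cfg

def _side(cfg):
    """(local address, crypto-map entry, crypto ACL entries) for the interface that carries the crypto map."""
    intf = next(i for i in cfg["intfs"].values() if "cmap" in i)
    cm = cfg["cmaps"][intf["cmap"]]
    return intf["addr"], cm, cfg["acls"].get(cm.get("address"), [])

def check_pair(a, b):
    """Return findings for the a<->b tunnel; an empty list means both sides agree."""
    out = []
    for me, other in ((a, b), (b, a)):
        h, o, (my_addr, cm, acl), peer_addr = me["hostname"], other["hostname"], _side(me), _side(other)[0]
        if cm.get("peer") != str(peer_addr):
            out.append(f"{h}: set peer {cm.get('peer')} is not {o}'s crypto interface {peer_addr}")
        if not me["keys"].get(str(peer_addr)) or me["keys"][str(peer_addr)] != other["keys"].get(str(my_addr)):
            out.append(f"{h}: pre-shared key for {peer_addr} is missing or differs from {o}'s key for {my_addr}")
        # Interesting traffic must be routable before the crypto map on the egress interface can ever match it.
        reach = me["routes"] + [i["net"] for i in me["intfs"].values() if "net" in i]
        for kind, _, dst in acl:
            if kind == "permit" and not any(dst.subnet_of(r) for r in reach):
                out.append(f"{h}: no route toward protected destination {dst}")
    (_, cm_a, acl_a), (_, cm_b, acl_b) = _side(a), _side(b)
    if a["policy"] != b["policy"]:
        out.append("isakmp policy attributes differ between the peers")
    if a["tsets"].get(cm_a.get("transform-set")) != b["tsets"].get(cm_b.get("transform-set")):
        out.append("transform-set proposals differ between the peers")
    if {(s, d) for k, s, d in acl_a if k == "permit"} != {(d, s) for k, s, d in acl_b if k == "permit"}:
        out.append("crypto ACLs are not mirror images of each other")
    return out
```

`check_pair(parse_config(R1_CFG), parse_config(R2_CFG))` can also be fed a pasted `show running-config` from each router; statements the parser does not know leave the checks unaffected. For the two configs as posted it finds the peers, keys, policy, transform-set and crypto ACLs consistent and reports only that neither router carries a route toward the remote protected network (neither config has an `ip route` statement), which is the first thing to verify with `show ip route` before looking at the crypto configuration itself.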