[c-nsp] show crypto session still showing DOWN / no result for show crypto isakmp sa

Nick Cutting ncutting at edgetg.co.uk
Fri Aug 7 10:23:44 EDT 2015


debug crypto isakmp

Shut the outside interface, then bring it back up.
You should see some clues in here; the router debugs are more meaningful than the ASA ones ever were.

Also, try it without NAT first, as this is a lab.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of thucydide tajouo
Sent: 07 August 2015 15:08
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] show crypto session still showing DOWN / no result for show crypto isakmp sa

Hi everybody, I'm trying to configure a VPN between two sites of a lab network but it doesn't work. There are two routers (R1 and R2) connected using their respective fa0/0 interfaces; below are the results of certain show commands:

R1#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN
Peer: 192.168.10.2 port 500
  IPSEC FLOW: permit ip 192.168.9.0/255.255.255.0 192.168.11.0/255.255.255.0
        Active SAs: 0, origin: crypto map

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
R1#

R2#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN
Peer: 192.168.10.1 port 500
  IPSEC FLOW: permit ip 192.168.11.0/255.255.255.0 192.168.9.0/255.255.255.0
        Active SAs: 0, origin: crypto map

R2#show crypto isakmp sa
dst             src             state          conn-id slot status
R2#

////////////////////////  R1 RUNNING CONFIG //////////////

Current configuration : 1615 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key test address 192.168.10.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set TS
 match address vpn-acl
!
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld 192.168.10.1 192.168.10.1 prefix-length 24
ip nat inside source list nat-acl pool ovrld overload
!
ip access-list extended nat-acl
 deny   ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.9.0 0.0.0.255 any
ip access-list extended vpn-acl
 permit ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

////////////////////////  R2 RUNNING CONFIG //////////////

Current configuration : 1617 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key test address 192.168.10.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.10.1
 set transform-set TS
 match address vpn-acl
!
!
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld 192.168.10.2 192.168.10.2 prefix-length 24
ip nat inside source list nat-acl pool ovrld overload
!
ip access-list extended nat-acl
 deny   ip 192.168.11.0 0.0.0.255 192.168.9.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended vpn-acl
 permit ip 192.168.11.0 0.0.0.255 192.168.9.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login

Thanks for your help,

Thucydide TAJOUO