Cannot establish ipsec tunnel between two routers

Status
Not open for further replies.

drbk563

IS-IT--Management
Nov 21, 2006
194
US
I have been trying to establish an ipsec tunnel between the two routers below but I have been unsuccessful. Below are the configurations for both routers. What am I missing?

Thank you

R1 Config

crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5
crypto isakmp key grace address 100.100.12.2
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
 set peer 100.100.12.2
 set transform-set TRANS
 match address 101
!
interface Serial0/0
 ip address 100.100.12.1 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 crypto map MAP1
!
router rip
 version 2
 network 2.0.0.0
 network 100.0.0.0
 no auto-summary
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0

R2 Config


crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5
crypto isakmp key grace address 100.100.12.1
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto map MAP1 5 ipsec-isakmp
 set peer 100.100.12.1
 set transform-set TRANS
 match address 101
!
interface Serial0/0
 ip address 100.100.12.2 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 crypto map MAP1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
router rip
 version 2
 network 2.0.0.0
 network 100.0.0.0
 no auto-summary
 
What is being matched with ACL 101? You didn't include that part of your config.

CCNP, CCDP
 
Sorry about that. Below is what is being matched on ACL 101.

R1 -

access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944

R2 -

access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944
 
you are defining your 'interesting' traffic from 1.1.1.0/24 to 2.2.2.0/24 on port TCP 1944.

so how are you tripping the crypto map to start?

assuming you are sending something from 1.1.1.1 to 2.2.2.2 that uses port 1944 and there is still no proper connection, please post a

sh crypto ipsec sa

also what kind of messages are you getting when you do:

debug crypto isakmp and debug crypto ipsec



We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
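
Added example (not part of any poster's reply): a small Python check of which test flows the ACL 101 entries posted above would select as "interesting" traffic, and so which ones would trip the crypto map. The helper names and the test flows are constructed for illustration, and the parser handles only the single ACE form that appears in this thread.

```python
import ipaddress

# ACL 101 exactly as posted in the thread for each router.
R1_ACL = "access-list 101 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq 1944"
R2_ACL = "access-list 101 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 1944"

def parse_ace(line):
    """Parse 'access-list N permit PROTO SRC WILD DST WILD [eq PORT]' only."""
    t = line.split()
    if len(t) not in (8, 10) or t[0] != "access-list" or t[2] != "permit":
        raise ValueError("unsupported ACE: " + line)
    if len(t) == 10 and t[8] != "eq":
        raise ValueError("unsupported port operator: " + t[8])
    dport = int(t[9]) if len(t) == 10 else None  # trailing 'eq' = destination port
    return {"proto": t[3], "src": (t[4], t[5]), "dst": (t[6], t[7]), "dport": dport}

def in_wildcard(addr, net, wild):
    """Cisco wildcard match: bits set in the wildcard mask are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def is_interesting(ace, proto, src, sport, dst, dport):
    """True if the crypto ACL entry selects this flow for encryption."""
    # sport is carried for readability; the posted ACEs have no source-port test.
    return (ace["proto"] in ("ip", proto)
            and in_wildcard(src, *ace["src"])
            and in_wildcard(dst, *ace["dst"])
            and ace["dport"] in (None, dport))

# Constructed test flows: (router ACL, proto, src, sport, dst, dport).
FLOWS = {
    "R1: ICMP echo sourced from Loopback0": (R1_ACL, "icmp", "1.1.1.1", None, "2.2.2.2", None),
    "R1: TCP/1944 sourced from Serial0/0": (R1_ACL, "tcp", "100.100.12.1", 40000, "2.2.2.2", 1944),
    "R1: TCP/1944 sourced from Loopback0": (R1_ACL, "tcp", "1.1.1.1", 40000, "2.2.2.2", 1944),
    "R2: TCP reply from port 1944": (R2_ACL, "tcp", "2.2.2.2", 1944, "1.1.1.1", 40000),
}

def evaluate():
    """Return {flow label: matches the crypto ACL on that router}."""
    return {label: is_interesting(parse_ace(acl), *flow)
            for label, (acl, *flow) in FLOWS.items()}

if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:40} {'encrypt (trips crypto map)' if hit else 'not matched'}")
```

Of the constructed flows, only TCP from 1.1.1.0/24 to port 1944 on 2.2.2.0/24 matches; the reply segment leaving port 1944 does not match R2's ACL 101 as posted, because the trailing `eq` tests the destination port.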
 
Thank you all for your help but I figured it out.
 