IPSEC problem
  • IPSEC problem

    Hello,
    I configured IPsec on two routers in different locations. Both routers are Cisco 877W. One of the routers is at my home, used as a wifi access point. It assigns DHCP IPs to my machine. After configuring IPsec, when I run the "show crypto isakmp sa" command, it shows nothing:

    #show crypto isakmp sa
    IPV4 Crypto ISAKMP SA
    dst src state

    IPv6 Crypto ISAKMP SA


    ==== Below is my router config. Can anyone please help with why it's not working? Thanks in advance.
    #sh run
    Building configuration...


    Current configuration : 5762 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname xxxxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable password xxxxxx
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    !


    !
    aaa session-id common
    !
    !
    dot11 syslog
    !
    dot11 ssid MusTang2
    vlan 10
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 xxxxxxxxx
    !
    ip cef
    ip dhcp relay information trust-all
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.111.1
    ip dhcp excluded-address 5.5.5.1 5.5.5.20
    ip dhcp excluded-address 192.168.1.1
    !
    ip dhcp pool ccp-pool
    import all
    network 172.16.111.0 255.255.255.0
    dns-server 8.8.8.8
    default-router 172.16.111.1
    lease 0 2
    !
    ip dhcp pool MusTang2
    import all
    network 5.5.5.0 255.255.255.0
    default-router 5.5.5.1
    dns-server 8.8.8.8
    !
    !
    no ip domain lookup
    ip domain name yourdomain.com
    !
    !
    !
    username steve privilege 15 password 0 xxxxxxxxx
    !
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key xxxxxx address xxxxxxx
    !
    !
    crypto ipsec transform-set Router-IPSEC esp-3des esp-md5-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description ipsec tunnel to dc
    set peer xxxxxxxxx
    set transform-set Router-IPSEC
    match address 122
    !
    archive
    log config
    hidekeys
    !
    !
    !
    bridge irb
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    ip dhcp relay information trusted
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    ip dhcp relay information trusted
    duplex full
    speed 100
    !
    interface FastEthernet4
    ip address dhcp client-id FastEthernet4
    ip directed-broadcast
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache cef
    !
    encryption vlan 10 mode ciphers tkip
    !
    ssid MusTang2
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root access-point
    !
    interface Dot11Radio0.1
    encapsulation dot1Q 10 native
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 172.16.111.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    bridge-group 1
    !
    interface Vlan10
    description WIRELESS VLAN
    no ip address
    ip virtual-reassembly
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface BVI1
    ip address 5.5.5.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    ip route 1.1.1.0 255.255.255.0 xxxxxxxxxx
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source list 17 interface FastEthernet4 overload
    ip nat inside source list 100 interface FastEthernet4 overload
    !
    access-list 1 permit 5.5.5.0 0.0.0.255
    access-list 17 permit 172.16.111.0 0.0.0.255
    access-list 100 remark -=Nonat for ipsec=- traffic
    access-list 100 deny ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
    access-list 100 permit ip 5.5.5.0 0.0.0.255 any
    access-list 122 remark SDM_ACL Category=4
    access-list 122 remark IPSec Rule
    access-list 122 permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
    access-list 160 deny tcp host 10.193.0.1 any
    access-list 160 permit tcp any any
    no cdp run
    !
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip

  • #2
    Re: IPSEC problem

    Moved to the Cisco forum as it is not an appropriate topic for the Coffee Lounge.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: IPSEC problem

      Make sure the crypto config is a mirror image on each side. Check your Phase 1 and Phase 2 settings as well, and consult the Cisco documentation.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)
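The mirror-image check suggested above can be done mechanically. An empty `show crypto isakmp sa` only says that no Phase 1 SA exists, which happens both when the two sides' proposals do not agree and when no traffic matching the crypto ACL has been sent yet (a crypto-map tunnel is negotiated on demand). The script below is an added example, not code from the thread or from Cisco: it parses the isakmp policies, pre-shared keys, transform sets, crypto map entries and crypto ACLs out of two routers' running-config text, reports whether the Phase 1 proposal, Phase 2 transform set and crypto ACL mirror each other, checks that every `set peer` address has a `crypto isakmp key ... address` line, and flags the legacy algorithms the thread's config proposes (3DES, MD5, DH group 2). The two sample configs and their 203.0.113.x peer addresses are constructed for the example; only the classic `access-list N permit ip <src> <wc> <dst> <wc>` ACL form is handled, and the IOS defaults assumed for unset policy attributes are marked in the code.

```python
"""Compare the crypto-map IPsec configuration of two Cisco IOS peers (added example)."""
import re

# Assumption: classic IOS 12.x defaults for isakmp policy attributes not set explicitly.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "dh-group1", "dh-group2"}
TOP_LEVEL = {"crypto", "interface", "access-list", "ip", "no", "!"}  # words that end a block
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_crypto(config):
    """Pull the IPsec-relevant statements out of one running-config text."""
    cfg = {"policies": {}, "keys": {}, "transform_sets": {}, "maps": {}, "acls": {}}
    block = None  # ("policy", number) or ("map", (name, seq)) while inside such a block
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if not words:
            continue
        block = None if words[0] in TOP_LEVEL else block
        if line.startswith("crypto isakmp policy "):
            block = ("policy", words[3])
            cfg["policies"][words[3]] = dict(ISAKMP_DEFAULTS)
        elif line.startswith("crypto isakmp key "):
            cfg["keys"][words[5]] = words[3]  # crypto isakmp key <key> address <peer>
        elif line.startswith("crypto ipsec transform-set "):
            cfg["transform_sets"][words[3]] = frozenset(words[4:])
        elif line.startswith("crypto map ") and words[-1] == "ipsec-isakmp":
            block = ("map", (words[2], words[3]))
            cfg["maps"][block[1]] = {}
        elif line.startswith("access-list "):
            if m := ACL_RE.match(line):  # only the "<proto> <src> <wc> <dst> <wc>" form is parsed
                cfg["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
        elif block and block[0] == "policy":
            key = "encr" if words[0].startswith("encr") else words[0]
            if key in ISAKMP_DEFAULTS:
                cfg["policies"][block[1]][key] = words[1]
        elif block and block[0] == "map" and words[0] in ("set", "match"):
            cfg["maps"][block[1]][words[1]] = words[2]  # peer / transform-set / address
    return cfg

def phase1_match(a, b):
    """First (policy_a, policy_b) pair whose encr/hash/auth/group all agree, else None."""
    pairs = ((na, nb) for na, pa in a["policies"].items() for nb, pb in b["policies"].items() if pa == pb)
    return next(pairs, None)

def phase2_match(a, b):
    """True if a crypto map entry on each side proposes identical transform set contents."""
    proposed = [{c["transform_sets"].get(e.get("transform-set")) for e in c["maps"].values()} for c in (a, b)]
    return bool((proposed[0] & proposed[1]) - {None})

def crypto_acl_permits(cfg):
    # Permit entries of every ACL a crypto map references, as (proto, src, wc, dst, wc)
    return {(proto, src, swc, dst, dwc) for e in cfg["maps"].values()
            for action, proto, src, swc, dst, dwc in cfg["acls"].get(e.get("address"), [])
            if action == "permit"}

def unmirrored_acl(a, b):
    """A's crypto ACL permits for which B has no counterpart with src and dst swapped."""
    pb = crypto_acl_permits(b)
    return sorted(e for e in crypto_acl_permits(a) if (e[0], e[3], e[4], e[1], e[2]) not in pb)

def peers_without_key(cfg):
    """Crypto map entries whose 'set peer' has no matching 'crypto isakmp key ... address'."""
    return sorted(n for n, e in cfg["maps"].items() if e.get("peer") not in cfg["keys"])

def weak_algorithms(cfg):
    """Legacy algorithms proposed in Phase 1 or Phase 2 on this side."""
    phase1 = {x for p in cfg["policies"].values() for x in (p["encr"], p["hash"], "dh-group" + p["group"])}
    phase2 = {t for ts in cfg["transform_sets"].values() for t in ts}
    return sorted((phase1 | phase2) & WEAK)

def compare(config_a, config_b):
    """Run every check on two peers' running-config text and return the findings."""
    a, b = parse_crypto(config_a), parse_crypto(config_b)
    return {"phase1": phase1_match(a, b), "phase2_ok": phase2_match(a, b),
            "unmirrored_acl": {"a": unmirrored_acl(a, b), "b": unmirrored_acl(b, a)},
            "peers_without_key": {"a": peers_without_key(a), "b": peers_without_key(b)},
            "weak": {"a": weak_algorithms(a), "b": weak_algorithms(b)}}

# Constructed sample (hypothetical 203.0.113.x peer addresses), not the thread's own config.
SITE_A = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 203.0.113.2
crypto ipsec transform-set Router-IPSEC esp-3des esp-md5-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set Router-IPSEC
 match address 122
access-list 122 permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
"""
# Site B is the mirror image of site A (peer address and ACL direction swapped) except for a
# deliberate Phase 1 mismatch: it hashes with SHA where site A uses MD5.
SITE_B = (SITE_A.replace("203.0.113.2", "203.0.113.1").replace("hash md5", "hash sha")
          .replace("5.5.5.0 0.0.0.255 1.1.1.0", "1.1.1.0 0.0.0.255 5.5.5.0"))

if __name__ == "__main__":
    print(compare(SITE_A, SITE_B))
```

Run it against the two real `show run` outputs (with the masked addresses filled in) by passing their text to `compare`; a `phase1` of `None` means no policy pair agrees on all four attributes, a non-empty `unmirrored_acl` list means the crypto ACLs are not mirror images, and an entry in `peers_without_key` means the router has no pre-shared key for the address it is told to peer with. The `weak` list is informational: 3DES, MD5 and DH group 2 will still interoperate, but they are legacy choices and worth replacing when both ends support AES, SHA-2 and a stronger DH group.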
