Anyone knows where went wrong with this site-to-site vpn? Why are the tunnels down?

by Cyrus Lok on Wednesday, March 3, 2010 at 6:29pm

I have applied IKE phase 1 and 2 on both routers, hence the ISAKMP and IPsec tunnels should be up on both endpoints. BUT the tunnels are DOWN; they should be UP-ACTIVE… The ISAKMP tunnel should be up, because the status shows DOWN and not DOWN-NEGOTIATING, hence the ISAKMP tunnel should have been negotiated.

Here’s my R0 config:
The crypto map has already been applied on interface fa1/1, which is connected to the peer router. The peer router’s interface fa1/0 IP address is 172.16.0.2/30.

R0#sh crypto map
Crypto Map “CCNA” 100 ipsec-isakmp
Peer = 172.16.0.2
Extended IP access list PROTECT_TRAFFIC
access-list PROTECT_TRAFFIC permit ip host 10.0.0.2 host 192.168.127.1
Current peer: 172.16.0.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
CCNA: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map CCNA:
FastEthernet1/1

The session is DOWN; I do not know why…
R0#sh crypto session
Crypto session current status

Interface: FastEthernet1/1
Session status: DOWN
Peer: 172.16.0.2 port 500
IPSEC FLOW: permit ip host 10.0.0.2 host 192.168.127.1
Active SAs: 0, origin: crypto map

R0#sh crypto isakmp key
Keyring Hostname/Address Preshared Key

default 172.16.0.2 [255.255.255.252] cisco

R2’s config:
R2’s crypto map has been applied to interface fa1/0, which peers with R0’s interface fa1/1.

R2#sh crypto map
Crypto Map “CCNA” 100 ipsec-isakmp
Peer = 172.16.0.1
Extended IP access list PROTECT_TRAFFIC
access-list PROTECT_TRAFFIC permit ip host 192.168.127.1 host 10.0.0.2
Current peer: 172.16.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
CCNA: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map CCNA:
FastEthernet1/0

The pre-shared key for authentication has also been applied for ISAKMP, hence there should not be a problem with the ISAKMP tunnel:
R2#sh crypto isakmp key
Keyring Hostname/Address Preshared Key

default 172.16.0.1 [255.255.255.252] cisco

Both R0 and R2 have matching ISAKMP policies, hence ISAKMP is definitely up:

R0#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 100
encryption algorithm: AES – Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit

So why is the IPsec tunnel down?
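An added example (editor's code, not part of the post) that checks the things the two `show crypto map` outputs must agree on and shows which packets the map treats as "interesting traffic". It assumes plain `permit ip` ACEs without port qualifiers, IPv4 only, and local addresses of 172.16.0.1 on R0 fa1/1 (taken from R2's `Peer =` line) and 172.16.0.2 on R2 fa1/0 (stated in the post). Run against the two outputs above it reports no mismatch, and shows that only a packet from 10.0.0.2 to 192.168.127.1 (or the reverse on R2) would start IKE, while traffic between the routers' own 172.16.0.0/30 addresses would not. With a crypto map, IOS does not initiate IKE until such traffic hits the interface carrying the map, so a session that is DOWN with 0 active SAs (rather than DOWN-NEGOTIATING) is what you see when negotiation has never been attempted, for example because no host traffic has been sent or the routers have no route that sends it out the crypto-map interface.

```python
"""Consistency check for an IOS site-to-site crypto map pair.

Parses `show crypto map` from both ends, checks what must agree (peer,
mirrored crypto ACL, a common transform set, PFS, map bound to an
interface) and tells which packets are "interesting traffic", i.e. would
make the crypto map start IKE negotiation.  Assumes plain `permit ip` ACEs
(no port qualifiers) and IPv4 only.
"""
import ipaddress
import re

# Copied from the post, abridged to the lines the parser reads.
R0_SHOW_CRYPTO_MAP = """
Crypto Map "CCNA" 100 ipsec-isakmp
Peer = 172.16.0.2
Extended IP access list PROTECT_TRAFFIC
access-list PROTECT_TRAFFIC permit ip host 10.0.0.2 host 192.168.127.1
PFS (Y/N): N
Transform sets={
CCNA: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map CCNA:
FastEthernet1/1
"""
R2_SHOW_CRYPTO_MAP = """
Crypto Map "CCNA" 100 ipsec-isakmp
Peer = 172.16.0.1
Extended IP access list PROTECT_TRAFFIC
access-list PROTECT_TRAFFIC permit ip host 192.168.127.1 host 10.0.0.2
PFS (Y/N): N
Transform sets={
CCNA: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map CCNA:
FastEthernet1/0
"""
# Addresses of the crypto-map interfaces.  R0's is inferred from R2's
# "Peer =" line; R2's is stated in the post.  Both are assumptions of this example.
R0_LOCAL, R2_LOCAL = "172.16.0.1", "172.16.0.2"


def _endpoint_networks(tokens):
    """Turn ACE source/destination tokens ('host A', 'any', 'A wildcard')
    into ip_network objects.  IOS wildcards are host masks, which the
    ipaddress module accepts directly ("10.0.0.0/0.0.0.255")."""
    nets, i = [], 0
    while i < len(tokens):
        if tokens[i] == "any":
            net, used = "0.0.0.0/0", 1
        elif tokens[i] == "host":
            net, used = tokens[i + 1] + "/32", 2
        else:  # address followed by an IOS wildcard (host) mask
            net, used = f"{tokens[i]}/{tokens[i + 1]}", 2
        nets.append(ipaddress.ip_network(net, strict=False))
        i += used
    return nets


def parse_crypto_map(text):
    """Pull the fields that matter for peering out of `show crypto map`."""
    cm = {"peer": None, "acl": [], "transforms": [], "pfs": None, "interfaces": []}
    in_ifaces = False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if in_ifaces:  # everything after the header is an interface name
            cm["interfaces"].append(line)
        elif m := re.match(r"Peer = (\S+)", line):
            cm["peer"] = m.group(1)
        elif m := re.match(r"access-list \S+ permit (\S+) (.+)", line):
            src, dst = _endpoint_networks(m.group(2).split())
            cm["acl"].append((m.group(1), src, dst))
        elif m := re.match(r"(\S+): \{ (.+?) \}", line):
            cm["transforms"].append((m.group(1), tuple(m.group(2).split())))
        elif m := re.match(r"PFS \(Y/N\): (\S)", line):
            cm["pfs"] = m.group(1) == "Y"
        elif line.startswith("Interfaces using crypto map"):
            in_ifaces = True
    return cm


def check_pair(a, a_local_ip, b, b_local_ip):
    """Return a list of mismatches between the two ends; empty means consistent."""
    findings = []
    for name, cm, other in (("A", a, b_local_ip), ("B", b, a_local_ip)):
        if cm["peer"] != other:
            findings.append(f"{name}: peer {cm['peer']} is not the other end's address {other}")
        if not cm["interfaces"]:
            findings.append(f"{name}: crypto map is not applied to any interface")
    # Crypto ACLs must be mirror images: A's src->dst is B's dst->src.
    for proto, src, dst in a["acl"]:
        if (proto, dst, src) not in b["acl"]:
            findings.append(f"A ACE {proto} {src} -> {dst} has no mirror image on B")
    for proto, src, dst in b["acl"]:
        if (proto, dst, src) not in a["acl"]:
            findings.append(f"B ACE {proto} {src} -> {dst} has no mirror image on A")
    a_ts = {frozenset(algs) for _, algs in a["transforms"]}
    b_ts = {frozenset(algs) for _, algs in b["transforms"]}
    if not a_ts & b_ts:
        findings.append("no transform set in common")
    if a["pfs"] != b["pfs"]:
        findings.append("PFS enabled on one side only")
    return findings


def would_trigger(cm, src_ip, dst_ip):
    """True if a packet src->dst matches the crypto ACL, i.e. would start IKE."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for _proto, s, d in cm["acl"])


if __name__ == "__main__":
    r0, r2 = parse_crypto_map(R0_SHOW_CRYPTO_MAP), parse_crypto_map(R2_SHOW_CRYPTO_MAP)
    print("mismatches:", check_pair(r0, R0_LOCAL, r2, R2_LOCAL) or "none")
    for src, dst in (("10.0.0.2", "192.168.127.1"), ("172.16.0.1", "172.16.0.2")):
        print(f"R0: {src} -> {dst} interesting: {would_trigger(r0, src, dst)}")
```

If the checker reports nothing, the next step is to send matching traffic (a ping from 10.0.0.2 to 192.168.127.1, or an extended ping from R0 sourced from the interface holding 10.0.0.2's gateway) and then look at `show crypto isakmp sa` and `show crypto ipsec sa`, with `debug crypto isakmp` running if the session stays down; a crypto map that never sees interesting traffic never negotiates, however correct the two sides are.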
