On Mon, 2009-08-10 at 22:20 +0300, Mohammad Khalil wrote:
> I configured the below on the GNS3 simulator:
>
> Router(config)#crypto isakmp policy 1
> Router(config-isakmp)#authentication pre-share
> Router(config)#crypto isakmp key VPNKEY address x.x.x.x
> Router(config)#access-list extended LIST
> Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> Router(config)#crypto ipsec transform-set SET
> Router(config)#crypto map MAP 10 ipsec-isakmp
> Router(config-crypto-map)#set peer x.x.x.x
> Router(config-crypto-map)#set transform-set SET
> Router(config-crypto-map)#match address LIST
> Router(config)#interface f0/0
> Router(config-if)#crypto map MAP
>
> and I'm trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks) but
> I'm not able to, and "show crypto isakmp sa" produces empty output.
>
> Am I missing something here?
That's hard to say without knowing what's in the other end. :-) Or are both ends configured the same?

You haven't defined any explicit encryption or hashing in your ISAKMP policy. AFAICT a 7200 running 12.4 defaults to single DES encryption and SHA hashing with a lifetime of 86400 seconds.

I don't understand the "crypto ipsec transform-set SET"; wasn't there supposed to be an IPSec transform set after this? Like "esp-aes 128 esp-sha-hmac"?

Otherwise, as Michael mentions, debug is a good thing. A "debug crypto isakmp" probably tells relevant things. (Though this seems to be IOS and not PIX.)

We have something like this in a working configuration:

ip access-list extended SomeCryptoACL
 permit gre host 10.0.0.2 host 10.0.0.1
!
crypto isakmp policy 15
 encr 3des
 hash md5
 authentication pre-share
 lifetime 43200
!
crypto keyring SomeKeyRing
 pre-shared-key address 10.0.0.1 key SomeKey
!
crypto isakmp profile SomeISAKMPProfile
 keyring SomeKeyRing
 match identity address 10.0.0.1 255.255.255.255
 initiate mode aggressive
!
crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac
!
crypto map SomeCryptoMap 5 ipsec-isakmp
 description Some description
 set peer 10.0.0.1
 set transform-set MD5_3DES
 set isakmp-profile SomeISAKMPProfile
 match address SomeCryptoACL
!
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.0
 crypto map SomeCryptoMap
!

This isn't best practice, but it does work.

Regards,
Peter
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
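A small config-audit script, added here as an example and not something from the thread, that flags the gaps Peter points out: an ISAKMP policy with no explicit encr/hash (so platform defaults apply), a transform-set with no transforms, and a crypto map whose transform-set or ACL is never defined. The sample configuration is constructed to mirror the quoted one, with the documentation address 203.0.113.2 standing in for x.x.x.x.

```python
import re

# Constructed sample mirroring the quoted configuration; 203.0.113.2 stands in for x.x.x.x.
BROKEN_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key VPNKEY address 203.0.113.2
ip access-list extended LIST
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set SET
crypto map MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SET
 match address LIST
"""
def parse_blocks(config):
    """Pair each top-level command with its indented sub-commands (skips '!')."""
    blocks = []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks
def audit_ipsec(config):
    """Return findings for the ISAKMP/IPsec gaps discussed in the thread."""
    findings, transform_sets, acls = [], set(), set()
    blocks = parse_blocks(config)
    for head, body in blocks:
        if m := re.match(r"crypto ipsec transform-set (\S+)\s*(.*)", head):
            transform_sets.add(m[1])
            if not m[2]:  # name only, no esp-*/ah-* transforms after it
                findings.append(f"transform-set {m[1]} lists no transforms")
        elif m := re.match(r"ip access-list extended (\S+)", head):
            acls.add(m[1])
        elif m := re.match(r"crypto isakmp policy (\d+)", head):
            for kw in ("encr", "hash"):  # absent => platform default applies
                if not any(l.startswith(kw) for l in body):
                    findings.append(f"isakmp policy {m[1]} has no explicit {kw}")
    for head, body in blocks:  # second pass: a map may precede what it references
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", head):
            refs = dict(l.rsplit(" ", 1) for l in body if l.startswith(("set transform-set", "match address")))
            ts, acl = refs.get("set transform-set"), refs.get("match address")
            if ts not in transform_sets:
                findings.append(f"crypto map {m[1]} {m[2]} references undefined transform-set {ts}")
            if acl not in acls:
                findings.append(f"crypto map {m[1]} {m[2]} references undefined ACL {acl}")
    return findings
```

Run it over a "show running-config" capture to get the same three findings Peter raised by eye; the check only knows the keywords used in this thread, so it is a sanity pass, not a full IOS parser.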