Re: Converting crypto map to unnumbered VTI



On Sat, 10 Nov 2007 00:34:44 -0800, Merv wrote:

You may want to compare debug isakmp from working and non-working
setups:

1. post show version and show interface tu 0

--
Router#sho ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

qsv-cvpnc1 uptime is 3 days, 15 hours, 28 minutes
System returned to ROM by reload at 00:39:57 UTC Thu Nov 8 2007
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@xxxxxxxxxx

Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1048A3RX
2 FastEthernet interfaces
2 Serial interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
--

Can't do a show int tun0 right now because...

2. return to original config

...I've done just this.

3. capture debug isakmp sa

I did that, but the only error I was seeing was


4. configure IPSEC profile with crypto map

5. capture debug isakmp sa with this setup

6. config new config with VTI setup

7. capture debug isakmp sa with this setup


In main mode, there will be an exchange of 6 IKE packets.

From the debugs you should see how far you are getting

The VTI tunnel interface will not come up until the SAs are built (i.e.
it will be in up - down state)
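
An added example, not part of the original post: a small script that reads captured ISAKMP debug output and reports how many of the 6 main-mode packets were exchanged before the negotiation stalled. The log line format, the state names and the sample capture are assumptions or constructed, as noted in the comments.

```python
import re

# Assumption: "debug crypto isakmp" logs state changes as
#   ISAKMP:(...):Old State = IKE_I_MM1  New State = IKE_I_MM2
# and the digit in IKE_I_MMn / IKE_R_MMn counts main-mode messages
# exchanged so far (I = initiator, R = responder).
TRANSITION = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
MM_STATE = re.compile(r"IKE_([IR])_MM([1-6])$")

# IKEv1 main mode: messages 1-2 negotiate policy, 3-4 carry the
# Diffie-Hellman exchange, 5-6 authenticate the peers.
STAGES = ["policy negotiation (messages 1-2)",
          "Diffie-Hellman exchange (messages 3-4)",
          "peer authentication (messages 5-6)"]

def main_mode_progress(debug_text):
    """Return (role, messages_exchanged, phase1_complete) for the furthest state."""
    role, furthest, complete = None, 0, False
    for line in debug_text.splitlines():
        m = TRANSITION.search(line)
        if not m:
            continue  # not a state-transition line (e.g. a retransmit notice)
        new_state = m.group(2)
        if new_state == "IKE_P1_COMPLETE":
            complete = True
        s = MM_STATE.match(new_state)
        if s and int(s.group(2)) > furthest:
            role, furthest = s.group(1), int(s.group(2))
    return role, furthest, complete

def describe(debug_text):
    role, n, complete = main_mode_progress(debug_text)
    if complete:
        return "phase 1 complete"
    if n == 0:
        return "no main-mode state transition seen"
    side = "initiator" if role == "I" else "responder"
    return f"{n}/6 messages as {side}; stalled in {STAGES[(n - 1) // 2]}"

# Constructed sample (not from the thread): an initiator that never receives message 4.
SAMPLE = """\
*Nov 10 09:01:02.123: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Nov 10 09:01:02.456: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Nov 10 09:01:02.789: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Nov 10 09:01:12.790: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_SA_SETUP...
"""

if __name__ == "__main__":
    print(describe(SAMPLE))
```

Running the same script over the debug captured with the crypto map config and with the VTI config shows at which message the two negotiations diverge.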
