There seems to be an SA but pings fail...
r2#sh cry isa sa
dst src state conn-id slot
136.3.234.254 136.3.234.2 QM_IDLE 1 0
r2#ping 150.1.1.1 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
U.U.U
Success rate is 0 percent (0/5)
It looks like outbound packets are in fact being encrypted.
r2#sh cry ipsec sa
interface: Ethernet0/0
Crypto map tag: vpn, local addr. 136.3.234.2
protected vrf:
local ident (addr/mask/prot/port): (150.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
current_peer: 136.3.234.254:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 136.3.234.2, remote crypto endpt.: 136.3.234.254
path mtu 1500, media mtu 1500
current outbound spi: F46E1637
inbound esp sas:
spi: 0x60803BB5(1619016629)
transform: esp-3des esp-md5-hmac ,
R1 does know how to get back to the loopback on r2:
r1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
136.1.0.0/24 is subnetted, 1 subnets
C 136.1.134.0 is directly connected, Ethernet0/0
136.3.0.0/24 is subnetted, 1 subnets
R 136.3.234.0 [120/1] via 136.1.134.3, 00:00:00, Ethernet0/0
[120/1] via 136.1.134.4, 00:00:00, Ethernet0/0
150.1.0.0/24 is subnetted, 2 subnets
R 150.1.2.0 [120/1] via 136.1.134.3, 00:00:00, Ethernet0/0
C 150.1.1.0 is directly connected, Loopback0
r1#
The crypto map looks to be correct:
r3#sh cry map
Redundancy Group: 1
Crypto Map "vpn" 10 ipsec-isakmp
Peer = 136.3.234.2
Extended IP access list r1-to-r2
access-list r1-to-r2 permit ip 150.1.1.0 0.0.0.255 150.1.2.0 0.0.0.255
Current peer: 136.3.234.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3des-md5,
}
Reverse Route Injection Enabled
Interfaces using crypto map vpn:
Ethernet0/1
The static route is injected, and since we saw it on R1 I know it's being redistributed.
r3#sh ip
Nov 3 22:42:30.245: %SYS-5-CONFIG_I: Configured from console by consoleroute
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
136.1.0.0/24 is subnetted, 1 subnets
C 136.1.134.0 is directly connected, Ethernet0/0
136.3.0.0/24 is subnetted, 1 subnets
C 136.3.234.0 is directly connected, Ethernet0/1
150.1.0.0/24 is subnetted, 1 subnets
S 150.1.2.0 [1/0] via 136.3.234.2
When I fail R3's interface it takes a minute and gets a new SA, but still it fails.
r2#ping 150.1.1.1 source l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
.U.U.
Success rate is 0 percent (0/5)
r2#sh cry isa sa
dst src state conn-id slot
136.3.234.254 136.3.234.2 QM_IDLE 2 0
136.3.234.254 136.3.234.2 MM_NO_STATE 1 0 (deleted)
r2#
What am I missing here?
My configs can be found here on my blog.
Thanks.
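As an added illustration (not part of the original post or its configs), the script below pulls the same evidence the poster is reading by eye out of the IOS output and classifies the tunnel: it parses the encaps/decaps and send/recv error counters from "show crypto ipsec sa", the per-peer rows from "show crypto isakmp sa", and the ping response characters, then reports whether traffic is flowing both ways, only outbound, or not entering the tunnel at all. The sample strings are copied from the post above; the function names, the state labels it returns, and the ping character meanings (U = unreachable, . = timeout) are the example's own assumptions.

```python
import re

# Sample "show crypto ipsec sa" output, copied from r2 in the post above (trimmed).
IPSEC_SA_OUTPUT = """\
interface: Ethernet0/0
Crypto map tag: vpn, local addr. 136.3.234.2
local ident (addr/mask/prot/port): (150.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
current_peer: 136.3.234.254:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 5, #recv errors 0
local crypto endpt.: 136.3.234.2, remote crypto endpt.: 136.3.234.254
current outbound spi: F46E1637
"""

# Sample "show crypto isakmp sa" output after the interface flap, also from the post.
ISAKMP_SA_OUTPUT = """\
dst src state conn-id slot
136.3.234.254 136.3.234.2 QM_IDLE 2 0
136.3.234.254 136.3.234.2 MM_NO_STATE 1 0 (deleted)
"""

# Matches "#pkts encaps: 5", "#pkts decaps: 0", "#send errors 5", "#recv errors 0".
COUNTER_RE = re.compile(r"#(?:pkts )?(encaps|decaps|send errors|recv errors)[: ]+(\d+)")

# One ISAKMP SA row: dst src STATE conn-id slot [(flag)]; the header row has a
# lowercase "state" column name and therefore does not match.
ISAKMP_ROW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)(?:\s+\((\w+)\))?\s*$", re.M
)

# Assumed meaning of IOS ping response characters (example's own table).
PING_MARKS = {"!": "reply", ".": "timeout", "U": "unreachable"}


def parse_ipsec_counters(text):
    """Return the packet counters of interest as {name: int}."""
    return {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def parse_isakmp_sas(text):
    """Return one dict per ISAKMP SA row, keeping the '(deleted)' style flag."""
    rows = []
    for m in ISAKMP_ROW_RE.finditer(text):
        dst, src, state, conn_id, slot, flag = m.groups()
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "slot": int(slot), "flag": flag})
    return rows


def live_isakmp_sas(text):
    """Only fully established (QM_IDLE) SAs that are not marked deleted count."""
    return [s for s in parse_isakmp_sas(text)
            if s["state"] == "QM_IDLE" and s["flag"] is None]


def parse_ping_marks(marks):
    """Tally a ping result string such as 'U.U.U' by response type."""
    tally = {}
    for ch in marks:
        kind = PING_MARKS.get(ch, "other")
        tally[kind] = tally.get(kind, 0) + 1
    return tally


def diagnose(ipsec_text, isakmp_text):
    """Classify the tunnel from IKE state plus the encaps/decaps asymmetry."""
    if not live_isakmp_sas(isakmp_text):
        return "no-ike-sa"            # phase 1 never completed or was torn down
    c = parse_ipsec_counters(ipsec_text)
    if c.get("encaps", 0) == 0:
        return "not-entering-tunnel"  # traffic never matched the crypto ACL
    if c.get("decaps", 0) == 0:
        return "one-way"              # encrypted out, nothing ever came back
    return "bidirectional"


if __name__ == "__main__":
    print(parse_ipsec_counters(IPSEC_SA_OUTPUT))
    print(parse_ping_marks("U.U.U"))
    print(diagnose(IPSEC_SA_OUTPUT, ISAKMP_SA_OUTPUT))
```

Run against the post's own output this reports "one-way": the IKE SA is up, five packets were encapsulated and zero decapsulated, which is exactly the "outbound is being encrypted but nothing returns" reading in the post. The ping tally shows three unreachables and two timeouts, so something on the path is actively answering with ICMP unreachable rather than the echo silently disappearing.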