Problem with crypto not working

Feb 21st, 2007

Hi

I cannot get the VPN connection up from one of my remote sites to my CO. Below is an extract from the config. What am I doing wrong?

Using 877W Router.

    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key adsldynvpn address <VPN ROUTER1> no-xauth
    crypto isakmp key adsldynvpn address <VPN ROUTER2> no-xauth
    !
    !
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel toVPN ROUTER1
     set peer VPN ROUTER1
     set transform-set ESP-3DES-MD5
     match address 100
    crypto map SDM_CMAP_1 2 ipsec-isakmp
     description Tunnel toVPN ROUTER2
     set peer VPN ROUTER2
     set transform-set ESP-3DES-MD5
     match address 103
    !
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.18.47.0 0.0.0.255 172.18.16.0 0.0.1.255 -> My internal servers SITE A
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.18.47.0 0.0.0.255 <PUBLIC ADDRESSES> 0.0.0.127 -> My public servers
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 remark IPSec Rule
    access-list 103 remark SDM_ACL Category=4
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 172.18.47.0 0.0.0.255 172.18.18.0 0.0.1.255 -> My internal servers SITE B
    access-list 103 remark SDM_ACL Category=4
    access-list 103 remark IPSec Rule
    !

crypto map SDM_CMAP_1 -> assigned to dialer interface.

bradlesliect Wed, 02/21/2007 - 02:04

Each time I try and reconfigure this I get

"% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured."

bradlesliect Wed, 02/21/2007 - 05:07

Thanks Leo

I'm still stuck.

Do you have an example of what a VPN config should look like for an 877 Router?

Danilo Dy Wed, 02/21/2007 - 06:31

Office Network = 172.16.0.0/12

Remote Network = 10.0.0.0/8

Office WAN Interface IP Address = a.b.c.2, Gateway = a.b.c.1

Remote WAN Interface IP Address = w.x.y.2, Gateway = w.x.y.1

1. Office

    !
    ip subnet-zero
    !
    crypto isakmp policy 3
     authentication pre-share
    !
    crypto isakmp key trinity address w.x.y.2 no-xauth
    !
    crypto ipsec transform-set NEO esp-des esp-sha-hmac
    !
    crypto map TheMatrix 1 ipsec-isakmp
     set peer w.x.y.2
     set transform-set NEO
     set pfs group1
     match address 101
    !
    interface wan_interface_facing_internet
     ip address a.b.c.2 255.255.255.252
     crypto map TheMatrix
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 a.b.c.1
    !
    access-list 101 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255

2. Remote

    !
    ip subnet-zero
    !
    crypto isakmp policy 3
     authentication pre-share
    !
    crypto isakmp key trinity address a.b.c.2 no-xauth
    !
    crypto ipsec transform-set NEO esp-des esp-sha-hmac
    !
    crypto map TheMatrix 1 ipsec-isakmp
     set peer a.b.c.2
     set transform-set NEO
     set pfs group1
     match address 101
    !
    interface wan_interface_facing_internet
     ip address w.x.y.2 255.255.255.252
     crypto map TheMatrix
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 w.x.y.1
    !
    access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
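An added example, not part of the original thread or any poster's code: a small Python check that the crypto ACLs on two peers are mirror images of each other and that every wildcard is a contiguous inverse mask. The sample configs are constructed from the Office (172.16.0.0/12) and Remote (10.0.0.0/8) networks in the reply above, the function names are hypothetical, and treating a non-contiguous wildcard as a finding is this example's assumption.

```python
import ipaddress
import re

# Matches only "permit ip <addr> <wildcard> <addr> <wildcard>" entries;
# the "any" and "host" keywords are not handled in this example.
ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    """Return the network for addr/wildcard, or None if the wildcard
    is not a contiguous inverse mask (i.e. not of the form 2**k - 1)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        return None
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    prefix = 32 - w.bit_length()
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{prefix}")

def selectors(config, acl):
    """List (line, src_net, dst_net) for each permit entry of one ACL."""
    return [(m.group(0),
             wildcard_to_network(m.group(2), m.group(3)),
             wildcard_to_network(m.group(4), m.group(5)))
            for m in ACL_RE.finditer(config) if m.group(1) == acl]

def audit(local_cfg, peer_cfg, acl="101"):
    """Report bad wildcards and entries with no mirror image on the peer."""
    local, peer = selectors(local_cfg, acl), selectors(peer_cfg, acl)
    findings = [f"non-contiguous wildcard: {line}"
                for line, s, d in local + peer if s is None or d is None]
    for side, mine, theirs in (("local", local, peer), ("peer", peer, local)):
        mirrored = {(d, s) for _, s, d in theirs}
        findings += [f"{side} entry has no mirror: {line}"
                     for line, s, d in mine
                     if s is not None and d is not None
                     and (s, d) not in mirrored]
    return findings

# Constructed sample input (not taken from a real device).
OFFICE = "access-list 101 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255"
REMOTE = "access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255"
REMOTE_BAD = "access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.240.255.255"

if __name__ == "__main__":
    for name, remote in (("REMOTE", REMOTE), ("REMOTE_BAD", REMOTE_BAD)):
        print(name, audit(OFFICE, remote) or "OK")
```

The wildcard for a /12 is 0.15.255.255; a value such as 0.240.255.255 is accepted as ACL syntax but matches a scattered set of second-octet values rather than 172.16.0.0 through 172.31.255.255.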
