Site-to-Site VPN.(ADSL)

Answered Question
Mar 6th, 2007

Dears;

I have a 2800, connected to the Internet using DSL.

I am trying to create a VPN tunnel (site-to-site) but failed.


I don't know if the problem is on the ADSL.



kaachary (Cisco Employee) Tue, 03/06/2007 - 02:16

Hi,


It's hard to comment on where the problem lies when we have the config from just one end. Is it possible for you to paste the config for the other end as well, so that we can review them both?


-Kanishka

w_basheer Tue, 03/06/2007 - 02:31

Dear;

The attached is the other end.

- My LAN is 172.18.1.0/24; the other is 10.40.0.0/16

- My peer is 89.148.43.29; the other is 213.42.65.202

------------------------------------------

ITS-BAH-OFFICE#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
213.42.65.202   89.148.43.29    QM_IDLE           4001    0 ACTIVE

IPv6 Crypto ISAKMP SA

-------------------------------------------



kaachary (Cisco Employee) Tue, 03/06/2007 - 02:47

Hi,


It seems like the tunnel is up:


213.42.65.202   89.148.43.29    QM_IDLE           4001    0 ACTIVE


Are you not able to pass traffic?


Try to send some traffic from the hosts and then capture the output for "sh cry ipsec sa". Paste it here.


-Kanishka



kaachary (Cisco Employee) Tue, 03/06/2007 - 09:41

Hi,


If you see the output for "sh cry ipsec sa":


local ident (addr/mask/prot/port): (172.18.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.40.0.0/255.255.0.0/0/0)
current_peer 213.42.65.202 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1557, #pkts encrypt: 1557, #pkts digest: 1557
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0


You will see that this side is encrypting the packets but they are not getting back from the other router.

This proves that the problem is definitely on this Router's side. Could you please post the full config of this router (which has inside subnet of 10.40.x.x) and possibly the output of "sh cry ipsec sa" from it as well.


-Kanishka
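
The counter comparison made in the reply above, as an added example that is not part of the original thread: it parses "show crypto ipsec sa" text and labels each SA by whether packets are encapsulated, decapsulated, or both. The function names are hypothetical, and the sample text is constructed from the lines quoted in the post plus one made-up SA on documentation addresses.

```python
import re

# Constructed sample: the lines quoted in the reply above, followed by a
# made-up second SA (documentation addresses) with traffic in both directions.
SAMPLE = """\
local  ident (addr/mask/prot/port): (172.18.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.40.0.0/255.255.0.0/0/0)
current_peer 213.42.65.202 port 500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 1557, #pkts encrypt: 1557, #pkts digest: 1557
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
current_peer 203.0.113.7 port 500
#pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
#pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
"""

IDENT = re.compile(r"^\s*(local|remote)\s+ident.*?:\s*\(([\d.]+)/([\d.]+)/")
PEER = re.compile(r"^\s*current_peer[:\s]+([\d.]+)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Return one dict per SA; a new SA starts at each 'local ident' line."""
    sas = []
    for line in text.splitlines():
        ident = IDENT.match(line)
        if ident and ident.group(1) == "local":
            sas.append({"peer": None, "encaps": 0, "decaps": 0})
        if not sas:
            continue  # skip anything printed before the first SA
        if ident:
            sas[-1][ident.group(1)] = f"{ident.group(2)}/{ident.group(3)}"
        peer = PEER.match(line)
        if peer:
            sas[-1]["peer"] = peer.group(1)
        for name, value in COUNT.findall(line):
            sas[-1][name] = int(value)
    return sas

def classify(sa):
    """Label an SA by which direction its packet counters have moved."""
    if sa["encaps"] and not sa["decaps"]:
        return "tx-only"  # packets encrypted out, none decrypted coming back
    if sa["decaps"] and not sa["encaps"]:
        return "rx-only"
    return "two-way" if sa["encaps"] else "idle"
```

Counters are cumulative, so taking the output twice while test traffic is running and comparing the two readings shows whether decaps is moving now.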

w_basheer Tue, 03/06/2007 - 09:54

I really appreciate your help.

The attached is:

- show run

- show cry isa sa

- show cry ips sa


for both my peer and the second peer, in addition to a drawing.


Thanks a lot.



Correct Answer
kaachary (Cisco Employee) Tue, 03/06/2007 - 10:07

Hi,


Interestingly, I can see the tunnel up and passing traffic in the new show outputs; I am not sure why this is not working for you.


Try this on Router (10.40.x.x):


ping 172.18.1.254 source 10.40.0.1


Does this ping work?


What IP address are you trying to ping across the tunnel, and from what IP address?


-Kanishka


w_basheer Tue, 03/06/2007 - 10:46

:S :S :S

Actually I keep pinging... it's replied.

I did not make any changes.


Thanks a lot, Mr. Kanishka.


Tomorrow I will re-establish the tunnel and test applications.


Thanks a lot.
