VPN Not Working

alsayed
Level 1

Hello

kindly check attachment

10xs

Ali

19 Replies

royalblues
Level 10

Is the tunnel destination reachable from both ends? I do not see any routes except for one static route to the tunnel.

Can you post sh ip route?

Can you also add the transform set under the crypto profile:

crypto ipsec profile VTI

set transform-set ali

HTH

Narayan

Hi Narayan

The tunnel interfaces on both sides are down:

Tunnel0 192.168.3.2 YES manual reset down

sh ip route

Gateway of last resort is not set

C 192.1.1.0/24 is directly connected, Serial1/1

C 192.168.1.0/24 is directly connected, FastEthernet0/0

Router-A#

Hi

New entry:

Tunnel0 192.168.3.1 YES manual up down

ROUTER-B#sh crypto isakmp sa

dst src state conn-id slot status

192.1.1.1 193.1.1.1 MM_NO_STATE 0 0 ACTIVE (deleted)

10xs

Ali,

How are routerA and routerB connected?

With the information you provided, routerA does not seem to have a route for the tunnel destination and hence the tunnel is not coming up. The VPN will come up only when your tunnel is up.

HTH

Narayan

Ali,

Add a static route to the tunnel destination address on both routers. You should be able to ping the GRE tunnel IP address of each other. IPSEC SA should come up after that.

HTH

Sundar

Hello Sundar!

We already have a static route configured; please check the attachment.

10xs

Ali

Are these routers connected directly?

Hello

Yes, they are; via serial interface.

10xs

Ali,

The static route(s) you have is for the LAN at the far end, but you need a static route to get to the tunnel destination address itself. Can you add the following static routes on both routers? This would cause the tunnel int to come up and you should be able to ping the tunnel IP of each other router.

Router-A:

ip route 193.1.1.1 255.255.255.255 (next-hop-address)

Router-B:

ip route 192.1.1.1 255.255.255.255 (next-hop-address)

HTH

Sundar

I just noticed you posted that these routers are directly connected to each other via serial int. If they are directly connected to each other, the serial interfaces of both routers need to be on the same subnet. Can you reconfigure it that way?

Ali,

The serial interfaces are connected together, yet in your configuration they lie in separate subnets.

On router B configure

interface Serial1/2

ip address 192.1.1.2 255.255.255.0

interface Tunnel0

tunnel source 192.1.1.2

tunnel destination 192.1.1.1

On router A

interface Tunnel0

tunnel source 192.1.1.1

tunnel destination 192.1.1.2

And also set the transform set under the crypto profile

crypto ipsec profile VTI

set transform-set ali

Have a look at this for an example configuration

http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8029d629.shtml

HTH, rate if it does

Narayan
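
The two checks suggested in the replies above (a route covering the tunnel destination, and both serial interfaces in one subnet), as an added Python example that is not part of the original thread. The route lines are a constructed sample in the format of the posted sh ip route output, and the /24 mask on 193.1.1.1 is an assumption, since Router-B's serial configuration is only in the attachment.

```python
import ipaddress
import re

# Constructed sample in the format of the Router-A output posted in the thread.
ROUTER_A_ROUTES = """\
C 192.1.1.0/24 is directly connected, Serial1/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
"""

# Route code letter(s), then a prefix in a.b.c.d/len form.
ROUTE_RE = re.compile(r"^[ \t]*[A-Z*]+[ \t]+(\d+\.\d+\.\d+\.\d+/\d+)", re.M)


def parse_routes(show_ip_route):
    """Return the prefixes listed in 'sh ip route' style text."""
    return [ipaddress.ip_network(p) for p in ROUTE_RE.findall(show_ip_route)]


def best_route(routes, destination):
    """Longest-prefix match; None means no route covers the destination."""
    dst = ipaddress.ip_address(destination)
    covering = [r for r in routes if dst in r]
    return max(covering, key=lambda r: r.prefixlen, default=None)


def same_subnet(addr_a, addr_b):
    """True when two 'ip/mask' interface addresses share one network."""
    return (ipaddress.ip_interface(addr_a).network
            == ipaddress.ip_interface(addr_b).network)


def tunnel_preflight(show_ip_route, local_if, peer_if):
    """List the reasons the tunnel toward peer_if cannot come up."""
    problems = []
    peer_ip = str(ipaddress.ip_interface(peer_if).ip)
    if best_route(parse_routes(show_ip_route), peer_ip) is None:
        problems.append(f"no route to tunnel destination {peer_ip}")
    if not same_subnet(local_if, peer_if):
        problems.append("directly connected interfaces are in different subnets")
    return problems


if __name__ == "__main__":
    # Mask on the 193.1.1.1 side is an assumption (not shown in the thread).
    print(tunnel_preflight(ROUTER_A_ROUTES, "192.1.1.1/24", "193.1.1.1/24"))
    print(tunnel_preflight(ROUTER_A_ROUTES, "192.1.1.1/24", "192.1.1.2/24"))
```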

Friends Narayan; Sundar

10xs for all your replies

really 10xs

Ali

Hello

How can I fix this:

*Mar 1 23:03:17.994: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.1.1.1

This generally means the devices are not configured with the same properties.

Make sure the profile parameters are similar in both the peers, otherwise negotiations will fail.

Narayan
