Site-to-Site VPN connection issue

Unanswered Question
Jul 25th, 2007

Hello,

I just finished configuring a site-to-site VPN between two routers, but they don't seem to connect. I have tested WAN connectivity, and it works fine. The worst part is that this is not the first time I have set up this type of connection, but I have never had this issue. Debugs don't even seem to work. Please find below copies of my config...

R1

crypto isakmp key 0 uqef23fr923fg address xx.xx.xx.xx

!

crypto ipsec transform-set headoffice esp-des esp-md5-hmac

!

crypto map headoffice 13 ipsec-isakmp

set peer xx.xx.xx.xx

set transform-set headoffice

match address 103

!

access-list 103 permit ip 10.1.16.0 0.0.15.255 10.3.16.0 0.0.15.255

R2

crypto isakmp key uqef23fr923fg address yy.yy.yy.yy

!

crypto ipsec transform-set headoffice esp-des esp-md5-hmac

!

crypto map headoffice 13 ipsec-isakmp

set peer yy.yy.yy.yy

set transform-set headoffice

match address 105

!

access-list 105 permit ip 10.3.16.0 0.0.15.255 10.1.16.0 0.0.15.255

Thank you for your anticipated response.

spremkumar Wed, 07/25/2007 - 04:07

Hi

Did you check using show crypto isakmp sa and show crypto ipsec sa?

Also, are your peers reachable from both ends? Did you check the connectivity to the peers?

Regards

achalante Wed, 07/25/2007 - 04:50

Hi. As you can see from my previous mail, I stated there that I had checked WAN connectivity, and it works fine. My configs will give you all the information the show commands would.

mattiaseriksson Wed, 07/25/2007 - 05:10

When you say debug does not work what do you mean? The debug information is the quickest way to resolve these issues.

Is isakmp enabled? Is the crypto map applied? Are the isakmp parameters matching?

The config extract you attached does not give all the information. Use the show commands to verify your configuration, and then analyze the debug information to determine the cause of the problem.

james.lumpkin Wed, 07/25/2007 - 10:04

Not sure if you left these out of the posting on purpose or not, but the things I don't see in your config are an isakmp policy:

crypto isakmp policy 4

authentication pre-share

and where you applied the crypto map to the interface:

int s0/0

crypto map headoffice

Also, I've never had my crypto map and my transform set use the same name, so I don't know if that would be a problem or not.

Good luck!

--j
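
The replies above ask whether an isakmp policy exists, whether the crypto map is applied to an interface, and whether the parameters match on both peers; the posted configs also rely on mirrored crypto ACLs. The following is an added example, not part of the original thread or of any Cisco tool, that checks two config extracts for those points. The sample configs, the key and the peer addresses are constructed placeholders, and `parse` and `lint` are hypothetical helper names.

```python
import re
# Constructed configs modelled on the thread (placeholder key and peer IPs); R2 omits the policy and interface lines.
R1 = """\
crypto isakmp policy 4
 authentication pre-share
crypto isakmp key EXAMPLE-KEY address 192.0.2.2
crypto ipsec transform-set headoffice esp-des esp-md5-hmac
crypto map headoffice 13 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set headoffice
 match address 103
interface Dialer0
 crypto map headoffice
access-list 103 permit ip 10.1.16.0 0.0.15.255 10.3.16.0 0.0.15.255
"""
R2 = """\
crypto isakmp key EXAMPLE-KEY address 192.0.2.1
crypto ipsec transform-set headoffice esp-des esp-md5-hmac
crypto map headoffice 13 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set headoffice
 match address 105
access-list 105 permit ip 10.3.16.0 0.0.15.255 10.1.16.0 0.0.15.255
"""
LOCAL = {"policy": "no isakmp policy with pre-share authentication",
         "applied": "crypto map not applied to an interface"}

def parse(cfg):
    """Extract what must exist on each router or match its peer."""
    find = lambda pat: re.search(pat, cfg, re.M)
    acl_id = find(r"^ match address (\d+)").group(1)
    return {
        "policy": bool(find(r"^crypto isakmp policy \d+\n(?: .*\n)*? authentication pre-share")),
        "applied": bool(find(r"^interface \S+\n(?: .*\n)*? crypto map \S+")),
        "key": find(r"^crypto isakmp key (?:\d )?(\S+) address").group(1),
        "transform": find(r"^crypto ipsec transform-set \S+ (.+)$").group(1).split(),
        "acl": re.findall(rf"^access-list {acl_id} permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M),
    }

def lint(cfg_a, cfg_b):
    """Return findings for the gaps and mismatches the replies ask about."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = [f"{name}: {msg}" for name, r in (("R1", a), ("R2", b))
                for k, msg in LOCAL.items() if not r[k]]
    findings += [f"{k} differs between peers" for k in ("key", "transform") if a[k] != b[k]]
    if [(dst, src) for src, dst in a["acl"]] != b["acl"]:
        findings.append("crypto ACLs are not mirror images")
    return findings
if __name__ == "__main__":
    print("\n".join(lint(R1, R2)) or "no findings")
```

Run against the constructed pair, it reports the two items missing from R2; a clean result only means the static config is consistent, so the show and debug output is still needed to see where negotiation stops.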

achalante Wed, 07/25/2007 - 23:48

Hi, sorry I left those out, but I can assure you I have all those configured. My crypto map was applied on the Dialer interface, and yes, it doesn't matter if your transform-set and your cryptos share the same name, as long as there's no mismatch.
