Site-to-Site VPN connection issue

Unanswered Question
Jul 25th, 2007
User Badges:


i just finished configuring a site to site VPN between two routers, but they don't seem to connect. I have tested WAN connectivity, and it works fine,...and the worst part of it, this is not the first time i have set up this type of connection, but i have never had this issue. Debugs dont even seem to work. Please find below copies of my config...


crypto isakmp key 0 uqef23fr923fg address xx.xx.xx.xx


crypto ipsec transform-set headoffice esp-des esp-md5-hmac


crypto map headoffice 13 ipsec-isakmp

set peer xx.xx.xx.xx

set transform-set headoffice

match address 103


access-list 103 permit ip


crypto isakmp key uqef23fr923fg address



crypto ipsec transform-set headoffice esp-des esp-md5-hmac


crypto map headoffice 13 ipsec-isakmp

set peer yy.yy.yy.yy

set transform-set headoffice

match address 105


access-list 105 permit ip

Thank you for your anticipated response.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
spremkumar Wed, 07/25/2007 - 04:07
User Badges:
  • Red, 2250 points or more


Did you check using show crypto isakmp sa and show crypto ipsec sa ?

Also is your peers reachable from both the ends ? did u check the connectivity to the peers ?


achalante Wed, 07/25/2007 - 04:50
User Badges: you can see, from my previous mail, i stated it there that i had checked WAN connectivity, and it works configs will give you all the information the show commands would.

mattiaseriksson Wed, 07/25/2007 - 05:10
User Badges:
  • Bronze, 100 points or more

When you say debug does not work what do you mean? The debug information is the quickest way to resolve these issues.

Is iskamp enabled? Is the crypto-map applied? Are the iskamp parameters matching?

The config extract you attached does not give all the information. Use the show commands to verify your configuration, and then analyze the debug information to determine the cause of the problem.

james.lumpkin Wed, 07/25/2007 - 10:04
User Badges:

not sure if you left these out of the posting on purpose or not, but the things i don't see in your config are an isakmp policy:

crypto isakmp policy 4

authentication pre-share

and where you applied the crypto map to the interface:

int s0/0

crypto map headoffice

Also, i've never had my crypto map and my transform set use the same name, so i don't know if that would be a problem or not.

good luck!


achalante Wed, 07/25/2007 - 23:48
User Badges:

Hi, sori i left those out, but i can assure you everything i av all those configured. My crypto map was applied on the Dialer interface, and doesnt matter if your transform-set and your cryptos share the same name, as long as there's no mismatch.


This Discussion