07-25-2007 01:36 AM - edited 02-21-2020 03:10 PM
Hello,
i just finished configuring a site to site VPN between two routers, but they don't seem to connect. I have tested WAN connectivity, and it works fine,...and the worst part of it, this is not the first time i have set up this type of connection, but i have never had this issue. Debugs dont even seem to work. Please find below copies of my config...
R1
crypto isakmp key 0 uqef23fr923fg address xx.xx.xx.xx
!
crypto ipsec transform-set headoffice esp-des esp-md5-hmac
!
crypto map headoffice 13 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set headoffice
match address 103
!
access-list 103 permit ip 10.1.16.0 0.0.15.255 10.3.16.0 0.0.15.255
R2
crypto isakmp key uqef23fr923fg address
yy.yy.yy.yy
!
crypto ipsec transform-set headoffice esp-des esp-md5-hmac
!
crypto map headoffice 13 ipsec-isakmp
set peer yy.yy.yy.yy
set transform-set headoffice
match address 105
!
access-list 105 permit ip 10.3.16.0 0.0.15.255 10.1.16.0 0.0.15.255
Thank you for your anticipated response.
07-25-2007 04:07 AM
Hi
Did you check using show crypto isakmp sa and show crypto ipsec sa ?
Also is your peers reachable from both the ends ? did u check the connectivity to the peers ?
regds
07-25-2007 04:50 AM
Hi..as you can see, from my previous mail, i stated it there that i had checked WAN connectivity, and it works fine....my configs will give you all the information the show commands would.
07-25-2007 05:10 AM
When you say debug does not work what do you mean? The debug information is the quickest way to resolve these issues.
Is iskamp enabled? Is the crypto-map applied? Are the iskamp parameters matching?
The config extract you attached does not give all the information. Use the show commands to verify your configuration, and then analyze the debug information to determine the cause of the problem.
07-25-2007 10:04 AM
not sure if you left these out of the posting on purpose or not, but the things i don't see in your config are an isakmp policy:
crypto isakmp policy 4
authentication pre-share
and where you applied the crypto map to the interface:
int s0/0
crypto map headoffice
Also, i've never had my crypto map and my transform set use the same name, so i don't know if that would be a problem or not.
good luck!
--j
07-25-2007 11:48 PM
Hi, sori i left those out, but i can assure you everything i av all those configured. My crypto map was applied on the Dialer interface, and yes...it doesnt matter if your transform-set and your cryptos share the same name, as long as there's no mismatch.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide