Simple Site to Site 2811 VPN config

Answered Question
Mar 11th, 2008

Maybe I should be calling support, but I don't think this is a level 1 deal.

Basically this is a cut and paste from 2 lab 2811's with Advanced IP. I don't believe I have a tunnel established here. Can anyone see anything inherently wrong? This is pretty much a cut and paste deal. I've done some troubleshooting, but I don't think any packets at all have passed over the tunnel that claims to be up. Just to be given a hint on direction here will be fine. These are back-to-back 2811's that can ping each other's serial interfaces.

CHESTER_STANDBY#
Building configuration...

crypto pki trustpoint TP-self-signed-3378xxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3378xxxxxx
 revocation-check none
 rsakeypair TP-self-signed-3378xxxxxx
!
!
crypto pki certificate chain TP-self-signed-3378xxxxxx
 certificate self-signed 01
 {truncated}
  CA5EE254 C2A3CEA1 B0274F8D 3F919734 D7AB09D3 D18146A7 9DD4A0CF F9AE4F88
  C5A33DAE 741AE002 3D9EB4E7 B7611C8C 4260DF4A C54F47C0 A78E
  quit
!
controller T1 0/0/0
 framing esf
 clock source internal
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key [email protected] address 10.250.99.2
!
!
crypto ipsec transform-set AMSCAN ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
crypto map RockStar local-address Serial0/0/0:0
crypto map RockStar 1 ipsec-isakmp
 set peer 10.250.99.2
 match address 101
!
interface Tunnel1
 bandwidth 1544
 ip address 10.250.100.1 255.255.255.0
 tunnel source 10.250.99.1
 tunnel destination 10.250.99.2
 crypto map RockStar
!
interface FastEthernet0/0
 description ip vpn lan
 ip address 10.120.250.101 255.255.0.0
 duplex auto
 speed auto
!
!
interface Serial0/0/0:0
 ip address 10.250.99.1 255.255.255.0
 crypto map RockStar
!
ip classless
ip route 10.10.0.0 255.255.0.0 Tunnel1
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 101 permit gre host 10.250.99.1 host 10.250.99.2
end

ELMSFORD VPN

ELMSFORD_VPN#sh run
Building configuration...
{truncated}
!
crypto pki trustpoint TP-self-signed-36393xxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-363xxxxx
 revocation-check none
 rsakeypair TP-self-signed-3639xxxxx
!
!
crypto pki certificate chain TP-self-signed-36393xxxxxx
 certificate self-signed 01
  6D201AA9 BE741CAD 0A57F073 D5239E4F F820EAB8 C3633F93 EC8DD543 84B95CE9
  5790CCB6 E4CED486 EF489A5F E6A59A1F 8FB13666 20EE9B
  quit
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key [email protected] address 10.250.99.1
!
!
crypto ipsec transform-set AMSCAN ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
crypto map RockStar local-address Serial0/0/0:0
crypto map RockStar 1 ipsec-isakmp
 set peer 10.250.99.1
 set transform-set AMSCAN
 match address 101
!
!
!
!
interface Tunnel0
 bandwidth 1544
 ip address 10.250.100.2 255.255.255.0
 tunnel source 10.250.99.2
 tunnel destination 10.250.99.1
 crypto map RockStar
!
interface FastEthernet0/0
 description vpn lan int
 ip address 10.10.250.101 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 ip address 10.250.99.2 255.255.255.0
 crypto map RockStar
!
ip classless
ip route 10.120.0.0 255.255.0.0 Tunnel0
!
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 101 permit gre host 10.250.99.2 host 10.250.99.1
!
!
end

Correct Answer
sundar.palaniappan Tue, 03/11/2008 - 12:13

On the CHESTER_STANDBY, can you assign the transform set to the crypto map? It's missing:

crypto map RockStar 1 ipsec-isakmp
 set transform-set AMSCAN

HTH

Sundar

tteslicko Tue, 03/11/2008 - 13:48

I have done that, thanks. I had the tunnel up briefly, but I got lost in the weeds and rebooted... and it's gone. Thanks for your help... tomorrow's another day, I guess, and at least I'm not a contractor out in the field with it....

tteslicko Wed, 03/12/2008 - 05:43

Yes, a tunnel has been successfully negotiated. I am not sure why this is, but maybe it's supposed to work this way... but when I try pinging the remote Ethernet interface, it can't successfully process the reply that it gets, saying that it's not an IPsec packet.

Maybe that's correct????
