Mark,

Thank you for your response! I have been pulling my hair out with this one. I knew the acl was missing something. One wan is 24.213.143.15 the other is 208.125.212.18 the subnets i can just replace with your example. I look forward to hearing from you!

Here are the corrected ACL's that should get you going. I am naming these examples siteA and siteB to prevent confusion.

SiteA:24.213.143.15

SiteB:208.125.212.18

ip access-list extended SiteA

permit ip 24.213.143.15 0.0.0.0 208.125.212.18 0.0.0.0

ip access-list extended SiteB

permit ip 208.125.212.18 0.0.0.0 24.213.143.15 0.0.0.0

After applying these ACL's to the router make sure that you apply the ACL to crypto map. Let me know if this helps.

Mark

Mr. Yeates,

Thank you again for your help. I was unsuccessful at bringing the tunnel up with this addition. Is there anyway you can walk me through setting the tunnel up at both ends through the SDM? i'd rather dump this and start from scratch. THanks!

I am sorry to hear that it is not working. Here is a template that I wrote a while back that is a fill in the blank template that might help you.

Again, I really appreciate your help!

I am not so familiar with the command line. I have recreated the 2 sides of the tunnel. Tunnel A(.2 network) is where i think the problem is. Tunnel B(.3 network) when using the vpn trouble shooter reports, "The peer 24.213.143.154 is responding but the VPN tunnel in not established. IPSec policies of this router are not matching with the IPSec policies of the peer device." here are the mirrors:

Tunnel A (.2)

The mirror configuration should only be used as a guide when configuring the peer.

The following configuration MUST NOT be directly applied to the peer device.

crypto isakmp policy 1

authentication pre-share

encr 3des

hash sha

group 2

lifetime 86400

exit

crypto isakmp key !password address 24.213.143.151

crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des

mode tunnel

exit

ip access-list extended SDM_2

remark SDM_ACL Category=4

permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255

exit

crypto map SDM_CMAP_1 3 ipsec-isakmp

description Apply the crypto map on the peer router's interface having IP address 208.125.212.181 that connects to this router.

set transform-set ESP-3DES-SHA

set peer 24.213.143.151

match address SDM_2

exit

Tunnel B (.3)

The mirror configuration should only be used as a guide when configuring the peer.

The following configuration MUST NOT be directly applied to the peer device.

crypto isakmp policy 1

authentication pre-share

encr 3des

hash sha

group 2

lifetime 86400

exit

crypto isakmp key !password address 208.125.212.181

crypto ipsec transform-set ESP-3DES-SHA11 esp-sha-hmac esp-3des

mode tunnel

exit

ip access-list extended SDM_2

remark SDM_ACL Category=4

remark IPSec Rule

permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255

exit

crypto map SDM_CMAP_1 3 ipsec-isakmp

description Apply the crypto map on the peer router's interface having IP address 24.213.143.151 that connects to this router.

set transform-set ESP-3DES-SHA11

set peer 208.125.212.181

match address SDM_2

exit

I have other tunnels active on both routers to other sites im not sure if those mirros would be helpful or not.

I also noticed that under the ip access-list in the above, tunnel A states remark ipsec rule as a line and tunnel B does not, just shooting in the dark here.

Not a problem. I am familiar with the CLI and not SDM for VPN so I will do the best I can. The obvious issue is the ACL's are not pointing to each other. The ACL needs to permit the two interfaces (where the arrows are pointing) to talk to each other. The only other thing I would take out is the "tunnel mode" under your crypto ISAKMP policy 1.

(A)<------>(B)

Hope This helps,

mark

Mark,

After looking into the running config, i see other access lists that deny the traffic we are trying to permit. I am curious as to the order these are run and if they have any bearingon our current project (the a to b tunnel). Here is a shot of the ACL's.

Building configuration...

Current configuration : 12308 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Brittonfield

!

boot-start-marker

boot-end-marker

!

logging buffered 52000 debugging

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

!

!

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

no ip dhcp use vrf connected

!

!

no ip ips deny-action ips-interface

ip domain name domain.local

ip name-server 24.x.226.113

ip name-server 24.x.226.123

!

no ftp-server write-enable

!

!

crypto pki trustpoint TP-self-signed-399736215

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-399736215

revocation-check none

rsakeypair TP-self-signed-399736215

!

!

crypto pki certificate chain TP-self-signed-399736215

certificate self-signed 01

30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 33393937 33363231 35301E17 0D303731 32303531 34313434

325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3339 39373336

32313530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

AF212155 A68BB61A 7E4F1376 72BB1EF9 CFB38F59 56943CDA BB6762E0 2F5CA1CE

FF3C6795 0B75624E 96B0799C 8B5B8908 351B0EC5 CE6C23B5 F4513DF2 997CCF04

62DA3890 F0C1D585 2D1FCC18 29E22016 5E9AB128 6593515C 1F3B547D BF943482

2D891E47 399B4AC0 FE3AE4C9 0BDDEAB7 00F8B841 F117BEEB 4148AD6B D7434C65

02030100 01A37A30 78300F06 03551D13 0101FF04 05300301 01FF3025 0603551D

11041E30 1C821A42 72697474 6F6E6669 656C642E 636E7964 6961672E 6C6F6361

6C301F06 03551D23 04183016 8014F95A 7CA2031A B9BB3360 54AB107B E8403317

EF1F301D 0603551D 0E041604 14F95A7C A2031AB9 BB336054 AB107BE8 403317EF

1F300D06 092A8648 86F70D01 01040500 03818100 4E9C1CD0 1BDD7430 88ED22B5

B614270B 17397AFF F6F399BA 12D5121B B4F20A0E DD9A9B85 A10768CB 52995D83

58308897 9B7A5E1D 5ADCCF9E 8638A835 56FEA126

quit

username xxx privilege 15 secret xxx

username xxx privilege 15 secret xxx

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key password address 208.125.212.211 no-xauth

crypto isakmp key password address 208.125.212.171

crypto isakmp key password address 208.125.212.181

crypto isakmp xauth timeout 15

!

crypto isakmp client configuration group cadstream_remote

key !scanner%01

dns 10.121.1.114

pool VPN_IPpool

acl 104

!

crypto isakmp client configuration group confirma

key xxx

dns 10.121.1.115

pool VPN_IPpool

acl 104

!

next post...

...continued

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA3

reverse-route

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 1 ipsec-isakmp

description ### Tunnel to South beach ###

set peer 208.125.212.211

set transform-set ESP-3DES-SHA

match address 103

crypto map SDM_CMAP_1 2 ipsec-isakmp

description Tunnel to208.125.212.171

set peer 208.125.212.171

set transform-set ESP-3DES-SHA4

match address 105

crypto map SDM_CMAP_1 3 ipsec-isakmp

description Tunnel to208.125.212.181

set peer 208.125.212.181

set transform-set ESP-3DES-SHA

match address 107

!

!

!

interface FastEthernet0/0

description ### LAN - Brittonfield ###

ip address 172.18.2.1 255.255.255.0

ip access-group 100 in

ip inspect SDM_LOW in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description ### WAN - Runner ###$ETH-WAN$

ip address 24.213.143.151 255.255.255.252

ip access-group 102 in

ip verify unicast reverse-path

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

crypto map SDM_CMAP_1

!

interface FastEthernet0/0/0

description ### network - Access Port ###

no ip address

!

interface FastEthernet0/0/1

switchport access vlan 2

no ip address

!

interface FastEthernet0/0/2

switchport access vlan 2

no ip address

!

interface FastEthernet0/0/3

switchport access vlan 2

no ip address

!

interface Vlan1

description ### Interface to Itentive ###$FW_OUTSIDE$

ip address 10.121.16.112 255.255.255.0

ip access-group 101 in

ip verify unicast reverse-path

ip nat inside

ip virtual-reassembly

!

interface Vlan2

ip address 149.98.213.111 255.255.255.0

next post

continued 2....

!

ip local pool VPN_IPpool 172.16.77.197 172.16.77.12

ip classless

ip route 0.0.0.0 0.0.0.0 24.213.143.151 name Default

ip route 10.121.0.0 255.255.0.0 10.121.16.1 name Itentive

ip route 149.98.213.0 255.255.255.0 10.121.16.1 permanent

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

!

access-list 1 remark For NAT to Internet

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 172.18.2.0 0.0.0.255

access-list 1 permit 10.121.16.0 0.0.0.255

access-list 23 permit 172.18.0.0 0.0.255.255

access-list 100 remark Inbound access list on LAN Interface

access-list 100 remark SDM_ACL Category=17

access-list 100 deny ip 10.121.1.0 0.0.0.255 any

access-list 100 permit icmp any host 172.18.2.1

access-list 100 deny ip 10.0.0.0 0.255.255.255 any

access-list 100 deny ip 192.168.0.0 0.0.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip host 0.0.0.0 any

access-list 100 permit ip any any

access-list 101 remark Inbound access list on Itentive Interface

access-list 101 deny ip 172.18.2.0 0.0.0.255 any

access-list 101 permit icmp any host 10.121.16.2

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 permit ip any any

next post...

continued 3....

access-list 102 remark Inbound access list on Outside interface

access-list 102 remark SDM_ACL Category=17

access-list 102 permit udp host 208.125.212.181 host 24.213.143.151 eq non500-isakmp

access-list 102 permit udp host 208.125.212.181 host 24.213.143.151 eq isakmp

access-list 102 permit esp host 208.125.212.181 host 24.213.143.151

access-list 102 permit ahp host 208.125.212.181 host 24.213.143.151

access-list 102 remark IPSec Rule

access-list 102 permit ip 172.18.4.0 0.0.0.255 172.18.2.0 0.0.0.255

access-list 102 permit udp host 208.125.212.171 host 24.213.143.151 eq non500-isakmp

access-list 102 permit udp host 208.125.212.171 host 24.213.143.151 eq isakmp

access-list 102 permit esp host 208.125.212.171 host 24.213.143.151

access-list 102 permit ahp host 208.125.212.171 host 24.213.143.151

access-list 102 permit ip 172.16.77.91 0.0.0.7 172.18.2.0 0.0.0.255

access-list 102 permit ip 172.16.77.91 0.0.0.7 172.16.77.91 0.0.0.7

access-list 102 permit ip 172.16.77.91 0.0.0.7 149.98.213.0 0.0.0.255

access-list 102 permit ip 172.16.77.91 0.0.0.7 10.121.0.0 0.0.255.255

access-list 102 permit udp host 208.125.212.211 host 24.213.143.151 eq non500-isakmp

access-list 102 permit udp host 208.125.212.211 host 24.213.143.151 eq isakmp

access-list 102 permit esp host 208.125.212.211 host 24.213.143.151

access-list 102 permit ahp host 208.125.212.218 host 24.213.143.151

access-list 102 remark IPSec Rule

access-list 102 permit ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255

access-list 102 permit udp any host 24.213.143.151 eq non500-isakmp

access-list 102 permit udp any host 24.213.143.151 eq isakmp

access-list 102 permit esp any host 24.213.143.151

access-list 102 permit ahp any host 24.213.143.151

access-list 102 deny ip 10.121.16.0 0.0.0.255 any

access-list 102 deny ip 172.18.2.0 0.0.0.255 any

access-list 102 permit icmp any host 24.213.143.151

access-list 102 deny ip 10.0.0.0 0.255.255.255 any

access-list 102 deny ip 172.16.0.0 0.15.255.255 any

access-list 102 deny ip 192.168.0.0 0.0.255.255 any

access-list 102 deny ip 127.0.0.0 0.255.255.255 any

access-list 102 deny ip host 255.255.255.255 any

access-list 102 deny ip host 0.0.0.0 any

access-list 102 deny ip any any log

access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255

access-list 103 remark SDM_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255

access-list 104 remark ### Access list for remote VPN users ###

access-list 104 remark SDM_ACL Category=20

access-list 104 permit ip 172.18.2.0 0.0.0.255 172.16.77.91 0.0.0.7

access-list 105 remark SDM_ACL Category=4

access-list 105 remark IPSec Rule

access-list 105 permit ip 172.18.2.0 0.0.0.255 172.18.4.0 0.0.0.255

access-list 107 remark SDM_ACL Category=4

access-list 107 permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255

access-list 110 remark SDM_ACL Category=2

access-list 110 deny ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255

access-list 110 remark IPSec Rule

access-list 110 deny ip 172.18.2.0 0.0.0.255 172.18.4.0 0.0.0.255

access-list 110 deny ip 172.18.2.0 0.0.0.255 172.16.77.91 0.0.0.7

access-list 110 deny ip 149.98.213.0 0.0.0.255 172.16.77.91 0.0.0.7

access-list 110 deny ip 10.121.0.0 0.0.255.255 172.16.77.91 0.0.0.7

access-list 110 remark IPSec Rule

access-list 110 deny ip 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255

access-list 110 permit ip 10.121.16.0 0.0.0.255 any

access-list 110 permit ip 172.18.2.0 0.0.0.255 any

route-map SDM_RMAP_1 permit 1

match ip address 110

!

!

!

control-plane

!

end

hi,

I feel from the above ACL config, the interesting traffic is being blocked from entering the external ( WAN ) interface of the tunnel.

access-list 102 deny ip any any log

access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255

If I am not wrong, 172.18.3.0/ 24 and 172.18.2.0/24 form the interesting traffic for the tunnel and that's being dropped at the WAN interface.

1. Try to move this line above the start of "deny" statements.

2. Fire up the tunnel and look for the error log on the VPN gateway.

From the logs we can understand what actually the problem is.

Hope this helps.

-rk

You seem to be OK with your ACL 102 inbound. Did you try the ACL that I recommended before?

no access-list 103

access-list 103 remark VPN ACL

access-list 103 permit ip host 208.125.212.171 host 24.213.143.151

and on the peer side

no access-list 103

access-list 103 remark VPN ACL

access-list 103 permit ip host 24.213.143.151 host 208.125.212.171

Having the config to look at helps.

Mark