Site-to-site VPN trouble

Unanswered Question
Jun 30th, 2008

Hey!

I'm having some trouble with a site-to-site VPN:

The two external IP addresses, 10.10.10.1 and 10.10.10.2, can ping each other. But I can't seem to get the inside LANs (192.168.1.0 and 192.168.100.0) to find each other through the tunnel.

Have I misconfigured the VPN tunnel, or do I need to add some extra type of routing somewhere?

Also, is there a way to monitor the status of the VPN tunnel? I'm guessing there are tons of error messages somewhere that could be useful.

I've attached the important parts of my config files.

Thanx


I think that the second unit may be the cause of the problem: it has two maps attempting the same peer, with overlapping maps.

I would remove this section of the config.

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 10.10.10.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

access-list outside_1_cryptomap extended permit ip host 192.168.100.0 host 192.168.1.0

That section is mapped to the host and not the network. Also, that mapping is trying to map a host to what is a subnet address for the 255.255.255.0 mask on both of your 192 networks.

That is where I would start.

I hope that helps.

Rich
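An added example (not from the thread, and not Cisco's own tooling): a small Python checker for the host-vs-network defect Rich describes, assuming the two /24 LANs named in the question. It parses an ASA crypto-map ACL line, proposes the subnet form where a `host` operand is really a LAN network address, and also produces the mirror-image ACL the far end needs, since both peers' interesting-traffic ACLs must match.

```python
import ipaddress

# Constructed LAN inventory for the two sites (the /24 masks named in the question).
LANS = [ipaddress.ip_network("192.168.100.0/24"),
        ipaddress.ip_network("192.168.1.0/24")]

def _parse_operand(tokens):
    """Consume one ASA ACL address operand (host A | A MASK | any)."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def _render(net):
    """Render a network back in ASA ACL syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def parse_crypto_acl(line):
    """Parse 'access-list NAME extended permit ip SRC DST' -> (name, src, dst)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line}")
    rest = tokens[5:]
    return tokens[1], _parse_operand(rest), _parse_operand(rest)

def find_host_mismatch(line, lans=LANS):
    """Return a corrected line when a 'host' operand is really one of our LAN
    network addresses (the defect in the thread); None if the line is fine."""
    name, src, dst = parse_crypto_acl(line)
    fixed, changed = [], False
    for net in (src, dst):
        lan = next((l for l in lans if net.prefixlen == 32
                    and net.network_address == l.network_address), None)
        if lan is not None:  # host 192.168.100.0 -> 192.168.100.0 255.255.255.0
            net, changed = lan, True
        fixed.append(_render(net))
    if not changed:
        return None
    return f"access-list {name} extended permit ip {fixed[0]} {fixed[1]}"

def peer_mirror(line):
    """The crypto ACL the far end needs: same traffic with src/dst swapped."""
    name, src, dst = parse_crypto_acl(line)
    return f"access-list {name} extended permit ip {_render(dst)} {_render(src)}"
```

Run `find_host_mismatch` over the `outside_1_cryptomap` line quoted above and it returns the subnet form; a genuine host such as `host 192.168.1.5` is left alone.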

a.alekseev Tue, 07/01/2008 - 11:12

looks good...

try

conf t

logg mo 7

exit

debug crypto isakmp 10

debug crypto ipsec 10

purohit_810 Tue, 07/01/2008 - 18:16

Hi,

You can go for VPN tracker software to monitor VPN tunnels.

Or you can implement a SYSLOG server, so it could give you logs when it connects and disconnects.

Or you can implement an ACS server for AAA.

Can you take your logs:

debug crypto isakmp

debug crypto ipsec

Thanks,

Dharmesh Purohit
