06-30-2008 09:31 AM - edited 03-11-2019 06:07 AM
Hey!
I'm having some trouble with a site-to-site VPN:
The two external IP addresses, 10.10.10.1 and 10.10.10.2, can ping each other. But I can't seem to get the inside LANs (192.168.1.0 and 192.168.100.0) to find each other through the tunnel.
Have I misconfigured the VPN tunnel, or do I need to add some extra type of routing somewhere?
Also, is there a way to monitor the status of the VPN tunnel? I'm guessing there are tons of error messages somewhere that could be useful.
I've attached the important parts of my config files.
Thanx
06-30-2008 11:33 AM
I think that the first second unit may be the cause of the problem: it has two maps attempting to reach the same peer, with overlapping maps.
I would remove this section of the config:
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.10.10.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
access-list outside_1_cryptomap extended permit ip host 192.168.100.0 host 192.168.1.0
That section is mapped to the host and not the network. Also, that mapping is trying to map a host to what is the subnet address for the 255.255.255.0 mask on both of your 192 networks.
That is where I would start.
I hope that helps.
Rich
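As an added illustration of the host-versus-network point above (example code, not from anyone in this thread), here is a small Python checker that parses ASA-style crypto ACL lines, flags a "host" entry that sits on an inside LAN's network address without covering that LAN, and builds the network-to-network ACE the tunnel needs. The inside LANs and the ACL line are the ones quoted in the thread; the corrected line in the sample is constructed.

```python
import ipaddress

# Constructed sample: the crypto ACL quoted in the thread, plus a corrected form.
SAMPLE_ACL = """
access-list outside_1_cryptomap extended permit ip host 192.168.100.0 host 192.168.1.0
access-list outside_1_cryptomap_fixed extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
# The two inside LANs named in the original post.
INSIDE_LANS = [ipaddress.ip_network("192.168.100.0/24"),
               ipaddress.ip_network("192.168.1.0/24")]

def parse_endpoint(tokens, i):
    """Return (network, next_index) for an ASA ACL endpoint starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # address followed by a dotted-decimal netmask (ASA syntax, not a wildcard)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl_line(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into (name, src, dst)."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
        return None
    src, i = parse_endpoint(t, 5)
    dst, _ = parse_endpoint(t, i)
    return t[1], src, dst

def check_crypto_acl(acl_text, lans):
    """Flag ACEs whose endpoint sits on a LAN's network address but does not cover it:
    'host 192.168.100.0' matches one address, so LAN traffic never enters the tunnel."""
    findings = []
    for line in acl_text.strip().splitlines():
        parsed = parse_acl_line(line)
        if parsed is None:
            continue
        name, src, dst = parsed
        for label, net in (("src", src), ("dst", dst)):
            for lan in lans:
                if net.network_address == lan.network_address and not lan.subnet_of(net):
                    findings.append((name, label, str(net), str(lan)))
    return findings

def suggested_ace(name, lans):
    """Build the network-to-network ACE the tunnel needs (local LAN first)."""
    local, remote = lans
    return (f"access-list {name} extended permit ip "
            f"{local.network_address} {local.netmask} "
            f"{remote.network_address} {remote.netmask}")
```

The same check applied to the other peer's crypto ACL should report nothing once both sides carry mirror-image network-to-network entries.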
07-01-2008 11:12 AM
looks good...
try
conf t
logg mo 7
exit
debug crypto isakmp 10
debug crypto ipsec 10
07-01-2008 06:16 PM
Hi,
You can go for VPN tracker software to monitor VPN tunnels.
Or you can implement a SYSLOG server, so it can give you logs when the tunnel connects and disconnects.
Or you can implement an ACS server for AAA.
Can you take your logs:
debug crypto isakmp
debug crypto ipsec
Thanks,
Dharmesh Purohit