Another site to site VPN problem

Unanswered Question
Sep 10th, 2008

Hi, we are trying to set up a site-to-site VPN between a Cisco 871 and a Cisco 2800 concentrator. The concentrator is running dozens of site-to-site VPNs with the same config. I think the problem is at the Cisco 871.

The config in the 871:

---------------------------------------------

Using 1652 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password ********
!
no aaa new-model
!
dot11 syslog
ip cef
!
ip name-server 194.224.52.36
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
crypto isakmp key ****** address 213.192.208.***
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 6 ipsec-isakmp
 description Numintel
 set peer 213.192.208.242
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 100
!
archive
 log config
  hidekeys
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 196.12.229.218 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.169.15.100 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.12.229.217
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Numintel
!
access-list 1 permit 192.169.15.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 2008
 login
!
scheduler max-task-time 5000
end

---------------------------------------------


crypto isakmp key ****** address 196.12.229.*****

crypto map SDM_CMAP_1 7 ipsec-isakmp
 description ICOMP
 set peer 196.12.229.***
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 111

interface GigabitEthernet0/0
 description VLAN COLLAB$ETH-LAN$
 ip address 192.168.3.11 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1

access-list 111 permit ip 192.168.3.0 0.0.0.255 192.169.15.0 0.0.0.255
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.169.15.0 0.0.0.255

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac



The tunnel is up, as the "sh crypto isakmp sa" command says on the 2800. But the 871 shows no output when executing any of the sh isakmp or ipsec commands. It's like it's dead.


Thank you very much, this one is driving me nuts.





Istvan_Rabai Wed, 09/10/2008 - 20:43

Hi Xavier,

I don't see isakmp policies configured on any of your routers.

Are they just cut from the text file, or are they really missing from the configurations?

If they are missing, you should configure isakmp policies on both sides.

Please write if you need help with this.

Cheers,

Istvan

godzilla0 Thu, 09/11/2008 - 02:55

Thanks for answering. Yes, the policies are on both routers; they are identical.

Marwan ALshawi Wed, 09/10/2008 - 21:29

You have NAT enabled but you didn't configure NAT exemption!

You need to exclude the LAN-to-LAN traffic from NAT.

On the first router you need:

access-list 101 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.169.15.0 0.0.0.255 any

then:

ip nat inside source list 101 interface FastEthernet4 overload

This is based on what is posted.

You also need to apply the same idea on the other router, but using the following for NAT:

access-list 110 deny ip 192.168.3.0 0.0.0.255 192.169.15.0 0.0.0.255
access-list 110 deny ip 192.168.4.0 0.0.0.255 192.169.15.0 0.0.0.255

access-list 110 permit ip 192.168.3.0 0.0.0.255 any
access-list 110 permit ip 192.168.4.0 0.0.0.255 any

Check the crypto isakmp policy: the authentication should be pre-share, and the hash and encryption should be 3des, sha respectively, based on your transform set.

Good luck.

If helpful, rate.
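The checks below are an added example and not code from the thread. They run over an abbreviated copy of the 871 configuration posted at the top and report three things worth verifying before debugging any further: whether a crypto isakmp policy exists at all (the point Istvan raises), whether the crypto map is bound to an interface with crypto map SDM_CMAP_1 (the 2800 snippet shows that line under GigabitEthernet0/0, while the 871 config shows no such line under FastEthernet4), and whether the NAT overload list exempts the traffic the crypto ACL selects (the point raised in this reply). The corrected configuration the script builds applies the NAT exemption above, binds the crypto map to the WAN port and adds an ISAKMP policy matching the 3DES/SHA transform set; the policy number and group are assumptions for illustration. The ACL parser only understands the standard and extended "ip" forms seen on this page.

```python
"""Static checks for an IOS site-to-site IPsec config. Added example, not code
from the thread: flags a missing ISAKMP policy, a crypto map never bound to an
interface, and a NAT overload list that translates the crypto ACL's traffic."""
import re

# Abbreviated copy of the 871 running-config from the first post.
CONFIG_871 = """\
crypto map SDM_CMAP_1 6 ipsec-isakmp
 set peer 213.192.208.242
 match address 100
!
interface FastEthernet4
 ip address 196.12.229.218 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.169.15.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
"""

# Same router with the NAT exemption proposed in the thread, the crypto map bound
# to the WAN port, and an ISAKMP policy (number and group assumed) for 3DES/SHA.
CONFIG_871_FIXED = CONFIG_871.replace(
    " ip nat outside\n", " ip nat outside\n crypto map SDM_CMAP_1\n"
).replace("source list 1 interface", "source list 101 interface") + """\
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
access-list 101 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.169.15.0 0.0.0.255 any
"""

def parse_blocks(config):
    """Map each unindented config line to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def _net(tokens):
    """Consume one ACL address spec: 'any' or 'ADDRESS WILDCARD'."""
    return ("any", tokens[1:]) if tokens[0] == "any" else (" ".join(tokens[:2]), tokens[2:])

def parse_acls(blocks):
    """Return {acl_number: [(action, src, dst), ...]} in configuration order."""
    acls = {}
    for line in blocks:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        num, action, rest = parts[1], parts[2], parts[3:]
        if rest[0] == "ip":                        # extended ACL: ip SRC WC DST WC
            rest = rest[1:]
        src, rest = _net(rest)
        dst = _net(rest)[0] if rest else "any"     # standard ACL has no destination
        acls.setdefault(num, []).append((action, src, dst))
    return acls

def _nat_exempt(nat_acl, src, dst):
    """First matching NAT entry decides; only a 'deny' keeps the flow untranslated."""
    for action, a_src, a_dst in nat_acl:
        if a_src in (src, "any") and a_dst in (dst, "any"):
            return action == "deny"
    return True                                    # implicit deny: not translated

def audit(config):
    """Return a list of findings; an empty list means all three checks passed."""
    blocks, findings = parse_blocks(config), []
    acls = parse_acls(blocks)
    if not any(h.startswith("crypto isakmp policy") for h in blocks):
        findings.append("no 'crypto isakmp policy': IKE phase 1 cannot negotiate")
    crypto_acls, applied = {}, set()               # map name -> ACLs; names on interfaces
    for header, body in blocks.items():
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", header)
        if m:
            crypto_acls.setdefault(m.group(1), []).extend(
                s.split()[2] for s in body if s.startswith("match address "))
        elif header.startswith("interface "):
            applied.update(s.split()[2] for s in body if s.startswith("crypto map "))
    findings += [f"crypto map {n} is defined but not applied to any interface"
                 for n in crypto_acls if n not in applied]
    for header in blocks:
        m = re.match(r"ip nat inside source list (\S+) ", header)
        if not m:
            continue
        for acl_num in sum(crypto_acls.values(), []):
            for action, src, dst in acls.get(acl_num, []):
                if action == "permit" and not _nat_exempt(acls.get(m.group(1), []), src, dst):
                    findings.append(f"NAT list {m.group(1)} translates {src} -> {dst}, "
                                    f"which crypto ACL {acl_num} expects to encrypt")
    return findings
```

Running audit(CONFIG_871) yields four findings (no policy, the unbound crypto map, and one NAT finding per crypto ACL entry), while audit(CONFIG_871_FIXED) yields none. The NAT check walks the NAT ACL in order and takes the first matching entry, which is why the deny entries must precede the permit, exactly as in the exemption list above.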






godzilla0 Thu, 09/11/2008 - 03:12

I did, and it's not working . . .

Still getting nothing from the 871.

The 2800 is OK because it shows this:

dst           src              state    conn-id  slot  status
192.168.3.11  195.53.3.154     QM_IDLE  5457     0     ACTIVE
192.168.3.11  80.34.139.242    QM_IDLE  5290     0     ACTIVE
192.168.3.11  196.12.229.218   QM_IDLE  5473     0     ACTIVE
192.168.3.11  196.12.229.218   QM_IDLE  5467     0     ACTIVE
192.168.3.11  196.12.229.218   QM_IDLE  5466     0     ACTIVE
192.168.3.11  196.12.229.218   QM_IDLE  5465     0     ACTIVE
192.168.3.11  196.12.229.218   QM_IDLE  5464     0     ACTIVE
192.168.3.11  196.12.229.218   QM_IDLE  5463     0     ACTIVE
192.168.3.11  196.12.229.218   QM_IDLE  5462     0     ACTIVE
192.168.3.11  196.12.229.218   QM_IDLE  5461     0     ACTIVE
192.168.3.11  213.27.252.202   QM_IDLE  5143     0     ACTIVE

So it is trying to establish the connection with the 871.

I will show you where the 871 is placed:

[192.168.15.X LAN]------[871-LAN PORT-192.168.15.100]-----[871-WAN PORT-196.12.229.218]------[WAN-196.12.229.217-INTERNET ROUTER]-----[INET]
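To read the show crypto isakmp sa output above mechanically, here is an added example (not code from the thread) that parses the table and flags any peer holding more than a couple of established phase-1 SAs at the same time. A peer normally has a single ISAKMP SA (two briefly while rekeying), so the eight ACTIVE QM_IDLE entries for 196.12.229.218 in this output deserve a closer look rather than being taken as proof that the tunnel works; the threshold of two is an assumption.

```python
"""Summarise `show crypto isakmp sa` output per peer. Added example, not code
from the thread: flags peers with an unusual number of established phase-1 SAs."""
from collections import Counter

# Output copied from the last post in the thread (the 2800 side).
SHOW_ISAKMP_SA = """\
dst src state conn-id slot status
192.168.3.11 195.53.3.154 QM_IDLE 5457 0 ACTIVE
192.168.3.11 80.34.139.242 QM_IDLE 5290 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5473 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5467 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5466 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5465 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5464 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5463 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5462 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5461 0 ACTIVE
192.168.3.11 213.27.252.202 QM_IDLE 5143 0 ACTIVE
"""

def parse_isakmp_sa(text):
    """Return one dict per SA row; the header line and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "dst":
            continue
        dst, src, state, conn_id, slot, status = parts[:6]
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "slot": int(slot), "status": status})
    return rows

def suspicious_peers(rows, max_sas=2):
    """Peers with more than max_sas established (QM_IDLE / ACTIVE) phase-1 SAs,
    mapped to the sorted conn-ids involved so they can be compared or cleared."""
    established = [r for r in rows if r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"]
    counts = Counter(r["src"] for r in established)
    return {peer: sorted(r["conn_id"] for r in established if r["src"] == peer)
            for peer, n in counts.items() if n > max_sas}
```

On the posted output, suspicious_peers(parse_isakmp_sa(SHOW_ISAKMP_SA)) returns only 196.12.229.218 with its eight conn-ids; the other three peers each hold exactly one SA.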

