09-10-2008 08:53 AM - edited 02-21-2020 03:56 PM
Hi, we are trying to set up a site-to-site VPN between a Cisco 871 and a Cisco 2800 concentrator. The concentrator is already running dozens of site-to-site VPNs with the same config. I think the problem is on the Cisco 871.
The config on the 871:
---------------------------------------------
Using 1652 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password ********
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 194.224.52.36
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
crypto isakmp key ****** address 213.192.208.***
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 6 ipsec-isakmp
description Numintel
set peer 213.192.208.242
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 196.12.229.218 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip address 192.169.15.100 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.12.229.217
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Numintel
!
access-list 1 permit 192.169.15.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 2008
login
!
scheduler max-task-time 5000
end
---------------------------------------------
crypto isakmp key ****** address 196.12.229.*****
crypto map SDM_CMAP_1 7 ipsec-isakmp
description ICOMP
set peer 196.12.229.***
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 111
interface GigabitEthernet0/0
description VLAN COLLAB$ETH-LAN$
ip address 192.168.3.11 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1
access-list 111 permit ip 192.168.3.0 0.0.0.255 192.169.15.0 0.0.0.255
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.169.15.0 0.0.0.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
The tunnel is up, as the "sh crypto isakmp sa" command shows on the 2800. But the 871 shows no output when executing any of the sh isakmp or ipsec commands. It's like it's dead.
Thank you very much, this one is driving me nuts.
09-10-2008 08:43 PM
Hi Xavier,
I don't see isakmp policies configured on any of your routers.
Are they just cut from the text file or are they really missing from the configurations?
If they are missing, you should configure isakmp policies on both sides.
Please write if you need help with this.
Cheers:
Istvan
09-11-2008 02:55 AM
Thanks for answering. Yes, the policies are on both routers; they are identical.
09-10-2008 09:29 PM
You have NAT enabled but you didn't configure NAT exemption!
You need to exclude the traffic going from LAN to LAN from the NAT.
On the first router
you need:
access-list 101 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.169.15.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.169.15.0 0.0.0.255 any
then:
ip nat inside source list 101 interface FastEthernet4 overload
This is based on what is posted.
You also need to apply the same idea on the other router, but using the following for NAT:
access-list 110 deny ip 192.168.3.0 0.0.0.255 192.169.15.0 0.0.0.255
access-list 110 deny ip 192.168.4.0 0.0.0.255 192.169.15.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
Check the crypto isakmp policy:
the authentication should be pre-share,
the hash and encryption should be
3des and sha respectively, based on your transform set.
Good luck.
If helpful, rate.
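An added audit script (not from this thread or from Cisco) that reads an IOS config excerpt like the one posted above and checks the two things the reply and the two posted configs turn on: whether the NAT ACL exempts the crypto ACL's traffic before the overload permit, and whether the crypto map is bound to the NAT outside interface, which the 2800 snippet shows and the 871 config as posted does not. The config strings are constructed from the thread and trimmed to the lines the checks read.

```python
# Constructed excerpt of the 871 config posted above, trimmed to the lines the audit reads.
CONFIG_871 = """\
crypto map SDM_CMAP_1 6 ipsec-isakmp
 match address 100
interface FastEthernet4
 ip nat outside
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.169.15.0 0.0.0.255
access-list 100 permit ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
CONFIG_871_FIXED = (  # same excerpt with NAT exemption and the crypto map bound to Fa4
    CONFIG_871.replace(" ip nat outside\n", " ip nat outside\n crypto map SDM_CMAP_1\n")
    .replace("source list 1 ", "source list 101 ") + """\
access-list 101 deny ip 192.169.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.169.15.0 0.0.0.255 any
""")

def _take(tokens):  # pop one address spec ('any' or 'network wildcard') off the list
    if not tokens or tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse(config):
    acls, crypto_acls, cmap_ifaces, section, nat_list, nat_iface = {}, [], set(), [], None, None
    for line in config.splitlines():
        t = line.split()
        if not line.startswith(" "):
            section = t  # top-level command that owns the indented lines below it
        if t[:1] == ["access-list"]:  # 'access-list N permit|deny [ip] SRC [DST]'
            rest = t[4:] if t[3] == "ip" else t[3:]
            src, rest = _take(rest)
            acls.setdefault(t[1], []).append((t[2], src, _take(rest)[0]))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_list, nat_iface = t[5], t[7]
        elif section[:2] == ["crypto", "map"] and t[:2] == ["match", "address"]:
            crypto_acls.append(t[2])
        elif section[:1] == ["interface"] and t[:2] == ["crypto", "map"]:
            cmap_ifaces.add(section[1])
    return acls, crypto_acls, nat_list, nat_iface, cmap_ifaces

def audit(config):  # returns a list of findings; empty means both checks pass
    acls, crypto_acls, nat_list, nat_iface, cmap_ifaces = parse(config)
    findings = [] if nat_iface in cmap_ifaces else [f"crypto map not applied to {nat_iface}"]
    for num in crypto_acls:
        for action, src, dst in acls.get(num, []):
            # NAT ACLs are first-match: the first entry covering the pair decides.
            hit = next((e for e in acls.get(nat_list, []) if e[1] in (src, "any") and e[2] in (dst, "any")), None)
            if action == "permit" and hit and hit[0] == "permit":
                findings.append(f"NAT list {nat_list} translates {src} -> {dst}; deny it before the permit")
    return findings
```

Run `audit(CONFIG_871)` to see both findings and `audit(CONFIG_871_FIXED)` to confirm the corrected excerpt passes.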
09-11-2008 03:12 AM
I did, and it's not working . . .
Still getting nothing from the 871.
The 2800 is OK because it shows this:
dst src state conn-id slot status
192.168.3.11 195.53.3.154 QM_IDLE 5457 0 ACTIVE
192.168.3.11 80.34.139.242 QM_IDLE 5290 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5473 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5467 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5466 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5465 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5464 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5463 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5462 0 ACTIVE
192.168.3.11 196.12.229.218 QM_IDLE 5461 0 ACTIVE
192.168.3.11 213.27.252.202 QM_IDLE 5143 0 ACTIVE
So it is trying to establish the connection with the 871.
I will show you where the 871 is placed:
[192.168.15.X LAN]------[871-LAN PORT-192.168.15.100]-----[871-WAN PORT-196.12.229.218]------[WAN-196.12.229.217-INTERNET ROUTER]-----[INET]