800 Series site to site vpn?

Answered Question
Oct 20th, 2008

Hello, I have a brand new pair of 851w's with IOS version 12.4(15)T7. I cannot seem to get a site to site VPN established; I have been able to use these 800 series successfully in the past. I have stripped the configs down to the bare essentials and still cannot get established.


When I do a show crypto session it all looks correct but the connection is "down"


I am not 100% sure about my crypto transform


"crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs" I am not sure the 800 series will support the encryption or if I should use something else.


I have attached the configs.





bparker277 Tue, 10/21/2008 - 12:28

Hello, thanks for the response.


I added


"route-map nonat permit 10

match ip address Crypto-list"


to each side and that did not seem to help. One thing that is odd, from the bangor side I can ping 192.168.0.1, and 192.168.1.1 but the crypto session says down. The pings respond very quickly to 192.168.0.1 so it is strange.



singhsaju Wed, 10/22/2008 - 07:09

Can you post the latest configs from both side?


Also try not using the crypto ACL in the route-map. Make a new ACL for denying IPsec traffic and permitting the rest of the traffic.


HTH

Saju


bparker277 Wed, 10/22/2008 - 07:55

I added an additional acl (120) and changed the route-map to point to the 120. On the "route-map nonat permit 10" what does the 10 mean?


Also, I do not have a loopback interface; is that required?



bparker277 Wed, 10/22/2008 - 08:11

I am confused about applying the NAT.


I have "ip nat outside" on the FE4

I have "ip nat inside" on VLan1, bvi1


and the "ip nat inside source list 1 interface FE4 overload"
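The NAT-exemption arrangement Saju describes (a separate ACL that denies the tunnel traffic and permits everything else, referenced from the route-map) and the "ip nat inside/outside" placement asked about in the last post fit together as below. This is an added illustration, not configuration from either poster or from Cisco: the LAN prefixes 192.168.1.0/24 (local) and 192.168.0.0/24 (remote) are assumed from the addresses being pinged, the crypto map name is a placeholder, and the ACL numbers, route-map name and interface names are the ones already mentioned in the thread.

```cisco
! Added example (not the poster's config): NAT exemption for a site-to-site
! IPsec tunnel on one 851W. Assumed addressing: local LAN 192.168.1.0/24,
! remote LAN 192.168.0.0/24. Mirror the two prefixes on the other router.
!
! 1. Crypto ACL: the "interesting" traffic that must be encrypted.
ip access-list extended Crypto-list
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! 2. NAT-exemption ACL 120: DENY the tunnel traffic so it is not translated,
!    then PERMIT the rest of the LAN so it is still overloaded onto FE4.
!    (A deny here only excludes from NAT; it does not drop packets.)
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
! 3. Route-map: "10" is only the sequence number of this entry. Entries are
!    evaluated lowest-first; extra clauses would be 20, 30, and so on.
route-map nonat permit 10
 match ip address 120
!
! 4. Point the NAT rule at the route-map instead of "list 1". With "list 1"
!    the VPN packets are translated to the FE4 address first and then no
!    longer match the crypto ACL, so the tunnel never carries traffic.
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
!
! 5. Interface roles: the crypto map lives on the outside (WAN) interface;
!    no loopback interface is needed for this to work.
interface FastEthernet4
 ip nat outside
 crypto map CRYPTO-MAP-NAME-PLACEHOLDER
!
interface BVI1
 ip nat inside
!
interface Vlan1
 ip nat inside
!
! Verification (exec mode):
!   show crypto session         - should move from DOWN to UP-ACTIVE
!   show crypto ipsec sa        - encaps/decaps counters should increment
!   show ip nat translations    - no entries for 192.168.1.x -> 192.168.0.x
```

One check worth running when "show crypto session" stays down although pings to the far side answer: a ping issued from the router's exec prompt is sourced from the outgoing interface address, not from the LAN, so it never matches the crypto ACL and tells you nothing about the tunnel. Ping with an inside source instead, e.g. "ping 192.168.0.1 source <inside interface holding the LAN address>", and watch the encaps/decaps counters in "show crypto ipsec sa" and the "ip nat translations" table to confirm the packets are being encrypted rather than translated.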


