800 Series site to site vpn?

Answered Question
Oct 20th, 2008

Hello, I have a brand new pair of 851w's with IOS version 12.4(15)T7. I cannot seem to get a site to site vpn established; I have been able to use these 800 series successfully in the past. I have stripped the configs down to the bare essentials and still cannot get established.

When I do a "show crypto session" it all looks correct, but the connection is "down".

I am not 100% sure about my crypto transform

"crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs" I am not sure the 800 series will support the encryption or if I should use something else.

I have attached the configs.

bparker277 Tue, 10/21/2008 - 12:28

Hello, thanks for the response.

I added

"route-map nonat permit 10
match ip address Crypto-list"

to each side and that did not seem to help. One thing that is odd, from the bangor side I can ping 192.168.0.1, and 192.168.1.1 but the crypto session says down. The pings respond very quickly to 192.168.0.1 so it is strange.

singhsaju Wed, 10/22/2008 - 07:09

Can you post the latest configs from both side?

Also try not using the Crypto ACL in the route-map. Make a new ACL for denying IPsec traffic and permitting the rest of the traffic.

HTH

Saju

bparker277 Wed, 10/22/2008 - 07:55

I added an additional acl (120) and changed the route-map to point to the 120. On the "route-map nonat permit 10" what does the 10 mean?

Also I do not have a loopback interface is that required?

bparker277 Wed, 10/22/2008 - 08:11

I am confused about applying the NAT.

I have "ip nat outside" on the FE4

I have "ip nat inside" on VLan1, bvi1

and the "ip nat inside source list 1 interface FE4 overload"
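The following IOS fragment is an added example, not the poster's attached config or a configuration from the replies, showing the NAT exemption that Saju describes together with the answers to the two follow-up questions (what the "10" in "route-map nonat permit 10" is, and how the "ip nat inside source" statement should reference the route-map). The subnets 192.168.0.0/24 and 192.168.1.0/24, the peer address 203.0.113.2, the crypto map name VPNMAP and the ACL number 120 are assumptions for one site; the other site mirrors the source/destination pairs. The reason the original "match ip address Crypto-list" under a "permit" clause does not work is that it selects exactly the LAN-to-LAN traffic for translation, so the packets leave with the public address as source, no longer match the crypto ACL, and the IPsec SA is never triggered:

```ios
! Site A (constructed example; addresses, interface names and ACL
! numbers are assumptions, not taken from the thread's attached configs)
!
! Crypto ACL: traffic to be encrypted. Referenced ONLY by the crypto map,
! never by the NAT route-map.
ip access-list extended Crypto-list
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT-exemption ACL: the SAME LAN-to-LAN traffic is DENIED here so it is
! not translated; everything else from the inside is permitted for PAT.
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
!
! "10" is the route-map sequence number: clauses are evaluated in ascending
! order, and the number only orders them (a second clause would be
! "route-map nonat permit 20"). Traffic denied by ACL 120 matches no clause
! and therefore is not translated.
route-map nonat permit 10
 match ip address 120
!
! Overload (PAT) only what the route-map permits, i.e. non-VPN traffic.
! This replaces "ip nat inside source list 1 interface FastEthernet4 overload".
ip nat inside source route-map nonat interface FastEthernet4 overload
!
! WAN side: NAT outside plus the crypto map on the same interface.
interface FastEthernet4
 ip nat outside
 crypto map VPNMAP
!
! LAN side(s) stay "ip nat inside" exactly as in the original config.
interface Vlan1
 ip nat inside
!
interface BVI1
 ip nat inside
!
! Crypto map entry tying the crypto ACL to the peer and transform set
! (ISAKMP policy and pre-shared key omitted; "10" here is likewise a
! sequence number).
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA-compression
 match address Crypto-list
```

After applying this on both sides, a ping from a 192.168.0.x host to 192.168.1.x should be the first traffic to match Crypto-list and bring the SA up; "show crypto session" should then move from "down" to "up-active", and "show ip nat translations" should show no entries for the 192.168.0.x to 192.168.1.x flow. A loopback interface is not required for this; the crypto map is applied directly to FastEthernet4.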
