800 Series site to site vpn?

Answered Question
Oct 20th, 2008

Hello, I have a brand new pair of 851w's with IOS version 12.4(15)T7. I cannot seem to get a site-to-site VPN established; I have been able to use these 800 series successfully in the past. I have stripped the configs down to the bare essentials and still cannot get it established.

When I do a show crypto session it all looks correct but the connection is "down"

I am not 100% sure about my crypto transform

"crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs" I am not sure the 800 series will support the encryption or if I should use something else.

I have attached the configs.

bparker277 Tue, 10/21/2008 - 12:28

Hello, thanks for the response.

I added

"route-map nonat permit 10

match ip address Crypto-list"

to each side and that did not seem to help. One thing that is odd: from the Bangor side I can ping, but the crypto session says down. The pings respond very quickly too, so it is strange.

singhsaju Wed, 10/22/2008 - 07:09

Can you post the latest configs from both side?

Also try not using the Crypto ACL in the route-map. Make a new ACL for denying IPsec traffic and permitting the rest of the traffic.



bparker277 Wed, 10/22/2008 - 07:55

I added an additional acl (120) and changed the route-map to point to the 120. On the "route-map nonat permit 10" what does the 10 mean?

Also I do not have a loopback interface is that required?

bparker277 Wed, 10/22/2008 - 08:11

I am confused about applying the NAT.

I have "ip nat outside" on the FE4

I have "ip nat inside" on Vlan1, BVI1

and the "ip nat inside source list 1 interface FE4 overload"
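The NAT-exemption pattern the thread is working toward, pulled together as one added example (not the configs posted in the thread, and not a vendor reference): a separate NAT ACL that denies the tunnel traffic and permits everything else, a route-map that points at it, and the overload NAT statement switched from the plain access list to the route-map. All addresses, the ACL and route-map names other than those already used in the thread, and the crypto map name `VPN-MAP` are constructed placeholders.

```cisco
! Added example, not from the thread. Assumed placeholder addressing:
!   local LAN  192.168.10.0/24  (behind Vlan1/BVI1, "ip nat inside")
!   remote LAN 192.168.20.0/24  (the far end of the tunnel)
!   FastEthernet4 is the Internet-facing interface ("ip nat outside")
!
! Crypto ACL: selects the traffic that must be encrypted (unchanged role).
ip access-list extended Crypto-list
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Separate NAT ACL (the thread's ACL 120): deny LAN-to-LAN traffic first so
! it reaches the crypto map with its real source address, then permit the
! rest so ordinary Internet traffic is still translated.
access-list 120 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
!
! "10" is the sequence number of this route-map entry. Entries are evaluated
! in ascending order, so a later "route-map nonat permit 20" would be tried
! only if entry 10 did not match.
route-map nonat permit 10
 match ip address 120
!
! Swap the plain list-based statement for the route-map version. The
! "overload" keyword keeps PAT behaviour for the permitted traffic.
no ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
!
interface FastEthernet4
 ip nat outside
 crypto map VPN-MAP
!
interface Vlan1
 ip nat inside
!
interface BVI1
 ip nat inside
```

Two checks worth running after this change. First, a ping issued from the router's own CLI is sourced from the outgoing interface address, which does not match the crypto ACL and therefore never triggers the tunnel; test with `ping 192.168.20.1 source Vlan1` (or from a host on the LAN) so the packet carries an inside source address. Second, confirm with `show ip nat translations` that no entries exist for the remote LAN and with `show crypto isakmp sa` / `show crypto ipsec sa` that phase 1 and phase 2 come up once interesting traffic is sent; a session that stays "down" in `show crypto session` with no ISAKMP SA usually means the traffic is being translated or routed before it reaches the crypto map.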

