10-20-2008 01:04 PM - edited 02-21-2020 03:59 PM
Hello, I have a brand new pair of 851w's with IOS version 12.4(15)T7. I cannot seem to get a site to site VPN established; I have been able to use these 800 series successfully in the past. I have stripped the configs down to the bare essentials and still cannot get established.
When I do a show crypto session it all looks correct but the connection is "down"
I am not 100% sure about my crypto transform
"crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs" I am not sure the 800 series will support the encryption or if I should use something else.
I have attached the configs.
10-21-2008 01:43 AM
You are missing your no-nat. Currently both routers are natting the traffic, so it will not match your crypto access-list.
Define your no-nat.
HTH>
10-21-2008 12:28 PM
Hello, thanks for the response.
I added
"route-map nonat permit 10
match ip address Crypto-list"
to each side and that did not seem to help. One thing that is odd, from the bangor side I can ping 192.168.0.1, and 192.168.1.1 but the crypto session says down. The pings respond very quickly to 192.168.0.1 so it is strange.
10-22-2008 07:09 AM
Can you post the latest configs from both side?
Also try not using the Crypto ACL in the route-map. Make a new ACL for denying IPsec traffic and permitting the rest of the traffic.
HTH
Saju
10-22-2008 07:55 AM
10-22-2008 08:00 AM
OK firstly - your config is not complete, you have not applied it to the nat statement for the FastEthernet - it will not work until you apply it.
The "permit 10" - is just a sequence number, you can have multiple matches in a route-map.
Loopback is not required.
HTH>
10-22-2008 08:11 AM
I am confused about applying the nat?
I have "ip nat outside" on the FE4
I have "ip nat inside" on Vlan1, bvi1
and the "ip nat inside source list 1 interface FE4 overload"
10-22-2008 08:16 AM
You need to change the config from :-
ip nat inside source list 1 interface FE4 overload
to
ip nat inside source route-map nonat interface FastEthernet4 overload
HTH>
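Putting Saju's suggestion (a separate deny/permit ACL instead of the crypto ACL) and the fix above (referencing the route-map from the NAT statement) together, here is an added example of what the NAT-exemption part of one side's config looks like. It is not the poster's attached config; the LAN prefixes 192.168.0.0/24 (local) and 192.168.1.0/24 (remote) are inferred from the ping targets in the thread, and the ACL name NAT-exempt is made up for this example.

```cisco
! Added example, not the original poster's config.
! Assumes 192.168.0.0/24 behind this router and 192.168.1.0/24 at the remote site.
!
! Crypto ACL: defines the interesting traffic that should trigger and ride the tunnel.
ip access-list extended Crypto-list
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Separate NAT ACL (per Saju): deny the site-to-site traffic first so it is never
! translated, then permit everything else so Internet traffic is still PATed.
ip access-list extended NAT-exempt
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
! A packet denied by NAT-exempt does not match this route-map clause, so it leaves
! the router with its private source address and still matches Crypto-list.
route-map nonat permit 10
 match ip address NAT-exempt
!
! The change that fixed the thread: the NAT rule must reference the route-map.
! With "list 1" the route-map is defined but never consulted, everything is PATed
! to the FastEthernet4 address, and the crypto ACL never sees a matching packet,
! which is why "show crypto session" stays down while plain pings still work.
ip nat inside source route-map nonat interface FastEthernet4 overload
!
interface FastEthernet4
 ip nat outside
!
interface Vlan1
 ip nat inside
```

The remote router needs the mirror image (source and destination prefixes swapped). After changing the NAT statement, `clear ip nat translation *` removes any translations already built for the LAN-to-LAN flows, then `show crypto session` and `show ip nat translations` confirm that the tunnel comes up and that no entries exist for the 192.168.1.0/24 destination.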
10-22-2008 09:59 AM
Yes, that fixed it. I was also able to add in my config for a laptop to router VPN using the Cisco client.
Thanks for all the help.
10-22-2008 10:55 AM
np - glad to help.