800 Series site to site vpn?

bparker277
Level 1

Hello, I have a brand new pair of 851w's with IOS version 12.4(15)T7. I cannot seem to get a site to site VPN established; I have been able to use these 800 series successfully in the past. I have stripped the configs down to the bare essentials and still cannot get established.

When I do a show crypto session it all looks correct but the connection is "down"

I am not 100% sure about my crypto transform

"crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs" I am not sure the 800 series will support the encryption or if I should use something else.

I have attached the configs.


andrew.prince
Level 10

You are missing your no-NAT. Currently both routers are NATting the traffic, so it will not match your crypto access-list.

Define your no-NAT.

HTH>

Hello, thanks for the response.

I added

"route-map nonat permit 10

match ip address Crypto-list"

to each side and that did not seem to help. One thing that is odd: from the Bangor side I can ping 192.168.0.1 and 192.168.1.1, but the crypto session says down. The pings respond very quickly to 192.168.0.1, so it is strange.

Can you post the latest configs from both sides?

Also try not using the crypto ACL in the route-map. Make a new ACL for denying IPsec traffic and permitting the rest of the traffic.

HTH

Saju

I added an additional ACL (120) and changed the route-map to point to the 120. On the "route-map nonat permit 10", what does the 10 mean?

Also, I do not have a loopback interface; is that required?

OK, firstly, your config is not complete: you have not applied it to the NAT statement for the FastEthernet. It will not work until you apply it.

The "permit 10" is just a sequence number; you can have multiple matches in a route-map.

Loopback is not required.

HTH>

I am confused about applying the NAT.

I have "ip nat outside" on the FE4

I have "ip nat inside" on Vlan1 and BVI1

and the "ip nat inside source list 1 interface FE4 overload"

You need to change the config from :-

ip nat inside source list 1 interface FE4 overload

to

ip nat inside source route-map nonat interface FastEthernet4 overload

HTH>
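The NAT-exemption pattern from this thread, written out as one added config fragment that is not the poster's or the repliers' own config. It assumes a local LAN of 192.168.0.0/24, a remote LAN of 192.168.1.0/24, the route-map name nonat, and ACL 120 as the no-NAT list; the broken NAT statement is left in as a comment beside the corrected one.

```cisco
! Added example, not the original poster's config.
! Assumed addressing: local LAN 192.168.0.0/24, remote LAN 192.168.1.0/24.
!
! Crypto ACL: the traffic that must be encrypted into the tunnel.
ip access-list extended Crypto-list
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! No-NAT ACL (120): "deny" here means "do not translate", so the
! tunnel-bound traffic is exempted and everything else is still NATted.
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
!
! Route-map that hands ACL 120 to NAT; 10 is only a sequence number.
route-map nonat permit 10
 match ip address 120
!
! Broken: ACL 1 translates all inside traffic to the FE4 address before
! the crypto map sees it, so packets never match Crypto-list.
! ip nat inside source list 1 interface FastEthernet4 overload
!
! Fixed: NAT decisions now come from the route-map, so traffic denied
! by ACL 120 leaves the router untranslated and matches the crypto ACL.
ip nat inside source route-map nonat interface FastEthernet4 overload
!
interface FastEthernet4
 ip nat outside
!
interface Vlan1
 ip nat inside
```

After applying it, "show ip nat translations" should show no entries for traffic between the two LANs, and "show crypto session" should move from down to up once traffic is sent across.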

Yes, that fixed it. I was also able to add in my config for a laptop-to-router VPN using the Cisco client.

Thanks for all the help.

NP, glad to help.