Site-2-Site VPN problem

Answered Question
Feb 6th, 2009

Guys,


I am new to the IP VPN world. I am trying to set up a site-2-site VPN between 2 Cisco 1841 routers. I have an SDSL link on both ends and I am able to ping the outside IP on both sides OK, but I am having problems setting up the VPN. The VPN tunnel is not coming UP and show crypto isakmp sa doesn't show me anything. I have enabled debugging on isakmp and ipsec but no trace is showing. Attached is my router config; I have a similar config on the other end.


Please help!


Cheers,

K



Ivan Martinon Fri, 02/06/2009 - 10:54

You are missing your transform set from this configuration:

crypto ipsec transform-set SMC esp-3des esp-md5-hmac
!
crypto map mymap 170 ipsec-isakmp
 set peer aa.aa.aa.aa
 match address 102

Go ahead and get into crypto map mode and add the proper line:

crypto map mymap 170 ipsec-isakmp
 set peer aa.aa.aa.aa
 match address 102
 set transform-set SMC

Make sure your other side has this setup too.
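The missing `set transform-set` line is the kind of omission that is easy to spot by eye in a four-line crypto map and easy to miss in a real config. The checker below is an added example, not code from the thread or from Cisco: it parses the `crypto ipsec transform-set` and `crypto map ... ipsec-isakmp` blocks out of IOS-style text and reports an entry that lacks `set peer`, `match address` or `set transform-set`, or that names a transform set which is never defined. The two sample configs are constructed from the entry quoted above, before and after the fix; `parse_crypto_config` and `lint_crypto_maps` are names chosen for this example.

```python
import re

# Sub-commands a site-to-site IPsec crypto map entry needs before it can negotiate.
REQUIRED_SUBCOMMANDS = ("set peer", "match address", "set transform-set")

# Constructed samples reproducing the thread: the posted entry without a
# transform set, and the same entry after the fix.
CONFIG_BEFORE = """\
crypto ipsec transform-set SMC esp-3des esp-md5-hmac
!
crypto map mymap 170 ipsec-isakmp
 set peer aa.aa.aa.aa
 match address 102
"""

CONFIG_AFTER = """\
crypto ipsec transform-set SMC esp-3des esp-md5-hmac
!
crypto map mymap 170 ipsec-isakmp
 set peer aa.aa.aa.aa
 match address 102
 set transform-set SMC
"""


def parse_crypto_config(config):
    """Return (transform_set_names, {(map_name, seq): [sub-command lines]})."""
    transform_sets = set()
    crypto_maps = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+)", line)
        if m:
            transform_sets.add(m.group(1))
            current = None
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            crypto_maps[current] = []
            continue
        # 'set ...' / 'match ...' lines belong to the open entry; anything else ends it.
        if current is not None and (line.startswith("set ") or line.startswith("match ")):
            crypto_maps[current].append(line)
        else:
            current = None
    return transform_sets, crypto_maps


def lint_crypto_maps(config):
    """List problems that would stop a crypto map entry from negotiating IPsec."""
    transform_sets, crypto_maps = parse_crypto_config(config)
    problems = []
    for (name, seq), lines in crypto_maps.items():
        for required in REQUIRED_SUBCOMMANDS:
            if not any(l.startswith(required + " ") for l in lines):
                problems.append(f"crypto map {name} {seq}: missing '{required}'")
        for l in lines:
            if l.startswith("set transform-set "):
                for ts in l.split()[2:]:
                    if ts not in transform_sets:
                        problems.append(
                            f"crypto map {name} {seq}: transform-set {ts} is not defined"
                        )
    return problems


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, lint_crypto_maps(cfg) or "ok")
```

Run against both routers' configs before pasting changes; the "before" sample reports exactly the problem in this post, and the "after" sample is clean.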

kiranoddiraju Tue, 02/10/2009 - 06:08

hi imartino,


I have included that line in the crypto map but the tunnel is still not established. Is there anything else I need to look at?

Ivan Martinon Tue, 02/10/2009 - 09:36

OK, this is your problem:

Router ZENSDSL-KH:

You need to change ACL 102 to match your actual network settings; you currently have this kind of ACL on both routers:

permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any

This is wrong; the VPN traffic ACL needs to be defined in a very specific way, so you will need to change it to this:

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

Then on this same router, you are using the IP address 88.96.145.110 as the source of the tunnel, but that IP address is not assigned to the Dialer interface, which is the interface used to leave this router. If you will need to use that IP address as the VPN tunnel source.

So, to do all of what I commented, go ahead and copy and paste this:

interface Dialer0
 no crypto map mymap
exit

no ip access-list ext 102
ip access-list ext 102
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
exit

crypto map mymap local-address FastEthernet0/0

interface Dialer0
 crypto map mymap
exit

Router SMC-SDSL:

You need to change ACL 102 to match your actual network settings; you currently have this kind of ACL on both routers:

permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any

This is wrong; the VPN traffic ACL needs to be defined in a very specific way, so you will need to change it to this:

access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

Then on this same router, you are using the IP address 88.96.145.118 as the source of the tunnel, but that IP address is not assigned to the Dialer interface, which is the interface used to leave this router. If you will need to use that IP address as the VPN tunnel source.

So, to do all of what I commented, go ahead and copy and paste this:

interface Dialer0
 no crypto map mymap
exit

no ip access-list ext 102
ip access-list ext 102
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
exit

crypto map mymap local-address FastEthernet0/0

interface Dialer0
 crypto map mymap
exit

See what the result is after this.

kiranoddiraju Tue, 02/10/2009 - 10:42

I copied and pasted the above config but the tunnel is still not established...


:(

Ivan Martinon Tue, 02/10/2009 - 10:43

Go ahead and send me the updated configs, and turn on debug crypto isakmp and debug crypto ipsec. Also, how are you testing? VPN tunnels will not come up by themselves; you need to initiate traffic over the tunnel.

kiranoddiraju Tue, 02/10/2009 - 10:55

updated configs attached...


I am trying to ping the LAN address on each site...


SMC-SDSL#debug crypto ipsec
Crypto IPSEC debugging is on
SMC-SDSL#debug crypto is
SMC-SDSL#debug crypto isakmp
Crypto ISAKMP debugging is on
SMC-SDSL#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SMC-SDSL#ter mon
SMC-SDSL#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SMC-SDSL(config)#log
SMC-SDSL(config)#logg
SMC-SDSL(config)#logging con
SMC-SDSL(config)#logging console
SMC-SDSL(config)#^Z
SMC-SDSL#ter mon
SMC-SDSL#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
SMC-SDSL#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
....



Thanks a lot for your time and patience



Correct Answer
Ivan Martinon Tue, 02/10/2009 - 10:59

This ping will never work; the ping you are doing right now will be sourced from the dialer interface. Go ahead and do

ping 192.168.1.1 source 192.168.0.254
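Two points in this thread come down to the same rule: the crypto ACL defines the proxy identities for the tunnel, so each side's entry must be the exact mirror of the peer's (the "permit ... any" lines in Ivan's earlier post fail that), and only traffic matching that ACL is "interesting" enough to trigger negotiation, which is why a ping sourced from the dialer interface's address never brings the tunnel up while one sourced from 192.168.0.254 does. The script below is an added example written for this page, not code from the thread or from Cisco. It parses `permit ip` lines in numbered or named extended ACL syntax, checks two ACLs for mirroring and for `any` operands, and tests whether a given source/destination pair would match. The sample ACLs are the ones quoted in the thread; the WAN address 203.0.113.10 standing in for the dialer interface is a constructed placeholder, and all function names are chosen for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # 0.0.0.0/0 represents "any"


ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _wildcard_to_network(addr, wildcard):
    # IOS wildcard masks are the bitwise inverse of a subnet mask.
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    mask = ipaddress.IPv4Address(mask_int)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_operand(tokens, i):
    """Parse one ACL address operand starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Parse 'permit ip' lines written as 'access-list N permit ip ...' or 'permit ip ...'."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]          # drop 'access-list <number>'
        if tokens[:2] != ["permit", "ip"]:
            continue                     # blanks and deny lines are not proxy identities
        src, i = _parse_operand(tokens, 2)
        dst, _ = _parse_operand(tokens, i)
        entries.append(AclEntry(src, dst))
    return entries


def is_interesting(acl, src_ip, dst_ip):
    """True if a packet src->dst matches the crypto ACL and would be sent into the tunnel."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in e.src and d in e.dst for e in acl)


def mirror_problems(local_acl, remote_acl):
    """Report entries that use 'any' or that have no exact mirror entry on the peer."""
    problems = []
    for e in local_acl:
        if e.src == ANY or e.dst == ANY:
            problems.append(f"{e.src} -> {e.dst}: 'any' is not a specific proxy identity")
        if AclEntry(e.dst, e.src) not in remote_acl:
            problems.append(f"{e.src} -> {e.dst}: no mirror entry {e.dst} -> {e.src} on the peer")
    return problems


# Constructed samples reproducing the thread's ACLs.
WRONG_ACL = """\
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
"""
SMC_ACL = "access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255"
ZEN_ACL = "access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255"


def check_thread():
    """Apply both checks to the thread's before/after ACLs and its two ping sources."""
    smc, zen = parse_crypto_acl(SMC_ACL), parse_crypto_acl(ZEN_ACL)
    wrong = parse_crypto_acl(WRONG_ACL)
    return {
        "wrong_acl_problems": mirror_problems(wrong, wrong),
        "fixed_acl_problems": mirror_problems(smc, zen) + mirror_problems(zen, smc),
        # Ping sourced from the WAN side (placeholder address) is not interesting traffic...
        "ping_from_wan": is_interesting(smc, "203.0.113.10", "192.168.1.1"),
        # ...but the same ping sourced from the LAN address matches the crypto ACL.
        "ping_from_lan": is_interesting(smc, "192.168.0.254", "192.168.1.1"),
    }


if __name__ == "__main__":
    for key, value in check_thread().items():
        print(f"{key}: {value}")
```

Feed it the two routers' ACL 102 text and the addresses you are pinging from and to; an empty problem list plus a True for the ping pair means the traffic will at least be offered to the tunnel, and any remaining failure is in ISAKMP/IPsec negotiation rather than in the ACL.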

kiranoddiraju Wed, 02/11/2009 - 07:07

ping 192.168.1.1 source 192.168.0.254


Fantastic... that works, imartino


Thank you very much!!!


:)
