cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
900
Views
10
Helpful
13
Replies

Site-2-Site VPn problem

kiranoddiraju
Level 1
Level 1

Guys,

 

I am new in the IP VPN's world. I am trying to setup a site-2-site vpn between 2 Cisco 1841 routers. I have SDSL link on both ends and I am able to ping outside IP both sides ok but having problems setting up vpn. The VPN tunnel is not coming UP and show crypto isakmp sa doesnt show me anything. I have enabled debugging on isakmp and ipsec but no trace showing. Attached is my router config, I have similar config on the other end.

 

Please help!

 

Cheers,

K

 

 

 

1 Accepted Solution

Accepted Solutions

This ping will never work, the ping you are doing right now will be sourced from the dialer interface, go ahead and do

ping 192.168.1.1 source 192.168.0.254

View solution in original post

13 Replies 13

Ivan Martinon
Level 7
Level 7

You are missing your transform set from this configuration:

crypto ipsec transform-set SMC esp-3des esp-md5-hmac

!

crypto map mymap 170 ipsec-isakmp

set peer aa.aa.aa.aa

match address 102

Go ahead and get into crypto map mode and add the proper line:

crypto map mymap 170 ipsec-isakmp

set peer aa.aa.aa.aa

match address 102

set transform-set SMC

Make sure your other side has this setup too.

thanks imartino, will do that on Monday and update...

cheers,

K

hi imartino,

I have included that line into the crypto map but the tunnel is still not established. is there anything else I need to look at?

Can you post your updated config?

Thanks imartino...config attached

 

 

 

Do you have the config of the other side of this vpn tunnel?

Yes I do...

 

 

 

Ok this is your problem:

Router ZENSDSL-KH:

You need to change the ACL 102 to match your actual network settings, you currently have on both routers this kind of acl

permit ip 192.168.0.0 0.0.0.255 any

permit ip 192.168.1.0 0.0.0.255 any

This is wrong, vpn traffic ACL needs to be defined in a very specific way, so you will need to change this to be like this:

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

Then on this same router, you are using the ip address 88.96.145.110 to be the source of the tunnel but that ip address is not assigned to the Dialer interface which is the interface which is used to leave this router. If you will need to use that ip addresss as the vpn tunnel source.

So, to do all of what I comment you go ahead and copy paste this:

interface Dialer0

no crypto map mymap

exit

no ip access-list ext 102

ip access-list ext 102

permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

exit

crypto map mymap local-address FastEthernet0/0

interface Dialer0

crypto map mymap

exit

Router SMC-SDSL

You need to change the ACL 102 to match your actual network settings, you currently have on both routers this kind of acl

permit ip 192.168.0.0 0.0.0.255 any

permit ip 192.168.1.0 0.0.0.255 any

This is wrong, vpn traffic ACL needs to be defined in a very specific way, so you will need to change this to be like this:

access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

Then on this same router, you are using the ip address 88.96.145.118 to be the source of the tunnel but that ip address is not assigned to the Dialer interface which is the interface which is used to leave this router. If you will need to use that ip addresss as the vpn tunnel source.

So, to do all of what I comment you go ahead and copy paste this:

interface Dialer0

no crypto map mymap

exit

no ip access-list ext 102

ip access-list ext 102

permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

exit

crypto map mymap local-address FastEthernet0/0

interface Dialer0

crypto map mymap

exit

See what is the result after this.

I copied and pasted the above config but the tunnel is still not established...

:(

Go ahead and send me the updated configs, and turn on debug crypto isakmp and debub crypto ipsec. Also how are you testing? VPN tunnels will not come by themselves, you need to initiate traffic over the tunnel.

updated configs attached...

 

I am trying to ping the LAN address on each site...

 

SMC-SDSL#debug crypto ipsec

Crypto IPSEC debugging is on

SMC-SDSL#debug crypto is

SMC-SDSL#debug crypto isakmp

Crypto ISAKMP debugging is on

SMC-SDSL#ping 192.168.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

SMC-SDSL#ter mon

SMC-SDSL#conf t

Enter configuration commands, one per line. End with CNTL/Z.

SMC-SDSL(config)#log

SMC-SDSL(config)#logg

SMC-SDSL(config)#logging con

SMC-SDSL(config)#logging console

SMC-SDSL(config)#^Z

SMC-SDSL#ter mon

SMC-SDSL#ping 192.168.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

UUUUU

Success rate is 0 percent (0/5)

SMC-SDSL#ping 192.168.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

....

 

 

Thanks a lot for your time and patience

 

 

 

This ping will never work, the ping you are doing right now will be sourced from the dialer interface, go ahead and do

ping 192.168.1.1 source 192.168.0.254

ping 192.168.1.1 source 192.168.0.254

Fantastic....that works imartino

Thank you very much!!!

:)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: