02-06-2009 09:08 AM - last edited on 10-12-2023 09:16 AM by kh-apoorva
Guys,
I am new to the IP VPN world. I am trying to set up a site-to-site VPN between 2 Cisco 1841 routers. I have an SDSL link on both ends and I am able to ping the outside IP on both sides OK, but I am having problems setting up the VPN. The VPN tunnel is not coming UP and show crypto isakmp sa doesn't show me anything. I have enabled debugging on isakmp and ipsec but there is no trace showing. Attached is my router config; I have a similar config on the other end.
Please help!
Cheers,
K
02-06-2009 10:54 AM
You are missing your transform set from this configuration:
crypto ipsec transform-set SMC esp-3des esp-md5-hmac
!
crypto map mymap 170 ipsec-isakmp
set peer aa.aa.aa.aa
match address 102
Go ahead and get into crypto map mode and add the proper line:
crypto map mymap 170 ipsec-isakmp
set peer aa.aa.aa.aa
match address 102
set transform-set SMC
Make sure your other side has this setup too.
02-06-2009 12:08 PM
thanks imartino, will do that on Monday and update...
cheers,
K
02-10-2009 06:08 AM
hi imartino,
I have included that line in the crypto map, but the tunnel is still not established. Is there anything else I need to look at?
02-10-2009 07:12 AM
Can you post your updated config?
02-10-2009 07:21 AM - last edited on 10-12-2023 09:17 AM by kh-apoorva
Thanks imartino...config attached
02-10-2009 07:36 AM
Do you have the config of the other side of this vpn tunnel?
02-10-2009 09:18 AM - last edited on 10-12-2023 09:18 AM by kh-apoorva
Yes I do...
02-10-2009 09:36 AM
Ok this is your problem:
Router ZENSDSL-KH:
You need to change ACL 102 to match your actual network settings; you currently have this kind of ACL on both routers:
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
This is wrong; the VPN traffic ACL needs to be defined in a very specific way, so you will need to change it to this:
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
Then on this same router, you are using the IP address 88.96.145.110 as the source of the tunnel, but that IP address is not assigned to the Dialer interface, which is the interface used to leave this router. If you will need to use that IP address as the VPN tunnel source.
So, to do all of what I commented on, go ahead and copy and paste this:
interface Dialer0
no crypto map mymap
exit
no ip access-list ext 102
ip access-list ext 102
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
exit
crypto map mymap local-address FastEthernet0/0
interface Dialer0
crypto map mymap
exit
Router SMC-SDSL:
You need to change ACL 102 to match your actual network settings; you currently have this kind of ACL on both routers:
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
This is wrong; the VPN traffic ACL needs to be defined in a very specific way, so you will need to change it to this:
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
Then on this same router, you are using the IP address 88.96.145.118 as the source of the tunnel, but that IP address is not assigned to the Dialer interface, which is the interface used to leave this router. If you will need to use that IP address as the VPN tunnel source.
So, to do all of what I commented on, go ahead and copy and paste this:
interface Dialer0
no crypto map mymap
exit
no ip access-list ext 102
ip access-list ext 102
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
exit
crypto map mymap local-address FastEthernet0/0
interface Dialer0
crypto map mymap
exit
See what the result is after this.
02-10-2009 10:42 AM
I copied and pasted the above config but the tunnel is still not established...
:(
02-10-2009 10:43 AM
Go ahead and send me the updated configs, and turn on debug crypto isakmp and debug crypto ipsec. Also, how are you testing? VPN tunnels will not come up by themselves; you need to initiate traffic over the tunnel.
02-10-2009 10:55 AM - last edited on 10-12-2023 09:20 AM by kh-apoorva
updated configs attached...
I am trying to ping the LAN address on each site...
SMC-SDSL#debug crypto ipsec
Crypto IPSEC debugging is on
SMC-SDSL#debug crypto is
SMC-SDSL#debug crypto isakmp
Crypto ISAKMP debugging is on
SMC-SDSL#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SMC-SDSL#ter mon
SMC-SDSL#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SMC-SDSL(config)#log
SMC-SDSL(config)#logg
SMC-SDSL(config)#logging con
SMC-SDSL(config)#logging console
SMC-SDSL(config)#^Z
SMC-SDSL#ter mon
SMC-SDSL#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
SMC-SDSL#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
....
Thanks a lot for your time and patience
02-10-2009 10:59 AM
This ping will never work; the ping you are doing right now is sourced from the dialer interface. Go ahead and do
ping 192.168.1.1 source 192.168.0.254
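A small checker, added here as an example that is not part of this thread and not Cisco code, for the two points imartino makes above: the crypto ACLs on both peers must be exact mirror images (otherwise the Phase 2 proxy IDs never agree), and a test ping only brings the tunnel up when its source and destination both fall inside the crypto ACL. The sample ACLs are copied from the thread; 203.0.113.10 is an assumed stand-in for SMC-SDSL's Dialer0 address, which the thread does not give.

```python
import ipaddress

def parse_ace(line):
    """Parse one 'permit ip <src> <wc> <dst> <wc>' entry into (src_net, dst_net).
    Handles 'any', 'host' and IOS wildcard (inverse) masks."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]                          # drop 'access-list <number>'
    if tok[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are supported: %s" % line)
    rest, nets = tok[2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1])); rest = rest[2:]
        else:
            wc = int(ipaddress.ip_address(rest[1]))
            if (wc + 1) & wc:
                raise ValueError("non-contiguous wildcard mask %s" % rest[1])
            prefix = 32 - wc.bit_length()      # 0.0.0.255 -> /24
            nets.append(ipaddress.ip_network("%s/%d" % (rest[0], prefix), strict=False))
            rest = rest[2:]
    return nets[0], nets[1]

def parse_acl(text):
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]

def is_interesting(acl, src, dst):
    """True if a src->dst packet matches the crypto ACL, i.e. would trigger IPsec."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)

def is_mirror(acl_a, acl_b):
    """Phase 2 proxy IDs only agree when each side's ACL is the exact reverse of the peer's."""
    return set(acl_a) == {(dn, sn) for sn, dn in acl_b}

# Sample input constructed from the thread: the original ACL (same on both routers)
# and the corrected, mirrored pair from the accepted fix.
ORIGINAL_ACL = "permit ip 192.168.0.0 0.0.0.255 any\npermit ip 192.168.1.0 0.0.0.255 any"
ZENSDSL_ACL = "access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255"
SMC_ACL = "access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255"
DIALER_IP = "203.0.113.10"   # assumed stand-in for SMC-SDSL's Dialer0 address (not in thread)

if __name__ == "__main__":
    orig, zen, smc = parse_acl(ORIGINAL_ACL), parse_acl(ZENSDSL_ACL), parse_acl(SMC_ACL)
    print("original ACL mirrored:", is_mirror(orig, orig))                                    # False
    print("corrected ACLs mirrored:", is_mirror(smc, zen))                                    # True
    print("ping from Dialer0 encrypted:", is_interesting(smc, DIALER_IP, "192.168.1.1"))      # False
    print("ping from LAN encrypted:", is_interesting(smc, "192.168.0.254", "192.168.1.1"))    # True
```

With the original 'any' ACL, the LAN-sourced ping would match, but so would every packet from the LAN to the Internet, and the peer's mirror check fails, which is why the tunnel never negotiated.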
02-11-2009 07:07 AM
ping 192.168.1.1 source 192.168.0.254
Fantastic... that works, imartino.
Thank you very much!!!
:)