Site to Site Tunnel Not Working

Unanswered Question
Oct 27th, 2009

Hi, I have configured Site - Site VPN.

but still not able to see, why tunnel is not eastabhlished

AAA-ZZZ

access-list VPN_AAA_ZZZ permit ip 10.20.0.0 255.255.0.0 10.1.0.0 255.255.0.0

crypto isakmp key Sabrina address 27.5.9.118 netmask 255.255.255.255

crypto map VPN_map 10 match address VPN_AAA_ZZZ

crypto map VPN_map 10 set peer 27.5.9.118

crypto map VPN_map 10 set transform-set ESP-3DES-SHA

crypto map VPN_map interface outside

access-list No_nat permit ip 10.20.0.0 255.255.0.0 10.1.0.0 255.255.0.0

access-list VPN_AAA_ZZZ permit ip 10.20.0.0 255.255.0.0 10.1.0.0 255.255.0.0

nat (inside) 0 access-list No_nat

ZZZ-AAA

access-list VPN_ZZZ_AAA permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0

crypto isakmp key Sabrina address 23.20.28.125 netmask 255.255.255.255

crypto map VPN 60 ipsec-isakmp

crypto map VPN 60 match address VPN_ZZZ_AAA

crypto map VPN 60 set peer 23.20.28.125

crypto map VPN 60 set transform-set ESP-3DES-SHA

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
pushpendray Tue, 10/27/2009 - 11:50

forgot to add this in

ZZZ_AAA

access-list No_nat permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0

and

added

sysopt connection permit-ipsec

also at both end.

I dont know where m i lacking?

mike_guy29 Tue, 10/27/2009 - 17:06

Hi,

Could be a few reasons why it is failing. Firstly what devices are you using for the VPN endpoints? I have not seen any ISAKMP policies configured here either. These are required to match for the first part of the VPN establishment.

What do the outputs of "show crypto isakmp sa" and "show crypto ipsec sa" show you?

Are you able to post the configs for both side of the tunnel (minus any sensitive information of course)

Regards

Mike

Actions

This Discussion