VPN configuration on Cisco 1941

Unanswered Question
Apr 27th, 2010

Hi all,


This is the first time I have tried to create a VPN between two Cisco routers, but unsuccessfully.

I have a Cisco 1941 and a Cisco 2811; the configuration on my 1941 router is:

router#sh run
Building configuration...


Current configuration : 5601 bytes
!
! Last configuration change at 17:01:49 PCTime Tue Apr 27 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login exvpnxauth local
aaa authorization network ezvpnnetwork local
!
!
aaa session-id common
!
no ipv6 cef
no ip source-route
ip cef
!
!
no ip bootp server
!
multilink bundle-name authenticated
!
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh version 2
no ip rcmd domain-lookup
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key vpnpassword address 2.3.4.5
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map Cisco-vpn 10 ipsec-isakmp
set peer 2.3.4.5
set transform-set STRONG
set pfs group2
match address 122
!
!
interface Loopback0
ip address 20.20.20.20 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 570
ip address 2.2.2.2 255.255.255.248
ip access-group 110 in
ip nat outside
ip virtual-reassembly
no cdp enable
crypto map Cisco-vpn
!
interface GigabitEthernet0/1
description internal-net
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip nat inside source static 10.10.10.2 2.2.2.3
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
logging trap debugging
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.10.2
access-list 10 deny   any
access-list 110 permit tcp any any established
access-list 110 permit icmp any any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit tcp host 2.3.4.5 host 2.2.2.2
access-list 110 permit udp any any
access-list 110 permit gre any any
access-list 122 permit ip 10.10.10.0 0.0.0.255 10.3.0.0 0.0.255.255
!
no cdp run


!
!
!
!
!
control-plane
!
!
!


What is wrong in this config?

In the logs I cannot see any error about the VPN.



Thanks.

Federico Coto F... Tue, 04/27/2010 - 12:15

Hi,


The VPN (interesting traffic) should flow between these two networks:

10.10.10.0 0.0.0.255 and 10.3.0.0 0.0.255.255


Try to send traffic between these networks and please post the output of the following two commands:


sh cry isa sa

sh cry ips sa


Federico.

Zigmunds Vitins Tue, 04/27/2010 - 23:54

#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status


IPv6 Crypto ISAKMP SA



#sh cry ips sa


interface: GigabitEthernet0/0.1
    Crypto map tag: vpn-test, local addr 2.2.2.2


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
   current_peer 2.3.4.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0


     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 2.3.4.5
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

Zigmunds Vitins Wed, 04/28/2010 - 00:40

Hi all,


I found my mistake: I forgot to allow ESP from the peer IP.

Now the VPN is up and running.


Thanks.
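The fix the thread ends on, written out as an added example (this is not configuration from the original post, from Cisco, or from either router): the outside sub-interface GigabitEthernet0/0.1 carries "ip access-group 110 in", and the posted ACL 110 permits TCP, ICMP, UDP and GRE but never IP protocol 50, so the peer's ESP packets hit the implicit deny. IOS checks the inbound ACL on a crypto-map interface before decryption, against the ESP packet itself, and then again against the decrypted packet, so both the ESP from the peer and the cleartext from the remote LAN have to be permitted. Addresses, the crypto ACL 122 and the interface come from the posted configuration; ACL number 111 and the remark text are my choice.

```cisco
! Added example, not the original post's config.
!
! 1) Minimal fix, the one-line change the poster reports making.
!    UDP 500 (isakmp) was already admitted by the posted "permit udp any any",
!    so only ESP was missing. Appending to a numbered ACL puts the entry at the
!    end, which is fine here because every existing entry is a permit.
access-list 110 permit esp host 2.3.4.5 host 2.2.2.2
!
! 2) Alternatively, a tighter replacement for the same ACL. It is built under a
!    new number and then swapped onto the interface: "no access-list 110" while
!    110 is still applied leaves the interface with an empty ACL, which
!    permits everything until the rebuild is typed back in.
access-list 111 remark -- IPsec peer 2.3.4.5 only: IKE, NAT-T, ESP --
access-list 111 permit udp host 2.3.4.5 host 2.2.2.2 eq isakmp
access-list 111 permit udp host 2.3.4.5 host 2.2.2.2 eq non500-isakmp
access-list 111 permit esp host 2.3.4.5 host 2.2.2.2
access-list 111 remark -- decrypted traffic from the remote LAN (mirror of ACL 122) --
access-list 111 permit ip 10.3.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 111 remark -- anti-spoofing: the inside range never arrives from outside --
access-list 111 deny   ip 10.10.10.0 0.0.0.255 any
access-list 111 remark -- general rules carried over from the posted ACL 110 --
access-list 111 permit tcp any any established
access-list 111 permit icmp any any
access-list 111 permit tcp host 2.3.4.5 host 2.2.2.2
access-list 111 permit gre any any
! "permit udp any any" is deliberately not carried over; see the note below.
!
interface GigabitEthernet0/0.1
 ip access-group 111 in
!
! Verification after generating traffic from 10.10.10.0/24 toward 10.3.0.0/16:
!   show crypto isakmp sa        -> the peer in state QM_IDLE
!   show crypto ipsec sa         -> #pkts encaps/decaps counting up
!   show access-list 111         -> matches on the esp and isakmp lines
!   debug crypto isakmp          -> if the ISAKMP SA table stays empty
```

Two caveats that follow from the posted configuration. First, dropping "permit udp any any" means UDP replies to inside hosts (DNS, NTP) are no longer admitted statelessly; either add specific permits or use CBAC ("ip inspect") on the outside interface so return traffic is opened dynamically. Second, "ip nat inside source static 10.10.10.2 2.2.2.3" has no exemption, and IOS translates inside-to-outside packets before it consults the crypto map, so traffic from 10.10.10.2 toward 10.3.0.0/16 leaves as 2.2.2.3 and does not match ACL 122; the rest of 10.10.10.0/24 is not translated at all in the posted configuration and is unaffected.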
