Site-to-Site VPN Cisco 1941 IOS 15.0(1)M1

Answered Question
May 6th, 2010

Hi,


I'm trying to set up a Site-to-Site VPN between an ASA and a 1941 Router. The VPN configuration on the ASA seems to be ok because it works without problems with a 1841 router with IOS 12.4 at the other site. The same VPN configuration on the new 1941 router with IOS 15.0(1)M1 doesn't work. It seems that the access-list for the crypto-map is the problem. The router never starts the VPN connection. When the ASA tries to establish the VPN, the debug log of the router shows:

...

*May  5 14:37:52.263: ISAKMP:(1007):Checking IPSec proposal 1
*May  5 14:37:52.263: ISAKMP: transform 1, ESP_3DES
*May  5 14:37:52.263: ISAKMP:   attributes in transform:
*May  5 14:37:52.263: ISAKMP:      SA life type in seconds
*May  5 14:37:52.263: ISAKMP:      SA life duration (basic) of 28800
*May  5 14:37:52.263: ISAKMP:      SA life type in kilobytes
*May  5 14:37:52.263: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*May  5 14:37:52.263: ISAKMP:      encaps is 1 (Tunnel)
*May  5 14:37:52.263: ISAKMP:      authenticator is HMAC-SHA
*May  5 14:37:52.263: ISAKMP:      group is 2
*May  5 14:37:52.263: ISAKMP:(1007):atts are acceptable.
*May  5 14:37:52.263: ISAKMP:(1007): IPSec policy invalidated proposal with error 32
*May  5 14:37:52.263: ISAKMP:(1007): phase 2 SA policy not acceptable! (local ... remote ...)

...


Any hint?


Regards

Claudia




The configuration of the router:


version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1941
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
ip domain name xyz.de
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-....
!
crypto pki certificate chain TP-self-signed-....
        quit
license udi pid CISCO1941/K9 sn ....
!
username xyz privilege 15 secret 5 $1$....
!
redundancy
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ...... address 1.2.3.4
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set tsAsa esp-3des esp-sha-hmac
!
crypto map asa 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set tsAsa
set pfs group2
match address 100
!
interface GigabitEthernet0/0
description *** inside ***
ip address 10.100.100.1 255.255.255.0
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 5.6.7.8 255.255.255.240
ip access-group 111 in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map asa
!
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
!
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 1.2.3.5
!
access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit esp host 1.2.3.4 host 5.6.7.8
access-list 111 permit udp host 1.2.3.4 host 5.6.7.8 eq isakmp
access-list 111 permit ahp host 1.2.3.4 host 5.6.7.8
access-list 111 deny   ip any any log

....

end

pepe__n Thu, 05/06/2010 - 02:36

Hi,


In this configuration, where is the route to 1.2.3.4 ?


How do you get to this address? You must have a route to 1.2.3.4 through the interface GEther0/1, which is the interface with the crypto-map applied.

sotradaAG Thu, 05/06/2010 - 03:33

Hi,

the route to the ASA is the default route (sorry, mistake in the masking of the real IP addresses). The router can ping the ASA and the router can answer the VPN initiated by the ASA, but cannot finish phase 2.


Regards

Claudia

Correct Answer
pepe__n Thu, 05/06/2010 - 04:57

Try to do this :


ip route 10.10.10.0 255.255.255.0 interface Ge0/1

ip route 1.2.3.4 255.255.255.255 default-gateway-in-Ge0/1


The rest of your config seems fine.

sotradaAG Thu, 05/06/2010 - 05:27

That was the trick, thanks very much!


ip route 10.10.10.0 255.255.255.0 Ge0/1
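A static configuration check for the condition the accepted answer fixes, as an added example that is not part of the thread: it parses a constructed excerpt of the posted config (addresses masked as in the post), resolves each crypto-ACL destination to the exit interface of its longest-matching static route, and reports whether that is the interface the crypto map is applied to. The helper names are mine, and the check assumes only static routes and net/wildcard ACL entries matter.

```python
import ipaddress

# Constructed excerpt of the 1941 config from the thread (addresses masked as in the post).
BEFORE = """\
crypto map asa 10 ipsec-isakmp
 match address 100
interface GigabitEthernet0/1
 ip address 5.6.7.8 255.255.255.240
 crypto map asa
ip route 0.0.0.0 0.0.0.0 1.2.3.5
access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
AFTER = BEFORE + "ip route 10.10.10.0 255.255.255.0 GigabitEthernet0/1\n"  # accepted answer's route
def wildcard_net(addr, wild):  # contiguous ACL wildcard ('0.0.0.255') -> network with prefix length
    return ipaddress.IPv4Network((addr, 32 - int(ipaddress.IPv4Address(wild)).bit_length()))
def parse(text):
    """Crypto maps (ACL + bound interface), interface subnets, static routes, crypto-ACL destinations."""
    maps, ifaces, routes, acls, ctx = {}, {}, [], {}, None
    for s in (line.strip() for line in text.splitlines()):
        f = s.split()
        if s.startswith("crypto map ") and f[-1] == "ipsec-isakmp":   # crypto map entry
            ctx = ("map", f[2]); maps.setdefault(f[2], {})
        elif s.startswith("interface "):
            ctx = ("if", f[1]); ifaces[f[1]] = {}
        elif ctx and ctx[0] == "map" and s.startswith("match address "):
            maps[ctx[1]]["acl"] = f[2]
        elif ctx and ctx[0] == "if" and s.startswith("ip address "):
            ifaces[ctx[1]]["net"] = ipaddress.IPv4Network(f"{f[2]}/{f[3]}", strict=False)
        elif ctx and ctx[0] == "if" and s.startswith("crypto map "):   # map applied to interface
            maps.setdefault(f[2], {})["iface"] = ctx[1]
        elif s.startswith("ip route "):
            routes.append((ipaddress.IPv4Network(f"{f[2]}/{f[3]}"), f[4]))
        elif s.startswith("access-list ") and " permit ip " in s and len(f) == 8:  # net/wildcard form only
            acls.setdefault(f[1], []).append(wildcard_net(f[6], f[7]))
    return maps, ifaces, routes, acls
def egress(dest, routes, ifaces):
    """Exit interface of the longest-prefix static route covering dest, or None if unresolvable."""
    best = max((r for r in routes if dest.subnet_of(r[0])), key=lambda r: r[0].prefixlen, default=None)
    if best is None or best[1] in ifaces:    # no route at all, or the route names an exit interface
        return best and best[1]
    nh = ipaddress.IPv4Address(best[1])      # next-hop form: find the connected subnet it lies in
    return next((n for n, i in ifaces.items() if nh in i.get("net", [])), None)
def check_crypto_routes(text):
    """(map, dest, egress, ok) per crypto-ACL destination; ok when egress is the crypto map's interface."""
    maps, ifaces, routes, acls = parse(text)
    hits = [(n, d, egress(d, routes, ifaces), m.get("iface")) for n, m in maps.items()
            for d in acls.get(m.get("acl"), [])]
    return [(n, str(d), e, e == i) for n, d, e, i in hits]
```

With the posted config the default route's next hop does not fall on the crypto-map interface's subnet, so 10.10.10.0/24 resolves to no interface; after the accepted answer's route is added it resolves to GigabitEthernet0/1.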
