Site-Site VPN - 2921 IOS 15 -> 2811 IOS 12.4

pthuland
Level 1

I just got a new 2921 router with IOS 15.0. When configuring IPsec I'm able to get the session up and running between the routers.

I'm able to connect to the router from the "home" network using local IP addresses - but not anything behind the local interface on the remote router.

I'm connecting from the 2921 router to the 2811 router.

The configuration on the 2921 router is as follows (modified with regards to IP addresses and key):

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key MyKey address 1.1.1.1
!
!
crypto ipsec transform-set mets esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map ipsec-vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set mets
 set pfs group2
 match address 120
 reverse-route
!
!
!
access-list 120 permit ip 10.191.255.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 130 permit ip 10.191.255.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 130 permit ip 10.191.255.0 0.0.0.255 any
!
!
interface GigabitEthernet0/0
 ip address 10.191.255.1 255.255.255.0
 ip access-group 130 in
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
 crypto map ipsec-vpn

When doing a "ping" from 10.191.255.2 I get a match in access-list 130, but not in access-list 120.

And no result is returned from the "home" network.

I have also replaced the 2921 router with a 3845 running 12.4, and entered the same configuration. This is working as it's supposed to.

Are there any changes regarding configuration of this in IOS 15.0?
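As an added example (not part of the original post and not a Cisco tool), a small Python checker that applies IOS wildcard-mask semantics to the two ACLs above and reports which entries a given source/destination pair hits; the ACL numbers and networks are copied from the post, the test flows (10.191.255.2 to 10.1.2.3 and to 8.8.8.8) are constructed.

```python
import ipaddress

# Constructed copy of the ACL lines from the post above (sample data).
CONFIG = """
access-list 120 permit ip 10.191.255.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 130 permit ip 10.191.255.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 130 permit ip 10.191.255.0 0.0.0.255 any
"""


def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _take_address(fields):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD').
    Returns ((addr, wildcard), remaining_fields)."""
    if fields[0] == "any":
        return (0, 0xFFFFFFFF), fields[1:]
    if fields[0] == "host":
        return (_ip(fields[1]), 0), fields[2:]
    return (_ip(fields[0]), _ip(fields[1])), fields[2:]


def wildcard_match(ip, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 must equal the ACL address."""
    addr, wildcard = spec
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def parse_acls(config):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} for extended
    'ip' entries; other protocols and non-ACL lines are skipped."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        number, action = parts[1], parts[2]
        src, rest = _take_address(parts[4:])
        dst, _ = _take_address(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def matching_entries(acls, acl_number, src_ip, dst_ip):
    """Return [(entry_index, action), ...] for every entry the flow hits.
    The router stops at the first hit; all hits are listed so shadowed
    entries (like the second line of ACL 130) are visible too."""
    s, d = _ip(src_ip), _ip(dst_ip)
    return [(i, action) for i, (action, sn, dn)
            in enumerate(acls.get(acl_number, []), 1)
            if wildcard_match(s, sn) and wildcard_match(d, dn)]


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    for dst in ("10.1.2.3", "8.8.8.8"):
        print(dst, "crypto ACL 120:", matching_entries(acls, "120", "10.191.255.2", dst),
              "interface ACL 130:", matching_entries(acls, "130", "10.191.255.2", dst))
```

This only answers whether the crypto map would classify a flow as interesting traffic; whether the SA is negotiated and the return route exists on the far side (the reverse-route part of this thread) still has to be checked on the routers themselves.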

3 Replies

budmiller
Level 1

Hello,

Have you found any resolution for this? I am running into the same issue. In our case we had to upgrade a 2811 from 12.4 to 15 code to support a new card and we are running into the same issue trying to get an IPsec tunnel to work between the 2811 running version 15 code and a 2821 running 12.4. The config was not changed at all and if we backrev the code on the 2811 back to 12.4 the tunnel comes right back up and passes traffic.

I have a TAC case open on it so when I get a resolution I will let you know.

Thanks,

Bud

No, I have not been able to resolve this. I had to use a 3845 instead of the 2900.

If I configure IPsec with known IP addresses on both sides (not DHCP on the "internet" side, and not using reverse route) everything is ok.

Well I've found that if I upgrade the code to the newest version 15.1.3.T that the tunnels work fine on the 2811. I'm not sure what changed in the releases as I have still not changed the config at all but I have it working now on that version of code. I'm not sure if that will fix it for the 2921 as well or not.

Thanks

Bud Miller