Site To Site VPN not connecting with other site

Unanswered Question
Nov 22nd, 2011

I have 2 Cisco routers and I am trying to set up a site-to-site VPN between them. I go through the wizard in CCP, but when I go to test the tunnel I get the following reason for failure on both routers:

"There is no response from the peer *peer ip address*"

Here is the running config from both routers

Router A:

Building configuration...

Current configuration : 6807 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router_A
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$SL.z$pj3WaB1WTxiLux46ltlMo/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2030943716
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2030943716
 revocation-check none
 rsakeypair TP-self-signed-2030943716
!
!
crypto pki certificate chain TP-self-signed-2030943716
 certificate self-signed 01
  quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.12.0.1 10.12.0.99
!
ip dhcp pool ccp-pool1
   import all
   network 10.12.0.0 255.255.255.0
   default-router 10.12.0.1
   dns-server 207.xxx.xx.xx 205.xxx.xx.xx
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 207.xxx.xx.xx
ip name-server 205.xx.xx.xx
!
!
!
username User1 privilege 15 secret 5 $1$MNvU$1yVJSWWZrNNatJM4XJ8Bu/
username User2 privilege 8 secret 5 $1$g2ae$PnY5XOrP1ieVux3oaGrrB1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *VPN Key* address *Site to Site Peer*
!
crypto isakmp client configuration group remote
 key l3tm31n
 pool SDM_POOL_2
 max-users 5
crypto isakmp profile ciscocp-ike-profile-1
   match identity group remote
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to *Site to Site Peer*
 set peer *Site to Site Peer*
 set transform-set ESP-3DES-SHA
 match address 100
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address *Public IP Address* 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.12.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.12.0.50 10.12.0.80
ip local pool SDM_POOL_2 10.12.1.50 10.12.1.70
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.xx.xx.xx
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.12.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.12.0.0 0.0.0.255 any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Here is Router B's config:

Building configuration...

Current configuration : 10799 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_B
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-175513978
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-175513978
 revocation-check none
 rsakeypair TP-self-signed-175513978
!
!
crypto pki certificate chain TP-self-signed-175513978
 certificate self-signed 01
  quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.10.199
ip dhcp excluded-address 10.10.10.221 10.10.255.254
ip dhcp excluded-address 10.10.10.1 10.10.10.199
ip dhcp excluded-address 10.10.10.221 10.10.10.254
!
ip dhcp pool sdm-pool2
   network 10.10.10.0 255.255.255.0
   dns-server 207.xx.xx.xx 205.xx.xx.xx
   default-router 10.10.10.1
   lease 0 2 1
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name yourdomain.com
ip name-server 207.229.52.2
ip name-server 205.233.109.40
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]
!
!
username User1 privilege 15 secret 5 $1$RFTW$pK.Ex1dceC9K1c3f2JMMz/
username User2 privilege 8 secret 5 $1$1A/4$55wBKNbfEvBdweXMLPQjV/
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *VPN Key* address *Peer Ip Address*
!
crypto isakmp client configuration group remote
 key *key2*
 dns 192.168.2.2 192.168.2.6
 domain mpe.ca
 pool SDM_POOL_1
 include-local-lan
 max-users 5
 netmask 255.255.0.0
crypto isakmp profile sdm-ike-profile-1
   match identity group remote
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to *Peer Ip Address*
 set peer *Peer Ip Address*
 set transform-set ESP-3DES-SHA1
 match address 101
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip address *Public IP Address* 255.255.255.0
 ip access-group 105 in
 ip access-group sdm_fastethernet4_out out
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 ip access-group sdm_virtual-template1_out out
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.0.0
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.10.11.0 10.10.11.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.xx.xx.xx permanent
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended sdm_fastethernet4_in
 remark SDM_ACL Category=1
 remark Deny All
 deny   ip any any
ip access-list extended sdm_fastethernet4_out
 remark CCP_ACL Category=1
 permit udp any any eq domain
 permit tcp any any eq 443
 permit tcp any any eq www
 remark PcAnywhere1
 permit tcp any any eq 5631
 remark PcAnywhere2
 permit udp any any eq 5632
 permit tcp any eq 10000 any
 permit ip any any
ip access-list extended sdm_virtual-template1_out
 remark SDM_ACL Category=1
 permit ip any any
!
access-list 100 remark CCP_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny   ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 10.10.10.1 eq non500-isakmp
access-list 104 permit udp any host 10.10.10.1 eq isakmp
access-list 104 permit esp any host 10.10.10.1
access-list 104 permit ahp any host 10.10.10.1
access-list 104 permit icmp any any echo-reply
access-list 104 permit udp any eq bootps any eq bootps
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 10.10.10.192 0.0.0.31 10.10.0.0 0.0.255.255
access-list 104 deny   icmp 10.10.10.192 0.0.0.31 10.10.0.0 0.0.255.255
access-list 104 deny   udp 10.10.10.192 0.0.0.31 10.10.0.0 0.0.255.255
access-list 104 deny   tcp 10.10.10.192 0.0.0.31 10.10.0.0 0.0.255.255
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit tcp any eq 10000 any eq 10000
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark CCP_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 105 permit udp host *Peer Ip Address* host *Public IP Address* eq non500-isakmp
access-list 105 permit udp host *Peer Ip Address* host *Public IP Address* eq isakmp
access-list 105 permit esp host *Peer Ip Address* host *Public IP Address*
access-list 105 permit ahp host *Peer Ip Address* host *Public IP Address*
access-list 105 permit tcp any any eq 10000
access-list 105 deny   ip 10.10.0.0 0.0.255.255 any
access-list 105 permit udp any eq bootps any eq bootpc
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip 0.0.0.0 255.255.0.0 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip any any log
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser>   privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Router B uses a lot of ACLs, so I think the problem may be in there somewhere. I didn't set up Router B, and I'm not too familiar with ACLs. Any help is greatly appreciated. Thanks.
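The ACLs the two `match address` statements point to (Router A's 100, Router B's 101) and the NAT route-map ACLs (Router A's 101, Router B's 100) can be checked against each other mechanically. The script below is an added example, not part of the original post or of Cisco's tooling; it takes the relevant ACL lines from the configs above as constructed input and reports crypto entries the peer does not mirror and VPN traffic the NAT ACL fails to exempt.

```python
"""Consistency checks on the IPsec-related ACLs from the two configs above."""
import ipaddress
import re

# Constructed input for this example: the relevant ACL lines copied from the posted
# configs (Router A crypto ACL 100 / NAT ACL 101, Router B crypto ACL 101 / NAT ACL 100).
ROUTER_A_CRYPTO = "access-list 100 permit ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255"
ROUTER_A_NAT = """access-list 101 deny   ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.12.0.0 0.0.0.255 any"""
ROUTER_B_CRYPTO = "access-list 101 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255"
ROUTER_B_NAT = """access-list 100 deny   ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.255.255 any"""

# Matches numbered-ACL entries of the form 'permit|deny ip <src> <wild> <dst> <wild>'.
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def to_network(addr, wildcard):
    """IOS 'address wildcard' -> ip_network (0.0.0.255 is a /24, 0.0.255.255 a /16)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_aces(text, action):
    """Return (src_net, dst_net) pairs for entries with the given action; 'any' and
    'host' forms are skipped because neither check below needs them."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == action:
            pairs.append((to_network(m.group(2), m.group(3)),
                          to_network(m.group(4), m.group(5))))
    return pairs


def mirror_mismatches(local_crypto, remote_crypto):
    """Crypto ACLs on the two peers should be mirror images: every local (src, dst)
    needs a remote (dst, src). Returns the local entries the remote does not mirror."""
    remote = parse_aces(remote_crypto, "permit")
    return [p for p in parse_aces(local_crypto, "permit") if (p[1], p[0]) not in remote]


def unexempted_from_nat(crypto_acl, nat_acl):
    """On IOS, NAT runs before the crypto map on the inside-to-outside path, so VPN
    traffic must be denied in the route-map ACL or it is translated and never matches
    the crypto ACL. Returns crypto entries that no 'deny' entry fully covers."""
    denies = parse_aces(nat_acl, "deny")
    return [(s, d) for s, d in parse_aces(crypto_acl, "permit")
            if not any(s.subnet_of(ds) and d.subnet_of(dd) for ds, dd in denies)]


if __name__ == "__main__":
    for name, local, remote in (("Router A", ROUTER_A_CRYPTO, ROUTER_B_CRYPTO),
                                ("Router B", ROUTER_B_CRYPTO, ROUTER_A_CRYPTO)):
        for s, d in mirror_mismatches(local, remote):
            print(f"{name}: {s} -> {d} has no mirror entry on the peer")
    for name, crypto, nat in (("Router A", ROUTER_A_CRYPTO, ROUTER_A_NAT),
                              ("Router B", ROUTER_B_CRYPTO, ROUTER_B_NAT)):
        for s, d in unexempted_from_nat(crypto, nat):
            print(f"{name}: {s} -> {d} is not exempted from NAT")
```

On the posted lines the NAT exemptions are consistent, but the mirror check flags both routers: Router A selects 10.12.0.0/24 to 10.10.10.0/24 while Router B selects 10.10.0.0/16 to 10.12.0.0/24.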

jsandau@mpe.ca Wed, 11/23/2011 - 07:50

Actually this is a different site-to-site issue than the other one I was having. I solved that one. The subnet of 255.255.0.0 on Vlan1 on Router B is correct (as far as I know), because that router has devices attached to it with IPs of 10.10.3.3, 10.10.10.2, 10.10.1.1, etc... So, as far as I know (I didn't set up Router B), the subnet of 255.255.0.0 is correct.

Posted November 22, 2011 at 1:45 PM