VPN between 2611XM and 1721 problems

mljevakovic
Level 3

I have a 2611XM at the central site and a 1721 at the remote site. I tried to establish a VPN between these sites but I couldn't get it working.

Here are config files:

Current configuration : 2706 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2611XM CENTRAL
!
enable secret xxxxx
enable password xxxx
!
username xxxx password 0 xxxxxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key xxxx address REMOTE PUBLIC IP no-xauth
!
crypto isakmp client configuration group xxxxxx
 key xxxxx
 dns 192.168.1.100
 domain cpn.vwg
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
 set peer REMOTE PUBLIC IP
 set transform-set myset1
 match address 115
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address CENTRAL PUBLIC IP 255.255.255.252
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map clientmap
!
ip local pool ippool 10.1.1.100 10.1.1.200
ip nat pool internet CENTRAL PUBLIC IP CENTRAL PUBLIC IP prefix-length 30
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 PROVIDER PUBLIC IP
ip route PRIVATE NETWORK 255.255.192.0 192.168.1.101
ip http server
!
!
ip access-list extended addr-pool
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended tunnel-password
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxx
!
!
end

------------

Current configuration : 1393 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1721 REMOTE
!
logging queue-limit 100
enable password xxxx
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key xxxxx address CENTRAL PUBLIC IP no-xauth
!
!
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map test 5 ipsec-isakmp
 set peer CENTRAL PUBLIC IP
 set transform-set myset1
 match address 115
!
!
!
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 half-duplex
!
interface FastEthernet0
 ip address REMOTE ADDRESS IP 255.255.255.252
 no ip proxy-arp
 ip nat outside
 speed auto
 crypto map test
!
ip nat inside source route-map nonat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route PROVIDER PUBLIC NETWORK 255.255.255.252 FastEthernet0
no ip http server
no ip http secure-server
!
!
!
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 110
!
!
line con 0
line aux 0
line vty 0 4
 password 7 xxxxxxx
 login
!
no scheduler allocate
end

-----

The routers cannot ping each other, but I accept clients successfully. Are these configs correct? PLS HELP

4 Replies

artherrera
Level 1

Hi,

Your configurations look OK. Are you sending an extended ping from the router or a continuous ping from a PC behind either router?

Is there a firewall in between these two peers?

Let us know

Arthur

I sent pings from both routers; here are samples.

Cisco2611XM#ping
Protocol [ip]:
Target IP address: 192.168.0.1
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
..........
Success rate is 0 percent (0/10)

Cisco2611XM#traceroute 192.168.0.1
Type escape sequence to abort.
Tracing the route to 192.168.0.1
1 PROVIDER PUBLIC IP1 ADDRESS 28 msec 28 msec 28 msec
2 PROVIDER PUBLIC IP2 ADDRESS 28 msec 32 msec 28 msec
3 PROVIDER PUBLIC IP1 ADDRESS 32 msec 24 msec 28 msec
4 PROVIDER PUBLIC IP2 ADDRESS 28 msec 28 msec 28 msec
5 PROVIDER PUBLIC IP1 ADDRESS 33 msec 32 msec 28 msec
....
30. the same as above

This is from the Cisco 2611XM at the CENTRAL OFFICE.

Rodoc#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

cisco1721#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 PROVIDER PUBLIC IP1 ADDRESS 0 msec 0 msec 0 msec
2 PROVIDER PUBLIC IP2 ADDRESS 36 msec 808 msec 212 msec
3 PROVIDER PUBLIC IP3 ADDRESS msec 32 msec 60 msec
4 PROVIDER PUBLIC IP4 ADDRESS 112 msec 700 msec 224 msec
5 PROVIDER PUBLIC IP5 ADDRESS 36 msec 100 msec 40 msec
6 * * *

This is from the Cisco 1721.

The providers are different.

I did not try any pings from local PCs on the LANs; I've only tried from the routers.

Hi

The trace is showing a loop from the 2600 to the 1700 router:

1 PROVIDER PUBLIC IP1 ADDRESS 28 msec 28 msec 28 msec
2 PROVIDER PUBLIC IP2 ADDRESS 28 msec 32 msec 28 msec
3 PROVIDER PUBLIC IP1 ADDRESS 32 msec 24 msec 28 msec
4 PROVIDER PUBLIC IP2 ADDRESS 28 msec 28 msec 28 msec
5 PROVIDER PUBLIC IP1 ADDRESS 33 msec 32 msec 28 msec

The reason being the IP1 and IP2 back and forth....

Can you ping the outside interfaces at all? public to public?

I can ping from PCs on LAN 192.168.0.0 to PCs on LAN 192.168.1.0, but I cannot ping the routers directly. I can ping the public interfaces but not the private interfaces.
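How the CENTRAL router's two access lists sort each flow, as an added Python model (not code from the thread or from IOS): ACL 101 drives the NAT exemption and ACL 115 selects traffic for the crypto map, so a LAN-to-LAN packet is exempted from NAT and then encrypted, while a plain ping typed on the router is sourced from the egress interface's public address, which neither ACL covers, so it leaves in the clear toward a private destination. The address 203.0.113.2 is an assumed stand-in for the masked CENTRAL PUBLIC IP, and the host addresses are constructed.

```python
import ipaddress

# Cisco wildcard masks are the inverse of a netmask: a 0 bit must match, a 1 bit is ignored.
def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_action(entries, src: str, dst: str) -> str:
    """Walk a numbered ACL top-down; the first matching entry wins, implicit deny at the end."""
    for action, s, sw, d, dw in entries:
        if _wild_match(src, s, sw) and _wild_match(dst, d, dw):
            return action
    return "deny"

# Entries copied from the CENTRAL (2611XM) config: "any" is written as 0.0.0.0 255.255.255.255.
ACL_101 = [  # route-map nonat: what gets translated by "ip nat inside source"
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("deny",   "192.168.1.0", "0.0.0.255", "10.1.1.0",    "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]
ACL_115 = [  # crypto map clientmap 5: what is protected by the site-to-site tunnel
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
]

CENTRAL_PUBLIC_IP = "203.0.113.2"  # assumed stand-in for the masked address on FastEthernet0/1

def classify(src: str, dst: str) -> str:
    """Return 'nat' (translated, sent in the clear), 'ipsec' (encrypted) or 'clear' (untouched).

    IOS applies inside-to-outside NAT before the crypto map, so a translated packet can no
    longer match ACL 115; the deny lines in ACL 101 are what keep VPN traffic untranslated.
    """
    if acl_action(ACL_101, src, dst) == "permit":
        return "nat"
    if acl_action(ACL_115, src, dst) == "permit":
        return "ipsec"
    return "clear"

def router_ping(dst: str, source: str = CENTRAL_PUBLIC_IP) -> str:
    """A plain 'ping' from IOS is sourced from the outgoing interface (the public address
    here); an extended ping lets the operator pick an inside source such as 192.168.1.1."""
    return classify(source, dst)
```
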
