IPSec question

hi all,

two of our routers were configured with the following config:

Site A:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key des address xxx.xxx.xxx.xxx    <---- WAN IP of the other site
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to xxx.xxx.xxx.xxx
 set peer xxx.xxx.xxx.xxx  <---- WAN IP of the other site
 set transform-set ESP-3DES-SHA
 match address 104
!
access-list 104 permit ip 172.16.11.0 0.0.0.255 192.168.0.0 0.0.0.255

Site B:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key des address xxx.xxx.xxx.xxx   <---WAN IP of the other site
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to xxx.xxx.xxx.xxx
 set peer xxx.xxx.xxx.xxx    <-----  WAN IP of the other site
 set transform-set ESP-3DES-SHA
 match address 101
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.11.0 0.0.0.255

Could someone just confirm if this config should work as configured above? The tunnel just doesn't come up. I just want to make sure that the config is alright, so I know I have to look somewhere else for the problem.

Also, when I run the VPN troubleshooting tool from the SDM I get the following message:

"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."

Any help is appreciated!!! Thanks
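A quick consistency check for a two-site crypto-map config like the one above, as an added Python example that is not part of this thread or of Cisco's tooling. The sample configs are constructed: the peer addresses are hypothetical documentation-range IPs, and Site B intentionally lacks the crypto map binding under its WAN interface so that check fires.

```python
import re

# Constructed sample configs modelled on the thread's Site A / Site B; the peer addresses are
# hypothetical, and Site B deliberately omits the "crypto map" line under its WAN interface.
SITE_A = """
crypto isakmp key des address 203.0.113.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address 104
access-list 104 permit ip 172.16.11.0 0.0.0.255 192.168.0.0 0.0.0.255
interface FastEthernet4
 crypto map SDM_CMAP_1
"""
SITE_B = """
crypto isakmp key des address 198.51.100.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 match address 101
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.11.0 0.0.0.255
"""

FIELDS = {"key_addr": r"^crypto isakmp key \S+ address (\S+)", "peer": r"^ set peer (\S+)",
          "ts": r"^ set transform-set (\S+)", "acl": r"^ match address (\d+)",
          "map": r"^crypto map (\S+) \d+ ipsec-isakmp"}

def parse(cfg):
    """Extract the fields that must line up for a crypto-map tunnel to negotiate."""
    d = {k: m.group(1) if (m := re.search(p, cfg, re.M)) else None for k, p in FIELDS.items()}
    ts_defs = dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M))
    d["proposal"] = ts_defs.get(d["ts"])  # None when the referenced set is undefined
    d["acl"] = re.findall(rf"^access-list {d['acl']} permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M)
    # The map only takes effect once bound under an interface (an indented line).
    d["applied"] = bool(re.search(rf"^interface \S+\n(?: .*\n)*? crypto map {d['map']}\b", cfg, re.M))
    return d

def check_pair(cfg_a, cfg_b):
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for name, d in (("Site A", a), ("Site B", b)):
        checks = [(d["key_addr"] == d["peer"], f"isakmp key address {d['key_addr']} != set peer {d['peer']}"),
                  (d["proposal"] is not None, f"transform-set {d['ts']} is referenced but never defined"),
                  (d["applied"], f"crypto map {d['map']} is not applied to any interface")]
        findings += [f"{name}: {msg}" for ok, msg in checks if not ok]
    cross = [(a["proposal"] == b["proposal"], "transform-sets selected at the two sites do not match"),
             (set(a["acl"]) == {(dst, src) for src, dst in b["acl"]}, "crypto ACLs are not mirror images")]
    return findings + [msg for ok, msg in cross if not ok]
```

Running `check_pair(SITE_A, SITE_B)` on real configs still leaves MTU and WAN reachability to be checked separately; this only catches configuration mismatches.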

4 REPLIES

Re: IPSec question

hi,

you forgot to apply your crypto map under your WAN interface.

interface x
 crypto map SDM_CMAP_1


IPSec question

hi john,

Sorry, I didn't show that I actually did apply the crypto maps to the WAN interfaces. That should be alright.

thanks anyway for trying to help!


Re: IPSec question

Hi, the config seems to be fine. What type of WAN interface do you have? If it's ADSL you may have to set up mtu 1412 on the dialer. Verify your WAN reachability. Also please paste

Sh crypto isakmp sa
Sh crypto ipsec sa
Thanks
Shanil

Sent from Cisco Technical Support iPhone App


IPSec question

hi shanil,

Thanks for your reply. The WAN interface is the FE4 interface, as in front of the Cisco is another router which takes care of dialing in. So the standard MTU for Ethernet should be alright.

If the config seems alright, I guess the problem must be with the other router in front of the Cisco.

What I will do is connect the two Cisco routers back to back and try to establish the VPN tunnel just via Ethernet first.

If that works, I know the Cisco routers are alright and the problem must be somewhere else.
