IPSec question

flokki123
Level 3

hi all,

two of our routers were configured with the following config:

Site A:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key des address xxx.xxx.xxx.xxx    <---- WAN IP of the other site
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to xxx.xxx.xxx.xxx
 set peer xxx.xxx.xxx.xxx    <---- WAN IP of the other site
 set transform-set ESP-3DES-SHA
 match address 104
access-list 104 permit ip 172.16.11.0 0.0.0.255 192.168.0.0 0.0.0.255

Site B:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key des address xxx.xxx.xxx.xxx    <---- WAN IP of the other site
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to xxx.xxx.xxx.xxx
 set peer xxx.xxx.xxx.xxx    <---- WAN IP of the other site
 set transform-set ESP-3DES-SHA
 match address 101
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.11.0 0.0.0.255

Could someone just confirm if this config should work as configured above? The tunnel just doesn't come up. I just want to make sure that the config is alright, so I know I have to look somewhere else for the problem.

Also, when I run the VPN troubleshooting tool from the SDM, I get the following message:

"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."

Any help is appreciated!!! Thanks
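The question asks whether the two fragments mirror each other correctly. The following checker is an added example, not code from this thread or from Cisco: it parses the two posted fragments with constructed stand-ins (203.0.113.1 / 198.51.100.1) for the xxx.xxx.xxx.xxx placeholders, assumes the WAN interface is FastEthernet4 (the poster later says FE4) with the crypto map applied, and reports the mismatches that most often keep a pre-shared-key site-to-site tunnel from coming up: ISAKMP policy attributes, the pre-shared key per peer address, the transform set, the peer addresses, the crypto ACLs being mirror images, and the crypto map actually being bound to an interface.

```python
"""Added example (not from the thread): cross-check two IOS site-to-site IPsec
fragments for mirror consistency. WAN addresses are constructed stand-ins for the
post's xxx.xxx.xxx.xxx placeholders; the interface name FastEthernet4 is assumed."""
import re
from dataclasses import dataclass, field

SITE_A_WAN = "203.0.113.1"   # constructed
SITE_B_WAN = "198.51.100.1"  # constructed

SITE_A = f"""
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key des address {SITE_B_WAN}
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer {SITE_B_WAN}
 set transform-set ESP-3DES-SHA
 match address 104
access-list 104 permit ip 172.16.11.0 0.0.0.255 192.168.0.0 0.0.0.255
interface FastEthernet4
 crypto map SDM_CMAP_1
"""

SITE_B = f"""
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key des address {SITE_A_WAN}
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer {SITE_A_WAN}
 set transform-set ESP-3DES-SHA
 match address 101
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.11.0 0.0.0.255
interface FastEthernet4
 crypto map SDM_CMAP_1
"""

MAP_KEYS = {"set peer": "peer", "set transform-set": "tset", "match address": "acl"}

@dataclass
class Site:
    wan: str
    isakmp: dict = field(default_factory=dict)   # ISAKMP policy attributes
    psk: dict = field(default_factory=dict)      # peer address -> pre-shared key
    tsets: dict = field(default_factory=dict)    # transform-set name -> transforms
    cmap: dict = field(default_factory=dict)     # name / peer / tset / acl
    acls: dict = field(default_factory=dict)     # acl number -> [(src, wc, dst, wc)]
    applied: set = field(default_factory=set)    # crypto maps bound to an interface

def parse_ios(wan, text):
    """Minimal parser for the crypto, ACL and interface lines used in the thread."""
    site, section = Site(wan), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":                       # top-level command opens a new section
            section = None
            if line.startswith("crypto isakmp policy"):
                section = "isakmp"
            elif (m := re.match(r"crypto isakmp key (\S+) address (\S+)", line)):
                site.psk[m[2]] = m[1]
            elif (m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line)):
                site.tsets[m[1]] = tuple(m[2].split())
            elif (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line)):
                section, site.cmap["name"] = "map", m[1]
            elif (m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line)):
                site.acls.setdefault(m[1], []).append(m.groups()[1:])
            elif line.startswith("interface "):
                section = "intf"
        elif section == "isakmp":
            key, _, val = line.partition(" ")
            site.isakmp[key] = val
        elif section == "map":
            for prefix, key in MAP_KEYS.items():
                if line.startswith(prefix + " "):
                    site.cmap[key] = line.split()[-1]
        elif section == "intf" and line.startswith("crypto map "):
            site.applied.add(line.split()[-1])
    return site

def check_pair(a, b):
    """Return mismatch findings; an empty list means the two sides mirror each other."""
    findings = []
    if a.isakmp != b.isakmp:
        findings.append(f"ISAKMP policy differs: {a.isakmp} vs {b.isakmp}")
    if not a.psk.get(b.wan) or a.psk.get(b.wan) != b.psk.get(a.wan):
        findings.append("pre-shared key missing for the peer address or not identical on both sides")
    for this, other in ((a, b), (b, a)):
        name = this.cmap.get("name")
        if name is None:
            findings.append(f"{this.wan}: no ipsec-isakmp crypto map defined")
        elif name not in this.applied:
            findings.append(f"{this.wan}: crypto map {name} is not applied to any interface")
        if this.cmap.get("peer") != other.wan:
            findings.append(f"{this.wan}: set peer {this.cmap.get('peer')} is not the other WAN {other.wan}")
    a_ts, b_ts = a.tsets.get(a.cmap.get("tset")), b.tsets.get(b.cmap.get("tset"))
    if a_ts is None or a_ts != b_ts:
        findings.append(f"transform set differs: {a_ts} vs {b_ts}")
    a_acl = set(a.acls.get(a.cmap.get("acl"), []))
    b_mirror = {(d, dw, s, sw) for s, sw, d, dw in b.acls.get(b.cmap.get("acl"), [])}
    if not a_acl or a_acl != b_mirror:
        findings.append(f"crypto ACLs are not mirror images: {sorted(a_acl)} vs {sorted(b_mirror)}")
    return findings

def check_thread_configs():
    """The two fragments as posted, with the crypto map bound to the WAN interface."""
    return check_pair(parse_ios(SITE_A_WAN, SITE_A), parse_ios(SITE_B_WAN, SITE_B))

def check_with_map_unapplied():
    """Variant of the first reply's suspicion: Site B never binds the map to an interface."""
    site_b = SITE_B.replace("\n crypto map SDM_CMAP_1\n", "\n")
    return check_pair(parse_ios(SITE_A_WAN, SITE_A), parse_ios(SITE_B_WAN, site_b))

if __name__ == "__main__":
    for label, result in (("as posted", check_thread_configs()),
                          ("map not applied on B", check_with_map_unapplied())):
        print(label, "->", result or "OK: configs mirror each other")
```

Run against the fragments as posted, the checker reports no findings, which matches the replies below that the configuration itself looks fine; removing the interface-level `crypto map` on one side (the first reply's guess) is the one case it flags. A clean result from a static check like this is the cue to move on to `show crypto isakmp sa` and reachability between the two WAN addresses, since nothing in the configuration text can show whether UDP/500 actually reaches the peer.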

4 Replies

johnlloyd_13
Level 9

hi,

you forgot to apply your crypto map under your WAN interface.

interface x
 crypto map SDM_CMAP_1

hi John,

sorry, I didn't show that I actually did apply the crypto maps to the WAN interfaces. That should be alright.

Thanks anyway for trying to help!

Hi, config seems to be fine. What type of WAN interface do you have? If it's ADSL you may have to set up mtu 1412 on the dialer. Verify your WAN reachability. Also please paste

sh crypto isakmp sa
sh crypto ipsec sa
Thanks
Shanil

Sent from Cisco Technical Support iPhone App

hi Shanil,

thanks for your reply. The WAN interface is the FE4 interface, as in front of the Cisco is another router which takes care of dialing in. So the standard MTU for Ethernet should be alright.

If the config seems alright, I guess the problem must be with the other router in front of the Cisco.

What I will do is connect the two Cisco routers back to back and try to establish the VPN tunnel just via Ethernet first.

If that works, I know the Cisco routers are alright and the problem must be somewhere else.
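The SDM warning quoted in the question (a DF-bit ping of "this VPN interface MTU size" failing) and the MTU suggestion in Shanil's reply both come down to ESP encapsulation overhead, which applies on a plain Ethernet WAN just as it does on ADSL. The calculation below is an added example, not code from the thread or from Cisco; it uses the field sizes of RFC 4303 (ESP) and RFC 2451 (3DES-CBC, 8-byte IV) for the thread's transform set `esp-3des esp-sha-hmac` in tunnel mode, and the 1492-byte PPPoE path size is an assumed illustration.

```python
"""Added example (not from the thread): ESP tunnel-mode overhead for the transform
set esp-3des esp-sha-hmac, showing why a full-MTU ping with DF set cannot cross the
tunnel and which inner MTU / TCP MSS the path can really carry."""

OUTER_IP_HDR = 20      # new IPv4 header that tunnel mode prepends
ESP_HDR = 8            # SPI (4) + sequence number (4)
IV_3DES = 8            # 3DES-CBC IV, equal to the cipher block size
ESP_TRAILER = 2        # pad length (1) + next header (1)
ICV_SHA1_96 = 12       # truncated HMAC-SHA1 authenticator

def esp_tunnel_size(inner_len, block=IV_3DES, icv=ICV_SHA1_96):
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    # payload + padding + trailer is padded up to a whole number of cipher blocks
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP_HDR + ESP_HDR + block + encrypted + icv

def max_inner_packet(outer_mtu=1500, **cipher):
    """Largest inner packet that still fits outer_mtu without fragmentation."""
    n = outer_mtu
    while esp_tunnel_size(n, **cipher) > outer_mtu:
        n -= 1
    return n

def df_ping_fits(data_size, outer_mtu=1500):
    """Does an ICMP echo (20-byte IP + 8-byte ICMP header + data) with DF set fit after encapsulation?"""
    return esp_tunnel_size(20 + 8 + data_size) <= outer_mtu

def tcp_mss_for(inner_mtu):
    """MSS that keeps a full TCP segment inside inner_mtu (IPv4 + TCP headers, no options)."""
    return inner_mtu - 40

if __name__ == "__main__":
    print("1500-byte inner packet becomes", esp_tunnel_size(1500), "bytes on the wire")
    print("largest inner packet over a 1500-byte path:", max_inner_packet())
    print("largest inner packet over an assumed 1492-byte PPPoE path:", max_inner_packet(1492))
    print("DF ping with 1472 data bytes fits:", df_ping_fits(1472))
    print("MSS for the 1500-byte case:", tcp_mss_for(max_inner_packet()))
```

A 1500-byte inner packet grows to 1552 bytes, so the SDM test's full-MTU DF ping fails on any 1500-byte path, including the FE4 Ethernet link described above; only inner packets up to 1446 bytes fit. On IOS the usual response is to lower `ip mtu` on the tunnel-facing interface and clamp TCP with `ip tcp adjust-mss` to the value this computes, or to rely on path-MTU discovery, which is exactly what a DF-dropping hop in the middle breaks. Note that this concerns traffic through an established tunnel: ISAKMP with pre-shared keys exchanges small UDP/500 packets, so the MTU warning on its own does not explain a tunnel that never negotiates at all.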
