Cisco Support Community

Cisco IPSEC LAN-LAN tunnel.. I need two IP subnets to be encrypted through

Hi Everyone,

I have a really annoying problem... I have two sites,

Site 1 (HQ) = Cisco 2950 (data + voice VLAN) and a 1701 (routes between VLANs using FastEthernet sub-interfaces; also for ADSL internet access and VPN)

Site 2 (Homeworker) = Cisco 1701 for internet and VPN, connected to an unmanaged switch -> PC & IP phone.

We have an IP-enabled PABX at our HQ and an IP handset for the above homeworker (site 2). I have configured an IPSEC LAN-LAN VPN between the two 1701s and it works perfectly for the data VLAN (196.196.1.0/24 to 192.168.93.0/24). But when I try to add the voice subnet to the crypto map, the traffic doesn't get encrypted!! (192.168.92.0/24 to 192.168.93.0/24) Any ideas? Have I missed anything?? If I do a sho crypto ipsec sa, I can see the voice subnet (192.168.92.0/24). But the 1701 routers are not encrypting/decrypting anything...

I have removed all security ACLs and IP inspects just in case... But no joy...

The PABX definitely has the correct D/G as I can ping the internet from it... If I check the hits on my access lists I can see matches for 192.168.92.0/24 to 192.168.93.0/24 on ACL100 (NAT) and ACL120 (VPN interesting traffic)

I have posted my configs...

I really need to get this sorted asap... :-S

Thanks in advance for any help

Matt

Just did a debug from the HQ router... definitely a problem somewhere... :(. Just can't see it in my config!!

I pinged from 192.168.92.253 (2950 switch) and got this...

I have replaced the public IPs for security purposes, as in my configs above (1.1.1.1 and 2.2.2.2).

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.93.1, timeout is 2 seconds:

    Nov 3 09:50:22.442: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 1.1.1.1, remote= 2.2.2.2,
        local_proxy= 192.168.92.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.93.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0xAA55B2A(178608938), conn_id= 0, keysize= 0, flags= 0x400A
    Nov 3 09:50:22.774: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 2.2.2.2, remote= 1.1.1.1,
        local_proxy= 192.168.92.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 192.168.93.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    Nov 3 09:50:22.778: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 1.1.1.1
    Nov 3 09:50:22.782: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 2.2.2.2 .....
    Success rate is 0 percent (0/5)
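An added example, not part of the original post: a small Python parser for IOS IPsec debug output like the capture above. It reports which peers and proxy subnets were under negotiation when Quick Mode failed, along with the messages logged in between. The function names are this example's own, and the sample is constructed from the lines quoted in the post.

```python
import ipaddress
import re

# Constructed sample: the debug records quoted in the post, unwrapped and trimmed.
SAMPLE = """\
Nov 3 09:50:22.442: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 1.1.1.1, remote= 2.2.2.2,
local_proxy= 192.168.92.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.93.0/255.255.255.0/0/0 (type=4),
Nov 3 09:50:22.774: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 2.2.2.2, remote= 1.1.1.1,
local_proxy= 192.168.92.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.93.0/255.255.255.0/0/0 (type=4),
Nov 3 09:50:22.778: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 1.1.1.1
Nov 3 09:50:22.782: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 2.2.2.2
"""

STAMP = re.compile(r"^\*?\w{3}\s+\d+ [\d:.]+: (.*)$")
FIELD = re.compile(r"(local_proxy|remote_proxy|local|remote)= ([\d./]+)")

def cidr(proxy):
    """Turn 'addr/mask/proto/port' into CIDR notation."""
    addr, mask = proxy.split("/")[:2]
    return str(ipaddress.ip_network(f"{addr}/{mask}"))

def parse_debug(text):
    """Join each timestamped line with its continuation lines, then extract fields."""
    bodies = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = STAMP.match(line)
        if m:
            bodies.append(m.group(1))
        elif bodies:
            bodies[-1] += " " + line
    return [{"raw": b, **dict(FIELD.findall(b))} for b in bodies]

def failed_selectors(records):
    """Pair each Quick Mode failure with the last proposal seen before it."""
    failed, last, notes = [], None, []
    for rec in records:
        if "local_proxy" in rec:
            last, notes = rec, []
        elif "IKMP_MODE_FAILURE" in rec["raw"] and last:
            failed.append((last.get("local"), last.get("remote"),
                           cidr(last["local_proxy"]), cidr(last["remote_proxy"]), notes))
            last, notes = None, []
        else:
            notes.append(rec["raw"])
    return failed
```
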
