Please find the attached file with the routers' configuration.
I need to make a VPN tunnel through the Internet between two routers (R1 & R2) at two different sites.
For the R1 site:
- LAN network: 192.168.1.0/24
- Users can access the Internet properly.
- The router was configured by ISP engineers to build the Internet connection.
For the R2 site:
- LAN network: 192.168.2.0/24
- The router was configured by ISP engineers to build the Internet connection.
- Users can access the Internet properly.
After that, when I tried to configure the two routers for the VPN, I found that the VPN cannot be established.
- I cannot ping any server from site 1 to site 2.
- The output of "sh crypto isakmp sa" on R1 & R2 is:
R1#sh crypto isakmp sa
dst src state conn-id slot status
Please, I need your help.
Waiting for your replies.
Could you post the file in a more standard format, e.g. .txt or .doc, as I can't read this .rar format?
When you try to initiate the tunnel, what IP address are you pinging from and what IP address are you pinging to?
I can say that I've never seen a config like this. Generally, you want your crypto map installed on the public interface (BVI20 in your case). Theoretically, I guess the private address could be on the same interface as the public, but I'm not sure how well that would work.
Try to move the crypto map to BVI20 and see if it helps.
I've never seen this type of config before where they put the public address as a secondary and then the private address as the primary. This looks odd to me, but I've not been around a lot of ISP configs. :-)
Thanks for your mail.
Really, I tried to do that. I mean I tried to install the crypto map on the BVI20 interface, but the VPN tunnel could not be established.
Could you perhaps draw us a quick topology map so we can understand where the BVI interface fits in?
Also, is it correct to assume that L3 connectivity is working fine, i.e. each router can ping the other router on its public IP address?
The topology is very simple, as follows:
Layer2 switch---->R1---->Internet---->R2---->Layer2 switch.
The users who are connected to the switch behind R1 are in the same VLAN (VLAN 1). Their default gateway is the router, and it is the same solution at site 2.
Yes, each router can ping the other router on its public IP address.
I have looked at the configs and I believe that there are at least 3 issues in them that impact your attempt to do VPN.
I agree that the BVI is a complication but I believe that it is not really a problem. Since there is only one interface in each config with the bridge-group configured I do wonder why the BVI is there and do not see that it is doing any good in the config. But I do not believe that it is necessarily the problem with VPN.
The first problem is that the crypto map is on the wrong interface (unless the topology of the network is different from what it seems: FastEthernet0/0 inside and serial/BVI outside). The crypto map needs to be on the interface where traffic enters and leaves the router. So John was correct to suggest moving the crypto map.
But that is not the only problem. By default the router uses the address of the outbound interface as the IP address of the IPSec packet. So R1 is expecting to receive a packet from its peer at 64.x.x.177 but receives a packet with source address of 10.177.8.70. This is a problem. Normally you can use the option in the crypto map to specify the address to use.
But that brings us to the third problem. When it generates a packet the router uses its primary address (when there is a secondary address configured). So even if you use the option in the crypto map to specify the address to use, it would use the primary address of FastEthernet0/0 but your peer address is the secondary address. So I do not see a way to get the router, as currently configured, to use the address you really want as the peer address.
If you want the VPN to work I believe that you need to make the 64.x.x.177 be the primary address on its interface, and you need the command in the crypto map to specify the interface address to use.
Thanks for your reply.
I want to understand something in your reply: what do you mean by "Normally you can use the option in the crypto map to specify the address to use"?
If you can, please send me the configuration that should be applied on the router so I can understand you better.
Thanks, Rick, for your help.
There is a command like this to specify the local address to be used:
crypto map s-crypto local-address FastEthernet0/0
As I explained in my post the default behavior of the router is to use the address of the outbound interface. You can use this command to specify an address to be used, which is especially useful if the address you want to use is not the address of the outbound interface (and in your config the address you want to use is configured on the inside interface and not the outside interface).
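Below is an added, complete example of what the fix Rick describes looks like on both routers. It is not configuration from the thread or from the attached files, and it is not Rick's or the OP's text. The crypto map name s-crypto, the interface BVI20 and the two LAN ranges come from the thread; every other value is an assumption: the public addresses 203.0.113.1 (R1) and 198.51.100.1 (R2) are RFC 5737 documentation addresses standing in for the real ISP addresses and are made the primary address on the outside interface, the pre-shared key is a placeholder, the cipher keywords assume an IOS image that supports them, and the NAT exemption assumes the routers do PAT for Internet access, which the private LANs and working Internet access suggest but the thread never states.

```cisco
! ===== R1 (site 1, LAN 192.168.1.0/24) =====
! Phase 1 (ISAKMP). Must match R2's policy exactly.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The PSK is bound to the address R2 really sources IKE from, i.e. the
! PRIMARY address of R2's outside interface (Rick's second/third problem).
crypto isakmp key ChangeThisPSK address 198.51.100.1
!
! Phase 2 (IPsec) proposal
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: only LAN-to-LAN flows. R2 has the mirror image.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map s-crypto 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256
 match address VPN-TRAFFIC
!
! Source IKE and ESP from the public interface address. This only does
! what you want if 203.0.113.1 is the PRIMARY address on that interface;
! a secondary address is never used, as Rick explains.
crypto map s-crypto local-address BVI20
!
! Rick's first problem: the crypto map belongs on the interface where the
! traffic to the peer actually enters and leaves the router.
interface BVI20
 ip address 203.0.113.1 255.255.255.252
 crypto map s-crypto
!
! Assumed PAT for Internet access: tunnel traffic must be excluded from
! NAT, otherwise it is translated before it can match VPN-TRAFFIC.
! (Assumes an existing "ip nat inside source list NAT-LIST ... overload".)
ip access-list extended NAT-LIST
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! ===== R2 (site 2, LAN 192.168.2.0/24), mirror of R1 =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ChangeThisPSK address 203.0.113.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map s-crypto 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256
 match address VPN-TRAFFIC
!
crypto map s-crypto local-address BVI20
!
interface BVI20
 ip address 198.51.100.1 255.255.255.252
 crypto map s-crypto
!
ip access-list extended NAT-LIST
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! ===== Verification (either router) =====
! Trigger the tunnel with LAN-sourced traffic, then check both phases:
!   ping 192.168.2.1 source 192.168.1.1     (from R1)
!   show crypto isakmp sa                    (expect state QM_IDLE)
!   show crypto ipsec sa                     (expect #pkts encaps/decaps > 0)
!   debug crypto isakmp                      (if phase 1 still fails)
```

Two things to watch when adapting this. First, "show crypto isakmp sa" will stay empty, as in the OP's output, until some traffic actually matches the crypto ACL, so always test with a ping sourced from a LAN address, not from the router's public address. Second, if the ISP left the public address as a secondary on FastEthernet0/0, the local-address command alone does not help; the public address has to become the primary address of whatever interface is named there, which is exactly Rick's point.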