Cisco Support Community
New Member

Lan2Lan problem

Hello everybody!!!

I'm testing just now, in a lab environment, a simple solution to join 2 networks at different locations. In this lab there are 2 Cisco 1841s, both with C1841-ADVSECURITYK9-M. I'm not so good when the subject is VPN; I configured both routers and it does not work. Now I don't know how to start a debug to help me.

I did the command "sh crypto session detail" and the session is down.

Can someone help me with this issue?

See the attachment below.

Thanks.

Accepted Solution

Re: Lan2Lan problem

Didn't recognize any issues with your configuration.

Have you generated any traffic to bring the tunnel up?

Your crypto ACLs:

Router A:

access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

Router B:

access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

... define the traffic that is to be forwarded to the crypto engine.

If you don't generate traffic requiring protection, the two tunnel endpoints won't commence negotiation of an ISAKMP SA (used as a secure channel to negotiate IPSec SAs).

Ping a host on the far side network, and see if tunnel negotiation commences.

Noticed an unimplemented NAT ACL. If you later decide to implement NAT, be sure to exempt the traffic requiring crypto protection from the NAT process.
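A worked example of the NAT exemption caveat above, added here and not taken from the thread or the poster's configuration. The reason it matters: for inside-to-outside traffic IOS performs NAT before the crypto map is consulted, so a LAN packet that gets translated to the WAN address no longer matches access-list 150 and is sent out unprotected instead of through the tunnel. The two LAN prefixes come from the thread; the interface names, the crypto map name LAN2LAN and the named NAT ACL are assumptions for the example.

```cisco
! Router A (added example). Assumed: FastEthernet0/0 is the WAN/crypto-map
! interface, FastEthernet0/1 is the LAN, crypto map is called LAN2LAN.
!
! Crypto ACL as posted in the thread: traffic that must be protected.
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT ACL (assumed name): deny the VPN traffic FIRST so it is never
! translated, then permit the rest of the LAN for overloaded Internet access.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
ip nat inside source list NAT-EXEMPT interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 ip nat outside
 crypto map LAN2LAN
!
interface FastEthernet0/1
 ip nat inside
!
! Router B mirrors this with the two prefixes swapped:
!   deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!   permit ip 192.168.1.0 0.0.0.255 any
!
! Checks after pinging a far-side host from the LAN:
!   show ip nat translations      -> no entries for 192.168.1.x destinations
!   show access-lists 150         -> match counter on the crypto ACL increments
!   show crypto ipsec sa          -> #pkts encaps/decaps increment
```

The `deny` entry is the exemption: a `deny` in a NAT ACL simply means "do not translate", not "drop". Keep it as the first line so it cannot be shadowed by the broader `permit`.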

4 REPLIES

Re: Lan2Lan problem

try sending traffic from 192.168.0.0/24 to 192.168.1.0/24

sh crypto isakmp sa

sh crypto ipsec sa

New Member

Re: Lan2Lan problem

Damn, I'm so stupid: the session doesn't come up because there are no hosts on the LAN ports on both routers; after connecting to the LAN the VPN works.

Thanks very much for all.

Thanks again to the experts always online.

Re: Lan2Lan problem

In future lab scenarios, you could bring up and maintain the tunnel by synchronizing the clock of one router with that of the other using the Network Time Protocol.

i.e.:

- configure a loopback interface as the "NTP source interface" on each device.

- include the traffic between the two loopback interfaces in your crypto ACL.

- configure Router-A as the NTP server with which Router-B is to synchronize its clock.
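The three steps above carried through as one configuration, added here as an example and not the replier's own config. The loopback addresses (10.255.255.1/.2), the WAN next-hop placeholders from the 203.0.113.0/24 documentation range, and the crypto ACL number 150 (reused from the thread) are assumptions. NTP polls the peer on its own schedule, so the loopback-to-loopback packets keep matching the crypto ACL and the SAs get negotiated (and renegotiated after lifetime expiry) without any LAN host present.

```cisco
! ---------------- Router A: NTP server (added example) ----------------
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Act as a stratum-3 reference clock for the lab and source NTP from Loopback0
ntp master 3
ntp source Loopback0
!
! Crypto ACL: LAN-to-LAN line from the thread plus the loopback-to-loopback line
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip host 10.255.255.1 host 10.255.255.2
!
! The peer loopback must be routed out the crypto-map (WAN) interface;
! 203.0.113.2 is an assumed WAN next-hop toward Router B
ip route 10.255.255.2 255.255.255.255 203.0.113.2

! ---------------- Router B: NTP client (added example) ----------------
interface Loopback0
 ip address 10.255.255.2 255.255.255.255
!
ntp source Loopback0
ntp server 10.255.255.1
!
! Mirror image of Router A's crypto ACL (crypto ACLs must be symmetric)
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip host 10.255.255.2 host 10.255.255.1
!
ip route 10.255.255.1 255.255.255.255 203.0.113.1

! Checks (either router):
!   show ntp associations      -> peer marked with * once synchronized
!   show crypto isakmp sa      -> state QM_IDLE
!   show crypto session        -> Session status: UP-ACTIVE
```

Two points worth keeping in mind: the static routes are required because a crypto map only sees packets that are actually forwarded out the interface it is applied to, and if NAT is ever added the loopback-to-loopback traffic needs the same NAT exemption as the LAN-to-LAN traffic.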
