Lan2Lan problem

tarik.cisco
Level 1

Hello everybody!!!

I'm testing right now, in a lab environment, a simple solution to join 2 networks at different locations. In this lab there are 2 Cisco 1841, both with C1841-ADVSECURITYK9-M. I'm not so good when the subject is VPN; I configured both routers and it does not work. Now I don't know how to start a debug to help me.

I ran the command "sh crypto session detail" and the session is down.

Can someone help me on this issue?

See the att below.

Thanks.

Accepted Solution

michael.leblanc
Level 4

Didn't recognize any issues with your configuration.

Have you generated any traffic to bring the tunnel up?

Your crypto ACLs:

Router A:

access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

Router B:

access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

... define the traffic that is to be forwarded to the crypto engine.

If you don't generate traffic requiring protection, the two tunnel endpoints won't commence negotiation of an ISAKMP SA (used as a secure channel to negotiate IPSec SAs).

Ping a host on the far side network, and see if tunnel negotiation commences.

Noticed an unimplemented NAT ACL. If you later decide to implement NAT, be sure to exempt the traffic requiring crypto protection, from the NAT process.

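To make the two points in the accepted answer concrete (the crypto ACL selects the tunnel traffic; a NAT ACL must exempt that same traffic), here is an added Python model of IOS wildcard-mask ACL evaluation. It is not code from the thread or from Cisco; the NAT ACLs it contains are constructed examples, since the original post left NAT unimplemented.

```python
"""Model of IOS wildcard-mask ACL matching for a LAN-to-LAN IPsec design.
Added example (not from the thread or Cisco). Relies on the IOS egress order
of operations: inside-to-outside NAT runs before the crypto map is checked."""
from __future__ import annotations
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str) -> tuple[str, tuple[str, str], tuple[str, str]]:
    """Parse the subset used on this page: '<action> ip <src> <wc> <dst> <wc>'."""
    action, proto, src, swc, dst, dwc = line.split()
    if proto != "ip":
        raise ValueError("only 'ip' entries are modelled here")
    return action, (src, swc), (dst, dwc)


def acl_action(acl: list[str], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        action, (s, swc), (d, dwc) = parse_ace(line)
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


# Router A's crypto ACL 150 exactly as quoted in the accepted answer.
CRYPTO_ACL_A = ["permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255"]

# Constructed NAT ACLs for Router A (hypothetical, not in the thread):
# the weak one translates everything, the fixed one exempts the tunnel traffic first.
NAT_ACL_WEAK = ["permit ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255"]
NAT_ACL_FIXED = ["deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
                 "permit ip 192.168.0.0 0.0.0.255 0.0.0.0 255.255.255.255"]


def leaves_via_tunnel(src: str, dst: str, nat_acl: list[str]) -> bool:
    """True if the packet still matches the crypto ACL after NAT has had its turn."""
    if acl_action(nat_acl, src, dst) == "permit":
        # Source rewritten to the WAN address: the crypto ACL can no longer match,
        # so the packet would leave in the clear instead of through the tunnel.
        return False
    return acl_action(CRYPTO_ACL_A, src, dst) == "permit"
```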

4 Replies 4

a.alekseev
Level 7

Try sending traffic from 192.168.0.0/24 to 192.168.1.0/24

sh crypto isakmp sa

sh crypto ipsec sa


Damn, I'm so stupid. The session doesn't come up because there are no hosts on the LAN ports on both routers; after connecting to the LAN the VPN works.

Thanks very much for all.

Thanks again for the experts always online.

In future lab scenarios, you could bring up and maintain the tunnel by synchronizing the clock of one router with that of the other using the Network Time Protocol.

i.e.:

- configure a loopback interface as the "NTP source interface" on each device.

- include the traffic between the two loopback interfaces in your crypto acl.

- configure Router-A as the NTP Server with which Router-B is to synchronize its clock.
