Cisco Support Community
New Member

Manual IPSEC over a 831 router

Hi

I've been working to replace our 806 router with an 831. I took the configuration from the 806 without modifying it and copied it to the 831. This router is configured to connect to 3 peers, 2 of which use ISAKMP, and 1 uses manual IPsec, due to the peer being a SonicWall.

The manual IPSEC tunnel seems to be up, data is encrypted, but no reply is received.

If I put the configuration back in the 806 and put it online, all 3 tunnels go back up and connectivity is reached via all 3 of them.

Here's the config:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******* address 2.2.2.2
crypto isakmp key ******* address 1.1.1.1
crypto isakmp identity hostname
crypto isakmp keepalive 10
!
crypto ipsec transform-set vpn-des esp-des esp-md5-hmac
crypto ipsec transform-set vpn-3des esp-3des esp-md5-hmac
!
crypto map vpn-client 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set vpn-des
 set pfs group2
 match address 120
crypto map vpn-client 12 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set vpn-des
 set pfs group2
 match address 140
crypto map vpn-client 15 ipsec-manual
 set peer 3.3.3.3
 set session-key inbound esp 2135 cipher *********** authenticator **********
 set session-key outbound esp 2135 cipher *********** authenticator **********
 set transform-set vpn-3des
 match address 130
!
interface Ethernet1
 ip address 4.4.4.4 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map vpn-client
!
ip nat inside source route-map nonat interface Ethernet1 overload
ip route 0.0.0.0 0.0.0.0 4.4.4.1
access-list 110 deny ip 10.2.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.2.1.0 0.0.0.255 any
access-list 120 permit ip 10.2.1.0 0.0.0.255 10.15.0.0 0.0.255.255
access-list 130 permit ip 10.2.1.0 0.0.0.255 10.120.0.0 0.0.255.255
access-list 140 permit ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 110
!

Thanks

Fred

2 REPLIES
Cisco Employee

Re: Manual IPSEC over a 831 router

Are you running the same IOS version on both routers?

When using manual keys the tunnel will appear to be up, since there is no negotiation that needs to take place: the router builds the SAs as soon as you enter the config commands.

Can you check the SonicWall's logs and see if it's receiving the packets that the router is sending? Did you clear the SAs on the SonicWall after putting the 831 in place? If not, try that.
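The following script is an added example, not code from this thread or from Cisco. It parses crypto map, transform-set and session-key lines laid out the way the 831 configuration above is, and reports what can be checked on the local side of a manual-keyed entry: both directions present, cipher and authenticator keys of the length IOS requires for the transform (DES 8 bytes, 3DES 24, HMAC-MD5 16, HMAC-SHA 20), and weak or deprecated algorithms. The point of the check follows from the reply above: with manual keying there is no IKE exchange, the SAs exist as soon as the commands are entered, and a key or SPI that does not match the peer shows up only as traffic that is sent and never answered. The sample configuration, its hex key values and the function names are constructed for this example; the real keys are masked on the page.

```python
"""Lint Cisco IOS crypto configuration for manually keyed IPsec entries."""
import re

# Key sizes (bytes) that IOS expects in "set session-key" for each transform.
CIPHER_KEY_BYTES = {"esp-des": 8, "esp-3des": 24}
AUTH_KEY_BYTES = {"esp-md5-hmac": 16, "esp-sha-hmac": 20}
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}

# Constructed sample modelled on the posted config. The hex keys are
# placeholders of the right length for esp-3des and esp-md5-hmac; the
# poster's real keys are masked on the page.
GOOD_CIPHER = "0123456789abcdef" * 3   # 48 hex digits = 24 bytes for 3DES
GOOD_AUTH = "fedcba9876543210" * 2     # 32 hex digits = 16 bytes for HMAC-MD5
SAMPLE_CONFIG = f"""\
crypto ipsec transform-set vpn-des esp-des esp-md5-hmac
crypto ipsec transform-set vpn-3des esp-3des esp-md5-hmac
!
crypto map vpn-client 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set vpn-des
 set pfs group2
 match address 120
crypto map vpn-client 15 ipsec-manual
 set peer 3.3.3.3
 set session-key inbound esp 2135 cipher {GOOD_CIPHER} authenticator {GOOD_AUTH}
 set session-key outbound esp 2135 cipher {GOOD_CIPHER} authenticator {GOOD_AUTH}
 set transform-set vpn-3des
 match address 130
"""


def parse_config(text):
    """Return (transform sets, crypto map entries) from running-config text.

    Sub-commands of a crypto map entry are indented by one space in a
    running-config; any non-indented line ends the entry.
    """
    transforms, maps, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if not raw[0].isspace():  # top-level command
            current = None
            if tok[:3] == ["crypto", "ipsec", "transform-set"]:
                transforms[tok[3]] = tok[4:]
            elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[4].startswith("ipsec-"):
                current = {"name": tok[2], "seq": int(tok[3]), "type": tok[4],
                           "peer": None, "transform": None, "acl": None, "keys": {}}
                maps[(tok[2], int(tok[3]))] = current
            continue
        if current is None:
            continue
        if tok[:2] == ["set", "peer"]:
            current["peer"] = tok[2]
        elif tok[:2] == ["set", "transform-set"]:
            current["transform"] = tok[2]
        elif tok[:2] == ["set", "session-key"] and tok[3] == "esp":
            # set session-key {inbound|outbound} esp <spi> cipher <hex> [authenticator <hex>]
            key = {"spi": int(tok[4]), "cipher": None, "auth": None}
            if "cipher" in tok:
                key["cipher"] = tok[tok.index("cipher") + 1]
            if "authenticator" in tok:
                key["auth"] = tok[tok.index("authenticator") + 1]
            current["keys"][tok[2]] = key
        elif tok[:2] == ["match", "address"]:
            current["acl"] = tok[2]
    return transforms, maps


def _bad_key(hexkey, nbytes):
    """True when hexkey is not exactly nbytes of hex digits."""
    return len(hexkey) != 2 * nbytes or re.fullmatch(r"[0-9a-fA-F]*", hexkey) is None


def lint(text):
    """Return findings as (map name, seq, message) for every ipsec-manual entry.

    Only the local side can be checked here; the SPIs and keys still have to
    be compared byte for byte with what the peer has configured.
    """
    transforms, maps = parse_config(text)
    findings = []
    for (name, seq), entry in sorted(maps.items()):
        if entry["type"] != "ipsec-manual":
            continue
        algs = transforms.get(entry["transform"] or "", [])
        if not algs:
            findings.append((name, seq, "transform set missing or undefined"))
        cipher = next((a for a in algs if a in CIPHER_KEY_BYTES), None)
        auth = next((a for a in algs if a in AUTH_KEY_BYTES), None)
        for direction in ("inbound", "outbound"):
            key = entry["keys"].get(direction)
            if key is None:
                findings.append((name, seq, f"no {direction} session key"))
                continue
            if cipher and (key["cipher"] is None or _bad_key(key["cipher"], CIPHER_KEY_BYTES[cipher])):
                findings.append((name, seq, f"{direction} cipher key is not {CIPHER_KEY_BYTES[cipher]} bytes for {cipher}"))
            if auth and (key["auth"] is None or _bad_key(key["auth"], AUTH_KEY_BYTES[auth])):
                findings.append((name, seq, f"{direction} authenticator key is not {AUTH_KEY_BYTES[auth]} bytes for {auth}"))
        for a in algs:
            if a in WEAK:
                findings.append((name, seq, f"{a} is weak or deprecated"))
    return findings


if __name__ == "__main__":
    for name, seq, msg in lint(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: {msg}")
```

Feed it a saved running-config instead of SAMPLE_CONFIG to lint a real router. On the sample it reports only the two algorithm warnings, which is the same situation as the posted config: nothing wrong locally, so the SPI and key values on the SonicWall side are the next thing to compare.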

New Member

Re: Manual IPSEC over a 831 router

Since the 831 is a new router using hardware encryption, there are only 2 versions available for this router. Both use one of the latest 12.2 ED IOS releases.

For the SonicWall, I don't have access to this device since it's owned by another company. But I know that they have multiple VPNs up in a hub-and-spoke configuration, with the SonicWall as the hub.

When I put the 831 in place, I used another configuration that is similar to the other peers. Nothing was reachable. I took this config and put it in the 806, and everything worked. So if I had needed to clear the SA on the SonicWall, the 831 would have worked and the 806 might not have.
