Cisco Support Community
Community Member

peer address

Hi,

I am configuring a Cisco 1751 ADSL/VPN router to communicate with a VPN 3005 concentrator and am having a problem pinging between them.

I need to know, from the concentrator, what is the peer address to point to: is it the 1751 router's Ethernet port or serial port?

Should I configure an IP route on the router to point to the concentrator network? Can you give a suggestion why they both cannot ping?

Thanks

7 REPLIES
Cisco Employee

Re: peer address

The peer address to use is the IP address of the interface that has the crypto map on it, the IP address that is accessible over the Internet.

You'll need a route on both devices pointing to the inside subnet of the other device. If you simply have a default gateway then that should be enough, but if you have another route that would normally point this out some other interface, then yes, add in a specific static route pointing to the remote subnet.

Are you sure your tunnel is coming up properly? If you check on the 3005 under Monitoring - Sessions, do you see the tunnel built there? If not, you need to get the tunnel built properly before you'll be able to ping.

Community Member

Re: peer address

Can you explain the purpose of the peer address? How can I check whether the tunnel is built? Is there any indication?

Please advise.

Cisco Employee

Re: peer address

Hi,

Just imagine you have a VPN Tunnel in a hub and spoke topology:

Router A --------- Internet | -------- Router B
                            |
                            | -------- Router C

In this case, Router A has tunnels to both Router B and Router C. After checking the match address and encrypting the packet, Router A now needs to know which peer it has to send the encrypted packet to, and this is where the peer address is used.

You can also refer to the URL below for the same:

http://www.cisco.com/warp/public/707/ios_hub-spoke.html

The two commands below will tell you whether the tunnel is up or not.

show crypto isakmp sa

show crypto ipsec sa

You can refer to the URL below for the same:

http://www.cisco.com/warp/public/471/ipsecrouter_vpn.html

Regards,

Arul

Community Member

Re: peer address

Thanks for your answer. I have another question.

My "crypto ipsec transform-set to_vpn esp-des"

and "crypto map to_vpn 10 ipsec-isakmp" are both using the same "to_vpn".

Will it affect the connectivity? Should I use different names?

Also, for the access-list, what IP should I put, the Ethernet or serial IP?

Please advise.

Thanks

Cisco Employee

Re: peer address

Hi,

crypto ipsec transform-set to_vpn esp-des, in this statement "to_vpn" is a name assigned to the transform set.

crypto map to_vpn 10 ipsec-isakmp, in this statement "to_vpn" is a name assigned to the crypto map.

Using the same name should not affect connectivity, but it is good practice to use different names, because when you add more config to the router it might start confusing you.

Also keep in mind that there can be only "ONE" crypto map applied to the interface, but you can have many instances.

The access-list defines which traffic you want to encrypt and send it across the tunnel.

You can also refer to the config below as a reference for the above explanation:

crypto ipsec transform-set macset esp-des esp-md5-hmac
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
!
!
crypto map to_vpn 10 ipsec-isakmp
 set peer 172.16.172.42
 set transform-set macset
 match address 100
crypto map to_vpn 20 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set to_vpn
 match address 150
crypto map to_vpn 30 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set vpnset
 match address 160

Or I can configure:

crypto ipsec transform-set vpnset esp-des esp-md5-hmac
!
!
crypto map to_vpn 10 ipsec-isakmp
 set peer 172.16.172.42
 set transform-set vpnset
 match address 100
crypto map to_vpn 20 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpnset
 match address 150
crypto map to_vpn 30 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set vpnset
 match address 160

Regards,

Arul
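
An added example, not part of the thread and not Cisco tooling: a small Python check that parses the first configuration from the reply above, keeps transform-set names and crypto-map names in separate tables (which is why sharing "to_vpn" is harmless), and reports instances that lack a peer, transform set or ACL. The function names and the weak-algorithm list (DES, HMAC-MD5) are assumptions added here.

```python
# Constructed sample: the first configuration from the reply above, re-indented.
CONFIG = """\
crypto ipsec transform-set macset esp-des esp-md5-hmac
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer 172.16.172.42
 set transform-set macset
 match address 100
crypto map to_vpn 20 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set to_vpn
 match address 150
crypto map to_vpn 30 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set vpnset
 match address 160
"""

WEAK = {"esp-des", "esp-md5-hmac"}  # assumption added here: deprecated algorithms
SUB = {("set", "peer"): "peer", ("set", "transform-set"): "tset", ("match", "address"): "acl"}

def parse(config):
    """Return (transform_sets, entries); entries are keyed by (map name, sequence)."""
    tsets, entries, cur = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 3:
            tsets[words[3]] = words[4:]          # transform-set namespace
        elif words[:2] == ["crypto", "map"] and len(words) > 3 and words[3].isdigit():
            cur = entries.setdefault((words[2], int(words[3])), {})  # crypto-map namespace
        elif cur is not None and len(words) > 2 and tuple(words[:2]) in SUB:
            cur[SUB[tuple(words[:2])]] = words[2]
    return tsets, entries

def audit(config):
    """List findings: missing settings, undefined transform sets, weak algorithms."""
    tsets, entries = parse(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        findings += [f"{name} {seq}: no {k} configured" for k in ("peer", "tset", "acl") if k not in e]
        algos = tsets.get(e.get("tset"))
        if "tset" in e and algos is None:
            findings.append(f"{name} {seq}: transform set {e['tset']} is not defined")
        for a in sorted(WEAK.intersection(algos or [])):
            findings.append(f"{name} {seq}: {e['tset']} uses weak {a}")
    return findings
```

Calling `audit(CONFIG)` returns two findings per instance, one for each weak algorithm in the referenced transform set.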

Community Member

Re: peer address

I can't ping the private IP on the concentrator. Please advise.

Cisco Employee

Re: peer address

Hi,

Can you be more detailed?

Regards,

Arul
