Cisco Support Community
Please, help a noob (857 IPSEC)

I have an 857 Router at both sites,

I can't get the damn VPN to work. I try and debug, but no debug messages even come through; it's like the crypto engine doesn't even try to connect?!?

This is my first encounter with cisco and the following has been pieced together off a few white papers.

What have I done wrong?

This is the config in the routers:-

X.X.X.X is the WAN IP address of the remote site.

---------------------------------

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname name
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip dhcp use vrf connected
!
ip dhcp excluded-address 172.16.40.1 172.16.40.20
!
ip dhcp pool CUSTOMER-LAN
 network 172.16.40.0 255.255.255.0
 default-router 172.16.40.1
 dns-server 203.50.2.71 139.130.4.4
!
ip cef
!
ip subnet-zero
ip cef
!
no ip domain lookup
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key keyname address X.X.X.X
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set aesset
 match address acl_vpn
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 172.16.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxx@nnnn
 ppp chap password 0 xxxx
 crypto map aesmap
!
!
ip nat inside source list acl_nat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.20.0 255.255.255.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip access-list extended acl_nat
 deny ip 172.16.40.0 0.0.0.255 172.16.20.0 0.0.0.255
 permit ip 172.16.40.0 0.0.0.255 any
!
ip access-list extended acl_vpn
 permit ip 172.16.40.0 0.0.0.255 172.16.20.0 0.0.0.255
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
!
scheduler max-task-time 5000
end
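A quick consistency check of the pieces that have to line up before the crypto map can ever trigger: a pre-shared key for the crypto map's peer, the crypto map applied to an interface, and the VPN flow denied in the NAT overload ACL before the permit (IOS translates inside-to-outside traffic before the crypto map sees it, so a translated flow never matches acl_vpn). This is an added example, not code from the thread; it assumes the crypto- and NAT-related lines of the posted config as a constructed sample.

```python
# Constructed sample: the crypto- and NAT-related lines of the 857 config posted above.
CONFIG = """\
crypto isakmp key keyname address X.X.X.X
crypto map aesmap 10 ipsec-isakmp
 set peer X.X.X.X
 match address acl_vpn
interface Dialer0
 ip nat outside
 crypto map aesmap
ip nat inside source list acl_nat interface Dialer0 overload
ip access-list extended acl_nat
 deny ip 172.16.40.0 0.0.0.255 172.16.20.0 0.0.0.255
 permit ip 172.16.40.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 172.16.40.0 0.0.0.255 172.16.20.0 0.0.0.255
"""

def parse(cfg):
    """Group IOS submode lines (indented by one space) under their parent command."""
    blocks, parent = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and parent is not None:
            blocks[parent].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            parent = line.strip()
            blocks[parent] = []
    return blocks

def check_crypto(cfg):
    """Return findings; an empty list means key, crypto map, interface and NAT line up."""
    b, out = parse(cfg), []
    for cmd, body in b.items():
        if not cmd.startswith("crypto map "):
            continue
        opt = dict(l.rsplit(" ", 1) for l in body if " " in l)   # "set peer" -> "X.X.X.X"
        name, peer, acl = cmd.split()[2], opt.get("set peer"), opt.get("match address")
        if not any(k.startswith("crypto isakmp key ") and k.endswith(f" address {peer}") for k in b):
            out.append(f"{name}: no pre-shared key defined for peer {peer}")
        if not any(k.startswith("interface") and f"crypto map {name}" in v for k, v in b.items()):
            out.append(f"{name}: not applied to any interface")
        # NAT runs before crypto outbound: the VPN flow must hit a deny in the NAT ACL first.
        for nat in (k for k in b if k.startswith("ip nat inside source list ")):
            nat_acl = b.get(f"ip access-list extended {nat.split()[5]}", [])
            for entry in b.get(f"ip access-list extended {acl}", []):
                flow = entry.split(maxsplit=1)[1]           # "ip <src> <wild> <dst> <wild>"
                src = " ".join(flow.split()[:3])
                hit = next((l for l in nat_acl if l.endswith(" " + flow) or l.endswith(f"{src} any")), None)
                if hit is None or not hit.startswith("deny"):
                    out.append(f"{name}: '{flow}' is not exempted from NAT in {nat.split()[5]}")
    return out
```

The posted config passes all three checks; swapping the order of the two acl_nat entries, or dropping `crypto map aesmap` from Dialer0, produces a finding.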

3 REPLIES

Re: Please, help a noob (857 IPSEC)

hi,

What IOS version are you running?

Thanks

John


Re: Please, help a noob (857 IPSEC)

Site 1:

Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(6)T9, RELEASE SOFTWARE (fc2)

Site 2:

Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(6)T9, RELEASE SOFTWARE (fc2)

Re: Please, help a noob (857 IPSEC)

Hi,

The config you posted shows it was created with IOS 12.3. Check that some commands haven't been disabled during the save and reboot. Could also be that the routers have a problem with the high encryption you have chosen. Try with 3DES and progressively increase.

thanks

John
