Cisco Support Community
New Member

Router-to-Router VPN IPSec (aggressive mode initiator)

Hi!

I have 2 routers doing LAN-to-LAN VPN, one of which is configured in aggressive mode. I can't seem to make it work :)

############# ROUTER A ############
!
hostname RouterA
!
username test1 password system
!
ip name-server x.x.x.x
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key cisco123 hostname test1
!
crypto isakmp client configuration group vpnipsec
 key our_key
 dns x.x.x.x y.y.y.y
 domain client.com
 acl 103
!
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans1
!
crypto map MAPA 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 10.1.1.1 255.255.255.252
 ip nat outside
 crypto map MAPA
!
ip nat inside source route-map nonat interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
!
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny ip any any
route-map nonat permit 10
 match ip address 102
!

######## ROUTER B #############
!
hostname RouterB
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp peer address 10.1.1.1
 set aggressive-mode password cisco123
 set aggressive-mode client-endpoint fqdn test1
!
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
!
crypto map MAPA 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set rtpset
 match address 100
!
interface Ethernet0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 10.1.1.2 255.255.255.252
 ip nat outside
 crypto map MAPA
!
ip nat inside source route-map nonat interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102

Regards

2 REPLIES
Cisco Employee

Re: Router-to-Router VPN IPSec (aggressive mode initiator)

Hmmm, I set this exact config up in the lab here and it works fine. I'm running 12.2(13.4)T; what code are you running? Can you enable "debug cry isa" and "debug cry sa" on RouterA, try and bring up the tunnel from RouterB and send us the output?

New Member

Re: Router-to-Router VPN IPSec (aggressive mode initiator)

Ok. I'll do that and send you the output.

regards
