New Member

Can't establish VPN from remote end.

Hi folks,

I was wondering if you kind people wouldn't mind helping me?

I have a router at a remote site (let's call it site A) which over ADSL connects to our HQ via VPN. Site A has an 857 router and the HQ has a 3000 concentrator. We have another couple of sites with different or older routers, 837, 1751 etc. All the sites use the same config, only the IPs and key change.

Only site A however doesn't keep its VPN up, and the VPN will only establish itself if I create the connection from the HQ (I ping site A's IP address from HQ). If I connect to the router over ADSL and I ping the corporate network ensuring that the source address is site A it still doesn't bring the VPN up. Since the config is exactly the same on the 3000 as the other VPNs I assume the problem must lie with the 857 and some config line that's either not there or is incorrect.

I've attached the running config, sh ver and sh diag.

thanks

Dave

7 REPLIES

Re: Can't establish VPN from remote end.

Your config looks right. Can you post "sh crypt session" and sh crypt ipsec sa?

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: Can't establish VPN from remote end.

Attached..

sh crypto eng conn act

sh crypto sess

sh crypto ipsec sa

thanks

Dave

Cisco Employee

Re: Can't establish VPN from remote end.

Hi,

Based on your configuration and show crypto ipsec sa, I believe that the Crypto ACLs are not mirroring on the Router and VPN3000 Headend side.

The 857 Crypto ACL is below:

ip access-list extended NETS

permit ip 10.254.42.0 0.0.0.255 any

permit ip 172.16.15.0 0.0.0.255 any

But the IPSEC SAs are built between 10.254.42.0/24 to 10.0.0.0/8 and 172.16.15.0 to 10.0.0.0/8. So, this tells me that the VPN3000 is configured for

Local Network List:

10.0.0.0 0.0.0.255

Remote Network List:

10.254.42.0 0.0.0.255

172.16.15.0 0.0.0.255

So, this could very well be the reason that you are only able to bring up the tunnel from the VPN3000 and not the 857.

You have two options:

1. Reconfigure the network list on the VPN3000 to include any source traffic destined to your subnets to be encrypted.

or

2. Change the access-list from any to 10.0.0.0/8 on the router.

Also, I am not sure how you are routing your internet traffic for users behind the 857. If you want to send all the traffic to the VPN3000 including internet, then you have to change the VPN3000 network list to any.

Regards,

Arul

*Pls rate if it helps*
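
The mirroring check Arul describes, as an added example that is not part of this thread: it parses the 857's crypto ACL entries (Cisco address/wildcard pairs) and compares them against the concentrator's local and remote network lists, reporting every entry the headend would not accept as a mirror. The network lists below are constructed from the SA output quoted in the thread (10.0.0.0/8 on the headend side), not copied from any config.

```python
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard-mask' pair into an IPv4 network."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if (bits + 1) & bits:  # only contiguous wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 32 - bits.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_ace(line):
    """Parse 'permit ip <src> <dst>' into a (src_net, dst_net) tuple."""
    toks = line.split()
    if toks[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    nets, i = [], 2
    while len(nets) < 2:
        if toks[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(f"{toks[i + 1]}/32")); i += 2
        else:
            nets.append(wildcard_to_network(toks[i], toks[i + 1])); i += 2
    return tuple(nets)


def headend_pairs(local_nets, remote_nets):
    """Proxy identities the VPN3000 offers, viewed from the router side:
    (router-side subnet, headend-side subnet) for every list combination."""
    return {(ipaddress.ip_network(r), ipaddress.ip_network(l))
            for l in local_nets for r in remote_nets}


def unmirrored(router_aces, local_nets, remote_nets):
    """Return the router ACEs that have no exact mirror on the concentrator."""
    expected = headend_pairs(local_nets, remote_nets)
    return [ace for ace in router_aces if parse_ace(ace) not in expected]


# Constructed sample data modelled on the thread (not the poster's config).
ROUTER_ACL = ["permit ip 10.254.42.0 0.0.0.255 any",
              "permit ip 172.16.15.0 0.0.0.255 any"]
FIXED_ACL = ["permit ip 10.254.42.0 0.0.0.255 10.0.0.0 0.255.255.255",
             "permit ip 172.16.15.0 0.0.0.255 10.0.0.0 0.255.255.255"]
HEADEND_LOCAL = ["10.0.0.0/8"]                       # VPN3000 local list
HEADEND_REMOTE = ["10.254.42.0/24", "172.16.15.0/24"]  # VPN3000 remote list

if __name__ == "__main__":
    print("unmirrored:", unmirrored(ROUTER_ACL, HEADEND_LOCAL, HEADEND_REMOTE))
```

With the original ACL both entries are reported because `any` is wider than 10.0.0.0/8; either option Arul lists (a 10.0.0.0/8 destination on the router, or `any` in the headend local list) makes the report empty.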

New Member

Re: Can't establish VPN from remote end.

Sorry for not replying until now, I was off sick. Thanks for your help, it was the ACLs and once changed rectified the problem.

Dave

New Member

Re: Can't establish VPN from remote end.

Dave,

On your router you have:

permit ip 10.254.42.0 0.0.0.255 any

permit ip 172.16.15.0 0.0.0.255 any

On the concentrator, verify that the tunnel policy allows for:

10.254.42.0/0.0.0.255

172.16.15.0/0.0.0.255

If you still have problems, you can post the relevant portions of the concentrator config also.

HTH,

John

HTH, John *** Please rate all useful posts ***