replacing 857 with 887 and Site to Site VPN not working.

Chris Fella
Level 1

Hello all,

I am replacing an 857w with an 887va and I'm having trouble with the site-to-site VPN. I have attached the 2 configs; the 887 one is also shown below.

I know the config is correct at the other end (Cisco ASA) as the vpn comes up with the 857w.

Thanks for any help.


!
! Last configuration change at 19:35:24 UTC Mon Feb 17 2014
! NVRAM config last updated at 19:35:47 UTC Mon Feb 17 2014
! NVRAM config last updated at 19:35:47 UTC Mon Feb 17 2014
version 15.1
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.155.101 192.168.155.254
!
ip dhcp pool LANPool
import all
network 192.168.155.0 255.255.255.0
dns-server 196.3.132.153 208.67.222.222
default-router 192.168.155.254
lease 0 5
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group pppoe
!
license udi pid CISCO887VA-SEC-K9 sn
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key PASSWORD address 111.111.111.111
!
!
crypto ipsec transform-set AESset esp-aes 256 esp-sha-hmac
!
crypto map SDM_MAP 1 ipsec-isakmp
set peer 111.111.111.111
set transform-set AESset
match address 133
!
!
!
!
bba-group pppoe global
!
!
interface Ethernet0
no ip address
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Vlan1
ip address 192.168.155.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
shutdown
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password 0 password
ppp pap sent-username username password 0 password
crypto map SDM_MAP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 192.168.155.155 80 interface Dialer1 80
ip nat inside source static tcp 192.168.155.155 554 interface Dialer1 554
ip nat inside source static tcp 192.168.155.155 9950 interface Dialer1 9950
ip nat inside source static tcp 192.168.155.155 9951 interface Dialer1 9951
ip nat inside source static udp 192.168.155.155 9950 interface Dialer1 9950
ip nat inside source static udp 192.168.155.155 9951 interface Dialer1 9951
ip nat inside source static udp 192.168.155.155 554 interface Dialer1 554
ip nat inside source static tcp 192.168.155.155 9952 interface Dialer1 9952
ip nat inside source static tcp 192.168.155.155 9953 interface Dialer1 9953
ip nat inside source static tcp 192.168.155.155 9954 interface Dialer1 9954
ip nat inside source static tcp 192.168.155.155 9955 interface Dialer1 9955
ip nat inside source static udp 192.168.155.155 9952 interface Dialer1 9952
ip nat inside source static udp 192.168.155.155 9953 interface Dialer1 9953
ip nat inside source static udp 192.168.155.155 9954 interface Dialer1 9954
ip nat inside source static udp 192.168.155.155 9955 interface Dialer1 9955
ip nat inside source static tcp 192.168.155.170 80 interface Dialer1 8080
ip nat inside source route-map INTOOUT interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.155.0 0.0.0.255
access-list 101 permit ip 192.168.155.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.155.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 deny   ip host 192.168.155.250 any
access-list 103 deny   ip 192.168.155.0 0.0.0.255 192.168.85.0 0.0.0.255
access-list 103 permit ip 192.168.155.0 0.0.0.255 any
access-list 133 permit ip 192.168.155.0 0.0.0.255 192.168.85.0 0.0.0.255
access-list 199 deny   ip host 192.168.155.250 10.0.0.0 0.0.0.255
access-list 199 permit ip host 192.168.155.250 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map INTOOUT permit 10
match ip address 101
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
route-map NoNat permit 10
match ip address 199
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password casino
login
transport input all
!
end

2 Replies

Richard Burts
Hall of Fame

I have looked through the configs and what I notice is this:

from the 887 config

crypto isakmp key PASSWORD address 111.111.111.111

from the 857 config

crypto isakmp key password address 111.111.111.111

Since ISAKMP keys are case sensitive, the mismatch of lowercase and uppercase is significant.

HTH

Rick

Hi Rick,

Thanks for the message, but I have replaced the IP addresses and passwords with sample ones for the Cisco forum for obvious reasons.

regards

Chris
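
A check that can be run over the 887 configuration posted at the top of this thread, added here as an example and not written by any of the posters: on IOS, inside-to-outside NAT is applied before the crypto map ACL is evaluated, so tunnel traffic that a NAT rule translates no longer matches the crypto ACL. The function names and the simplified first-match logic are assumptions of this example; the config lines are an excerpt of the posted config.

```python
import ipaddress
import re

# Constructed excerpt: the crypto map, NAT, ACL and route-map lines of the 887 config above.
CONFIG = """\
crypto map SDM_MAP 1 ipsec-isakmp
 match address 133
ip nat inside source route-map INTOOUT interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
access-list 101 permit ip 192.168.155.0 0.0.0.255 any
access-list 103 deny   ip host 192.168.155.250 any
access-list 103 deny   ip 192.168.155.0 0.0.0.255 192.168.85.0 0.0.0.255
access-list 103 permit ip 192.168.155.0 0.0.0.255 any
access-list 133 permit ip 192.168.155.0 0.0.0.255 192.168.85.0 0.0.0.255
route-map INTOOUT permit 10
 match ip address 101
route-map SDM_RMAP_1 permit 1
 match ip address 103
"""

def take(tok):
    # One ACL address spec: 'any', 'host A' or 'A WILDCARD' (contiguous wildcards only).
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok.pop(0)}/32" if t == "host" else f"{t}/{tok.pop(0)}")

def parse_acls(cfg):
    acls = {}
    for num, act, rest in re.findall(r"^access-list (\d+) (permit|deny)\s+ip (.+)$", cfg, re.M):
        tok = rest.split()
        acls.setdefault(num, []).append((act, take(tok), take(tok)))
    return acls

def verdict(entries, src, dst):
    # First entry that fully covers the flow wins; partial overlaps are skipped (simplification).
    for act, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return act
    return "deny"  # implicit deny at the end of every ACL

def nat_conflicts(cfg):
    # (route-map, NAT ACL, crypto ACL) triples where tunnel traffic would be translated first.
    acls = parse_acls(cfg)
    rmaps = dict(re.findall(r"^route-map (\S+) permit \d+\n\s*match ip address (\d+)", cfg, re.M))
    nat = re.findall(r"^ip nat inside source route-map (\S+) interface \S+ overload", cfg, re.M)
    return [(r, rmaps[r], c) for c in re.findall(r"^\s*match address (\d+)", cfg, re.M)
            for act, src, dst in acls.get(c, []) if act == "permit"
            for r in nat if r in rmaps and verdict(acls.get(rmaps[r], []), src, dst) == "permit"]
```

For the posted lines, `nat_conflicts(CONFIG)` reports route-map INTOOUT (ACL 101) against crypto ACL 133, while SDM_RMAP_1 (ACL 103) already denies the 192.168.85.0/24 traffic and is not reported.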
