Configuring Cisco Route 2811 & Cisco VPN 3000 Concentrator

I couldn't establish a tunnel between the VPN 3000 and the Cisco 2811 router. Here is the config for the 2811. Please suggest what else needs to be done.

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address xx.xx.xx.xx
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set to_vpn
 match address 101
!
interface GigabitEthernet0/0
 ip address xx.xx.xx.xx 255.255.255.248
 ip nat outside
 no ip virtual-reassembly
 duplex half
 speed auto
 crypto map to_vpn
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex half
 speed auto
!
interface GigabitEthernet0/1.1
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.10
 ip nat inside
 ip virtual-reassembly
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat pool mypool overload
!
access-list 101 permit ip 10.78.0.0 0.0.255.255 10.23.0.0 0.0.255.255
access-list 101 permit ip 10.78.0.0 0.0.255.255 10.26.1.0 0.0.0.255
access-list 110 deny ip 10.78.0.0 0.0.255.255 10.23.0.0 0.0.255.255
access-list 110 deny ip 10.78.0.0 0.0.255.255 10.26.1.0 0.0.0.255
access-list 110 permit ip 10.78.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 110
!

1 REPLY

Re: Configuring Cisco Route 2811 & Cisco VPN 3000 Concentrator

Hi,

It seems that your IOS config is correct. Anyway, you need to make sure of the following on your concentrator, according to the IOS config:

- Preshared Key

- Authentication: ESP/MD5/HMAC-128

- Enc. 3des

- IKE Proposal: IKE-3DES-MD5

- and the most important thing, that the local network is 10.23.0.0 and 10.23.0.0 0.0.255.255

- and also the remote network must be 10.78.0.0 0.0.255.255

These network lists must be identical between the IOS and the concentrator.

If you have checked that the mentioned notes were done on the VPN concentrator, you can look at the VPN log file, or issue debug crypto isakmp and debug crypto ipsec, to determine exactly what the problem is.

I hope this will help you, and you can paste the IOS debug messages and also your VPN logs in order to help you.

Please rate if it does!

Thanks

abd Alqader
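The network-list check described in the reply can be done mechanically. The following is an added example, not code from either poster or from Cisco: it parses the access-list lines from the posted 2811 config, derives the mirrored local/remote network lists the concentrator side has to carry, and confirms that every crypto flow in ACL 101 is exempted from NAT by ACL 110. The function names are hypothetical, and it assumes standard `access-list N permit|deny ip ...` lines with contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed input: the access-list lines copied from the router config in the question.
CONFIG = """\
access-list 101 permit ip 10.78.0.0 0.0.255.255 10.23.0.0 0.0.255.255
access-list 101 permit ip 10.78.0.0 0.0.255.255 10.26.1.0 0.0.0.255
access-list 110 deny ip 10.78.0.0 0.0.255.255 10.23.0.0 0.0.255.255
access-list 110 deny ip 10.78.0.0 0.0.255.255 10.26.1.0 0.0.0.255
access-list 110 permit ip 10.78.0.0 0.0.255.255 any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
LINE = re.compile(r"access-list (\d+) (permit|deny) ip (.+)")

def _take(tokens):
    """Pop 'any' or 'addr wildcard' off the token list and return it as a network."""
    first = tokens.pop(0)
    # ipaddress accepts a contiguous wildcard (host mask) after the slash.
    return ANY if first == "any" else ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            tokens = m.group(3).split()
            src, dst = _take(tokens), _take(tokens)
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls

def peer_network_lists(crypto_acl):
    """Mirror the crypto ACL: the peer's local list is our destinations, its remote list our sources."""
    permits = [(s, d) for a, s, d in crypto_acl if a == "permit"]
    return sorted({d for _, d in permits}), sorted({s for s, _ in permits})

def natted_before_encryption(crypto_acl, nat_acl):
    """Crypto flows whose first covering NAT ACL entry is a permit (source gets translated, so ACL 101 no longer matches)."""
    bad = []
    for src, dst in ((s, d) for a, s, d in crypto_acl if a == "permit"):
        hit = next((a for a, ns, nd in nat_acl
                    if src.subnet_of(ns) and dst.subnet_of(nd)), None)
        if hit == "permit":
            bad.append((src, dst))
    return bad
```

For the posted config, `peer_network_lists` yields 10.23.0.0/16 and 10.26.1.0/24 as the concentrator's local list and 10.78.0.0/16 as its remote list, and `natted_before_encryption` returns an empty list.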
