Problems creating an IPSec tunnel between SA520W and SR520

Good morning. I have a problem creating a tunnel between two routers; communication is not established between them. Could someone help me with the settings below for the SR520 and the SA520W?

Thanks.

SR520:

Building configuration...

Current configuration : 8629 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SR520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$JF9J$7qq8amfNhIs85j.MKsUJ4.
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-4089235246
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4089235246
revocation-check none
rsakeypair TP-self-signed-4089235246
!
!
crypto pki certificate chain TP-self-signed-4089235246
certificate self-signed 02
      quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.10
!
ip dhcp pool inside
   import all
   network 192.168.75.0 255.255.255.0
   default-router 192.168.75.1
   option 150 ip 10.1.1.1
!
!
ip cef
ip port-map user-ezvpn-remote port udp 10000
!
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
!
!
username cisco privilege 15 secret 5 $1$A/tV$3ejNcgbAogFIHczj3Fslv1
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 200.124.240.15x
crypto isakmp keepalive 12
!
!
crypto ipsec transform-set SITE3 esp-3des esp-sha-hmac
!
!
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
connect auto
group EZVPN_GROUP_1 key ricardo2009
mode network-extension
peer 200.124.246.121
virtual-interface 1
username sr520 password ciscocisco
xauth userid mode local
!
!
crypto map SITE3TUNNEL 2 ipsec-isakmp
set peer 200.124.240.150
set transform-set SITE3
match address 150
!
archive
log config
  hidekeys
!
!
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
match access-group 101
class-map type inspect match-any Easy_VPN_Remote_VT
match access-group 102
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class type inspect sdm-cls-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-permit_VT
class type inspect Easy_VPN_Remote_VT
  pass
class class-default
  drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-cls-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  pass
class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
  pass
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_REMOTE_PT
  pass
class type inspect dhcp_out_self
  pass
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit_VT
!
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SITE3TUNNEL
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface Virtual-Template1 type tunnel
no ip address
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.75.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 200.124.246.121 any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 110 remark SDM_ACL
access-list 110 deny   ip 192.168.75.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny   ip 192.168.75.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 110 permit ip 192.168.75.0 0.0.0.255 any
access-list 150 permit ip 192.168.75.0 0.0.0.255 192.168.20.0 0.0.0.255
!
!
!
!
!
control-plane
!
banner login ^CCSR520 Base Config - MFG 1.0 ^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

SA520W:

(The SA520W configuration was attached as three screenshots, 1.jpg, 2.jpg and 3.jpg; their contents are not available on this page.)
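One check a reviewer would run on the SR520 configuration above, added here as an example and not part of the original post: on IOS, inside-to-outside NAT is applied to an outbound packet before the crypto map is evaluated, so LAN traffic bound for 192.168.20.0/24 that is not exempted from the overload list 110 arrives at ACL 150 already translated and never matches the tunnel. The script (the access-list text is a constructed copy of the lines from the post; the function names are mine) parses both ACLs with first-match semantics and reports interesting-traffic flows that list 110 would still translate.

```python
import ipaddress

# Constructed copy of the SR520 NAT list 110 and crypto-map list 150 from the post.
SR520_ACLS = """
access-list 110 remark SDM_ACL
access-list 110 deny   ip 192.168.75.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny   ip 192.168.75.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 110 permit ip 192.168.75.0 0.0.0.255 any
access-list 150 permit ip 192.168.75.0 0.0.0.255 192.168.20.0 0.0.0.255
"""


def _parse_addr(tokens, i):
    """Read one ACE address spec (any | host A.B.C.D | A.B.C.D WILDCARD)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix = 32 - wildcard.bit_length()  # contiguous wildcard mask assumed
    return ipaddress.ip_network((tokens[i], prefix), strict=False), i + 2


def parse_acls(text):
    """Map ACL number -> ordered list of (action, src_net, dst_net) for 'ip' ACEs."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def first_match(aces, src, dst):
    """IOS ACLs are first-match, with an implicit deny at the end."""
    for action, s, d in aces:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def nat_exemption_gaps(acls, nat_acl="110", crypto_acl="150"):
    """Crypto-map flows that the NAT ACL would still translate (no deny hit first)."""
    gaps = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action == "permit" and first_match(acls.get(nat_acl, []), src, dst) == "permit":
            gaps.append((str(src), str(dst)))
    return gaps
```

Feed it the full `show run` text to check every crypto ACL; it only understands plain `ip` ACEs, so protocol- or port-specific entries would need a wider parser.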
