I've been trying for the past 8 hours to connect a new Cisco 887VA K9 VDSL router to an existing site-to-site VPN (the original 877 failed).
I simply cannot get the router to connect to the site-to-site VPN. I tried TFTP'ing the original config from the failed 877, but that didn't work.
Here is the outline of the network where this 887 will reside:
LAN IP address of the Cisco router is 192.168.10.254.
LAN IP of the DHCP server on the LAN is 192.168.10.1.
Client computers use the LAN with the subnet of 192.168.10.0/24.
The DHCP server is a DC.
The client computers use an RDP session on the head office network using IP 192.168.1.5; the subnet of the remote network is 192.168.1.0/24.
Here is the config I have written so far on the new 887VA. I have internet access but no IPsec site-to-site VPN.
=====[ start 887VA config ] ======
887VA#sh run
Building configuration...

Current configuration : 2476 bytes
!
! Last configuration change at 18:45:34 UTC Tue Jul 23 2013
! NVRAM config last updated at 17:50:28 UTC Tue Jul 23 2013
! NVRAM config last updated at 17:50:28 UTC Tue Jul 23 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 887VA
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-K9 sn XXXXXXXXXX
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address XX.XXX.XXX.XXX
!
!
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer XX.XXX.XXX.XXX
 set transform-set tr-3des-sha
 match address NAT
!
crypto map cmap 10 ipsec-isakmp
 ! Incomplete
 set transform-set tr-aes-sha
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description LAN
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 no ip address
!
interface Dialer1
 description Interface for ADSL/VDSL
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname email@example.com
 ppp chap password 0 bt
 ppp ipcp address accept
 no cdp enable
 crypto map CMAP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT
 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
=====[ end config ] =========
I'm unsure as to what transform set I'm using at the peer. The peer is an 877, and I've got the following in the config on that device with relation to transform set:
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...