Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
335
Views
0
Helpful
2
Replies

cannot establish site-to-site tunnel on 2811 running on 4port etherswitch

lctiong
Level 1
Level 1

‎07-16-2006 11:55 PM

hi, i was trying to establish a site-to-site tunnel between 2 2811 with 4 port etherswitch each.

i was able to ping to both end but tunnel sesssion is down. below is the sample configuration.

!

crypto isakmp policy 1

hash md5

authentication pre-share

group2

crypto isakmp key cisco address 58.x.50.122

!

crypto ipsec transform-set cisco esp-des esp-md5-hmac

!

crypto map cisco 10 ipsec-isakmp

set peer 58.x.50.122

set transform-set cisco

match address 120 ddress !

!

interface Tunnel0

bandwidth 1000

ip unnumbered Vlan10

tunnel source Vlan20

tunnel destination 58.x.50.122

!

interface FastEthernet0/1/0

switchport access vlan 10

!

interface FastEthernet0/1/1

switchport access vlan 20

!

interface Vlan10

ip address 10.0.0.10 255.255.255.192

ip pim sparse-dense-mode

!

interface Vlan20

ip address 202.x.x.73 255.255.255.252

ip pim sparse-dense-mode

crypto map cisco

!

access-list 120 permit ip host 58.x.x.122 host 202.126.139.73

access-list 120 permit gre host 58.x.x.122 host 202.126.139.73

!

ip route 0.0.0.0 0.0.0.0 165.22.248.186

ip route 58.185.x.x.255.255.255 FastEthernet0/1/1

2811#sh cryp sess

Interface: Vlan20

Session status: DOWN

Peer: 58.x.50.122 port 500

IPSEC FLOW: permit 47 host 58.x.50.122 host 202.126.139.73

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip host 58.x.50.122 host 202.126.139.73

Active SAs: 0, origin: crypto map

Any advice would be much appreciated.

Labels:
0 Helpful
2 Replies 2

MIKE DOUGLAS
Level 1
Level 1

‎07-17-2006 01:18 PM

It looks like your crypto acl is backwards. The local egress interface is first, destination address is second. Both routers likely have this problem.

access-list 120 permit gre host 202.126.139.73 host 58.185.50.122

0 Helpful

GRAEME DANIELSON
Level 1
Level 1
In response to MIKE DOUGLAS

‎07-18-2006 12:46 AM

Also... be careful using the Vl10 SVI as the ip unnumbered source for the tunnel. You will need at least one switchport in Vl10 always up to keep the SVI interface up; and hence the Tunnel.

Solution is to use a loopback as the ip unnumbered source interface.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents