
Cisco 1711 VPN does not ping

Hi,

I have two Cisco 1711 VPN routers connected but I can't ping the networks. Please check the configuration.

This is the configuration

        192.168.200.1(F0)  VPN1 (E0) 192.168.1.80 (Given Thru DHCP)    DSL Router (192.168.1.254)      192.168.1.78 (e0 DHCP)  VPN2  192.168.201.1

RouterVPN1#show cryp ses


Crypto session current status

Interface: Ethernet0
Session status: UP-ACTIVE
Peer: 192.168.1.78 port 500
  IKE SA: local 192.168.1.80/500 remote 192.168.1.78/500 Active
  IPSEC FLOW: permit ip 192.168.200.0/255.255.255.0 192.168.201.0/255.255.255.0

        Active SAs: 2, origin: crypto map

RouterVPN1#show cry ipsec sa

interface: Ethernet0

    Crypto map tag: VPN1-VPN2, local addr 192.168.1.80

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
  current_peer 192.168.1.78 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 293, #pkts decrypt: 293, #pkts verify: 293
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 192.168.1.80, remote crypto endpt.: 192.168.1.78
    path mtu 1500, ip mtu 1500
    current outbound spi: 0xEE28CAE1(3995650785)

    inbound esp sas:
      spi: 0xF2A9C43C(4071212092)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: C1700_EM:1, crypto map: VPN1-VPN2
        sa timing: remaining key lifetime (k/sec): (4406917/956)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
      spi: 0xEE28CAE1(3995650785)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: C1700_EM:2, crypto map: VPN1-VPN2
        sa timing: remaining key lifetime (k/sec): (4406949/930)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

    outbound ah sas:

    outbound pcp sas:

RouterVPN1#sh cryp isa sa

dst            src            state          conn-id slot status

192.168.1.80    192.168.1.78    QM_IDLE              1    0 ACTIVE

RouterVPN1#ping 192.168.201.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

RouterVPN1

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RouterVPN1

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

no aaa new-model

!

resource policy

!

memory-size iomem 25

ip subnet-zero

!

no ip dhcp use vrf connected

!

ip dhcp pool DHCP-Server

  network 192.168.200.0 255.255.255.0

  default-router 192.168.200.1

  dns-server 192.168.1.254

!

!

ip cef

no ip ips deny-action ips-interface

!

no ftp-server write-enable

!

!

crypto pki trustpoint TP-self-signed-290673027

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-290673027

revocation-check none

rsakeypair TP-self-signed-290673027

!

!

username kotusha privilege 15 secret 5 $1$B25/$HmHedNOz53MkSJ9BGn6sB0

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key kotusha address 192.168.1.78

no crypto isakmp ccm

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto map VPN1-VPN2 10 ipsec-isakmp

set peer 192.168.1.78

set transform-set myset

match address 101

!

!

!

interface Ethernet0

description wan interface

ip address dhcp

ip nat outside

ip virtual-reassembly

full-duplex

crypto map VPN1-VPN2

!

interface FastEthernet0

description LAN INTERFACE

ip address 192.168.200.1 255.255.255.0

ip nat inside

ip virtual-reassembly

speed auto

!

ip classless

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

!

ip nat inside source route-map SDM_RMAP_1 interface Ethernet0 overload

!

!

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 192.168.200.0 0.0.0.255

access-list 100 remark SDM_ACL Category=2

access-list 100 deny  ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255

access-list 100 permit ip 192.168.200.0 0.0.0.255 any

access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255

!

route-map SDM_RMAP_1 permit 1

match ip address 100

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

end

RouterVPN2

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RouterVPN2

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

no aaa new-model

!

resource policy

!

memory-size iomem 25

ip subnet-zero

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.201.1 192.168.201.100

!

ip dhcp pool DHCP-Server

  network 192.168.201.0 255.255.255.0

  default-router 192.168.201.1

  dns-server 192.168.1.254

!

!

ip cef

no ip ips deny-action ips-interface

!

no ftp-server write-enable

!

!

crypto pki trustpoint TP-self-signed-290673027

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-290673027

revocation-check none

rsakeypair TP-self-signed-290673027

!

!

crypto pki certificate chain TP-self-signed-290673027

certificate self-signed 01

  quit

username kotusha privilege 15 secret 5 $1$nWaX$kUF8z/zSZJ5b3GfDdWO7u1

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key kotusha address 192.168.1.80

no crypto isakmp ccm

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto map VPN2-VPN1 10 ipsec-isakmp

set peer 192.168.1.80

set transform-set myset

match address 101

!

!

!

interface Ethernet0

description wan interface

ip address dhcp

ip nat outside

ip virtual-reassembly

full-duplex

crypto map VPN2-VPN1

!

interface FastEthernet0

description LAN INTERFACE

ip address 192.168.201.1 255.255.255.0

ip nat inside

ip virtual-reassembly

speed auto

!

ip classless

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

!

ip nat inside source route-map SDM_RMAP_1 interface Ethernet0 overload

!

!

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 192.168.201.0 0.0.0.255

access-list 100 remark SDM_ACL Category=2

access-list 100 deny  ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 100 permit ip 192.168.201.0 0.0.0.255 any

access-list 101 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255

!

route-map SDM_RMAP_1 permit 1

match ip address 100

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

end

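A triage sketch for the output in the post above, added here and not part of the original post: it parses the proxy identities and packet counters from `show crypto ipsec sa` and checks whether a given test packet falls inside the protected flow. The source address 192.168.1.80 for the router-originated ping (the Ethernet0 address) and the 10:1 asymmetry threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the "show crypto ipsec sa" output in the post.
SAMPLE = """\
  local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
  current_peer 192.168.1.78 port 500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 293, #pkts decrypt: 293, #pkts verify: 293
"""

IDENT = re.compile(r"(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Return the proxy identities (as networks) and the encaps/decaps counters."""
    sa = {}
    for side, addr, mask in IDENT.findall(text):
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}")
    for name, value in COUNT.findall(text):
        sa[name] = int(value)
    return sa


def in_flow(sa, src, dst):
    """True if a packet src -> dst matches the SA's local/remote identities."""
    return (ipaddress.ip_address(src) in sa["local"]
            and ipaddress.ip_address(dst) in sa["remote"])


def triage(sa, src, dst):
    """List the reasons a test packet may not be crossing the tunnel."""
    notes = []
    if not in_flow(sa, src, dst):
        notes.append(f"{src} -> {dst} is outside the protected flow; not selected for encryption")
    # Assumed threshold: flag the SA when decaps outnumber encaps by more than 10:1.
    if sa["decaps"] > 0 and sa["encaps"] * 10 < sa["decaps"]:
        notes.append(f"one-way traffic: encaps={sa['encaps']} decaps={sa['decaps']}")
    return notes


if __name__ == "__main__":
    sa = parse_sa(SAMPLE)
    # Assumption: the router-originated ping leaves with the Ethernet0 address.
    for src in ("192.168.1.80", "192.168.200.1"):
        print(src, triage(sa, src, "192.168.201.1"))
```

A test sourced from an address inside 192.168.200.0/24 is the one that exercises the tunnel; the encaps counter on this router should then rise with each packet sent.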