05-29-2012 08:56 PM
Hi,
Please find attached the debug output given by my router. Please help me to decipher it, because my tunnel is not coming up and I don't know what is wrong.
Regards
05-30-2012 05:50 AM
Please kindly share the config from both ends.
05-30-2012 07:21 AM
Hi Jennifer,
Please find below the configs from both ends:
site 1
afb>en
Password:
afb#sh run
Building configuration...
Current configuration : 2461 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname afb
!
boot-start-marker
boot-end-marker
!
logging console informational
enable secret 5 $1$hNFM$nwqVpHlH/hy1gGrLW8vyI1
!
username cisco password 7 0822455D0A16
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 70
encr aes 256
authentication pre-share
group 2
lifetime 86070
crypto isakmp key test1 address 41.204.95.12
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set vpn_yde esp-aes 256 esp-sha-hmac
!
crypto map vpn_paris 70 ipsec-isakmp
description tunnel_to_yaounde
set peer 41.204.95.12
set transform-set vpn_yde
match address 100
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 192.168.48.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface Dialer1
mtu 1492
ip address 80.15.109.174 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname fti/3hbfurh
ppp chap password 7 0877584F5D1E1303
ppp multilink
crypto map vpn_paris
!
ip classless
ip route 0.0.0.0 0.0.0.0 193.253.160.3
!
no ip http server
no ip http secure-server
ip nat inside source route-map nat interface Dialer1 overload
!
ip access-list extended IPSEC
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
permit ip any any
!
access-list 100 remark VPN-access
access-list 100 permit ip 192.168.48.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 102 remark internet-access
access-list 102 deny ip 192.168.48.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 102 permit ip 192.168.48.0 0.0.0.255 any
!
route-map nat permit 10
match ip address 102
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
end
site 2
object-group network remote_network
network-object 192.168.48.0 255.255.255.0
object-group network local_host
network-object host 172.21.254.28
network-object host 172.21.254.31
access-list inside_access_in extended permit ip object-group local_host object-group remote_network
access-list inside_access_in extended permit icmp object-group local_host object-group remote_network
access-list vpn extended permit ip object-group local_host object-group remote_network
access-list vpn extended permit icmp object-group local_host object-group remote_network
nat (inside) 0 172.21.254.28 255.255.255.255
nat (inside) 0 172.21.254.31 255.255.255.255
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto map afriland_map 80 match address vpn
crypto map afriland_map 80 set peer 80.15.109.174 255.255.255.255
crypto map afriland_map 80 set transform-set vpn
crypto map afriland_map 80 set security-association lifetime seconds 3600
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
crypto isakmp policy 70
encr aes 256
authentication pre-share
group 2
lifetime 86070
tunnel-group 80.15.109.174 type ipsec-l2l
tunnel-group 80.15.109.174 ipsec-attributes
pre-shared-key *
Regards
05-30-2012 02:08 PM
The ACL on the ASA is incorrect, as it needs to mirror-image the router's; it should just be one line:
access-list vpn permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0
You would also need to have NAT exemption configured on the ASA as follows:
access-list nonat permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0
nat (inside) 0 access-list nonat
Please clear the tunnel with "clear cry ipsec sa", and "clear xlate" to clear the existing translations.
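The mirror-image rule in the reply above is easy to get wrong when one side writes IOS wildcard masks and the other writes ASA subnet masks, and object-groups hide what the ASA ACL actually expands to. The following Python script is an added example for this thread (not Cisco tooling and not code posted by either participant): it parses both crypto ACLs, expands the ASA object-groups, and reports which entries the ASA ACL is missing or has in excess relative to the router's. The sample lines are constructed from the shapes of the two configs posted above; all function names are my own.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Set, Tuple

# A crypto ACL entry normalised to (protocol, source network, destination network).
Entry = Tuple[str, IPv4Network, IPv4Network]
ANY = IPv4Network("0.0.0.0/0")

# Constructed sample input, shaped like the two configs posted in this thread.
ROUTER_CRYPTO_ACL = [
    "access-list 100 remark VPN-access",
    "access-list 100 permit ip 192.168.48.0 0.0.0.255 172.21.0.0 0.0.255.255",
]
ASA_POSTED = [
    "object-group network remote_network",
    " network-object 192.168.48.0 255.255.255.0",
    "object-group network local_host",
    " network-object host 172.21.254.28",
    " network-object host 172.21.254.31",
    "access-list vpn extended permit ip object-group local_host object-group remote_network",
    "access-list vpn extended permit icmp object-group local_host object-group remote_network",
]
ASA_FIXED = ["access-list vpn permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0"]

def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    # IOS ACLs use inverse masks (0.0.0.255 == /24). Invert by hand: ipaddress would
    # read a 0.0.0.0 wildcard (IOS: exactly this host) as a /0 netmask (everything).
    mask = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return IPv4Network((addr, str(IPv4Address(mask))), strict=False)

def _ios_addr(tok: List[str], i: int) -> Tuple[IPv4Network, int]:
    # One IOS address spec starting at tok[i]: 'any', 'host A', or 'A WILDCARD'.
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def parse_ios_crypto_acl(lines: List[str]) -> Set[Entry]:
    # Permit entries of a numbered IOS extended ACL; remarks and deny lines are skipped.
    entries: Set[Entry] = set()
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        src, i = _ios_addr(tok, 4)
        dst, _ = _ios_addr(tok, i)
        entries.add((tok[3], src, dst))
    return entries

def parse_asa_object_groups(lines: List[str]) -> Dict[str, List[IPv4Network]]:
    # Expand 'object-group network' blocks; any other statement ends the current block.
    groups: Dict[str, List[IPv4Network]] = {}
    current = None
    for tok in (line.split() for line in lines if line.strip()):
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[0] == "network-object" and current is not None:
            net = IPv4Network(tok[2] + "/32") if tok[1] == "host" else IPv4Network((tok[1], tok[2]), strict=False)
            groups[current].append(net)
        else:
            current = None
    return groups

def _asa_addr(tok: List[str], i: int, groups: Dict[str, List[IPv4Network]]) -> Tuple[List[IPv4Network], int]:
    # One ASA address spec (netmask form): 'any', 'host A', 'object-group G', or 'A MASK'.
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "host":
        return [IPv4Network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]), i + 2
    return [IPv4Network((tok[i], tok[i + 1]), strict=False)], i + 2

def parse_asa_crypto_acl(lines: List[str], name: str) -> Set[Entry]:
    # Permit entries of the named ASA ACL, with object-groups expanded to their members.
    groups = parse_asa_object_groups(lines)
    entries: Set[Entry] = set()
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != name:
            continue
        i = 3 if tok[2] == "extended" else 2  # 'extended' is optional on the ASA
        if tok[i] != "permit":
            continue
        srcs, j = _asa_addr(tok, i + 2, groups)
        dsts, _ = _asa_addr(tok, j, groups)
        entries.update((tok[i + 1], s, d) for s in srcs for d in dsts)
    return entries

def mirror_mismatch(router: Set[Entry], asa: Set[Entry]) -> Tuple[Set[Entry], Set[Entry]]:
    # The ASA ACL must be the exact mirror of the router's (same protocol, source and
    # destination swapped); otherwise the two peers propose different proxy identities
    # and Phase 2 never completes. Returns (entries the ASA lacks, entries it has in excess).
    expected = {(proto, dst, src) for proto, src, dst in router}
    return expected - asa, asa - expected

if __name__ == "__main__":
    router = parse_ios_crypto_acl(ROUTER_CRYPTO_ACL)
    for label, cfg in (("posted", ASA_POSTED), ("corrected", ASA_FIXED)):
        missing, extra = mirror_mismatch(router, parse_asa_crypto_acl(cfg, "vpn"))
        print(f"ASA ACL ({label}):", "mirrors the router" if not (missing or extra) else "does NOT mirror the router")
        for tag, group in (("missing", missing), ("extra", extra)):
            for proto, src, dst in sorted(group, key=str):
                print(f"  {tag}: {proto} {src} -> {dst}")
```

Run against the posted ASA config it reports the one entry the router expects (ip 172.21.0.0/16 -> 192.168.48.0/24) as missing and the four host-based ip/icmp entries as excess; against the one-line ACL from the reply it reports a clean mirror. The check is deliberately strict (set equality) because that is what the two IPsec peers compare.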