02-11-2010 04:46 PM - edited 02-21-2020 04:29 PM
Hi guys,
Just need assistance troubleshooting a connection between one site and another; the only problem is that I have no idea what the peer device is.
I have set Phase 1( ISAKMP) and Phase 2(IPsec) and when I typed "sh cryp isakmp sa" there is no output.
The device we manage is a Cisco 1811.
This is my P1 and P2 config..
crypto map SITE2SITE 2 ipsec-isakmp
set peer x.x.x.x
set security-association lifetime kilobytes 1382400
set security-association lifetime seconds 28800
set transform-set 3DES-SHA-HMAC
set pfs group2
match address 131
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp key xxxx address x.x.x.x no-xauth
!
int fa0.1
crypto map SITE2SITE
!
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
!
access-list 131 remark ## SITE TO SITE VPN ##
access-list 131 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
Attached is a screenshot of "sh crypto isakmp sa" and "sh crypto engi connec active".
Really needed this done ASAP, any input would be appreciated!
Thanks
02-11-2010 05:00 PM
Hi,
Turn on debug crypto isakmp and then generate some traffic to the peer. The debug output should give an idea as to why the sa is not up.
Thanks
John
02-11-2010 05:18 PM
Hi John,
Thanks for the prompt response.
I turned on "debug crypto isakmp" and "terminal monitor". I did a ping from SiteA to SiteB private IP address.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
U.U.U
There is no debug output..
02-11-2010 05:21 PM
Shouldn't one of the sides (192.168.2.0/24) be "access-list 131 permit ip 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255"?
02-11-2010 05:23 PM
The other peer device is not a Cisco device (not entirely sure, not enough details from the peer network admin)
02-11-2010 05:52 PM
Hi
Make sure when doing a ping that your source IP is on the 192.168.200.0 network. Use an extended ping and specify the source as a 192.168.200.0 interface.
Thanks
02-11-2010 07:01 PM
Hi John,
I did that as well, same response, unreachables "U.U.U".
02-11-2010 07:30 PM
Hi,
Since you have NAT on that router, have you excluded VPN traffic from NAT? What is your nat 0 command? Post a scrubbed config.
Thanks
John
02-14-2010 12:24 PM
Hi John,
Isn't that a PIX command? I'm currently using an IOS Cisco 1811 - or am I missing something?
02-14-2010 01:24 PM
Just an additional follow-up:
route-map VPNNONAT permit 10
match ip address 130
ip nat inside source route-map VPNNONAT interface FastEthernet0.1 overload
ip route 192.168.2.0 255.255.255.0 x.x.x.x
And re-enabled "crypto map SITE2SITE" on the outside interface.
Also take note that the external interface has secondary IP addresses.
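Two of the checks raised in this thread (the crypto ACL on each end being an exact mirror of the other, and the NAT route-map ACL denying VPN traffic before it permits anything) are easy to get wrong by eye. The script below is an added example, not configuration from this thread or from Cisco: it parses the numbered "access-list N permit|deny ip ..." lines posted above, tests whether a given source/destination pair would match the crypto ACL (the reason the extended ping must be sourced from 192.168.200.0), checks the far-end ACL against ours, and checks whether ACL 130 exempts the VPN subnets from NAT. The far-end ACL, the contents of ACL 130 (which were not posted) and the 203.0.113.10 WAN address are all constructed assumptions.

```python
# Added example (not from the thread): sanity checks for an IOS site-to-site
# crypto ACL and its NAT-exemption ACL. Sample ACL lines are constructed from
# the ones posted; the far-end ACL and ACL 130 contents are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config_lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines (the form used in the
    thread). Remarks and non-'ip' protocols are skipped in this example."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, proto = parts[2], parts[3]
        if action not in ("permit", "deny") or proto != "ip":
            continue
        src, rest = _take_address(parts[4:])
        dst, _ = _take_address(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def first_match(entries: List[AclEntry], src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """IOS evaluates ACEs top-down, first match wins; None means the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e
    return None


def is_interesting_traffic(crypto_acl: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """Would this packet hit the crypto map and so trigger ISAKMP at all?"""
    m = first_match(crypto_acl, src_ip, dst_ip)
    return m is not None and m.action == "permit"


def acls_are_mirrored(local: List[AclEntry], remote: List[AclEntry]) -> bool:
    """The far end's crypto ACL must be the exact mirror (src/dst swapped) of ours."""
    mirror = {(e.dst, e.src) for e in local if e.action == "permit"}
    return mirror == {(e.src, e.dst) for e in remote if e.action == "permit"}


def nat_exemption_covers(nat_acl: List[AclEntry], crypto_acl: List[AclEntry]) -> bool:
    """Each crypto-ACL permit must be fully denied (not translated) by the NAT ACL
    before any overlapping NAT permit; no overlapping entry at all (implicit deny)
    also means the traffic is left untranslated."""
    for vpn in crypto_acl:
        if vpn.action != "permit":
            continue
        for e in nat_acl:
            if not (e.src.overlaps(vpn.src) and e.dst.overlaps(vpn.dst)):
                continue
            if e.action == "deny" and e.src.supernet_of(vpn.src) and e.dst.supernet_of(vpn.dst):
                break          # exempted before any translating entry
            return False       # some VPN traffic gets NATed and never matches ACL 131
    return True


# Constructed sample input (site A lines are the ones posted above).
SITE_A_CRYPTO = [
    "access-list 131 remark ## SITE TO SITE VPN ##",
    "access-list 131 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255",
]
SITE_B_CRYPTO = [  # assumed far-end ACL: the mirror of ours
    "access-list 131 permit ip 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255",
]
NAT_ACL_BROKEN = [  # assumed: translates everything, including VPN traffic
    "access-list 130 permit ip 192.168.200.0 0.0.0.255 any",
]
NAT_ACL_FIXED = [   # assumed: VPN traffic denied (exempted) before the overload permit
    "access-list 130 deny ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 130 permit ip 192.168.200.0 0.0.0.255 any",
]


def run_checks() -> dict:
    a, b = parse_acl(SITE_A_CRYPTO), parse_acl(SITE_B_CRYPTO)
    return {
        "mirrored": acls_are_mirrored(a, b),
        "ping_from_lan_is_interesting": is_interesting_traffic(a, "192.168.200.1", "192.168.2.1"),
        "ping_from_wan_is_interesting": is_interesting_traffic(a, "203.0.113.10", "192.168.2.1"),
        "nat_broken_exempts_vpn": nat_exemption_covers(parse_acl(NAT_ACL_BROKEN), a),
        "nat_fixed_exempts_vpn": nat_exemption_covers(parse_acl(NAT_ACL_FIXED), a),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

A ping sourced from the WAN interface (the assumed 203.0.113.10) never matches ACL 131, which is why no ISAKMP debug appears; and if ACL 130 permits the LAN to "any" without a preceding deny for 192.168.2.0/24, the VPN packets are translated to the outside address before the crypto map sees them, so they never match ACL 131 either.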