New Member

IPSec/ISAKMP Branch to branch (w/ NAT)

Hi guys,

Just need assistance troubleshooting a connection between one site to another, the only problem is that I have no idea what the peer device is.

I have set Phase 1 (ISAKMP) and Phase 2 (IPsec) and when I typed "sh cryp isakmp sa" there is no output.

The device we manage is a Cisco 1811.

This is my P1 and P2 config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key xxxx address x.x.x.x no-xauth
!
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
!
crypto map SITE2SITE 2 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 1382400
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA-HMAC
 set pfs group2
 match address 131
!
interface FastEthernet0.1
 crypto map SITE2SITE
!
access-list 131 remark ## SITE TO SITE VPN ##
access-list 131 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255

Attached is the screenshot of "sh crypto isakmp sa" and "sh crypto engi connec active".

Really needed this done ASAP, any input would be appreciated!

Thanks

9 REPLIES
Silver

Re: IPSec/ISAKMP Branch to branch (w/ NAT)

Hi,

Turn on debug crypto isakmp and then generate some traffic to the peer. The debug output should give an idea as to why the sa is not up.

Thanks

John

New Member

Re: IPSec/ISAKMP Branch to branch (w/ NAT)

Hi John,

Thanks for the prompt response.

I turned on "debug crypto isakmp" and "terminal monitor". I did a ping from SiteA to SiteB private IP address.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
U.U.U

There is no debug output..

Hall of Fame Super Gold

Re: IPSec/ISAKMP Branch to branch (w/ NAT)

Shouldn't one of the sides (192.168.2.0/24) be "access-list 131 permit ip 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255"?

New Member

Re: IPSec/ISAKMP Branch to branch (w/ NAT)

The other peer device is not a Cisco device (not entirely sure, not enough details from the peer network admin)

Silver

Re: IPSec/ISAKMP Branch to branch (w/ NAT)

Hi

Make sure when doing a ping that your source IP is on the 192.168.200.0 network. Use an extended ping and specify the source as a 192.168.200.0 interface.


Thanks

New Member

Re: IPSec/ISAKMP Branch to branch (w/ NAT)

Hi John,

I did that as well, same response, unreachables "U.U.U".

Silver

Re: IPSec/ISAKMP Branch to branch (w/ NAT)

Hi,

Since you have NAT on that router, have you excluded VPN traffic from NAT? What is your nat 0 command? Post scrubbed config.

Thanks

John

New Member

Re: IPSec/ISAKMP Branch to branch (w/ NAT)

Hi John,

Isn't that a PIX command?  I'm currently using an IOS Cisco 1811 - or am I missing something?

New Member

Re: IPSec/ISAKMP Branch to branch (w/ NAT)

Just an additional follow-up:

route-map VPNNONAT permit 10
 match ip address 130
!
ip nat inside source route-map VPNNONAT interface FastEthernet0.1 overload
!
ip route 192.168.2.0 255.255.255.0 x.x.x.x

And re-enabled "crypto map SITE2SITE" on the outside interface.

Also take note that the external interface has secondary IP addresses.
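As an added example, not posted by anyone in this thread: the IOS equivalent of the "nat 0" exemption John asked about, built around the route-map from the last post. The contents of access-list 130 are an assumption, since the post does not show them; interface names and networks are taken from the thread.

```cisco
! Added example (not from the thread). ACL 130 contents are assumed; the
! last post only shows that route-map VPNNONAT matches it.
!
! BROKEN: a NAT ACL that permits all inside traffic. On IOS, inside-to-outside
! NAT runs before the crypto map is consulted, so 192.168.200.x -> 192.168.2.x
! is translated to the FastEthernet0.1 address first, never matches crypto
! ACL 131, and ISAKMP is never triggered ("sh crypto isakmp sa" stays empty).
access-list 130 permit ip 192.168.200.0 0.0.0.255 any
!
! FIXED: deny (= exempt from NAT) the VPN-interesting traffic first, using the
! same source/destination pair as crypto ACL 131, then permit the rest.
no access-list 130
access-list 130 remark ## exempt site-to-site VPN traffic from NAT ##
access-list 130 deny   ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.200.0 0.0.0.255 any
!
route-map VPNNONAT permit 10
 match ip address 130
!
ip nat inside source route-map VPNNONAT interface FastEthernet0.1 overload
!
! FastEthernet0.1 is the outside interface per the thread; the inside
! interface (ip nat inside) is not shown in the posts and is omitted here.
interface FastEthernet0.1
 ip nat outside
 crypto map SITE2SITE
!
! Checks: the deny line's hit counter should increase when 192.168.2.0/24 is
! pinged from a 192.168.200.0/24 source, no translation should appear for
! that flow, and an ISAKMP SA should then at least be attempted.
! show access-lists 130
! show ip nat translations
! show crypto isakmp sa
! show crypto ipsec sa
```

If the deny counter does not move while the permit counter does, the packets are still being translated and the crypto map will never see them, regardless of how Phase 1 and Phase 2 are configured.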
