12-23-2011 08:04 AM - edited 02-21-2020 05:47 PM
Hi,
I am new to Cisco routers and I am having problems with setting up my VPN connections. I have 4 VPNs from the SR 520 to Linksys BEFVP41s set up, but only the first one will connect and allow traffic to traverse it. I think it has to do with my access-list entries, but I don't know enough about it to figure it out. I also think I may need to use the ip nat inside source list xxx interface FastEthernet4 overload on my other tunnels, but I am not sure. If someone could give me some guidance it would be greatly appreciated. I have included some of my configuration below. Thank you
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
!
crypto isakmp policy 2
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key "KEY" address 1.1.1.1
crypto isakmp key "KEY" address 2.2.2.2
crypto isakmp key "KEY" address 3.3.3.3
crypto isakmp key "KEY" address 4.4.4.4
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
!
crypto map BT 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set esp-3des-sha
set pfs group1
match address 110
crypto map BT 2 ipsec-isakmp
set peer 2.2.2.2
set transform-set esp-3des-sha
set pfs group1
match address 120
crypto map BT 3 ipsec-isakmp
set peer 3.3.3.3
set transform-set esp-3des-sha
set pfs group1
match address 130
crypto map BT 4 ipsec-isakmp
set peer 4.4.4.4
set transform-set esp-3des-sha
set pfs group1
match address 140
!
!
archive
log config
hidekeys
!
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
ip address 5.5.5.5 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map BT
!
interface Vlan1
no ip address
shutdown
!
interface Vlan75
ip address 192.168.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 5.5.5.5
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.7.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.7.2 1720 interface FastEthernet4 1720
ip nat inside source list 115 interface FastEthernet4 overload
!
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 125 deny ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 125 permit ip 192.168.7.0 0.0.0.255 any
access-list 130 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 135 deny ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 135 permit ip 192.168.7.0 0.0.0.255 any
access-list 140 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 145 deny ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 145 permit ip 192.168.7.0 0.0.0.255 any
SR520#
12-27-2011 01:30 AM
Hi Robert
try this:
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
and then delete access-lists 125, 135 and 145 since they're not used.
hth
Herbert
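Why the NAT ACL decides whether tunnels 2 to 4 ever come up, as an added example that is not part of the thread or of any Cisco tool: on IOS, a packet travelling from an ip nat inside interface to an ip nat outside interface is translated by NAT before the crypto map on the egress interface is consulted. ACL 115 in the original config only exempts 192.168.18.0/24, so traffic to the other three remote subnets matches the permit ip 192.168.7.0 0.0.0.255 any line, is PATed to the FastEthernet4 address, and then no longer matches ACLs 120/130/140, which are written for a 192.168.7.0/24 source; no interesting traffic means no IKE negotiation. ACLs 125/135/145 are defined but referenced nowhere. The script below models that order of operations offline on a constructed excerpt of the posted config and on the corrected ACL 115 from the reply above. The script's own functions, the sample host addresses it picks, and the use of 5.5.5.5 as the translated source are assumptions; it only handles extended numbered ACLs with contiguous wildcard masks.

```python
"""Model IOS NAT-before-crypto ordering to see which crypto map entries can fire.

Added example: parses a constructed excerpt of the SR 520 config posted in the
thread and simulates one inside host talking to each remote subnet.
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE_ADDR = "5.5.5.5"  # FastEthernet4 address used by the overload rule (assumed)

# Constructed excerpt of the first post's config: only the lines this check needs.
ORIGINAL_CONFIG = """
crypto map BT 1 ipsec-isakmp
 match address 110
crypto map BT 2 ipsec-isakmp
 match address 120
crypto map BT 3 ipsec-isakmp
 match address 130
crypto map BT 4 ipsec-isakmp
 match address 140
ip nat inside source list 115 interface FastEthernet4 overload
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 125 deny ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 125 permit ip 192.168.7.0 0.0.0.255 any
access-list 130 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 135 deny ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 135 permit ip 192.168.7.0 0.0.0.255 any
access-list 140 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 145 deny ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 145 permit ip 192.168.7.0 0.0.0.255 any
"""

# Herbert's corrected NAT exemption list: deny every VPN destination before the permit.
FIXED_NAT_ACL = """
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
"""


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_operand(tokens, i):
    """Parse one IOS address operand at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))  # IOS wildcard = inverted mask
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard mask {tokens[i + 1]} not supported")
    prefixlen = 32 - bin(wildcard).count("1")
    return ipaddress.ip_network(f"{tok}/{prefixlen}", strict=False), i + 2


def parse_config(text):
    """Return (acls by number, crypto map seq -> acl number, NAT ACL number)."""
    acls, crypto, nat_acl, seq = {}, {}, None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 3 and t[3] == "ip":  # extended ACL only
            src, i = parse_operand(t, 4)
            dst, _ = parse_operand(t, i)
            acls.setdefault(int(t[1]), []).append(AclEntry(t[2], src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) >= 4:  # "crypto map BT <seq> ..."
            seq = int(t[3])
        elif t[:2] == ["match", "address"] and seq is not None:
            crypto[seq] = int(t[2])
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acl = int(t[5])
    return acls, crypto, nat_acl


def acl_action(entries, src, dst):
    """First match wins, with the implicit deny at the end of every IOS ACL."""
    for e in entries:
        if src in e.src and dst in e.dst:
            return e.action
    return "deny"


def sample_host(net):
    return net[1] if net.num_addresses > 1 else net[0]


def check_tunnels(text):
    """Per crypto map entry: does an inside host's packet still match the crypto ACL
    after inside-to-outside NAT has run?  Returns {seq: 'ok' | 'broken: ...'}."""
    acls, crypto, nat_acl = parse_config(text)
    results = {}
    for seq, acl_no in sorted(crypto.items()):
        crypto_acl = acls.get(acl_no, [])
        first = next((e for e in crypto_acl if e.action == "permit"), None)
        if first is None:
            results[seq] = f"broken: acl {acl_no} has no permit entry"
            continue
        src, dst = sample_host(first.src), sample_host(first.dst)
        # Step 1 (IOS order of operations): inside->outside NAT. A permit means translate.
        if acl_action(acls.get(nat_acl, []), src, dst) == "permit":
            src = ipaddress.ip_address(OUTSIDE_ADDR)
        # Step 2: crypto map on the egress interface sees the possibly translated packet.
        if acl_action(crypto_acl, src, dst) == "permit":
            results[seq] = "ok"
        else:
            results[seq] = f"broken: NAT rewrote source to {src}, no match on acl {acl_no}"
    return results


def unused_acls(text):
    """ACL numbers defined in the excerpt but referenced by neither crypto map nor NAT."""
    acls, crypto, nat_acl = parse_config(text)
    referenced = set(crypto.values()) | {nat_acl}
    return sorted(n for n in acls if n not in referenced)


def corrected_config(text):
    """Apply the reply's fix: rewrite ACL 115 and drop the unreferenced ACLs."""
    drop = {115, *unused_acls(text)}
    kept = [l for l in text.splitlines()
            if not (l.startswith("access-list ") and int(l.split()[1]) in drop)]
    return "\n".join(kept) + FIXED_NAT_ACL


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG),
                       ("corrected", corrected_config(ORIGINAL_CONFIG))):
        print(f"--- {label} ---")
        for seq, status in check_tunnels(cfg).items():
            print(f"crypto map BT {seq}: {status}")
        print("unreferenced ACLs:", unused_acls(cfg))
```

Run as-is, the original excerpt reports entry 1 as ok and entries 2, 3 and 4 as broken (source rewritten to 5.5.5.5), plus ACLs 125, 135 and 145 as unreferenced; the corrected config reports all four as ok. The same reasoning is what "show crypto ipsec sa" reflects on the router: a crypto map entry whose traffic is NATed first shows no packets encapsulated and never triggers IKE.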
12-27-2011 06:09 AM
This is what I ended up with, but still no luck on the other three VPNs. Thanks
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 110 deny ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 130 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 140 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
12-28-2011 12:38 AM
The rest of the config is still the same right? In particular the use of acl 110/120/130/140 in the crypto map, and the use of acl 115 in that NAT rule?
What do "show crypto isakmp sa" and "show crypto ipsec sa" say?
If the tunnels are still not coming up, "debug crypto isakmp" and "debug crypto ipsec" may help. You may need to do the same on the peer(s) (but for specific instructions on Linksys devices I would have to direct you to the forum unless anyone else here can jump in).
BTW I assume these are typos and they are actually correct in your real config:
ip route 0.0.0.0 0.0.0.0 5.5.5.5
=> this is pointing to yourself so should be something like "ip route 0.0.0.0 0.0.0.0 5.5.5.4"
and
access-list 110 deny ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
should be
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
hth
Herbert
12-28-2011 08:30 AM
Herbert,
I deleted all of my Access-list entries thinking that the order they were in might be causing the problem. I also removed the 120,130,140 rules and made them 111,112,113 so the config looks like this:
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 111 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 112 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 113 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
After changing the access list entries 3 of the tunnels came right up and the fourth was a misconfigured IP address on the other end. Now all 4 are up and going. Thank you very much for taking the time to help with this. Now I will spend some time studying the config so I will understand how it works before I try to configure another one.
Thanks again,
Bob Thornton
12-28-2011 08:33 AM
I am not sure if I need to mark this as answered and if so how do I do that?
12-29-2011 03:02 AM
Hi Robert,
glad to hear you got it working!
Yes please mark this as answered/resolved. I'm not sure how to do that exactly since this option is only visible to the person who posted the question (which I've never done) but I suppose there should be a button or link somewhere on the page that says "Correct Answer" or "Mark as Answered" ?
Well if you don't find it, no worries. In any case best wishes for the New Year!
Herbert