S2S IPSec VPN Problems

Hi,

I have a HQ and a remote site and I want to get a site-to-site VPN running between the two. I have the following config on each router. "Show crypto session" says that the VPN is in a UP-IDLE state (and from my somewhat limited understanding of VPNs this means that IKE phase 1 is complete and waiting for phase 2). When running a "debug crypto ipsec" at the remote site I receive "no ip crypto map exists for local address 100.x.x.x" and the VPN remains at UP-IDLE. The ACL on the external interface allows the remote site IP. I have CBAC running on the external interface of both routers and the ACL allows all traffic between the 100.x.x.x and 200.x.x.x addresses. Could anyone help me with the config? I must be doing something wrong somewhere.

Thanks!

Shaun

HQ Router: (Local network 10.2.0.0/16)

crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key <password> address 100.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
set peer 100.x.x.x
set transform-set AES_MD5_COMPRESSION
set pfs group5
match address TRAFFIC_TO_REMOTE_NETWORK
!
interface FastEthernet0/0
ip address 200.x.x.x 255.255.255.252
ip access-group FIREWALL in
ip nat outside
no ip virtual-reassembly
crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
permit ip any 10.1.0.0 0.0.255.255


Remote Router: (Local network 10.1.0.0/16)

crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key <password> address 200.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
set peer 200.x.x.x
set transform-set AES_MD5_COMPRESSION
set pfs group5
match address TRAFFIC_TO_HQ_NETWORK
!
interface FastEthernet0/0
ip address 100.x.x.x 255.255.255.252
ip access-group FIREWALL in
ip nat outside
no ip virtual-reassembly
crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_HQ_NETWORK
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

Accepted Solution

Re: S2S IPSec VPN Problems

Hi Shaun,

Some comments....

The QM_IDLE means that phase 1 is established. (sh cry isa sa)

You should see with "sh cry ips sa" that there are SAs established for IPsec encrypting/decrypting traffic for phase 2.

The ACLs for VPN (the crypto ACLs) should be a mirror of one another (you have "any" on one side and two network statements on the other peer).

You're doing NAT, therefore, there should be a "bypass NAT rule" for the VPN traffic (need to remove the IPsec traffic from NAT).

That should be it.

Federico.
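The two fixes described above written out as IOS configuration, as an added example that is not part of the original thread. The NAT ACL name NAT_INSIDE and the "ip nat inside source" line are assumptions, since the original post does not show its NAT configuration; the crypto ACL names and networks are the ones from the post.

```cisco
! ---- HQ router (local 10.2.0.0/16, peer 100.x.x.x) ----
! Crypto ACL: the exact mirror of the remote side's crypto ACL.
! Remove the old "permit ip any 10.1.0.0 0.0.255.255" entry first,
! otherwise the new line is only appended to it.
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 no permit ip any 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! NAT exemption: the deny entry keeps VPN traffic out of translation so it
! reaches the crypto map with its private source address; everything else
! from the LAN is still overloaded onto the outside interface.
! ACL name and the "ip nat inside source" line are assumed, not from the post.
ip access-list extended NAT_INSIDE
 deny   ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 any
!
ip nat inside source list NAT_INSIDE interface FastEthernet0/0 overload
!
! ---- Remote router (local 10.1.0.0/16, peer 200.x.x.x) ----
! Crypto ACL already matches the HQ one above, mirrored.
ip access-list extended TRAFFIC_TO_HQ_NETWORK
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Same NAT exemption, with source and destination swapped.
ip access-list extended NAT_INSIDE
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
!
ip nat inside source list NAT_INSIDE interface FastEthernet0/0 overload
```

After applying this on both sides and sending traffic between the two LANs, "show crypto ipsec sa" should report a non-zero packet count under #pkts encaps and #pkts decaps for the 10.2.0.0/16 to 10.1.0.0/16 pair.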

2 REPLIES


Re: S2S IPSec VPN Problems

Perfect. Worked great. Thanks Federico
