11-22-2011 01:45 PM
I have 2 Cisco routers and I am trying to set up a site-to-site VPN between them. I go through the wizard in CCP, but when I go to test the tunnel I get the following reason for failure on both routers:
"There is no response from the peer *peer ip address*"
Here is the running config from both routers.
Router A:
Building configuration...
Current configuration : 6807 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router_A
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$SL.z$pj3WaB1WTxiLux46ltlMo/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2030943716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2030943716
revocation-check none
rsakeypair TP-self-signed-2030943716
!
!
crypto pki certificate chain TP-self-signed-2030943716
certificate self-signed 01
quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.12.0.1 10.12.0.99
!
ip dhcp pool ccp-pool1
import all
network 10.12.0.0 255.255.255.0
default-router 10.12.0.1
dns-server 207.xxx.xx.xx 205.xxx.xx.xx
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 207.xxx.xx.xx
ip name-server 205.xx.xx.xx
!
!
!
username User1 privilege 15 secret 5 $1$MNvU$1yVJSWWZrNNatJM4XJ8Bu/
username User2 privilege 8 secret 5 $1$g2ae$PnY5XOrP1ieVux3oaGrrB1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *VPN Key* address *Site to Site Peer*
!
crypto isakmp client configuration group remote
key l3tm31n
pool SDM_POOL_2
max-users 5
crypto isakmp profile ciscocp-ike-profile-1
match identity group remote
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *Site to Site Peer*
set peer *Site to Site Peer*
set transform-set ESP-3DES-SHA
match address 100
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address *Public IP Address* 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.12.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.12.0.50 10.12.0.80
ip local pool SDM_POOL_2 10.12.1.50 10.12.1.70
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.xx.xx.xx
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.12.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.12.0.0 0.0.0.255 any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Here is Router B's config:
Building configuration...
Current configuration : 10799 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_B
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-175513978
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-175513978
revocation-check none
rsakeypair TP-self-signed-175513978
!
!
crypto pki certificate chain TP-self-signed-175513978
certificate self-signed 01
quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.10.199
ip dhcp excluded-address 10.10.10.221 10.10.255.254
ip dhcp excluded-address 10.10.10.1 10.10.10.199
ip dhcp excluded-address 10.10.10.221 10.10.10.254
!
ip dhcp pool sdm-pool2
network 10.10.10.0 255.255.255.0
dns-server 207.xx.xx.xx 205.xx.xx.xx
default-router 10.10.10.1
lease 0 2 1
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name yourdomain.com
ip name-server 207.229.52.2
ip name-server 205.233.109.40
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
!
!
username User1 privilege 15 secret 5 $1$RFTW$pK.Ex1dceC9K1c3f2JMMz/
username User2 privilege 8 secret 5 $1$1A/4$55wBKNbfEvBdweXMLPQjV/
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *VPN Key* address *Peer Ip Address*
!
crypto isakmp client configuration group remote
key *key2*
dns 192.168.2.2 192.168.2.6
domain mpe.ca
pool SDM_POOL_1
include-local-lan
max-users 5
netmask 255.255.0.0
crypto isakmp profile sdm-ike-profile-1
match identity group remote
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *Peer Ip Address*
set peer *Peer Ip Address*
set transform-set ESP-3DES-SHA1
match address 101
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address *Public IP Address* 255.255.255.0
ip access-group 105 in
ip access-group sdm_fastethernet4_out out
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
ip access-group sdm_virtual-template1_out out
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.0.0
ip access-group 104 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.10.11.0 10.10.11.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.xx.xx.xx permanent
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended sdm_fastethernet4_in
remark SDM_ACL Category=1
remark Deny All
deny ip any any
ip access-list extended sdm_fastethernet4_out
remark CCP_ACL Category=1
permit udp any any eq domain
permit tcp any any eq 443
permit tcp any any eq www
remark PcAnywhere1
permit tcp any any eq 5631
remark PcAnywhere2
permit udp any any eq 5632
permit tcp any eq 10000 any
permit ip any any
ip access-list extended sdm_virtual-template1_out
remark SDM_ACL Category=1
permit ip any any
!
access-list 100 remark CCP_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 10.10.10.1 eq non500-isakmp
access-list 104 permit udp any host 10.10.10.1 eq isakmp
access-list 104 permit esp any host 10.10.10.1
access-list 104 permit ahp any host 10.10.10.1
access-list 104 permit icmp any any echo-reply
access-list 104 permit udp any eq bootps any eq bootps
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 10.10.10.192 0.0.0.31 10.10.0.0 0.0.255.255
access-list 104 deny icmp 10.10.10.192 0.0.0.31 10.10.0.0 0.0.255.255
access-list 104 deny udp 10.10.10.192 0.0.0.31 10.10.0.0 0.0.255.255
access-list 104 deny tcp 10.10.10.192 0.0.0.31 10.10.0.0 0.0.255.255
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit tcp any eq 10000 any eq 10000
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark CCP_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 105 permit udp host *Peer Ip Address* host *Public IP Address* eq non500-isakmp
access-list 105 permit udp host *Peer Ip Address* host *Public IP Address* eq isakmp
access-list 105 permit esp host *Peer Ip Address* host *Public IP Address*
access-list 105 permit ahp host *Peer Ip Address* host *Public IP Address*
access-list 105 permit tcp any any eq 10000
access-list 105 deny ip 10.10.0.0 0.0.255.255 any
access-list 105 permit udp any eq bootps any eq bootpc
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip 0.0.0.0 255.255.0.0 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip any any log
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
Router B uses a lot of ACLs, so I think the problem may be in there somewhere. I didn't set up Router B, and I'm not too familiar with ACLs. Any help is greatly appreciated. Thanks.
11-23-2011 07:50 AM
Actually, this is a different site-to-site issue than the other one I was having. I solved that one. The subnet of 255.255.0.0 on Vlan1 on Router B is correct (as far as I know), because that router has devices attached to it with IPs of 10.10.3.3, 10.10.10.2, 10.10.1.1, etc. So, as far as I know (I didn't set up Router B), the subnet of 255.255.0.0 is correct.
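As an added example (not code from the thread or from Cisco), a small Python checker that compares the crypto-map endpoints of the two posted configs: the transform-set algorithms, and whether the crypto ACLs referenced by `match address` mirror each other, which IOS needs for the two sides to agree on Phase 2 proxy identities. It runs on the crypto-relevant lines excerpted from both posts; the peer addresses masked in the thread are not needed for this check, and it only understands `permit ip <net> <wildcard> <net> <wildcard>` entries, which is all these two ACLs contain.

```python
import ipaddress
import re

# Crypto-relevant lines excerpted from the two configs posted in the thread
# (Router A's crypto map matches ACL 100, Router B's matches ACL 101).
ROUTER_A = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 match address 100
access-list 100 permit ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
ROUTER_B = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA1
 match address 101
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
"""


def parse_crypto_map(cfg):
    """Return (transform algorithms, [(src_net, dst_net), ...]) for the crypto map in cfg."""
    tsets = {m[1]: frozenset(m[2].split())
             for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", cfg)}
    ts_name = re.search(r"^\s*set transform-set (\S+)", cfg, re.M)[1]
    acl = re.search(r"^\s*match address (\d+)", cfg, re.M)[1]
    flows = []
    # Only 'permit ip net wildcard net wildcard' entries define interesting traffic here;
    # ipaddress accepts the IOS wildcard (hostmask) directly after the slash.
    pattern = rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)"
    for m in re.finditer(pattern, cfg, re.M):
        flows.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                      ipaddress.ip_network(f"{m[3]}/{m[4]}")))
    return tsets[ts_name], flows


def check_site_to_site(cfg_a, cfg_b):
    """List mismatches between the two ends: algorithms and un-mirrored crypto ACL entries."""
    algs_a, flows_a = parse_crypto_map(cfg_a)
    algs_b, flows_b = parse_crypto_map(cfg_b)
    findings = []
    if algs_a != algs_b:
        findings.append(f"transform mismatch: {sorted(algs_a)} vs {sorted(algs_b)}")
    # A's src->dst must appear on B as dst->src, and vice versa.
    mirrored_b = {(dst, src) for src, dst in flows_b}
    mirrored_a = {(dst, src) for src, dst in flows_a}
    for src, dst in flows_a:
        if (src, dst) not in mirrored_b:
            findings.append(f"A selects {src} -> {dst}; no mirrored entry on B")
    for src, dst in flows_b:
        if (src, dst) not in mirrored_a:
            findings.append(f"B selects {src} -> {dst}; no mirrored entry on A")
    return findings
```

On the posted lines the transform sets agree (both are 3DES with SHA-1 HMAC), but the two ACLs are reported as not mirrored: Router A selects 10.12.0.0/24 to 10.10.10.0/24 while Router B selects 10.10.0.0/16 to 10.12.0.0/24.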