New Member

Site to site vpn not working

Hi, I have 2 routers, both 1841's, and am trying to get a simple static VPN up and running. Now one router is at our main location (I'll call it router a) and the other is at the remote location (I'll call it router b). Both have internet connectivity that works; I can ping router a from b and b to a. Now on the router b side, when I run

show crypto isakmp sa on router b I get the following:

SBOneonta#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)

72.43.229.138 is the router, and the other IP I have no idea about! It's nowhere in the config, but that shows me this router is trying to do something. Now on router a when I run the same command I get this:

show crypto isakmp sa
dst             src             state          conn-id slot status

a whole lot of nothing! Now I have been working on this for a few days and I can't understand why I can't get this simple VPN tunnel to work! I have debugging on both routers; router a shows nothing, period, for VPN traffic, and router b shows a connection from 66.194.51.66, which again I have no idea who or where this IP is, and it's not in the config anywhere. Any ideas? I'm stumped!
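As an added example (not part of the original post), here is a small Python triage script for `show crypto isakmp sa` output like the one pasted above. It parses each SA row, works out which address is the remote end, checks that remote against the peers the router is actually configured for, collapses the repeated rows, and lists configured peers that never show up at all. The local address and configured peer are taken from the router b config in this thread; the sample rows are the question's own, and the single `QM_IDLE` row is constructed here to show what an established negotiation looks like.

```python
import re
from collections import Counter

# Constructed sample: three of the repeated rows from the question's `show crypto isakmp sa`,
# plus one row constructed here (not from the thread) to show an established peer.
PAGE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
72.43.229.138   66.194.51.66    MM_NO_STATE          0 ACTIVE (deleted)
"""
HEALTHY_ROW = "72.43.229.138   24.97.222.118   QM_IDLE           1001 ACTIVE\n"  # constructed

# Router b's outside address and the peer its `crypto isakmp key ... address` line names (from the thread).
LOCAL_ADDRS = {"72.43.229.138"}
CONFIGURED_PEERS = {"24.97.222.118"}

SA_ROW = re.compile(r"^(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+"
                    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<status>.+?)\s*$")


def parse_isakmp_sa(text):
    """One dict per SA row; the banner and column-header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["conn_id"] = int(row["conn_id"])
            rows.append(row)
    return rows


def classify(sa, local_addrs, configured_peers):
    """Return (remote address, verdict) for one SA row."""
    remote = sa["src"] if sa["dst"] in local_addrs else sa["dst"]
    if remote not in configured_peers:
        return remote, "unexpected: remote is not a configured IKE peer"
    if sa["state"] == "QM_IDLE":
        return remote, "ok: phase 1 established"
    if sa["state"] == "MM_NO_STATE":
        return remote, "failed: main mode did not complete"
    return remote, f"in progress: {sa['state']}"


def triage(text, local_addrs, configured_peers):
    """Collapse repeated rows into {(remote, state, verdict): count}."""
    counts = Counter()
    for sa in parse_isakmp_sa(text):
        remote, verdict = classify(sa, local_addrs, configured_peers)
        counts[(remote, sa["state"], verdict)] += 1
    return dict(counts)


def missing_peers(text, local_addrs, configured_peers):
    """Configured peers that never appear: no negotiation was even attempted with them."""
    seen = {classify(sa, local_addrs, configured_peers)[0] for sa in parse_isakmp_sa(text)}
    return set(configured_peers) - seen


if __name__ == "__main__":
    for key, n in triage(PAGE_OUTPUT, LOCAL_ADDRS, CONFIGURED_PEERS).items():
        print(f"{n:3d}x {key[0]:<15} {key[1]:<12} {key[2]}")
    for peer in missing_peers(PAGE_OUTPUT, LOCAL_ADDRS, CONFIGURED_PEERS):
        print(f"     {peer:<15} no SA at all: check that interesting traffic reaches the crypto map")
```

Run against the output in the question, the script reports the twelve `MM_NO_STATE` rows as one unexpected source that is not a configured peer, and lists 24.97.222.118 as a configured peer with no SA at all; the second finding is the one that matters for the tunnel, because it means router b never started a negotiation with router a. The unexpected source is worth a look in the inbound filter and logs, but it is unrelated to why the tunnel is down.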

3 REPLIES
Hall of Fame Super Silver

Site to site vpn not working

Nathaniel

Perhaps if you post the configuration of the routers we might be able to better identify what is going on and provide some answers to your issue.

HTH

Rick

New Member

Re: Site to site vpn not working

This is the config for router a

Current configuration : 4347 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname springbrook
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 ssdfsdfsdfsfasfdfsd
enable password fsfsdfsfs
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network VPN-Map-1 local
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name uhca1.local
ip name-server 24.25.5.60
ip name-server 24.25.5.61
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username fsdfsfsdfs privilege 15 secret 5 sdfsdfsfffs
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mykeyyp address 72.43.229.138
crypto isakmp keepalive 20 10
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 72.43.229.138
set transform-set AES-SHA-compression
set pfs group2
match address Crypto-list
crypto map VPN-Map-1 20 ipsec-isakmp
set peer 72.43.229.138
set transform-set 3des
match address Crypto-list
!
!
!
interface FastEthernet0/0
description Inside Lan$ES_LAN$
ip address 10.10.8.18 255.255.255.0 secondary
ip address 10.10.9.18 255.255.255.0 secondary
ip address 10.10.0.18 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description TWCFiberLink
ip address 24.97.222.118 255.255.255.252
ip access-group outside in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.97.222.117
ip route 10.10.2.0 255.255.255.0 72.43.229.138
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static 10.10.0.1 24.97.222.224
ip nat inside source static 10.10.0.5 24.97.222.227
ip nat inside source static 10.10.0.22 24.97.222.228
ip nat inside source static 10.10.0.15 24.97.222.230
!
ip access-list extended Crypto-list
permit ip 10.10.0.0 0.0.0.255 10.10.2.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 72.43.229.138 any eq isakmp
permit esp host 72.43.229.138 any
ip access-list extended nonat
deny   ip 10.10.9.0 0.0.0.255 10.10.2.0 0.0.0.255
deny   ip 10.10.8.0 0.0.0.255 10.10.2.0 0.0.0.255
deny   ip 10.10.0.0 0.0.0.255 10.10.2.0 0.0.0.255
permit ip 10.10.9.0 0.0.0.255 any
permit ip 10.10.8.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.0.0 0.0.0.255
access-list 1 permit 10.10.8.0 0.0.0.255
access-list 1 permit 10.10.9.0 0.0.0.255
snmp-server community public RO
no cdp run
!
route-map nonat permit 1
match ip address nonat
!
!
!
!
control-plane
!
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
password 7 blabalblablab
transport input ssh
line vty 5 15
privilege level 15
password 7bla balblabl
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
end

and this is router b

Current configuration : 3241 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SBOneonta
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $sdfsdfsdfsdfsdfsdfsdfsdfs
enable passwordsdfsdfsdfsdf
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network VPN-Map-1 local
!
!
aaa session-id common
dot11 syslog
no ip source-route
!
!
!
!
ip cef
ip domain name uhca1.local
ip name-server 24.92.226.11
ip name-server 24.92.226.12
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username !root
username sdfsdfsdfsdf privilege 15 secret 5 dsfsadfgsdfsadfsadfsadfsadf
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mykeyyp address 24.97.222.118
crypto isakmp keepalive 20 10
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 24.97.222.118
set transform-set AES-SHA-compression
set pfs group2
match address Crypto-list
crypto map VPN-Map-1 20 ipsec-isakmp
set peer 24.97.222.118
set transform-set 3des
match address Crypto-list
!
!
!
ip ssh version 1
!
!
!
interface FastEthernet0/0
description TWC Fiber
ip address 72.43.229.138 255.255.255.248
ip access-group outside in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map VPN-Map-1
!
interface FastEthernet0/1
ip address 10.10.2.18 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 72.43.229.137
ip route 10.10.0.0 255.255.255.0 24.97.222.118
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
!
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static 10.10.2.1 72.43.229.139
ip nat inside source static 10.10.2.2 72.43.229.140
!
ip access-list extended Crypto-list
permit ip 10.10.2.0 0.0.0.255 10.10.0.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 24.97.222.118 any eq isakmp
permit esp host 24.97.222.118 any
ip access-list extended nonat
permit ip 10.10.2.0 0.0.0.255 any
!
access-list 1 permit 10.10.2.0 0.0.0.255
access-list 10 permit 10.10.2.0 0.0.0.255
access-list 102 permit gre any any
access-list 102 deny   ip 10.10.2.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 102 permit ip 10.10.2.0 0.0.0.255 any
snmp-server community public RO
no cdp run
!
!
!
!
route-map nonat permit 1
match ip address 102 nonat
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
end
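As an added example (not code from the thread or from Cisco), here is a Python checker for a pair of site-to-site configs like the two posted above. It groups the config into IOS stanzas, parses the crypto ACLs, the dynamic NAT statements and the route-maps they reference, checks that each router's crypto ACL is the mirror of the other's, and then reports any ACL driving dynamic NAT that permits VPN-interesting traffic without first denying it (the usual NAT-exemption pattern, since NAT is applied before the crypto map sees the packet). The two excerpts are constructed from the thread's configs, trimmed to the lines the checks read and indented the way `show running-config` prints them; the output is a list of conditions to review, not a diagnosis of this particular tunnel.

```python
from ipaddress import IPv4Address

# Constructed excerpts of the two configs posted in the thread, indented the way
# `show running-config` prints them; only the lines these checks read are kept.
ROUTER_A = """\
hostname springbrook
crypto map VPN-Map-1 10 ipsec-isakmp
 match address Crypto-list
ip nat inside source list 1 interface FastEthernet0/1 overload
ip access-list extended Crypto-list
 permit ip 10.10.0.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 1 permit 10.10.0.0 0.0.0.255
"""
ROUTER_B = """\
hostname SBOneonta
crypto map VPN-Map-1 10 ipsec-isakmp
 match address Crypto-list
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip access-list extended Crypto-list
 permit ip 10.10.2.0 0.0.0.255 10.10.0.0 0.0.0.255
ip access-list extended nonat
 permit ip 10.10.2.0 0.0.0.255 any
access-list 102 permit gre any any
access-list 102 deny   ip 10.10.2.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 102 permit ip 10.10.2.0 0.0.0.255 any
route-map nonat permit 1
 match ip address 102 nonat
"""
ANY = (0, 0xFFFFFFFF)  # (network, wildcard) pair for the keyword "any"


def parse_addr(t, i):
    """Consume one ACL address spec at t[i] ('any', 'host X' or 'X WILDCARD'); return (net, wc, next)."""
    if t[i] == "any":
        return ANY + (i + 1,)
    if t[i] == "host":
        return int(IPv4Address(t[i + 1])), 0, i + 2
    return int(IPv4Address(t[i])), int(IPv4Address(t[i + 1])), i + 2


def parse_ace(t, standard):
    """Return (action, proto, src, src_wc, dst, dst_wc); a standard ACL entry matches any destination."""
    if standard:
        return (t[0], "ip") + parse_addr(t, 1)[:2] + ANY
    src, swc, i = parse_addr(t, 2)
    return (t[0], t[1], src, swc) + parse_addr(t, i)[:2]


def stanzas(text):
    """Group an IOS config into (top-level command tokens, list of indented child token lists)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw[0] == "!":
            continue
        if raw[0] != " ":
            out.append((raw.split(), []))        # a new top-level stanza
        else:
            out[-1][1].append(raw.split())       # indented line belongs to the last stanza
    return out


def parse_config(text):
    """Collect the crypto ACL name, all ACLs, dynamic NAT rules and route-map match lists."""
    cfg = dict(hostname="", crypto_acl="", acls={}, nat_acls=[], route_maps={})
    for t, kids in stanzas(text):
        if t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[:2] == ["crypto", "map"]:
            cfg["crypto_acl"] = next((k[2] for k in kids if k[:2] == ["match", "address"]), cfg["crypto_acl"])
        elif t[:3] == ["ip", "access-list", "extended"]:
            cfg["acls"][t[3]] = [parse_ace(k, False) for k in kids]
        elif t[0] == "access-list" and t[2] != "remark":
            cfg["acls"].setdefault(t[1], []).append(parse_ace(t[2:], int(t[1]) <= 99))
        elif t[:4] == ["ip", "nat", "inside", "source"] and t[4] in ("list", "route-map"):
            cfg["nat_acls"].append((t[4], t[5]))
        elif t[0] == "route-map":
            cfg["route_maps"][t[1]] = [a for k in kids if k[:3] == ["match", "ip", "address"] for a in k[3:]]
    return cfg


def covers(ace, flow):
    """True when every address pair the crypto-ACL entry `flow` describes also matches `ace`."""
    same = lambda net, wc, fnet, fwc: (wc | fwc) == wc and (net & ~wc) == (fnet & ~wc)
    return ace[1] in ("ip", flow[1]) and same(*ace[2:4], *flow[2:4]) and same(*ace[4:6], *flow[4:6])


def check_pair(a, b):
    """Findings for a site-to-site pair: mirrored crypto ACLs and NAT-exemption ordering."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        h, mine = me["hostname"], me["acls"].get(me["crypto_acl"], [])
        mirrored = {x[:2] + x[4:6] + x[2:4] for x in peer["acls"].get(peer["crypto_acl"], [])}
        findings += [f"{h}: crypto ACL entry {IPv4Address(x[2])} -> {IPv4Address(x[4])} is not mirrored"
                     for x in mine if x not in mirrored]
        # NAT exemption: an ACL that drives dynamic NAT must deny VPN traffic before it permits anything
        for kind, ref in me["nat_acls"]:
            for acl in ([ref] if kind == "list" else me["route_maps"].get(ref, [])):
                for x in mine:
                    verdict = next((e[0] for e in me["acls"].get(acl, []) if covers(e, x)), "deny")
                    if verdict == "permit":
                        findings.append(f"{h}: NAT ACL {acl} permits VPN traffic {IPv4Address(x[2])} -> "
                                        f"{IPv4Address(x[4])} with no preceding deny")
    return findings
```

Call `check_pair(parse_config(ROUTER_A), parse_config(ROUTER_B))` to get the findings as a list of strings. A route-map `match ip address` that names several ACLs matches when any one of them permits, which is why the checker evaluates each referenced ACL on its own rather than stopping at the first deny it finds; the implicit deny at the end of an ACL is treated as "not translated", the safe outcome for a NAT rule.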

New Member

Site to site vpn not working

I'm thinking it's an issue on the router a side as it doesn't do anything.
