Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
564
Views
0
Helpful
3
Replies

Site-to-Site VPN Tunnel is Not Coming between 2 Routers

Go to solution
haithamnofal
Level 3
Level 3

‎07-29-2008 02:50 PM

Dear All,

I have 2 branch routers being configured for site-to-site VPN, but the tunnel is not coming!

I ran debug and I am attaching herwith the output for your kind review and recommendation. I am also attaching here the configs of the 2 branch routers.

Any idea on why the Site-to-site VPN is not coming up?

Regards,

Haitham

Labels:
Preview file
5 KB
Preview file
4 KB
Preview file
22 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
joe19366
Level 1
Level 1
In response to haithamnofal

‎07-30-2008 07:06 AM

You got it!

Only because you re-used the same crypto map for both the lan to lan and the vpn-client traffic.

this from the DOC CD

no-xauth

(Optional) Use this keyword if router-to-router IP Security (IPSec) is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password).

View solution in original post

0 Helpful
3 Replies 3

Go to solution
joe19366
Level 1
Level 1

‎07-29-2008 02:55 PM

on the HQ and the branch please put

crypto isakmp key ****** address X.X.X.X NO-XAUTH

at the end of your crypto isakmp key.

-Joe

0 Helpful

Go to solution
haithamnofal
Level 3
Level 3
In response to joe19366

‎07-29-2008 10:29 PM

Hi Joe,

Yes it worked perfectly...

So, what is the need for NO-XAUTH here, I have configured multiple site-to-site VPNs without using this keyword?!

Is it because I am configuring remote access VPN on the HQ router?

Regards,

Haitham

0 Helpful

Go to solution
joe19366
Level 1
Level 1
In response to haithamnofal

‎07-30-2008 07:06 AM

You got it!

Only because you re-used the same crypto map for both the lan to lan and the vpn-client traffic.

this from the DOC CD

no-xauth

(Optional) Use this keyword if router-to-router IP Security (IPSec) is on the same crypto map as a Virtual Private Network (VPN)-client-to-Cisco-IOS IPSec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password).

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents