Site to site with dynamic IP problems

Hi, I have two Cisco 881 routers, one with a fixed IP (the hub, called RTV) and one with a dynamic IP via DHCP (the spoke, called RTVWeee).

I have configured them according to this guide http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml but am unable to get any connectivity between them.

Any help would be greatly appreciated! What am I missing and what am I doing wrong?

BR,

Chris

Hub reports:

RTV#show crypto ipsec profile

RTV#

RTV#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       T - cTCP encapsulation, X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

IPv6 Crypto ISAKMP SA

RTV#show ip interface

FastEthernet0 is down, line protocol is down

  Internet protocol processing disabled

FastEthernet1 is down, line protocol is down

  Internet protocol processing disabled

FastEthernet2 is down, line protocol is down

  Internet protocol processing disabled

FastEthernet3 is up, line protocol is up

  Internet protocol processing disabled

FastEthernet4 is up, line protocol is up

  Internet address is 77.77.77.77/29

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is disabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are never sent

  ICMP unreachables are never sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is enabled, interface in domain outside

  BGP Policy Mapping is disabled

  Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, IPSec input classification, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check

  Output features: Post-routing NAT Outside, Stateful Inspection, IPSec output classification, Post-Ingress-NetFlow, IPSec: to crypto engine, Post-encryption output features

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

NVI0 is up, line protocol is up

  Interface is unnumbered. Using address of FastEthernet4 (77.77.77.77)

  Broadcast address is 255.255.255.255

  MTU is 1514 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is disabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is disabled

  IP Null turbo vector

  IP Null turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: MCI Check

  Output features: Post-routing NAT NVI Output, Post-Ingress-NetFlow

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Vlan1 is up, line protocol is up

  Internet address is 172.16.0.1/20

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is disabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are never sent

  ICMP unreachables are never sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP Null turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is enabled, interface in domain inside

  BGP Policy Mapping is disabled

  Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check, TCP Adjust MSS

  Output features: NAT Inside, Stateful Inspection, TCP Adjust MSS, Post-Ingress-NetFlow

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

RTV#

Hub configuration:

RTV#show running-config

Building configuration...

Current configuration : 3392 bytes

!

! Last configuration change at 17:23:29 PCTime Wed Feb 29 2012 by ChrisRTV

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname RTV

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

logging console critical

enable secret 5 $1$..8A$xz5K0Y4HxiMGfVLGiHaJc/

!

aaa new-model

!

!

aaa authentication login clientauth local

aaa authorization network groupauthor local

!

!

!

!

!

aaa session-id common

!

!

!

memory-size iomem 10

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

!

crypto pki trustpoint TP-self-signed-4044243786

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4044243786

revocation-check none

rsakeypair TP-self-signed-4044243786

!

!

no ip source-route

!

!

ip dhcp excluded-address 172.16.0.1 172.16.1.99

ip dhcp excluded-address 172.16.1.111 172.16.15.254

!

ip dhcp pool ccp-pool1

   network 172.16.0.0 255.255.240.0

   default-router 172.16.1.1

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name chris.no

ip name-server 195.159.0.100

ip name-server 195.159.0.200

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO881-SEC-K9 sn FCZ16039575

!

!

username ChrisRTV privilege 15 secret 5 $1$GHYL$naUrqaHlFGYdccxqajfbr/

!

!

ip tcp synwait-time 10

!

crypto keyring spokes

  pre-shared-key address 0.0.0.0 0.0.0.0 key RTV123

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp profile L2L

   description LAN-to-LAN for spoke router(s) connection

   keyring spokes

   match identity address 0.0.0.0

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

set isakmp-profile L2L

!

!        

crypto map mymap 10 ipsec-isakmp dynamic dynmap

!

!

!

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

description $ES_WAN$

ip address 77.77.77.77 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map mymap

!

!

interface Vlan1

description INSIDE

ip address 172.16.0.1 255.255.240.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

!

ip default-gateway 172.16.0.1

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 23 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 FastEthernet4

!

ip access-list extended ENCRYPT

permit ip host 172.16.1.1 host 172.16.0.1

!

logging trap debugging

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 23 permit 172.16.0.0 0.0.255.255

no cdp run

!

!

!

!

!

control-plane

!

!

banner exec ^CC

Get out^C

banner login ^CC

Get out

^C

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

access-class 23 in

privilege level 15

transport input ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Spoke reports:

RTVWeee#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       T - cTCP encapsulation, X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

IPv6 Crypto ISAKMP SA

RTVWeee#

RTVWeee#show crypto ipsec sa

interface: FastEthernet4

    Crypto map tag: mymap, local addr 192.168.1.194

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.15.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.15.0/0/0)

   current_peer 77.77.77.77 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.194, remote crypto endpt.: 77.77.77.77

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

RTVWeee#

And spoke configuration:

RTVWeee#show running-config

Building configuration...

Current configuration : 4469 bytes

!

! Last configuration change at 17:58:06 PCTime Wed Feb 29 2012 by ChrisRTV

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname RTVWeee

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

enable secret 5 $1$..8A$xz5K0Y4HxiMGfVLGiHaJc/

!

no aaa new-model

!

!

!

memory-size iomem 10

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

!

crypto pki trustpoint TP-self-signed-4044243786

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4044243786

revocation-check none

rsakeypair TP-self-signed-4044243786

!

!

crypto pki certificate chain TP-self-signed-4044243786

certificate self-signed 01


        quit

no ip source-route

!

!

ip dhcp excluded-address 172.16.0.1 172.16.1.99

ip dhcp excluded-address 172.16.1.111 172.16.15.254

!

ip dhcp pool ccp-pool1

   network 172.16.0.0 255.255.240.0

   default-router 172.16.1.1

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name chris.no

ip name-server 195.159.0.100

ip name-server 195.159.0.200

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO881-SEC-K9 sn FCZ1603957K

!

!

username ChrisRTV privilege 15 secret 5 $1$djIv$okpuA.tuNiWgZ/jpqEaFB.

!

!

ip tcp synwait-time 10

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key RTV2012 address 77.77.77.77

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 77.77.77.77

set transform-set myset

match address 100

!

!

!

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

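Added diagnostic example, not from the original post or from Cisco: the script extracts the IKEv1 pre-shared keys from excerpts constructed from the two configurations above, handling both the keyring form the hub uses and the global crypto isakmp key form the spoke uses, and reports whether the key each side would select for the other agrees. The spoke address 192.168.1.194 is taken from its show crypto ipsec sa output; the hub's 0.0.0.0 0.0.0.0 keyring entry matches any peer address.

```python
import ipaddress
import re
# Constructed excerpts of the hub (RTV) and spoke (RTVWeee) configs from the post above.
HUB_CFG = """
crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key RTV123
crypto isakmp profile L2L
   keyring spokes
   match identity address 0.0.0.0
"""
SPOKE_CFG = """
crypto isakmp key RTV2012 address 77.77.77.77
crypto map mymap 10 ipsec-isakmp
 set peer 77.77.77.77
"""

DOTTED = r"\d+(?:\.\d+){3}"
# keyring form: pre-shared-key address A [MASK] key K
KEYRING_RE = re.compile(rf"pre-shared-key address ({DOTTED})(?: ({DOTTED}))? key (\S+)")
# global form: crypto isakmp key K address A [MASK]
ISAKMP_KEY_RE = re.compile(rf"crypto isakmp key (\S+) address ({DOTTED})(?: ({DOTTED}))?")

def psk_entries(cfg):
    """(network, key) pairs for every IKEv1 PSK: keyring form and global 'crypto isakmp key' form."""
    entries = []
    for addr, mask, key in KEYRING_RE.findall(cfg):
        entries.append((ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False), key))
    for key, addr, mask in ISAKMP_KEY_RE.findall(cfg):
        entries.append((ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False), key))
    return entries

def key_for_peer(cfg, peer):
    """Key the router would use for this peer: the most specific matching entry, or None."""
    peer = ipaddress.ip_address(peer)
    matches = [(net, key) for net, key in psk_entries(cfg) if peer in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def check_psk(hub_cfg, spoke_cfg, hub_addr, spoke_addr):
    """Compare the key each side selects for the other; return a list of findings."""
    hub_key, spoke_key = key_for_peer(hub_cfg, spoke_addr), key_for_peer(spoke_cfg, hub_addr)
    findings = [f"{side} has no pre-shared key entry matching its peer"
                for side, key in (("hub", hub_key), ("spoke", spoke_key)) if key is None]
    if hub_key and spoke_key and hub_key != spoke_key:
        findings.append(f"PSK mismatch: hub uses {hub_key!r}, spoke uses {spoke_key!r}")
    return findings

if __name__ == "__main__":  # 192.168.1.194 is the spoke's endpoint from its show crypto ipsec sa
    print(check_psk(HUB_CFG, SPOKE_CFG, "77.77.77.77", "192.168.1.194"))
```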