Cisco Support Community

tunnel is not establishing

Can anyone help me? I have a Cisco 1712 with IPsec configured on it. The remote side is a Cisco 3725. I have no control over or access to the remote side 3745. The problem is that though all the config is OK (at least I assume so), the IPsec tunnel is not establishing.

router#sh cry se
Crypto session current status

Interface: Dialer1
Session status: UP-IDLE
Peer: x.x.x.x/500
 IKE SA: local x.x.x.x/500 remote x.x.x.x/500 Active
 IKE SA: local x.x.x.x/500 remote x.x.x.x/500 Inactive
 IPSEC FLOW: permit ip 172.25.210.0/255.255.255.0 192.168.1.0/255.255.255.0
 Active SAs: 0, origin: crypto map

Debug IPsec o/p shows that the IKE phase is completed:

*Mar 12 02:11:07.687: ISAKMP:(0:3:HW:2):Old State = IKE_P1_COMPLETE New State =

Also, I got the following message. I couldn't understand the following message in the debug ipsec o/p. Does anyone have any idea about this?

*Mar 12 02:11:07.507: ISAKMP:(0:3:HW:2): vendor ID is DPD
*Mar 12 02:11:07.507: ISAKMP:(0:3:HW:2): processing vendor id payload
*Mar 12 02:11:07.507: ISAKMP:(0:3:HW:2): speaking to another IOS box!

Thanks in advance

2 REPLIES

Re: tunnel is not establishing

Hello Arun,

Can you post the full config of your 'router', the one you do have control over, or, if possible, the configuration of the other VPN router as well?

Regards,

GNT


Re: tunnel is not establishing

Hi GNT,

Here is the config for both locations. I have only limited config (only IPsec related) for B location, where I have no control, but for the A location router I have full access.

********************************************

A location :- (I have access to this router)

!
!
ip dhcp excluded-address 10.15.60.1 10.15.60.99
ip dhcp excluded-address 10.15.60.201 10.15.60.254
ip dhcp excluded-address 172.25.210.1
!
ip dhcp pool for_LAN
 network 10.15.60.0 255.255.255.0
 default-router 10.15.60.1
 dns-server ----
ip dhcp pool for_172
 network 172.25.210.0 255.255.255.0
 default-router 172.25.210.1
 dns-server-----
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 12345 address y.y.y.5
!
crypto ipsec security-association lifetime seconds 900
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description IPSEC SECURE TUNNEL
 set peer y.y.y.5
 set transform-set ESP-3DES-SHA
 match address for_VPN
!
!
interface FastEthernet0
 description Connected to Netopia Modem
 ip address 172.16.1.254 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet1
 no ip address
 no keepalive
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 switchport access vlan 10
 no ip address
 no cdp enable
!
interface Vlan10
 description Connected to F4 for VPN
 ip address 172.25.210.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description Client's LAN -- (This IP range is not included in vPN)
 ip address 10.15.60.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1340
!
interface Async1
 no ip address
!
interface Dialer1 --- (x.x.x.x is static public IP of dialer)
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp pap sent-username .... password .....
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list for_nat interface Dialer1 overload
!
Vpn access-list
 permit ip 172.25.210.0 0.0.0.255 199.85.106.0 0.0.0.255

Natting access-list
 deny ip 172.25.210.0 0.0.0.255 199.85.106.0 0.0.0.255
 permit ip 10.15.60.0 0.0.0.255 any
 permit ip 172.25.210.0 0.0.0.255 any

*********************************************

B location :- (I don't have control over this router)

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 12345 address x.x.x.x
!
crypto ipsec security-association lifetime seconds 900
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 20 ipsec-isakmp
 set peer x.x.x.x
 set transform-set VPN
 match address 120
!
interface FastEthernet0/0 ****** (Inside network)*******
 ip address 199.85.106.131 255.255.255.128
!
interface FastEthernet0/1 *******(Outside network)*****
 ip address y.y.y.5 255.255.255.0
 crypto map SDM_CMAP_1
!
ip default-gateway y.y.y.1
ip route 172.25.210.0 255.255.255.0 y.y.y.1
!
access-list 120 remark IPSec Rule
access-list 120 permit ip 199.85.x.x.0.0.255 172.25.210.0 0.0.0.255
access-list 120 deny ip any any log
no ip route 172.25.210.0 255.255.255.0 x.x.x.x
ip route 172.25.210.0 255.255.255.0 y.y.y.1

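Editor's added example, not part of any post in this thread: when IKE phase 1 is up but `Active SAs` stays at 0, one check is whether the traffic selectors in the `IPSEC FLOW` line are the ones in the configured crypto ACL, and what the mirrored entry on the peer would have to be. The Python below runs that comparison on the `sh cry se` output and the "Vpn access-list" entry exactly as posted above; the function names are hypothetical and only single `permit ip <net> <wildcard> <net> <wildcard>` entries are handled.

```python
import ipaddress
import re

# Copied from the thread: the flow reported by "sh cry se" and the
# A-side "Vpn access-list" entry as posted.
SESSION_OUTPUT = """\
Interface: Dialer1
Session status: UP-IDLE
IPSEC FLOW: permit ip 172.25.210.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
"""
A_SIDE_ACL = "permit ip 172.25.210.0 0.0.0.255 199.85.106.0 0.0.0.255"

def wildcard_to_net(addr, wildcard):
    """IOS ACLs use inverse masks; flip the bits to get a normal netmask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_flows(show_output):
    """Return (src, dst) networks for each IPSEC FLOW line."""
    pat = re.compile(r"IPSEC FLOW: permit ip (\S+)/(\S+) (\S+)/(\S+)")
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in pat.findall(show_output)]

def parse_acl(entry):
    """Parse 'permit ip <src> <wildcard> <dst> <wildcard>' into (src, dst)."""
    m = re.fullmatch(r"permit ip (\S+) (\S+) (\S+) (\S+)", entry.strip())
    if not m:
        raise ValueError(f"unsupported ACL entry: {entry!r}")
    s, sw, d, dw = m.groups()
    return wildcard_to_net(s, sw), wildcard_to_net(d, dw)

def mirror_entry(entry):
    """Build the entry the peer's crypto ACL needs: source and destination swapped."""
    src, dst = parse_acl(entry)
    return (f"permit ip {dst.network_address} {dst.hostmask} "
            f"{src.network_address} {src.hostmask}")

def flows_not_in_acl(show_output, entry):
    """List flows whose selectors differ from the configured crypto ACL entry."""
    return [f for f in parse_flows(show_output) if f != parse_acl(entry)]

if __name__ == "__main__":
    for src, dst in flows_not_in_acl(SESSION_OUTPUT, A_SIDE_ACL):
        print(f"flow {src} -> {dst} is not the posted ACL entry {A_SIDE_ACL!r}")
    print("peer needs:", mirror_entry(A_SIDE_ACL))
```

On the posted data the flow's destination (192.168.1.0/24) differs from the ACL's (199.85.106.0/24), so the flow is reported; the mirrored entry is what the B-side access-list 120 would be compared against.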