Problem with crypto not working

bradlesliect
Level 1

Hi

I cannot get the VPN connection up from one of my remote sites to my CO. Below is an extract from the config. What am I doing wrong?

Using 877W Router.

!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key adsldynvpn address <VPN ROUTER1> no-xauth
crypto isakmp key adsldynvpn address <VPN ROUTER2> no-xauth
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toVPN ROUTER1
 set peer VPN ROUTER1
 set transform-set ESP-3DES-MD5
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toVPN ROUTER2
 set peer VPN ROUTER2
 set transform-set ESP-3DES-MD5
 match address 103
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.18.47.0 0.0.0.255 172.18.16.0 0.0.1.255 -> My internal servers SITE A
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.18.47.0 0.0.0.255 <PUBLIC ADDRESSES> 0.0.0.127 -> My public servers
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark IPSec Rule
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.18.47.0 0.0.0.255 172.18.18.0 0.0.1.255 -> My internal servers SITE B
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
!

crypto map SDM_CMAP_1 -> assigned to dialer interface.


bradlesliect
Level 1

Each time I try and reconfigure this I get

"% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured."

The message you get is a standard warning and can be ignored when you have done what it says. This appears to be the case here.

Please check the link below to verify the establishment of your ipsec connections:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

Regards,

Leo

Thanks Leo

I'm still stuck.

You have an example of what a VPN config should look like for an 877 router?

Danilo Dy
VIP Alumni

Office Network = 172.16.0.0/12

Remote Network = 10.0.0.0/8

Office WAN Interface IP Address = a.b.c.2, Gateway = a.b.c.1

Remote WAN Interface IP Address = w.x.y.2, Gateway = w.x.y.1

1. Office

!
ip subnet-zero
!
crypto isakmp policy 3
 authentication pre-share
!
crypto isakmp key trinity address w.x.y.2 no-xauth
!
crypto ipsec transform-set NEO esp-des esp-sha-hmac
!
crypto map TheMatrix 1 ipsec-isakmp
 set peer w.x.y.2
 set transform-set NEO
 set pfs group1
 match address 101
!
interface wan_interface_facing_internet
 ip address a.b.c.2 255.255.255.252
 crypto map TheMatrix
!
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.1
!
access-list 101 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255

2. Remote

!
ip subnet-zero
!
crypto isakmp policy 3
 authentication pre-share
!
crypto isakmp key trinity address a.b.c.2 no-xauth
!
crypto ipsec transform-set NEO esp-des esp-sha-hmac
!
crypto map TheMatrix 1 ipsec-isakmp
 set peer a.b.c.2
 set transform-set NEO
 set pfs group1
 match address 101
!
interface wan_interface_facing_internet
 ip address w.x.y.2 255.255.255.252
 crypto map TheMatrix
!
ip classless
ip route 0.0.0.0 0.0.0.0 w.x.y.1
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
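The Office/Remote pair above relies on the two crypto ACLs being mirror images of each other, with each wildcard matching the intended prefix. The following Python check is an added example, not part of the thread or of any Cisco tool: it parses `access-list ... permit ip` lines from both peers, flags wildcards that are not a contiguous inverse mask, and reports entries with no mirror on the other side. The function names and sample configs are constructed for illustration.

```python
import ipaddress
import re

# Assumes entries use the "address wildcard" form (no "host"/"any" keywords).
ACL_RE = re.compile(r"^access-list +(\d+) +permit +ip +(\S+) +(\S+) +(\S+) +(\S+)", re.M)

def to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network, or raise ValueError."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a prefix wildcard is a single run of low-order 1 bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # strict=True also rejects an address that has host bits set
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=True)

def crypto_acl(config, acl_id):
    """Set of (source, destination) networks permitted by one ACL."""
    return {(to_network(s, sw), to_network(d, dw))
            for n, s, sw, d, dw in ACL_RE.findall(config) if n == str(acl_id)}

def audit_pair(local_cfg, local_acl, remote_cfg, remote_acl):
    """Findings that would keep the peers' IPsec proxy identities from matching."""
    findings, sides = [], {}
    for name, cfg, acl in (("local", local_cfg, local_acl),
                           ("remote", remote_cfg, remote_acl)):
        try:
            sides[name] = crypto_acl(cfg, acl)
        except ValueError as exc:
            findings.append(f"{name} ACL {acl}: {exc}")
    if len(sides) == 2:
        mirrored = {(d, s) for s, d in sides["remote"]}
        for s, d in sorted(sides["local"] ^ mirrored):
            findings.append(f"no mirror entry for {s} -> {d}")
    return findings

# Constructed sample configs (not taken from the thread's routers).
OFFICE = "access-list 101 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255\n"
REMOTE = "access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255\n"
REMOTE_NARROW = "access-list 101 permit ip 10.1.0.0 0.0.255.255 172.16.0.0 0.15.255.255\n"
OFFICE_BAD_MASK = "access-list 101 permit ip 172.16.0.0 0.240.255.255 10.0.0.0 0.255.255.255\n"

if __name__ == "__main__":
    for label, a, b in (("matched", OFFICE, REMOTE),
                        ("narrow remote", OFFICE, REMOTE_NARROW),
                        ("bad mask", OFFICE_BAD_MASK, REMOTE)):
        print(label, audit_pair(a, 101, b, 101))
```

IOS accepts non-contiguous wildcards syntactically, so the first finding marks a likely typo in a prefix rather than a configuration the router would reject.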

bporter78
Level 1

Can you email the configs to me and I'll have a squiz and see if I can see anything obvious - eagleeyes426@yahoo.com

Cheers,

Peter
