02-21-2007 01:56 AM - edited 03-03-2019 03:51 PM
Hi
I cannot get the VPN connection up from one of my remote sites to my CO. Below is an extract from the config. What am I doing wrong?
Using 877W Router.
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key adsldynvpn address <VPN ROUTER1> no-xauth
crypto isakmp key adsldynvpn address <VPN ROUTER2> no-xauth
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toVPN ROUTER1
set peer VPN ROUTER1
set transform-set ESP-3DES-MD5
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel toVPN ROUTER2
set peer VPN ROUTER2
set transform-set ESP-3DES-MD5
match address 103
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.18.47.0 0.0.0.255 172.18.16.0 0.0.1.255 -> My internal servers SITE A
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.18.47.0 0.0.0.255 <PUBLIC ADDRESSES> 0.0.0.127 -> My public servers
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark IPSec Rule
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.18.47.0 0.0.0.255 172.18.18.0 0.0.1.255 -> My internal servers SITE B
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
!
crypto map SDM_CMAP_1 -> assigned to dialer interface.
02-21-2007 02:04 AM
Each time I try and reconfigure this I get
" % NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured."
02-21-2007 02:37 AM
The message you get is a standard warning and can be ignored when you have done what it says. This appears to be the case here.
Please check the link below to verify the establishment of your ipsec connections:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
Regards,
Leo
02-21-2007 05:07 AM
Thanks Leo
I'm still stuck.
Do you have an example of what a VPN config should look like for an 877 router?
02-21-2007 06:31 AM
Office Network = 172.16.0.0/12
Remote Network = 10.0.0.0/8
Office WAN Interface IP Address = a.b.c.2, Gateway = a.b.c.1
Remote WAN Interface IP Address = w.x.y.2, Gateway = w.x.y.1
1. Office
!
ip subnet-zero
!
crypto isakmp policy 3
authentication pre-share
!
crypto isakmp key trinity address w.x.y.2 no-xauth
!
crypto ipsec transform-set NEO esp-des esp-sha-hmac
!
crypto map TheMatrix 1 ipsec-isakmp
set peer w.x.y.2
set transform-set NEO
set pfs group1
match address 101
!
interface wan_interface_facing_internet
ip address a.b.c.2 255.255.255.252
crypto map TheMatrix
!
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.1
!
access-list 101 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
2. Remote
!
ip subnet-zero
!
crypto isakmp policy 3
authentication pre-share
!
crypto isakmp key trinity address a.b.c.2 no-xauth
!
crypto ipsec transform-set NEO esp-des esp-sha-hmac
!
crypto map TheMatrix 1 ipsec-isakmp
set peer a.b.c.2
set transform-set NEO
set pfs group1
match address 101
!
interface wan_interface_facing_internet
ip address w.x.y.2 255.255.255.252
crypto map TheMatrix
!
ip classless
ip route 0.0.0.0 0.0.0.0 w.x.y.1
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
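Added example, not part of the original post: in a site-to-site setup like the sample above, the crypto ACL on each peer has to be the mirror image of the other, and each wildcard has to be the inverse of the network's mask. This Python sketch checks both; the function names and the sample ACL strings are constructed for illustration from the networks named in the post.

```python
import ipaddress
import re

# Matches "access-list N permit ip <src> <src-wildcard> <dst> <dst-wildcard>".
ACL_RE = re.compile(
    r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network.

    Raises ValueError when the wildcard is not a contiguous inverse mask
    or when the address has host bits set for that prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # A contiguous wildcard is 2**k - 1 (ones in the low-order bits only).
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix_len = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=True)

def crypto_acl(config):
    """Return the set of (source, destination) networks the ACL permits."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:  # remark lines and other commands are skipped
            src, swc, dst, dwc = m.groups()
            pairs.add((wildcard_to_network(src, swc),
                       wildcard_to_network(dst, dwc)))
    return pairs

def is_mirror(local_cfg, remote_cfg):
    """True when every local src->dst entry has a remote dst->src entry."""
    swapped = {(dst, src) for src, dst in crypto_acl(remote_cfg)}
    return crypto_acl(local_cfg) == swapped

# Constructed sample lines (not copied from any router).
OFFICE = "access-list 101 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255"
REMOTE = "access-list 101 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255"
REMOTE_BAD = "access-list 101 permit ip 10.0.0.0 0.0.255.255 172.16.0.0 0.15.255.255"

if __name__ == "__main__":
    print("mirrored pair:", is_mirror(OFFICE, REMOTE))
    print("mismatched pair:", is_mirror(OFFICE, REMOTE_BAD))
```

A mismatch reported here is the kind of proxy-identity disagreement that keeps phase 2 from completing even when the pre-shared key and ISAKMP policy agree.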
04-06-2007 12:28 PM
Can you email the configs to me and I'll have a squiz and see if I can see anything obvious - eagleeyes426@yahoo.com
Cheers,
Peter