10-28-2011 12:22 PM - edited 03-04-2019 02:05 PM
I can ping and NAT is working. I've built phase 1 and 2 and the ACL several times, using both access-list and ip access-list extended, and double-checked both routers.
Other than that, "show crypto isakmp sa" just gives:
"IPv4 Crypto ISAKMP SA
dst src state conn-id slot status"
And "sh cry ipsec sa peer [ip]" is also returning nothing.
I'm stumped. Any suggestions?
Here is the new router's VPN config, mirrored/reversed on the other:
! ISAKMP (phase 1) policy: 3DES, MD5, pre-shared key, DH group 2
! (3DES and MD5 are legacy choices; kept here as posted)
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
! pre-shared key bound to the remote peer's public address
crypto isakmp key [key] address [other routers public ip]
! IPsec (phase 2) transform set
crypto ipsec transform-set [name] esp-3des esp-sha-hmac
! crypto map entry 10: peer, transform set and the crypto ACL that selects
! the "interesting" traffic; the map must be applied to the outside interface
crypto map [name] 10 ipsec-isakmp
 set peer [other routers public ip]
 set transform-set [name]
 match address [name]
! crypto ACL: traffic between the two inside subnets; the other router
! carries the same line with source and destination swapped
ip access-list extended [name]
 permit ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
10-28-2011 12:44 PM
can you ping the other router?
Sent from Cisco Technical Support iPhone App
10-28-2011 12:49 PM
Yes. I can ping both routers from each other by their outside interfaces/public IPs. The existing router is a 2811 and houses 2 working VPN tunnels at the moment, both working fine. It is doing NAT just fine too.
The new router is an 1811 and all is good, including NAT (I have a laptop hooked to a switch, then to the 1811, and it NATs fine and pings google.com).
I simply cannot get the VPN tunnel to work at all.
10-28-2011 12:57 PM
Hi,
I don't see the crypto map applied to any interface, and do you exempt traffic going through the tunnel from being NATed?
Alain.
10-28-2011 01:31 PM
Here are the interfaces on the 1811:
! outside interface: public address, NAT outside, crypto map applied here
interface FastEthernet0
 ip address [public ip] 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map [name]
!
! inside interface: 172.16.31.0/27 LAN, NAT inside
! (ip nat enable is the NVI form of NAT and is mixed here with ip nat inside, as posted)
interface FastEthernet1
 ip address 172.16.31.5 255.255.255.224
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
Here are the access lists and NAT:
! PAT of everything ACL 110 permits to the outside interface address
ip nat inside source list 110 interface FastEthernet0 overload
!
! crypto ACL: the interesting traffic for the tunnel
ip access-list extended [name]
 permit ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
!
! NAT ACL 110: the deny exempts tunnel traffic from translation and must
! sit above the permit, since the ACL is evaluated top-down, first match wins
access-list 110 deny ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
access-list 110 permit ip 172.16.31.0 0.0.0.31 any
10-28-2011 01:39 PM
Update:
Before giving that last reply, I had the deny below the permit in access-list 110. I reversed it, and now I get this with "show crypto isakmp sa":
1811#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
[2811publicip] [1811publicip] QM_IDLE 2001 0 ACTIVE
The 2811 shows the reverse. So far so good, but I'm still not getting a reply to a ping from either router or the laptop.
10-28-2011 02:25 PM
Hi,
So phase 1 is OK, that's great news.
Now what does sh crypto ipsec sa tell you?
Can you do a debug crypto ipsec sa while you are doing your ping, and tell us what ping you are doing?
Alain.
11-03-2011 12:32 PM
OK, I just now got back on this. I am now able to ping the 2811's inside interface from the 1811 via the tunnel. I had to redo access-list 110 and put the deny up above the permits:
! 2811 NAT ACL, fixed order: the deny for tunnel traffic is matched first,
! so it is not translated and can match the crypto ACL
access-list 110 deny ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31
access-list 110 permit ip 192.168.17.0 0.0.0.255 any
access-list 110 permit ip 172.16.8.0 0.0.0.255 any
It was like this:
! previous (broken) order: the "permit ... any" matched first, so tunnel
! traffic was translated and the deny below it was never reached
access-list 110 permit ip 192.168.17.0 0.0.0.255 any
access-list 110 permit ip 172.16.8.0 0.0.0.255 any
access-list 110 deny ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31
Once I did that, pinging from the laptop to the 2811's inside interface (192.168.17.22) started working, and the 2 routers could ping each other's inside interfaces.
The problem now is that I cannot ping any other IP on the 192.168.17.0/24 network from anything on the 172.16.31.0/31 network. BUT the opposite way, I can ping the laptop, the router and the switch from the 192.168.17.0/24 side.
I'm sure this is an access-list, but I cannot figure it out.
Any thoughts?
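The NAT-ordering problem described in this post and in the 10-28-2011 01:39 PM update comes down to two facts: IOS evaluates an ACL top-down and stops at the first match, and for inside-to-outside traffic NAT runs before the crypto map is consulted, so a packet that ACL 110 permits is translated and its new source never matches the crypto ACL. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for IOS-style extended ACLs that replays the ACL lines posted above in both orders, and a check that the two peers' crypto ACLs are exact mirrors. Function names, the laptop address 172.16.31.10 and the Internet host 198.51.100.10 (TEST-NET-2) are assumptions; only "ip" ACEs with contiguous wildcard masks are handled.

```python
"""Added example (not from the thread): first-match evaluation of IOS-style
extended ACLs, used to show why the position of the deny line in NAT ACL 110
decides whether tunnel-bound traffic is translated, plus a mirror check for
the two crypto ACLs.  ACL lines and router addresses are the ones posted;
helper names, 172.16.31.10 (laptop) and 198.51.100.10 (Internet host) are
assumed.  Only 'ip' ACEs with contiguous wildcard masks are supported."""
import ipaddress
from typing import List, Tuple

ACE = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # action, src, dst


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask (0 bit = must match) -> CIDR network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address(~wc & 0xFFFFFFFF))
    # ipaddress raises ValueError on a non-contiguous mask (IOS would accept
    # one); none appear in this thread, so the error is left to surface.
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[ACE]:
    """Accept 'access-list 110 permit ip ...' and the named form 'permit ip ...';
    line order is preserved because IOS matches top-down."""
    acl: List[ACE] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]  # drop 'access-list <number>'
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        acl.append((action, src, dst))
    return acl


def first_match(acl: List[ACE], src: str, dst: str) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"


def classify(nat_acl: List[ACE], crypto_acl: List[ACE], src: str, dst: str) -> str:
    """Inside-to-outside on IOS, NAT runs before the crypto map is checked: a
    packet the NAT ACL permits is translated to the outside address, so the
    crypto ACL never sees the original source and no IPsec SA is built."""
    if first_match(nat_acl, src, dst) == "permit":
        return "translated"
    if first_match(crypto_acl, src, dst) == "permit":
        return "encrypted"
    return "cleartext"


def is_mirror(local: List[ACE], remote: List[ACE]) -> bool:
    """Phase 2 proxy identities must match exactly: every permit on one peer
    must appear on the other with source and destination swapped."""
    def permits(acl: List[ACE]):
        return {(s, d) for a, s, d in acl if a == "permit"}
    return permits(local) == {(d, s) for s, d in permits(remote)}


# 1811 side, as posted: crypto ACL and NAT ACL 110 in both orders.
CRYPTO_1811 = parse_acl("permit ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255")
NAT_1811_BROKEN = parse_acl("""
access-list 110 permit ip 172.16.31.0 0.0.0.31 any
access-list 110 deny ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
""")
NAT_1811_FIXED = parse_acl("""
access-list 110 deny ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
access-list 110 permit ip 172.16.31.0 0.0.0.31 any
""")
# 2811 side: the mirrored crypto ACL and the fixed NAT ACL from 11-03-2011.
CRYPTO_2811 = parse_acl("permit ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31")
NAT_2811_FIXED = parse_acl("""
access-list 110 deny ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31
access-list 110 permit ip 192.168.17.0 0.0.0.255 any
access-list 110 permit ip 172.16.8.0 0.0.0.255 any
""")

if __name__ == "__main__":
    laptop = "172.16.31.10"        # assumed host on the 1811's inside /27
    inside_2811, internet = "192.168.17.22", "198.51.100.10"  # posted / assumed
    print("deny below permit:", classify(NAT_1811_BROKEN, CRYPTO_1811, laptop, inside_2811))
    print("deny above permit:", classify(NAT_1811_FIXED, CRYPTO_1811, laptop, inside_2811))
    print("to the Internet:  ", classify(NAT_1811_FIXED, CRYPTO_1811, laptop, internet))
    print("crypto ACLs mirrored:", is_mirror(CRYPTO_1811, CRYPTO_2811))
```

With the deny below the permit, laptop-to-192.168.17.22 traffic classifies as "translated", which is exactly the symptom in the thread: no IPsec SA, no ISAKMP negotiation triggered, and "show crypto ipsec sa" empty. With the deny on top it classifies as "encrypted" while Internet-bound traffic is still translated. The mirror check is worth running on both peers whenever a tunnel negotiates phase 1 but never builds phase 2.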
11-03-2011 01:21 PM
Hi,
What does sh crypto ipsec sa tell you?
What is working and what is not working?
What is debug crypto ipsec telling you?
Alain