06-18-2008 07:53 AM - edited 03-03-2019 10:24 PM
We are setting up a point-to-point VPN through the Cisco SDM. We have tried everything under the sun to get this tunnel to the up status, with no luck. The VPN Troubleshooting Report passes everything except the tunnel being up. It reports "There is no response from the peer VPN device." I have included the mirrors for review. Any help is much appreciated.
Mirror 1:
The mirror configuration should only be used as a guide when configuring the peer.
The following configuration MUST NOT be directly applied to the peer device.
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key password! address 24.x.x.15
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 208.125.212.18 that connects to this router.
set transform-set ESP-3DES-SHA1
set peer 24.213.143.15
match address SDM_2
exit
Mirror 2:
The mirror configuration should only be used as a guide when configuring the peer.
The following configuration MUST NOT be directly applied to the peer device.
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key password! address 208.125.212.18
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 24.213.143.15 that connects to this router.
set transform-set ESP-3DES-SHA1
set peer 208.x.x.18
match address SDM_2
exit
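Before chasing reachability, it is worth confirming that the two mirrors really are mirrors of each other. The script below is an added example, not part of the original post and not SDM's own code: it parses two mirror-style fragments and checks that the ISAKMP policy, pre-shared key and transform set agree, that each side's "crypto isakmp key ... address" names the same router as its "set peer", and that the crypto ACLs are exact reverses of one another. The sample configs, their public addresses (RFC 5737 documentation ranges) and the key are constructed for the example. A clean result only rules out a configuration mismatch; "no response from the peer VPN device" is normally IKE traffic (UDP/500, UDP/4500 with NAT-T) not reaching the other router, which no config comparison can see.

```python
import re

# Constructed sample in the shape of the SDM "mirror" output quoted above.
# Addresses are RFC 5737 documentation ranges and the key is made up; none of
# these are the poster's real values.
SITE_A = """\
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key Example-PSK-1 address 203.0.113.1
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark IPSec Rule
permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
set transform-set ESP-3DES-SHA1
set peer 203.0.113.1
match address SDM_2
exit
"""

# The other end: same policy and key, peer address swapped, crypto ACL reversed.
SITE_B = SITE_A.replace("203.0.113.1", "198.51.100.1").replace(
    "permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255",
    "permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255")


def parse_side(cfg):
    """Pull out the fields that have to agree between the two ends."""
    side = {"policy": {}, "psk": None, "key_addr": None,
            "transform": None, "acl": [], "peer": None}
    in_policy = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy:
            if line == "exit":
                in_policy = False
            else:                      # e.g. "group 2" -> policy["group"] = "2"
                key, _, val = line.partition(" ")
                side["policy"][key] = val
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            side["psk"], side["key_addr"] = m.groups()
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            side["transform"] = frozenset(m.group(1).split())
        elif m := re.match(r"permit (\S+) (\S+) (\S+) (\S+) (\S+)$", line):
            side["acl"].append(m.groups())  # (proto, src, wildcard, dst, wildcard)
        elif m := re.match(r"set peer (\S+)$", line):
            side["peer"] = m.group(1)
    return side


def check_pair(a, b):
    """Return a list of mismatches; an empty list means the two ends agree."""
    problems = []
    if a["policy"] != b["policy"]:
        problems.append(f"ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        problems.append("IPsec transform sets differ")
    for name, side in (("A", a), ("B", b)):
        if side["key_addr"] != side["peer"]:
            problems.append(f"side {name}: isakmp key address {side['key_addr']} "
                            f"does not match set peer {side['peer']}")
    # The crypto ACL on one end must be the exact reverse of the other end's.
    mirrored = sorted((p, d, dm, s, sm) for (p, s, sm, d, dm) in b["acl"])
    if sorted(a["acl"]) != mirrored:
        problems.append(f"crypto ACLs are not mirror images: {a['acl']} vs {b['acl']}")
    return problems


def check_configs(cfg_a, cfg_b):
    return check_pair(parse_side(cfg_a), parse_side(cfg_b))


if __name__ == "__main__":
    print("good pair:", check_configs(SITE_A, SITE_B))
    print("bad pair: ", check_configs(SITE_A, SITE_B.replace("group 2", "group 5")))
```

Paste the two real mirrors in place of SITE_A and SITE_B to run it against a live case. The parser only understands the wildcard-mask form of permit lines that SDM emits; "host" keywords or port-qualified entries would need a second pattern.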
06-25-2008 06:42 AM
Mark,
I added the permit hosts and still no luck. I have another idea that I would like your help with. This is extremely time sensitive, and since we can't get the tunnel up I want to try this approach. We have current tunnels like this:
SiteA >> SiteC
SiteB >> SiteC
What would I need to do to pass the traffic from A to B through C?
SiteA: 172.18.2.0
SiteB: 172.18.3.0
SiteC: 172.18.1.0
Can I just add permit 172.18.3.0 to 172.18.2.0 on the 172.18.1.0 ACL?
Or do I add static routes? If so, what should they look like?
06-25-2008 11:15 AM
I added a static route into the .3 router:
172.18.2.0 172.18.1.1
and into the .2 router:
172.18.3.0 172.18.1.1
My understanding is that this will send any traffic requests for the .2/.3 network to the 1.1 router, which I would think could route that appropriately.
Pings time out from .2/.3 going to the respective network. Any ideas?
06-25-2008 04:33 PM
Have you identified if the tunnels are up yet?
What is the output of
"show crypto session"
or
"show crypto isakmp sa"?
We are looking for up/up. After the tunnels are up, we can work on the routing of traffic across the tunnels.
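As an added example of reading the output Mark asks for (this is not from the thread or from Cisco), the script below parses "show crypto isakmp sa" text and maps each peer to its ISAKMP state with a short hint. For this command the "up" condition is a QM_IDLE SA with ACTIVE status; an SA stuck in MM_NO_STATE is what SDM reports as no response from the peer. The sample output, its addresses (RFC 5737 ranges) and the assumed local address are constructed; the state descriptions follow Cisco's documentation of the command, and the hints are the usual first checks for each state.

```python
import re

# Constructed sample in the layout of IOS "show crypto isakmp sa" (newer
# format; older releases add a "slot" column, which the regex tolerates).
# Addresses are RFC 5737 documentation ranges, not the poster's.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.1    QM_IDLE           1001 ACTIVE
203.0.113.5     198.51.100.1    MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

"""

# Meaning of each ISAKMP state per Cisco's documentation of the command, with
# the first thing worth checking when an SA sits there.
STATE_HINTS = {
    "MM_NO_STATE": "SA created but nothing heard back: IKE (UDP/500, or UDP/4500 with "
                   "NAT-T) is not reaching the peer or its replies are not returning; "
                   "check reachability and outside ACLs before touching the crypto config",
    "MM_SA_SETUP": "ISAKMP policy agreed, waiting on the Diffie-Hellman exchange",
    "MM_KEY_EXCH": "DH done but still unauthenticated: a stall here usually means the "
                   "pre-shared keys differ",
    "MM_KEY_AUTH": "authenticated; should move to QM_IDLE immediately",
    "AG_INIT_EXCH": "aggressive mode started, waiting on the peer",
    "AG_AUTH": "aggressive mode authenticated; should move to QM_IDLE",
    "QM_IDLE": "phase 1 up; if IPsec SAs still do not form, compare the crypto ACLs "
               "and transform sets on both ends",
}

# dst src state conn-id [slot] status   (slot is the optional old-format column)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)(?:\s+\d+)?\s+(\S.*?)\s*$")


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and section lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status})
    return rows


def by_peer(text, local_ip):
    """Key rows by the remote address: dst when we initiated, src when the peer did."""
    out = {}
    for r in parse_isakmp_sa(text):
        peer = r["src"] if r["dst"] == local_ip else r["dst"]
        out[peer] = r
    return out


def phase1_up(text, local_ip, peer):
    """True only for an ACTIVE (not deleted) QM_IDLE SA with this peer."""
    r = by_peer(text, local_ip).get(peer)
    return bool(r) and r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"


def diagnose(text, local_ip):
    """Map each peer to (state, hint)."""
    return {peer: (r["state"], STATE_HINTS.get(r["state"], "unknown state"))
            for peer, r in by_peer(text, local_ip).items()}


if __name__ == "__main__":
    LOCAL = "198.51.100.1"   # assumed outside address of this router
    for peer, (state, hint) in diagnose(SAMPLE, LOCAL).items():
        print(f"{peer}: {state} -> {hint}")
```

Feed it the real command output and the router's own outside address. The same idea applies to "show crypto session", where the equivalent of QM_IDLE/ACTIVE is a session status of UP-ACTIVE.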
06-27-2008 09:14 AM
Mark,
We have been unsuccessful at bringing the tunnels up. I was trying to come up with a workaround to pass the traffic, since we have tunnels up to a central location. It is time sensitive and we have been beating our heads against the tunnels. I assumed that since both sites have up tunnels to a central site, we could pass the traffic that way. That is where my static route idea came into play. Would you be interested in doing a remote session over the telephone to assist me with this?
06-27-2008 09:09 PM
I am more than willing to help you (if time permits). Looking back at your configs, I see that you are using private IP space for your internal network. There is no way to make this work without a tunnel of some sort. A workaround would be to NAT to make this work, and that will require much more work than it would be to get your VPN tunnels up and working. I do understand time is not on your side. Shoot me your email address and I'll do my best to help you out.
Mark
06-30-2008 05:56 AM
matt [at] nexlevelnet [dot] com
I really appreciate your help. I would like to discuss this further, so please e-mail me as soon as time permits. Thanks!