Site to Site VPN Error through CDM

nexlevel315
Level 1

We are setting up a point-to-point VPN through the Cisco CDM. We have tried everything under the sun to get this tunnel to the up status, with no luck. The VPN troubleshooting report passes everything except the tunnel being up. It reports "There is no response from the peer VPN device." I have included the mirrors for review. Any help is much appreciated.

Mirror 1:

The mirror configuration should only be used as a guide when configuring the peer.

The following configuration MUST NOT be directly applied to the peer device.

crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
 exit
crypto isakmp key password! address 24.x.x.15
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
 mode tunnel
 exit
ip access-list extended SDM_2
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
 exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address 208.125.212.18 that connects to this router.
 set transform-set ESP-3DES-SHA1
 set peer 24.213.143.15
 match address SDM_2
 exit

Mirror 2:

The mirror configuration should only be used as a guide when configuring the peer.

The following configuration MUST NOT be directly applied to the peer device.

crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
 exit
crypto isakmp key password! address 208.125.212.18
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
 mode tunnel
 exit
ip access-list extended SDM_2
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
 exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address 24.213.143.15 that connects to this router.
 set transform-set ESP-3DES-SHA1
 set peer 208.x.x.18
 match address SDM_2
 exit

20 Replies

Mark,

I added the permit hosts and still no luck. I have another idea that I would like your help with. This is extremely time sensitive, and since we can't get the tunnel up, I want to try this approach. We have current tunnels like this:

SiteA >> SiteC

SiteB >> SiteC

What would I need to do to pass the traffic from A to B through C?

SiteA: 172.18.2.0

SiteB: 172.18.3.0

SiteC: 172.18.1.0

Can I just add a permit 172.18.3.0 to 172.18.2.0 on the 172.18.1.0 ACL?

Or do I add static routes? If so, what should they look like?

I added a static route into the .3 router:

172.18.2.0 172.18.1.1

and into the .2 router:

172.18.3.0 172.18.1.1

My understanding is that this will send any traffic requests for the .2/.3 network to the 1.1 router, which I would think could route that appropriately.

Pings time out from .2/.3 going to the respective network. Any ideas?

Have you identified if the tunnels are up yet?

What is the output of "show crypto sessions" or "show crypto isakmp sa"?

We are looking for up/up. After the tunnels are up then we can work on the routing of traffic across the tunnels.
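Two things in this thread are easy to get wrong by eye: whether the two CDM mirrors really agree on every parameter a peer will check (policy, transform set, which address the pre-shared key is bound to, and whether the crypto ACLs are exact mirror images), and whether a given flow is even selected for encryption once the static-route work-around above is tried. The following Python script is an added example, not code from the thread or from Cisco. It assumes hypothetical public addresses from the RFC 5737 documentation ranges (192.0.2.15, 198.51.100.18, 203.0.113.1) in place of the obfuscated ones, reproduces the layout of the posted mirrors with a constructed `sdm_mirror` template, and handles only contiguous wildcard masks. `compare_mirrors` flags the mismatches that commonly leave a peer silent, and `is_interesting` shows that 172.18.3.x to 172.18.2.x traffic is not selected by a spoke-to-hub crypto ACL that only matches 172.18.3.0/24 to 172.18.1.0/24, so a static route toward 172.18.1.1 by itself does not put that traffic into the existing tunnel.

```python
"""Consistency checks for CDM/SDM-generated site-to-site IPsec "mirror" snippets.
Added example, not code from the thread or Cisco; the public addresses are
hypothetical RFC 5737 documentation addresses in place of the obfuscated ones."""
import ipaddress

def sdm_mirror(local_pub, peer_pub, local_net, remote_net, hash_alg="sha"):
    """Constructed snippet in the layout of the thread's mirrors; nets are 'addr wildcard'."""
    return f"""crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash {hash_alg}
 group 2
 lifetime 86400
 exit
crypto isakmp key password! address {peer_pub}
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
 mode tunnel
 exit
ip access-list extended SDM_2
 permit ip {local_net} {remote_net}
 exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address {local_pub} that connects to this router.
 set transform-set ESP-3DES-SHA1
 set peer {peer_pub}
 match address SDM_2
 exit
"""

def wildcard_net(addr, wildcard):
    """IOS 'addr wildcard' -> IPv4Network by inverting the (contiguous) wildcard into a netmask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_mirror(text):
    """Pull out the parameters that must agree between the two peers."""
    cfg = {"policy": {}, "acl": [], "transform": None, "key_peer": None, "map_peer": None, "local": None}
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        w = line.split()
        if not w or w[0] == "remark":
            continue
        if line.startswith("crypto isakmp policy"):
            section = "policy"
        elif line.startswith("crypto isakmp key"):
            cfg["key_peer"] = w[-1]                       # "... address <peer>"
        elif line.startswith("crypto ipsec transform-set"):
            cfg["transform"], section = (w[3], frozenset(w[4:])), "transform"
        elif line.startswith("ip access-list extended"):
            section = "acl"
        elif line.startswith("crypto map"):
            section = "map"
        elif w[0] == "exit":
            section = None
        elif section == "policy":
            cfg["policy"][w[0]] = " ".join(w[1:])
        elif section == "acl" and w[0] == "permit":      # permit <proto> <src> <wc> <dst> <wc>
            cfg["acl"].append((w[1], wildcard_net(w[2], w[3]), wildcard_net(w[4], w[5])))
        elif section == "map" and w[:2] == ["set", "peer"]:
            cfg["map_peer"] = w[2]
        elif section == "map" and w[0] == "description":  # SDM names this side's own IP here
            cfg["local"] = w[w.index("address") + 1] if "address" in w else None
    return cfg

def compare_mirrors(a, b):
    """Mismatches between the two sides; an empty list means the mirrors agree."""
    problems = []
    if a["policy"] != b["policy"]:
        problems.append(f"ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    if a["transform"] != b["transform"]:
        problems.append("IPsec transform-set differs")
    for name, side in (("A", a), ("B", b)):
        if side["key_peer"] != side["map_peer"]:
            problems.append(f"{name}: PSK bound to {side['key_peer']} but crypto map peers with {side['map_peer']}")
    if a["key_peer"] != b["local"] or b["key_peer"] != a["local"]:
        problems.append("peer addresses do not point at each other's public interface")
    if set(a["acl"]) != {(p, d, s) for p, s, d in b["acl"]}:
        problems.append("crypto ACLs are not mirror images (src/dst swapped)")
    return problems

def is_interesting(cfg, src, dst):
    """True if src->dst hits a permit line of the crypto ACL, i.e. would enter the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for _, sn, dn in cfg["acl"])

# Constructed sample: the thread's pair, 172.18.3.0/24 <-> 172.18.2.0/24.
SITE_3 = parse_mirror(sdm_mirror("198.51.100.18", "192.0.2.15",
                                 "172.18.3.0 0.0.0.255", "172.18.2.0 0.0.0.255"))
SITE_2 = parse_mirror(sdm_mirror("192.0.2.15", "198.51.100.18",
                                 "172.18.2.0 0.0.0.255", "172.18.3.0 0.0.0.255"))
# The work-around discussed in the thread: spoke .3 only has a tunnel to hub 172.18.1.0/24.
SPOKE_3_TO_HUB = parse_mirror(sdm_mirror("198.51.100.18", "203.0.113.1",
                                         "172.18.3.0 0.0.0.255", "172.18.1.0 0.0.0.255"))

if __name__ == "__main__":
    print("mirror mismatches:", compare_mirrors(SITE_3, SITE_2) or "none")
    print("3.x -> 2.x selected by the spoke-to-hub crypto ACL:",
          is_interesting(SPOKE_3_TO_HUB, "172.18.3.10", "172.18.2.10"))
```

Run it as-is to see the two mirrors agree and the spoke-to-hub ACL ignore the cross-site flow; feed `parse_mirror` the real mirrors (with the obfuscated octets filled in) to check a live pair. The PSK-to-peer and cross-reference checks are the ones worth running first when the only symptom is "no response from the peer", since a key bound to the wrong address, or a crypto map peering with an address the other side does not own, produces exactly that silence with an otherwise clean troubleshooting report.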

Mark,

We have been unsuccessful at bringing the tunnels up. I was trying to come up with a workaround to pass the traffic, since we have tunnels up to a central location. It is time sensitive and we have been beating our heads at the tunnels. I assumed that since both sites have up tunnels to a central site, we could pass the traffic that way. That is where my static route idea came into play. Would you be interested in doing a remote session over the telephone to assist me with this?

I am more than willing to help you (if time permits). Looking back at your configs I see that you are using private IP space for your internal network. There is no way to make this work without a tunnel of some sort. A work around would be to NAT to make this work, and will require much more work than it would be to get your VPN tunnels up and working. I do understand time is not on your side. Shoot me your email address and I'll do my best to help you out.

Mark

matt [at] nexlevelnet [dot] com

I really appreciate your help. I would like to discuss this further, so please e-mail me as soon as time permits. Thanks!
