VPN SITE to SITE Configuration Issue

umairsaulat1
Level 1

Can anyone please check and confirm what the main error in this configuration is?

I need to establish VPN between our offices
--------------------------------------------------------------------------------------------

 

SITE A

Public IP 203.170.74.74
Private 192.168.211.0

SITE B

Public IP 202.141.0.12
Private 192.168.210.0

R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400

R1(config)# crypto isakmp key cisco address 203.170.74.74
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 192.168.211.90 0.0.0.255 192.168.210.90 0.0.0.255
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 203.170.74.74
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP

R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload
R1(config)# access-list 100 remark -=[Define NAT Service]=-
R1(config)# access-list 100 deny ip 192.168.211.90 0.0.0.255 192.168.210.90 0.0.0.255
R1(config)# access-list 100 permit ip 192.168.211.90 0.0.0.255 any
R1(config)# access-list 100 remark

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key cisco address 202.141.0.12
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 192.168.210.90 0.0.0.255 192.168.211.90 0.0.0.255
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 202.141.254.14
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC
R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP

R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload
R2(config)# access-list 100 remark -=[Define NAT Service]=-
R2(config)# access-list 100 deny ip 192.168.210.90 0.0.0.255 192.168.211.90 0.0.0.255
R2(config)# access-list 100 permit ip 192.168.210.90 0.0.0.255 any
R2(config)# access-list 100 remark

 

 

Accepted Solutions

mpalmiero
Level 1

I found what I believe to be two errors in your config.

Your crypto map "set peer" configurations do not match up with the public IP addresses you have listed.

 

Site A should have a "set peer" statement with Site B's public IP address, like so:

R1(config-crypto-map)# set peer 202.141.0.12

 

Site B should be:

R2(config-crypto-map)# set peer 203.170.74.74

 

I believe you have the same problem where you set the "key" for the tunnel.

Site A should have an "address" with Site B's public IP address, like so:

R1(config)# crypto isakmp key cisco address 202.141.0.12

 

Site B should be:

R2(config)# crypto isakmp key cisco address 203.170.74.74

 

I hope I was of help.  It would be a first. (on this forum).



Thank you very much mpalmiero
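
The two mismatches named in the accepted answer above can be checked mechanically before a tunnel is brought up. The following is an added example, not code from the thread or from Cisco: it parses a config excerpt for each site and confirms that `set peer` and the `crypto isakmp key ... address` value both point at the other site's public IP, that the pre-shared keys agree, and that the crypto ACLs mirror each other. The names `parse`, `check_pair`, `site`, `POSTED` and `CORRECTED` are hypothetical, and the config excerpts are constructed from the values posted in the question.

```python
import re

def parse(config):
    """Pull the peer-facing values out of an IOS crypto configuration."""
    key = re.search(r"^\s*crypto isakmp key (\S+) address (\S+)", config, re.M)
    peer = re.search(r"^\s*set peer (\S+)", config, re.M)
    # Only the "permit ip <net> <wildcard> <net> <wildcard>" form is handled.
    acl = re.search(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M)
    return {"psk": key and key.group(1), "key_address": key and key.group(2),
            "peer": peer and peer.group(1), "acl": acl and acl.groups()}

def check_pair(sites):
    """Return findings for a two-site tunnel; an empty list means consistent."""
    (name_a, a), (name_b, b) = sites.items()
    pa, pb = parse(a["config"]), parse(b["config"])
    findings = []
    for name, parsed, remote in ((name_a, pa, b), (name_b, pb, a)):
        for field in ("peer", "key_address"):
            if parsed[field] != remote["public_ip"]:
                findings.append(f"site {name}: {field} is {parsed[field]}, "
                                f"expected {remote['public_ip']}")
    if pa["psk"] != pb["psk"]:
        findings.append("pre-shared keys differ")  # key value is never printed
    mirror = pa["acl"] and (pa["acl"][2:] + pa["acl"][:2])
    if not mirror or pb["acl"] != mirror:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings

def site(public_ip, key_addr, peer, local_net, remote_net):
    """Build a constructed config excerpt shaped like the one in the question."""
    return {"public_ip": public_ip, "config": (
        f"crypto isakmp key cisco address {key_addr}\n"
        "ip access-list extended VPN-TRAFFIC\n"
        f" permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255\n"
        "crypto map CMAP 10 ipsec-isakmp\n"
        f" set peer {peer}\n")}

A_IP, B_IP = "203.170.74.74", "202.141.0.12"
A_NET, B_NET = "192.168.211.90", "192.168.210.90"
# As posted in the question.
POSTED = {"A": site(A_IP, A_IP, A_IP, A_NET, B_NET),
          "B": site(B_IP, B_IP, "202.141.254.14", B_NET, A_NET)}
# With the accepted answer's four corrections applied.
CORRECTED = {"A": site(A_IP, B_IP, B_IP, A_NET, B_NET),
             "B": site(B_IP, A_IP, A_IP, B_NET, A_NET)}

if __name__ == "__main__":
    for label, pair in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, check_pair(pair) or "consistent")
```
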