03-04-2004 08:01 AM - edited 02-21-2020 01:03 PM
Thanks for any suggestions in advance.
I'm attempting to configure a simple VPN between two 2621s over the web. Since I'm fairly new to this, I'm thinking I've probably overlooked something obvious in my configuration.
So without further ado, here it is (IPs changed for security):
Router 1:
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key VPNtunnel address x.x.x.x
!
!
crypto ipsec transform-set TUNNEL0 esp-des esp-md5-hmac
!
crypto map TO-CG local-address FastEthernet0/0
crypto map TO-CG 1 ipsec-isakmp
set peer 4.1.1.164
set transform-set TUNNEL0
match address 100
!
!
!
!
!
interface FastEthernet0/0
description Connection to Internet through DSL
ip address x.1.x.x 255.255.255.248
ip nat outside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
ntp disable
no cdp enable
crypto map TO-CG
!
interface Serial0/0
no ip address
shutdown
no fair-queue
no cdp enable
!
interface FastEthernet0/1
description Connection to Internal Network 1.1.0.0
ip address x.x.x.x 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 3.1.1.9
no ip http server
!
access-list 1 permit 1.1.0.0 0.0.0.255
access-list 100 permit ip 1.1.0.0 0.0.0.255 2.0.0.0 0.0.0.255
access-list 100 permit ip 1.1.0.0 0.0.0.255 any
no cdp run
Router 2:
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key VPNTunnel address x.x.x.x
!
!
crypto ipsec transform-set TUNNEL0 esp-des esp-md5-hmac
!
crypto map CG-TO local-address FastEthernet0/1
crypto map CG-TO 1 ipsec-isakmp
set peer 3.1.1.13
set transform-set TUNNEL0
match address 100
!
!
!
!
!
interface FastEthernet0/0
description Connection
ip address 2.0.0.2 255.255.0.0
ip nat inside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address x.x.x 255.255.255.240
ip nat outside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/1
no ip address
shutdown
!
ip default-gateway 4.1.1.161
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 4.1.1.161
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip 2.0.0.0 0.0.255.255 1.1.0.0 0.0.0.255
access-list 100 permit ip 2.0.0.0 0.0.255.255 any
Each router can see the other's WAN IP and hosts on each internal network can ping the remote router's WAN port. Each router must be able to route both VPN and general Internet traffic.
Do I need a route-map policy? Or is having a standard access-list (for NAT) and an extended access-list (for IPSec) not the solution here?
Thanks!
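The two questions at the end of the post come down to how the NAT access-list and the crypto access-list interact. On IOS the inside-to-outside NAT translation is applied before the crypto map on the outbound interface, so if the NAT list permits the LAN-to-LAN traffic, the packets are translated first and no longer match the crypto ACL; the usual pattern is an extended NAT list that denies the tunnel traffic before the permit, plus crypto ACLs that name only the two LANs (no `any`) and mirror each other on the two peers. The script below is an added example written for this thread, not code from the post or from Cisco: it parses `access-list` lines in the form used above, runs those three checks on the lists as posted (addresses exactly as in the post) and on a constructed corrected pair. The function names, the check logic and the corrected lists are the example's own, and it assumes contiguous wildcard masks.

```python
"""Static sanity checks for the NAT and crypto access-lists of a site-to-site
IPsec pair on Cisco IOS (added example, not Cisco code or the poster's)."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network  # ANY for a standard ACL or the `any` keyword


def _take_network(tokens):
    """Consume one address specification and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) < 2 or not tokens[1][0].isdigit():
        return ipaddress.IPv4Network(tokens[0] + "/32"), tokens[1:]  # bare host
    # IOS wildcard mask: invert it to get the netmask (assumes a contiguous mask)
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.IPv4Network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_access_lists(config_text):
    """Return {acl_number: [Ace, ...]} keeping the order of the entries."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = tokens[1], tokens[2], tokens[3:]
        if rest[0] == "ip":           # extended entry: ip SRC DST
            src, rest = _take_network(rest[1:])
            dst, rest = _take_network(rest)
        else:                         # standard entry: source only
            src, rest = _take_network(rest)
            dst = ANY
        acls.setdefault(number, []).append(Ace(action, src, dst))
    return acls


def crypto_acl_problems(crypto_acl):
    """A permit to `any` in the interesting-traffic ACL pulls all traffic into the tunnel."""
    return [f"{ace.src} -> any is too broad for a crypto ACL"
            for ace in crypto_acl if ace.action == "permit" and ace.dst == ANY]


def mirrored(local_crypto, remote_crypto):
    """True when each permit on one peer is the exact reverse of a permit on the other."""
    local = {(a.src, a.dst) for a in local_crypto if a.action == "permit"}
    remote = {(a.dst, a.src) for a in remote_crypto if a.action == "permit"}
    return local == remote


def nat_exempts_tunnel(nat_acl, crypto_acl):
    """True when no tunnel flow can reach a permit in the NAT ACL (first match wins)."""
    for flow in (a for a in crypto_acl if a.action == "permit"):
        for ace in nat_acl:
            touches = flow.src.overlaps(ace.src) and flow.dst.overlaps(ace.dst)
            covers = flow.src.subnet_of(ace.src) and flow.dst.subnet_of(ace.dst)
            if ace.action == "permit" and touches:
                return False          # some tunnel traffic would be translated
            if ace.action == "deny" and covers:
                break                 # the whole flow is exempted by this entry
        # no match at all is the implicit deny: not translated, so acceptable
    return True


# Access-lists as posted for Router 1 and Router 2 (addresses as in the post)
ROUTER1 = """
access-list 1 permit 1.1.0.0 0.0.0.255
access-list 100 permit ip 1.1.0.0 0.0.0.255 2.0.0.0 0.0.0.255
access-list 100 permit ip 1.1.0.0 0.0.0.255 any
"""
ROUTER2 = """
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip 2.0.0.0 0.0.255.255 1.1.0.0 0.0.0.255
access-list 100 permit ip 2.0.0.0 0.0.255.255 any
"""
# Constructed corrected pair: NAT list 101 denies the tunnel traffic before the
# permit, crypto list 100 names only the two LANs, and the two sides mirror.
ROUTER1_FIXED = """
access-list 101 deny ip 1.1.0.0 0.0.0.255 2.0.0.0 0.0.255.255
access-list 101 permit ip 1.1.0.0 0.0.0.255 any
access-list 100 permit ip 1.1.0.0 0.0.0.255 2.0.0.0 0.0.255.255
"""
ROUTER2_FIXED = """
access-list 101 deny ip 2.0.0.0 0.0.255.255 1.1.0.0 0.0.0.255
access-list 101 permit ip 2.0.0.0 0.0.255.255 any
access-list 100 permit ip 2.0.0.0 0.0.255.255 1.1.0.0 0.0.0.255
"""


def check_pair(config_a, config_b, nat_acl="1", crypto_acl="100"):
    """Run the three checks on a pair of configs and return the results."""
    a, b = parse_access_lists(config_a), parse_access_lists(config_b)
    return {
        "crypto_problems": crypto_acl_problems(a[crypto_acl]) + crypto_acl_problems(b[crypto_acl]),
        "mirrored": mirrored(a[crypto_acl], b[crypto_acl]),
        "nat_exempts_tunnel": nat_exempts_tunnel(a[nat_acl], a[crypto_acl])
                              and nat_exempts_tunnel(b[nat_acl], b[crypto_acl]),
    }


if __name__ == "__main__":
    print("as posted:", check_pair(ROUTER1, ROUTER2))
    print("fixed:    ", check_pair(ROUTER1_FIXED, ROUTER2_FIXED, nat_acl="101"))
```

Run against the lists as posted, all three checks fail: both crypto lists end in a permit to `any`, the two lists are not mirror images (one side names 2.0.0.0/24, the other 2.0.0.0/16), and NAT list 1 on Router 1 translates the LAN-to-LAN traffic before the crypto map sees it. The corrected pair passes all three, which is the same effect a route-map would achieve here but with a plain extended access-list on the `ip nat inside source list` line. Applying the corrected lists would mean replacing `list 1` with `list 101` in that command on each router.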
03-04-2004 02:37 PM
You don't seem to have applied the crypto map to interface fast0/1 on router 2
03-05-2004 08:21 AM
Sorry, my mistake, that was a copy/paste error - it actually is applied to the interface, but still no go.