Re: Dynamic-to-Static Router-to-Router Problem

mmaxel · ‎06-24-2005

Hello. I've setup my two routers (1751 and 831) with the document "Configuring Router-to-Router Dynamic-to-Static IPSec with NAT" at http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

However, "sh crypto isakmp sa" never shows a connection and when I turn on the crypto debugging (ipsec, isakmp and engine) I never see ANY messages. I can ping the internet IPs from each other, so that's not the problem. The only difference from the documentation is that for the dynamic IP I'm using PPPoE on a DSL connection to get it, so I have a Dialer interface over the Ethernet to handle the PPPoE.

Thanks for any help you can give me.

Richard Burts · ‎06-26-2005

Based on the example in the link and on your description of your situation I can think of 4 areas in which there could be a problem that would produce the symptoms that you describe.

- 1) ip connectivity problems between the routers.

- 2) problems with the PPPoE, or Dialer interface.

- 3) problems with the IPSec configuration.

- 4) problems with the NAT configuration.

You say that you can ping the internet IPs (I assume you mean the outside or public) address of each router. And I think you are saying that you can ping from remote to hub and from hub to remote. So 1) is probably not the issue.

If you can access the internet and can ping from the remote to the hub then 2) is probably not the issue.

If you say that you are not seeing any crypto activity then I suspect that 3) is the problem. For this implementation the connection is initiated by the remote. So it is particularly important to do debugs and other diagnostics on the remote. Would you post the output of debugs for isakmp (as a start)? It would also be helpful if you would post the configs of both routers.

HTH

Rick

HTH

Rick