
IPSEC VPN CONNECTION BETWEEN CISCO ROUTER 1921 and CYBEROAM

chrismtove
Level 1

Hi Guys

I have been working on this Cisco router to configure an IPsec VPN between a Cisco 1921 router and a Cyberoam 750i. The configs are as attached in the documents. Unfortunately I can't ping between the devices; the tunnel cannot be established.

What is wrong with the configs and what will be the possible solution? Help me out, please.

Thanks in advance

 

 

1 Reply 1

Hi Chris,

 

I saw the VPN configuration on the router:

Phase 2:
crypto map TAAMAP 10 ipsec-isakmp
 set peer 41.59.251.110
 set security-association lifetime seconds 86400
 set transform-set TAASONGWE
 set pfs group2
 match address L2L
crypto ipsec transform-set TAASONGWE esp-3des esp-md5-hmac
ip access-list extended L2L
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip nat inside source list 100 interface GigabitEthernet0/1 overload
access-list 100 permit ip any any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
Phase 1:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key taasongwe address 41.59.251.110

 

This is matching at phase 1 and phase 2 effectively. Make sure that on both sides it is using Main mode, not the quick mode. Also, I noticed your NAT is not set up correctly; you are missing a NAT exempt:

 

ip nat inside source list 100 interface GigabitEthernet0/1 overload
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any

 

After this, take this output:

* show crypto isakmp sa --> so we can see the status

* show crypto ipsec sa --> to see phase 2 if the SAs are formed

Also, running debugs works:

* debug crypto condition peer <peer IP address>

* debug crypto isakmp 

* debug crypto ipsec

 

Please proceed to rate this and mark it as correct if it helped you!

 

David Castro,

 

Regards,
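
Added example (not part of the original thread): a small Python model of first-match ACL evaluation, showing why the original list 100 translates LAN-to-remote-LAN traffic and the list with the leading deny exempts it. IOS applies NAT before the crypto map check on outbound traffic, so a translated packet no longer matches the L2L ACL and is never encrypted. The host addresses 192.168.2.10, 192.168.1.20 and 203.0.113.5 are constructed samples; the function names are hypothetical.

```python
import ipaddress

def _net(tokens, i):
    """Parse 'any' or '<addr> <wildcard>' at tokens[i]; return ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2

def parse_acl(text):
    """Turn 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _net(t, 4)
        dst, _ = _net(t, i)
        entries.append((t[2], src, dst))
    return entries

def _match(ip, net):
    addr, wild = net
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def is_natted(acl, src_ip, dst_ip):
    """First matching entry wins; no match is the implicit deny (packet is not translated)."""
    for action, src, dst in acl:
        if _match(src_ip, src) and _match(dst_ip, dst):
            return action == "permit"
    return False

# List 100 as originally configured on the router
ORIGINAL = parse_acl("""
access-list 100 permit ip any any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
""")
# List 100 with the NAT exempt entry from the reply placed first
CORRECTED = parse_acl("""
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
""")

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, "VPN traffic NATed:", is_natted(acl, "192.168.2.10", "192.168.1.20"),
              "| Internet traffic NATed:", is_natted(acl, "192.168.2.10", "203.0.113.5"))
```

The deny entry only has an effect because it precedes `permit ip any any`; appended after it, the entry would never be reached.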