03-21-2012 07:56 AM
Hi all, I'm having problems with my VPN: the tunnel is up but I cannot get to the far end. When I trace to an IP address at the far end, it times out after it hits my VLAN interface on my switch.
Configurations are as follows:
RVS4000
Local Group Setup Local Security Gateway Type: IP Only
IP address: xxx.xxx.141.69
Local Security Group Type: Subnet
IP Address: 192.168.4.8
Subnet Mask: 255.255.255.248
--------------------------------------------------------------------------------
Remote Group Setup Remote Security Gateway Type: IP Only
Remote Security Group Type: IP Addr
IP Address: xxx.xxx.208.10
Remote Security Type: Subnet
IP Address: 172.16.0.0
Subnet Mask: 255.240.0.0
------------------------------------------------------------------------------
IPSec Setup Keying Mode: IKE with Preshared key
Phase 1:
Encryption: 3DES
Authentication: SHA1
Group: 1024-bit
Key Life Time: 28800Sec.
Phase 2:
Encryption: 3DES
Authentication: SHA1
Perfect Forward Secrecy: Disable
Group: 1024-bit
Status UP
Switch Configuration
Vlan4 192.168.4.14 YES NVRAM up up
interface FastEthernet0/36
description *****WORKS NETWORK*****
switchport access vlan 4
switchport mode access
switchport port-security maximum 3
switchport port-security aging time 1
switchport port-security violation protect
speed 100
duplex full
interface FastEthernet0/44
description *****UPLINK TO RVS4000 WORK*****
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
192.168.4.0/29 is subnetted, 1 subnets
C 192.168.4.8 is directly connected, Vlan4
C 192.168.5.0/24 is directly connected, Vlan3
10.0.0.0/24 is subnetted, 1 subnets
C 10.50.50.0 is directly connected, Vlan2
C 192.168.3.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 192.168.3.254
Can anybody help with me connecting to my works 172 network please?
Many thanks
Martyn
03-21-2012 08:46 AM
Martyn,
We need the configuration from both sides of the tunnel. Just displaying one side wouldn't give us enough information for a problem.
Most likely it's not going to be a problem on the RVS4000, since we have limited configuration/options we can change. If the other router is an enterprise device I would call TAC and open a case. I had a similar case where a Cisco 871 had asynchronous routing configured and was causing a similar problem.
Looking at your traffic selection for the remote security group, I see you are using /12, which is a huge amount of traffic selection to send across the tunnel and would affect Internet access to certain sites behind the RVS. Normally this will only include a /24, maybe a /21 for larger networks.
Please provide more details so we can find a solution or point you in the right direction like opening a case with TAC.
Jasbryan
03-21-2012 09:55 AM
Thanks for your reply. Yes, the other side is an ASA 5540; below is my configuration on there.
Local Network: 172.16.0.0/12
Remote Network: 192.168.4.8/29
Crypto Map
PFS Disabled
NAT-T: enabled
Time: 8.0.0 hh.mm.ss
Traffic Volume: 4608000
Ike Neg Mode: Main
Tunnel Group:
Ike Peer ID Validation: Required
Monitor Keepalives: 10 seconds intervals with 2 seconds retry
IPsec Protocol: Enabled
Does this give you enough information or would you like to see other configuration settings?
Thanks again
Martyn
03-21-2012 10:02 AM
Please give me a copy of the phase 1 policy (IKE), phase 2 policy and ACL attached to your crypto map policy for the RVS4000. It's best if we can see all information for the tunnel.
You can mask public ip addresses.
What's your phase 2 key lifetime on RVS4000?
Jasbryan
03-22-2012 03:02 PM
Sorry for the delay, mad day at work.
I hope this is the required info.
access-list VLAN-773_Outside_81_cryptomap extended permit ip 172.16.0.0 255.240.0.0 192.168.4.8 255.255.255.248
crypto map VLAN-773_Outside_map 81 match address VLAN-773_Outside_81_cryptomap
crypto map VLAN-773_Outside_map 81 set peer 217.137.xxx.xx
crypto map VLAN-773_Outside_map 81 set transform-set ESP-3DES-SHA
tunnel-group 217.137.xxx.xx type ipsec-l2l
tunnel-group 217.137.xxx.xx general-attributes
default-group-policy lan2lan
tunnel-group 217.137.xxx.xx ipsec-attributes
pre-shared-key *****
group-policy lan2lan internal
group-policy lan2lan attributes
vpn-filter none
vpn-tunnel-protocol IPSec svc
If you require more, please let me know.
Regards
Martyn
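An added check, not part of the thread and not Cisco's code, that covers the two questions raised above: whether the ASA crypto ACL Martyn posted is the exact mirror of the RVS4000's local/remote security groups (the phase 2 traffic selection Jasbryan asked about), and which entry in the switch's posted routing table a packet to the 172.16.0.0/12 side would actually use. The ACL, the RVS4000 subnets and the routing table lines are copied from the posts; the far-end host 172.16.10.10 is a constructed address inside 172.16.0.0/12, and 192.168.4.14 is the switch's Vlan4 address as posted.

```python
import ipaddress
import re

# Copied from the thread: crypto ACL posted for the ASA 5540 side.
ASA_CRYPTO_ACL = (
    "access-list VLAN-773_Outside_81_cryptomap extended permit ip "
    "172.16.0.0 255.240.0.0 192.168.4.8 255.255.255.248"
)

# RVS4000 local/remote security groups as posted (address/subnet mask).
RVS_LOCAL = ipaddress.ip_network("192.168.4.8/255.255.255.248")
RVS_REMOTE = ipaddress.ip_network("172.16.0.0/255.240.0.0")

# Switch routing table as posted in the thread ("show ip route" style output).
SWITCH_ROUTES = """\
192.168.4.0/29 is subnetted, 1 subnets
C 192.168.4.8 is directly connected, Vlan4
C 192.168.5.0/24 is directly connected, Vlan3
10.0.0.0/24 is subnetted, 1 subnets
C 10.50.50.0 is directly connected, Vlan2
C 192.168.3.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 192.168.3.254
"""

ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)\s*$")
SUBNETTED_RE = re.compile(r"^\S+/(\d+) is subnetted")
ROUTE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+"
    r"(?:\[[^\]]*\]\s+)?(?:is directly connected, (\S+)|via (\S+))"
)


def parse_asa_crypto_acl(line):
    """Return (source_net, destination_net) from an ASA 'permit ip' ACE.
    ASA ACLs carry subnet masks (not IOS wildcard masks), so the mask can be
    handed to ipaddress as-is."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError("not a 'permit ip <src> <mask> <dst> <mask>' entry")
    src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
    return src, dst


def selectors_mirror(asa_acl, rvs_local, rvs_remote):
    """True when the ASA src/dst pair mirrors the RVS4000 local/remote pair;
    phase 2 only comes up cleanly when both peers agree on this."""
    asa_src, asa_dst = parse_asa_crypto_acl(asa_acl)
    return asa_src == rvs_remote and asa_dst == rvs_local


def is_interesting(src_ip, dst_ip, local, remote):
    """Would a packet src -> dst be selected for the tunnel by the RVS4000?"""
    return (ipaddress.ip_address(src_ip) in local
            and ipaddress.ip_address(dst_ip) in remote)


def parse_ios_routes(text):
    """Parse 'show ip route' lines into (network, code, next_hop_or_interface).
    'x.x.x.x/N is subnetted' headers give the prefix length for the classful
    entries listed under them."""
    routes, pending_len = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBNETTED_RE.match(line)
        if m:
            pending_len = int(m.group(1))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code, addr, plen, iface, nexthop = m.groups()
        plen = plen if plen is not None else pending_len
        routes.append((ipaddress.ip_network(f"{addr}/{plen}"), code, iface or nexthop))
    return routes


def lookup_route(routes, dst_ip):
    """Longest-prefix match: the entry the switch would really forward on."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def analyse(src_ip, dst_ip):
    """Run both checks for one flow as seen at the switch."""
    routes = parse_ios_routes(SWITCH_ROUTES)
    return {
        "selectors_mirror": selectors_mirror(ASA_CRYPTO_ACL, RVS_LOCAL, RVS_REMOTE),
        "interesting": is_interesting(src_ip, dst_ip, RVS_LOCAL, RVS_REMOTE),
        "switch_route": lookup_route(routes, dst_ip),
    }


if __name__ == "__main__":
    # 172.16.10.10 is a constructed far-end host inside 172.16.0.0/12.
    for src in ("192.168.4.14", "192.168.5.7"):
        r = analyse(src, "172.16.10.10")
        net, code, via = r["switch_route"]
        print(f"{src} -> 172.16.10.10: selectors mirror={r['selectors_mirror']}, "
              f"interesting={r['interesting']}, switch route {code} {net} via {via}")
```

On the posted data the selector check passes (172.16.0.0/12 <-> 192.168.4.8/29 on both sides) and a packet from the Vlan4 address 192.168.4.14 is inside the /29, while one from the 192.168.5.0/24 VLAN is not. The route lookup shows that the only entry in the posted table covering 172.16.0.0/12 is the default route via 192.168.3.254 on Vlan1, so that next hop is where the traceroute leaves the switch; checking that first is cheaper than reopening the IKE settings on either peer.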
03-23-2012 08:56 AM
Does this help you at all?
Thanks, Martyn
Sent from Cisco Technical Support iPad App
03-30-2012 09:05 AM
Any further help on this would be great... thanks
03-30-2012 09:46 AM
Marty,
I know the problem will be over on the IOS router configuration, as we have a limited amount of information we can change in the small business device. It would be good to get a case started with TAC, and after they review the settings have them 3-way SBSC and we'll work together to get this issue resolved for you.
Jasbryan