
Cisco 887 VPN to Billion Router

Johnblake2948 (Level 1)

Hi guys, I'm trying to work out how to create a site-to-site VPN tunnel to a Billion router.

The main office originally had a Billion router and the Cisco has been used in its place.

I have tried to duplicate the settings in the Cisco to connect to the other Billion but have had no success.

I have attached a snapshot of the original config of the tunnel that used to be the primary router and below is my current config.

Can someone please have a look and hit me over the head.

With this config below I can see the tunnels attempt to negotiate but they never come up.

 

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MALG
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
!
!
!
!
!
aaa session-id common
clock timezone Perth 8 0
!
crypto pki trustpoint TP-self-signed-4079136762
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4079136762
 revocation-check none
 rsakeypair TP-self-signed-4079136762
!
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.151 192.168.0.254
!
ip dhcp pool ccp-pool
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254 
 dns-server 192.168.0.254 
 lease 0 8
!
!
!
ip domain name yourdomain.com
ip name-server 203.0.178.191
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn FGL1905222U
!
        
!
controller VDSL 0
!
! 
crypto ctcp port 10000 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mykey address 202.76.167.206 
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac 
 mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 202.76.167.206
 set transform-set TS 
 match address VPN-TRAFFIC
!
!
!
!
!
interface ATM0
 description ------ IINET ADSL ----
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  tx-ring-limit 3
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 description $ETH-WAN$
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXXXXX password 0 XXXXXXX
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
 crypto map CMAP
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.141.0 0.0.0.255
!
ip sla auto discovery
access-list 1 permit 192.185.167.252
access-list 1 permit 101.169.255.250
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.141.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark 
access-list 101 remark CCP_ACL Category=2
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 66.219.116.140 prefer source Dialer0

Output from a show crypto session gives the below

 

Crypto session current status

Interface: Dialer0
Session status: DOWN-NEGOTIATING
Peer: 202.76.167.206 port 500 
  IKEv1 SA: local 203.59.131.105/500 remote 202.76.167.206/500 Inactive 
  IKEv1 SA: local 203.59.131.105/500 remote 202.76.167.206/500 Inactive 
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.141.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

And a show crypto ipsec sa gives

 

interface: Dialer0
    Crypto map tag: CMAP, local addr 203.59.131.105

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.141.0/255.255.255.0/0/0)
   current_peer 202.76.167.206 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 143, #recv errors 0

     local crypto endpt.: 203.59.131.105, remote crypto endpt.: 202.76.167.206
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
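Before reaching for debug crypto isakmp, it is worth linting a config like the one above for the handful of things that keep a crypto-map tunnel stuck in DOWN-NEGOTIATING, and for what a security review would flag anyway. The script below is an added example, not Cisco's code and not the poster's; it parses a constructed excerpt of the posted config (embedded inline, addresses as posted) using a simplified view of IOS syntax (top-level commands plus their indented sub-commands), which is my own assumption rather than a full config grammar. It checks that each crypto map is bound to an interface, that every set peer has a pre-shared key, and that every permit in the crypto ACL is mirrored by a deny in the NAT ACL (otherwise packets are translated before the crypto map can match them), then flags 3DES/MD5/DH group 2, the vty access-class 23 that names an ACL the config never defines, telnet on the vty lines, no service password-encryption and ip http server.

```python
"""Lint an IOS crypto-map site-to-site config for common tunnel killers (added example)."""
import re
from typing import List, Tuple

# Constructed excerpt of the running-config posted above (addresses as posted).
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key mykey address 202.76.167.206
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 202.76.167.206
 set transform-set TS
 match address VPN-TRAFFIC
interface Dialer0
 crypto map CMAP
ip http server
ip nat inside source list 100 interface Dialer0 overload
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.141.0 0.0.0.255
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.141.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
line vty 0 4
 access-class 23 in
 transport input telnet ssh
"""
WEAK_TOKENS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_LINES = {"group 1", "group 2"}  # DH groups below current guidance


def parse_blocks(cfg: str) -> List[Tuple[str, List[str]]]:
    """Split config text into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(cfg: str) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    def norm(s: str) -> str:
        return re.sub(r"\s+", " ", s.strip())
    blocks = parse_blocks(cfg)
    tops = [t for t, _ in blocks]
    maps = [(t, subs) for t, subs in blocks if t.startswith("crypto map ")]
    out: List[str] = []
    # 1. A crypto map that is not bound to an interface never negotiates.
    applied = {s.split()[2] for t, subs in blocks if t.startswith("interface ")
               for s in subs if s.startswith("crypto map ")}
    for t, _ in maps:
        if t.split()[2] not in applied:
            out.append(f"{t}: map not applied to any interface")
    # 2. Each 'set peer' needs a pre-shared key for that address, and 3. the
    #    crypto ACL must exist with every permit denied in the NAT ACL, or the
    #    packets are translated before the crypto map can match them.
    keyed = {m.group(1) for t in tops
             if (m := re.match(r"crypto isakmp key \S+ address (\S+)", t))}
    named = {t.split()[-1]: subs for t, subs in blocks if t.startswith("ip access-list ")}
    nat_ids = {m.group(1) for t in tops
               if (m := re.match(r"ip nat inside source list (\S+)", t))}
    nat_denies = {norm(t.split(" deny ", 1)[1]) for t in tops
                  for n in nat_ids if t.startswith(f"access-list {n} deny ")}
    for t, subs in maps:
        for s in subs:
            if s.startswith("set peer ") and s.split()[2] not in keyed:
                out.append(f"{t}: no isakmp key for peer {s.split()[2]}")
            if s.startswith("match address "):
                acl = s.split()[2]
                if acl not in named:
                    out.append(f"{t}: crypto ACL {acl} is not defined")
                    continue
                for e in named[acl]:
                    if e.startswith("permit ") and norm(e[7:]) not in nat_denies:
                        out.append(f"{t}: '{e}' in {acl} is not exempted from NAT")
    # 4. Legacy algorithms: flag every line that selects one.
    for line in tops + [s for _, subs in blocks for s in subs]:
        if line in WEAK_LINES or WEAK_TOKENS & set(line.split()):
            out.append(f"weak algorithm: {line}")
    # 5. Management plane: an access-class naming an undefined ACL restricts
    #    nothing, and telnet sends the login in clear.
    numbered = {t.split()[1] for t in tops if t.startswith("access-list ")}
    for t, subs in blocks:
        if not t.startswith("line vty"):
            continue
        for s in subs:
            if s.startswith("access-class ") and s.split()[1] not in numbered:
                out.append(f"{t}: access-class {s.split()[1]} names an undefined ACL")
            if s.startswith("transport input") and "telnet" in s.split():
                out.append(f"{t}: telnet enabled")
    if "no service password-encryption" in tops:
        out.append("no service password-encryption: secrets readable in the config")
    if "ip http server" in tops:
        out.append("ip http server: clear-text HTTP management enabled")
    return out


if __name__ == "__main__":
    print(*lint(SAMPLE_CONFIG), sep="\n")
```

Run against the posted excerpt it reports nothing structural (the map is bound, the key matches the peer, and access-list 100 does deny the VPN traffic before NAT), which is consistent with the tunnel at least attempting to negotiate; what it does print is the legacy 3DES/MD5/group 2 selection and the management-plane issues, which are worth fixing once the tunnel is up.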

rizwanr74 (Level 7)

Hi there,

 

Your config looks fine.

Try this though.

 

crypto ipsec transform-set TS esp-3des esp-md5-hmac 
 no mode tunnel

 

crypto map CMAP 10 ipsec-isakmp
 reverse-route

 

Thanks

Rizwan Rafeek

 

Thanks for the response.

I was working on this over a weekend remotely and frustration was showing. After many hair-pulling hours I decided to sit back, have a coffee and listen to some nice Bach.

It was during this retreat I had an epiphany and decided I should check the other end, namely the Billion router. Lo and behold, I found my problem.

At some time during the night, whilst I was configuring the Cisco, the Billion router in the Melbourne office had been subjected to an electrical spike (from the storm activity). It survived but was locked up.

On the Monday when staff were once again on-site it was power cycled and voilà. The tunnels formed and there was activity.

So there are many morals to the story but I think I'll just take away one reminder.... The K.I.S.S. principle.

Again, thanks for taking the time to look. I'll now try the peanut butter solution and see if any of my hair will grow back :)
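The two show outputs in the original post already said what the thread eventually found out the hard way: the local router was initiating and nothing was coming back. The script below is an added example, not Cisco's code and not the poster's; it parses constructed copies of the posted show crypto session and show crypto ipsec sa output (embedded inline, values as posted, trimmed) and classifies the failure. The rule it encodes is my own: both IKEv1 SAs Inactive, zero decrypts, zero receive errors and no inbound ESP SA, while the flow carries ipsec_sa_request_sent and a non-zero send-error count, means the peer is not answering at all (check the remote device and UDP/500 reachability before touching local policy), whereas an Active IKE SA with zero active IPsec SAs points at a phase 2 mismatch instead. The state codes and field names are assumptions for this example.

```python
"""Read 'show crypto session' / 'show crypto ipsec sa' and say why a tunnel is down (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the two outputs in the original post (values as posted, trimmed).
SHOW_SESSION = """\
Interface: Dialer0
Session status: DOWN-NEGOTIATING
Peer: 202.76.167.206 port 500
  IKEv1 SA: local 203.59.131.105/500 remote 202.76.167.206/500 Inactive
  IKEv1 SA: local 203.59.131.105/500 remote 202.76.167.206/500 Inactive
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.141.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""
SHOW_IPSEC_SA = """\
interface: Dialer0
    Crypto map tag: CMAP, local addr 203.59.131.105
   current_peer 202.76.167.206 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 143, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""


@dataclass
class TunnelState:
    peer: Optional[str] = None
    status: Optional[str] = None
    ike_states: List[str] = field(default_factory=list)
    active_sas: int = 0
    flags: List[str] = field(default_factory=list)
    pkts_encrypt: int = 0
    pkts_decrypt: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    inbound_esp_spis: List[str] = field(default_factory=list)


def parse(session_text: str, ipsec_text: str) -> TunnelState:
    """Pull the fields that matter for triage out of the two show outputs."""
    st = TunnelState()
    if m := re.search(r"^Peer: (\S+)", session_text, re.M):
        st.peer = m.group(1)
    if m := re.search(r"^Session status: (\S+)", session_text, re.M):
        st.status = m.group(1)
    st.ike_states = re.findall(r"IKEv1 SA: .*?\b(Active|Inactive)\s*$", session_text, re.M)
    if m := re.search(r"Active SAs: (\d+)", session_text):
        st.active_sas = int(m.group(1))
    if m := re.search(r"flags=\{([^}]*)\}", ipsec_text):
        st.flags = [f for f in m.group(1).split(",") if f]
    for attr, pat in (("pkts_encrypt", r"#pkts encrypt: (\d+)"),
                      ("pkts_decrypt", r"#pkts decrypt: (\d+)"),
                      ("send_errors", r"#send errors (\d+)"),
                      ("recv_errors", r"#recv errors (\d+)")):
        if m := re.search(pat, ipsec_text):
            setattr(st, attr, int(m.group(1)))
    section = None  # collect SPIs under 'inbound esp sas:' until the next 'sas:' header
    for line in ipsec_text.splitlines():
        line = line.strip()
        if line.endswith("sas:"):
            section = line
        elif section == "inbound esp sas:" and (m := re.search(r"spi: (0x[0-9A-Fa-f]+)", line)):
            st.inbound_esp_spis.append(m.group(1))
    return st


def diagnose(st: TunnelState) -> Tuple[str, str]:
    """Return (code, explanation). Order matters: rule out 'up', then 'no reply'."""
    ike_up = "Active" in st.ike_states
    nothing_back = st.recv_errors == 0 and st.pkts_decrypt == 0 and not st.inbound_esp_spis
    if st.status == "UP-ACTIVE" and st.active_sas > 0:
        return "UP", f"{st.active_sas} IPsec SAs with {st.peer}"
    if not ike_up and nothing_back:
        if "ipsec_sa_request_sent" in st.flags or st.send_errors > 0:
            return "NO_PEER_RESPONSE", (
                f"interesting traffic triggered an IKE request to {st.peer} "
                f"({st.send_errors} send errors, i.e. packets dropped with no SA) but "
                "nothing came back: confirm the peer is up and UDP/500 reaches it "
                "before changing local policy")
        return "NO_INTERESTING_TRAFFIC", "nothing matched the crypto ACL; nothing was initiated"
    if ike_up and st.active_sas == 0:
        return "PHASE2_FAILING", "IKE SA is up; check transform-set, crypto ACL mirroring and PFS"
    return "INDETERMINATE", f"status {st.status}, IKE {st.ike_states}, SAs {st.active_sas}"


if __name__ == "__main__":
    code, why = diagnose(parse(SHOW_SESSION, SHOW_IPSEC_SA))
    print(code, "-", why)
```

On the posted output this returns NO_PEER_RESPONSE, which is the locked-up Billion router; the same parse would have turned the suggested transform-set and reverse-route changes into a second question rather than the first one.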