12-24-2012 02:27 PM - edited 03-04-2019 06:29 PM
Hi,
I am trying to create an Easy VPN on a Cisco 881 router. I have configured it successfully and am able to log in too, but unfortunately I am not able to ping or communicate with any computers on the VPN LAN network.
Can anyone tell me where I am going wrong? Below is the config I have done.
interface loopback0 172.16.0.1
aaa new-model
aaa authentication login auth local
aaa authorization network auth local
ip local pool xyz 172.16.0.2 172.16.0.10
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xyz
acl 101
key compaq
pool xyz
domain cisco.com optional
! the profile name on the next line is one word
crypto isakmp profile isakmp-p
match identity group xyz
virtual-template 1
isakmp authorization auth
client authentication auth
client configuration address respond
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode transport
crypto ipsec profile S-S
set transform-set TS
set isakmp-profile isakmp-p
interface virtual-template 1 type tunnel
ip unnumbered fa0/0
tunnel protection ipsec profile S-S
tunnel mode ipsec ipv4
tunnel source fa0/0
Thanks in advance,
12-24-2012 02:54 PM
Hi Jeevan,
Try with this configuration:
aaa new-model
aaa authentication login auth local
aaa authorization network auth local
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xyz
key compaq
pool xyz
acl 101
! the profile name on the next line is one word
crypto isakmp profile isakmp-p
match identity group xyz
client authentication list auth
isakmp authorization list auth
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
!
crypto ipsec profile S-S
set transform-set TS
set isakmp-profile isakmp-p
!
!
interface Virtual-Template1 type tunnel
ip unnumbered FA0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile S-S
!
!
ip local pool xyz 172.16.0.2 172.16.0.10
!
access-list 101 permit ip X.X.X.X Y.Y.Y.Y any
Where X.X.X.X is your LAN computers' segment and Y.Y.Y.Y is the wildcard mask for that segment.
Your current ACL is wrong because the source address must be your LAN computers' segment, not the VPN client IP addresses.
If it is useful, please rate.
Best regards.
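As an added, end-to-end example (not configuration from this thread or from Cisco), here is the Easy VPN server built the way the reply above describes: a dynamic virtual-template interface, the split-tunnel ACL sourced from the protected LAN rather than from the client pool, and the commands to verify it afterwards. It assumes the LAN behind the 881 is 192.168.1.0/24, that the WAN port is FastEthernet4 (the thread wrote fa0/0, which an 881 does not have; substitute the real interface), and placeholder values for the local user and the group key. The 3DES/MD5 settings from the thread are replaced with AES-256 and SHA-1; DH group 2 is kept only for compatibility with the legacy Easy VPN client, so prefer a stronger group where the client allows it.

```cisco
! Added example: Easy VPN server with a dynamic VTI; LAN 192.168.1.0/24 is assumed
aaa new-model
aaa authentication login auth local
aaa authorization network auth local
! local user for Xauth; the password is a placeholder
username vpnuser secret <user-password>
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xyz
 key <group-key>
 pool xyz
 acl 101
!
! spell and case the profile name identically where it is referenced below
crypto isakmp profile isakmp-p
 match identity group xyz
 client authentication list auth
 isakmp authorization list auth
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile S-S
 set transform-set TS
 set isakmp-profile isakmp-p
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile S-S
!
ip local pool xyz 172.16.0.2 172.16.0.10
!
! Split-tunnel ACL: the SOURCE is the LAN the client must reach through the tunnel,
! not the pool the client is assigned an address from
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! Verification once a client has connected:
!   show crypto session detail              one IKE SA and one IPsec SA per client
!   show crypto ipsec sa                    encaps/decaps counters rising while pinging
!   show ip local pool xyz                  the address handed to the client
!   show ip route | include Virtual-Access  host route for that address via Virtual-AccessN
```

Two things outside this fragment commonly produce exactly the symptom in the question (client connects, nothing answers). If the router also does NAT overload on the WAN interface, the LAN's replies toward 172.16.0.0/24 must be excluded from translation (a deny for 192.168.1.0/24 to the pool in the NAT ACL or route-map), otherwise they are translated and never reach the tunnel. And a host firewall on the LAN computers frequently drops ICMP echo from a non-local subnet, so confirm with a TCP service as well as ping.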
01-01-2013 04:04 AM
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address 10.10.10.10
! set your key instead of XXX; it must match the remote site. Then enter the address of your peer.
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ZZZ esp-3des esp-md5-hmac
!
crypto map YYY local-address <<
crypto map YYY 10 ipsec-isakmp
set peer 10.10.10.10
set transform-set ZZZ
match address 101
interface <<
crypto map YYY
! 11.11.11.11 and 22.22.22.22 are the remote users (single hosts, so "host" rather than a wildcard)
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 11.11.11.11
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 22.22.22.22
After that, configure NAT with the required access-list.
For troubleshooting
show crypto ipsec sa peer 10.10.10.10
show crypto session
I hope your IPsec site-to-site VPN tunnel is working fine.
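IOS access lists take wildcard masks, not subnet masks: a 1 bit in the wildcard means "don't care", so a single remote host is written `host 11.11.11.11` (wildcard 0.0.0.0), a wildcard of 255.255.255.255 matches every address, and a split-tunnel ACL whose source is the client pool rather than the LAN (as in the original question) describes no LAN traffic at all. The following Python model of that matching is an added example, not code from this thread or from Cisco; the 192.168.1.0/24 LAN and the flows are constructed for illustration, and it also derives the wildcard mask for a prefix, which is what the earlier reply's "Y.Y.Y.Y" placeholder asks for.

```python
from __future__ import annotations

import ipaddress


def prefix_to_wildcard(cidr: str) -> tuple[str, str]:
    """Turn '192.168.1.0/24' into the (address, wildcard) pair an IOS ACL uses.
    The wildcard is the bitwise inverse of the subnet mask."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """IOS semantics: candidate matches when every bit NOT set in the wildcard
    agrees with the configured address."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = ~w & 0xFFFFFFFF  # bits that must agree
    return (c & care) == (a & care)


def _parse_spec(tokens: list[str], i: int) -> tuple[str, str, int]:
    """Read one address spec ('any', 'host X', or 'X WILDCARD') at tokens[i].
    Returns (address, wildcard, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tok, tokens[i + 1], i + 2


def ace_matches(ace: str, src: str, dst: str) -> bool:
    """True if the flow src -> dst is selected by an
    'access-list N permit ip SRC DST' entry (the only form modelled here)."""
    tokens = ace.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported entry: {ace}")
    s_addr, s_wc, i = _parse_spec(tokens, 4)
    d_addr, d_wc, _ = _parse_spec(tokens, i)
    return wildcard_matches(s_addr, s_wc, src) and wildcard_matches(d_addr, d_wc, dst)


def selected_flows(ace: str, flows: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the subset of (src, dst) flows the entry would send into the tunnel."""
    return [f for f in flows if ace_matches(ace, *f)]


# Constructed sample flows: a LAN host talking to the two remote users, to the
# Internet, and a non-LAN host talking to a remote user.
FLOWS = [
    ("192.168.1.10", "11.11.11.11"),
    ("192.168.1.10", "22.22.22.22"),
    ("192.168.1.10", "8.8.8.8"),
    ("10.0.0.5", "11.11.11.11"),
]

# A host written with a 255.255.255.255 wildcard versus the intended 'host' form.
ALL_ONES_WILDCARD = "access-list 101 permit ip 192.168.1.0 0.0.0.255 11.11.11.11 255.255.255.255"
HOST_FORM = "access-list 101 permit ip 192.168.1.0 0.0.0.255 host 11.11.11.11"

# Split-tunnel ACL from the question (source = client pool) versus the corrected one
# (source = protected LAN).
POOL_SOURCED = "access-list 101 permit ip 172.16.0.0 0.0.0.255 any"
LAN_SOURCED = "access-list 101 permit ip 192.168.1.0 0.0.0.255 any"


if __name__ == "__main__":
    print("wildcard for 192.168.1.0/24:", prefix_to_wildcard("192.168.1.0/24"))
    print("all-ones wildcard selects:", selected_flows(ALL_ONES_WILDCARD, FLOWS))
    print("host form selects:        ", selected_flows(HOST_FORM, FLOWS))
    lan_to_client = ("192.168.1.10", "172.16.0.3")
    print("LAN->client in pool-sourced ACL:", ace_matches(POOL_SOURCED, *lan_to_client))
    print("LAN->client in LAN-sourced ACL: ", ace_matches(LAN_SOURCED, *lan_to_client))
```

With the all-ones wildcard every LAN-sourced flow is selected, including the one to 8.8.8.8, so the crypto map would try to encrypt Internet traffic toward a peer that has no SA for it; the `host` form selects only the flow to 11.11.11.11. The last two lines show why the pool-sourced split-tunnel ACL leaves the LAN unreachable: nothing from 192.168.1.0/24 is described by it.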