First you should confirm with

forrest_10011 · ‎05-31-2016

Hi,

I need to setup VPN tunnel from our office to an external party. All information that I got was IP address of the remote site, internal IP address and shared-key. My settings currently is as follow

!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxx address <remote external IP> no-xauth
!
!
crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac
!
crypto map VPN_MAP 1 ipsec-isakmp
set peer <remote external IP>
set transform-set VPNTRANS
match address VPNCONNECT

!

interface FastEthernet4
ip address <local external IP> 255.255.255.252
ip access-group XXX in
ip nat outside
ip inspect XXX_IPS out
ip virtual-reassembly in
ip virtual-reassembly out
ip verify unicast reverse-path
duplex auto
speed auto
crypto map VPN_MAP

!

ip access-list extended VPNCONNECT
permit ip 192.168.2.0 0.0.0.255 172.17.7.0 0.0.0.255

!

access-list 23 permit <remote external IP>

With these settings, there's no sign of a VPN tunnel is running and I cannot ping the remote IP address. Can anyone please shed a light ?

Thanks

Karsten Iwen · ‎05-31-2016

First you should confirm with your peer that you are using the same settings. 3DES/Group2 is legacy and it could be that they use some more modern crypto.

Not being able to ping the peer is quite common as this is often filtered.

On the interface you apply an access-list XXX. Make sure that ip/50 and udp/500, udp/4500 is allowed.

On your NAT-ACL (not shown in your config, but probably there) make sure that the VPN-traffic is not NATed.

forrest_10011 · ‎05-31-2016

Thanks Karsten for replying

First the sysadmin of the remote site confirms that my settings matched his end (shared keys & 3des etc.)

In the access-group, here are the settings that related

ip access-list extended XXX
permit udp host <remote external IP> host <local external IP> eq non500-isakmp
permit udp host <remote external IP> host <local external IP> eq isakmp
permit esp host <remote external IP> host <local external IP>
permit ahp host <remote external IP> host <local external IP>

And the NAT ACL

ip route <remote internal IP> 255.255.255.0 FastEthernet4

Did I miss something ?

Karsten Iwen · ‎05-31-2016

The following line in the ACL is not needed:

permit ahp host  host

It's always better to use the next-hop IP instead of the outgoing interface:

ip route  255.255.255.0 FastEthernet4

The next hop is the same as you use in your default-route. If you don't have a default-route, you also need a route to the remote router IP.

How do you check the VPN? you have to initiate it with traffic that is part of the crypto ACL. That is by testing from an internal PC or with an extended ping on the router.

forrest_10011 · ‎06-01-2016

I have another setting

ip route 0.0.0.0 0.0.0.0 210.10.200.41

Is that the default route you talking about ?

Because I didn't make this work first time, I need to ask the other end to expose the remote IP, so I can ping it for now. Do I have to ask him to close it first in order for the VPN tunnel to trigger running ?

Karsten Iwen · ‎06-02-2016

ip route 0.0.0.0 0.0.0.0 210.10.200.41

Is that the default route you talking about ?

Yes, the 210.10... is the next hop for your routes.

I need to ask the other end to expose the remote IP, so I can ping it for now. Do I have to ask him to close it first in order for the VPN tunnel to trigger running ?

Allowing to ping a VPN-gateway is not needed, but it makes troubleshooting a lot easier.

If all doesn't work, do a "debug crypto isakmp" and initiate the tunnel. It should throw a many lines of output. With a little luck we can see in the debug what's going wrong.

IPSec VPN doesn't work