05-31-2016 09:48 PM - edited 03-05-2019 04:08 AM
Hi,
I need to set up a VPN tunnel from our office to an external party. All the information I got was the IP address of the remote site, the internal IP address and the shared key. My current settings are as follows:
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxx address <remote external IP> no-xauth
!
!
crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac
!
crypto map VPN_MAP 1 ipsec-isakmp
set peer <remote external IP>
set transform-set VPNTRANS
match address VPNCONNECT
!
interface FastEthernet4
ip address <local external IP> 255.255.255.252
ip access-group XXX in
ip nat outside
ip inspect XXX_IPS out
ip virtual-reassembly in
ip virtual-reassembly out
ip verify unicast reverse-path
duplex auto
speed auto
crypto map VPN_MAP
!
ip access-list extended VPNCONNECT
permit ip 192.168.2.0 0.0.0.255 172.17.7.0 0.0.0.255
!
access-list 23 permit <remote external IP>
With these settings there is no sign that a VPN tunnel is running, and I cannot ping the remote IP address. Can anyone please shed some light?
Thanks
05-31-2016 11:23 PM
First you should confirm with your peer that you are using the same settings. 3DES/Group2 is legacy and it could be that they use some more modern crypto.
Not being able to ping the peer is quite common as this is often filtered.
On the interface you apply an access-list XXX. Make sure that ip/50 (ESP) and udp/500, udp/4500 are allowed.
On your NAT-ACL (not shown in your config, but probably there) make sure that the VPN-traffic is not NATed.
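The three checks in the reply above (crypto settings matching the peer, the interface ACL passing IKE and ESP, and the VPN traffic being exempt from NAT) written out as IOS configuration. This is an added example, not configuration from the original post or from the person who replied. The NAT statement and the ACL name NAT_ACL are assumptions, since the poster's NAT configuration is not shown; the addresses 192.168.2.0/24 and 172.17.7.0/24 and the ACL name XXX are taken from the post. The stronger ISAKMP policy and transform set at the end are an alternative to the 3DES/Group 2 settings, to be used only if the peer agrees to them.

```cisco
! --- NAT exemption -------------------------------------------------------
! Assumed NAT rule (not in the original post): overload the LAN behind
! the outside interface. The ACL name NAT_ACL is hypothetical.
ip nat inside source list NAT_ACL interface FastEthernet4 overload
!
ip access-list extended NAT_ACL
 ! The deny for the VPN traffic must come BEFORE the permit. Without it the
 ! 192.168.2.0/24 source is translated to the outside address first and the
 ! packet no longer matches crypto ACL VPNCONNECT, so the tunnel never comes up.
 deny   ip 192.168.2.0 0.0.0.255 172.17.7.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! --- Inbound ACL on the outside interface --------------------------------
ip access-list extended XXX
 ! IKE (udp/500) and NAT-T (udp/4500) from the peer
 permit udp host <remote external IP> host <local external IP> eq isakmp
 permit udp host <remote external IP> host <local external IP> eq non500-isakmp
 ! ESP (ip protocol 50). No "permit ahp" is needed: the transform set is
 ! esp-3des esp-sha-hmac, so AH is never negotiated.
 permit esp host <remote external IP> host <local external IP>
 ! Decrypted packets are checked against this ACL again (IOS 12.3(8)T and
 ! later), so the cleartext flow from the remote LAN must also be permitted.
 permit ip 172.17.7.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! --- Optional: stronger crypto, if the peer supports it --------------------
! A lower policy number is tried first; policy 2 (3DES/Group 2) stays as fallback.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set VPNTRANS-AES esp-aes 256 esp-sha256-hmac
!
crypto map VPN_MAP 1 ipsec-isakmp
 ! Both sets are offered; the peer picks the first one it also has.
 set transform-set VPNTRANS-AES VPNTRANS
```

The order inside NAT_ACL is the whole point: NAT is applied on the inside-to-outside path before the crypto map sees the packet, so an overload rule that matches the VPN traffic silently rewrites the source address and the crypto ACL never matches. The extra permit for the decrypted 172.17.7.0/24 traffic is the other common silent failure: IKE and IPsec SAs come up, the encaps counter rises, but the decrypted packets are dropped by the interface ACL after decryption.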
05-31-2016 11:40 PM
Thanks Karsten for replying
First the sysadmin of the remote site confirms that my settings matched his end (shared keys & 3des etc.)
In the access-group, here are the related settings:
ip access-list extended XXX
permit udp host <remote external IP> host <local external IP> eq non500-isakmp
permit udp host <remote external IP> host <local external IP> eq isakmp
permit esp host <remote external IP> host <local external IP>
permit ahp host <remote external IP> host <local external IP>
And the NAT ACL
ip route <remote internal IP> 255.255.255.0 FastEthernet4
Did I miss something ?
05-31-2016 11:49 PM
The following line in the ACL is not needed:
permit ahp host <remote external IP> host <local external IP>
ip route <remote internal IP> 255.255.255.0 FastEthernet4
The next hop is the same as you use in your default-route. If you don't have a default-route, you also need a route to the remote router IP.
How do you check the VPN? You have to initiate it with traffic that is part of the crypto ACL, that is, by testing from an internal PC or with an extended ping on the router.
06-01-2016 09:48 PM
I have another setting
ip route 0.0.0.0 0.0.0.0 210.10.200.41
Is that the default route you talking about ?
Because I didn't make this work the first time, I needed to ask the other end to expose the remote IP, so I can ping it for now. Do I have to ask him to close it first in order for the VPN tunnel to trigger?
06-02-2016 01:07 AM
ip route 0.0.0.0 0.0.0.0 210.10.200.41
Is that the default route you talking about ?
Yes, the 210.10... is the next hop for your routes.
I need to ask the other end to expose the remote IP, so I can ping it for now. Do I have to ask him to close it first in order for the VPN tunnel to trigger running ?
Allowing to ping a VPN-gateway is not needed, but it makes troubleshooting a lot easier.
If it still doesn't work, do a "debug crypto isakmp" and initiate the tunnel. It should throw many lines of output. With a little luck we can see in the debug what's going wrong.
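A verification sequence that follows the advice in this thread: bring the tunnel up with traffic that matches crypto ACL VPNCONNECT, then check Phase 1, Phase 2 and the interface ACL counters before reaching for the debug. This is an added example, not commands from the original post or the replies. The addresses 172.17.7.1 (a host on the remote LAN) and 192.168.2.1 (the router's LAN address) are assumptions; the post gives only the two /24 networks.

```cisco
! A plain "ping 172.17.7.1" is sourced from FastEthernet4 (the outside address),
! does not match 192.168.2.0/24 -> 172.17.7.0/24, and will NOT trigger the tunnel.
! Source it from the LAN interface so it matches VPNCONNECT.
ping 172.17.7.1 source 192.168.2.1
!
! Phase 1: the peer should appear with state QM_IDLE once IKE has completed.
! MM_NO_STATE or no entry at all means IKE never got an answer (ACL, NAT or
! the peer not reachable); MM_KEY_EXCH stuck usually means mismatched pre-shared key.
show crypto isakmp sa
!
! Phase 2: "#pkts encaps" and "#pkts decaps" should both increase on repeated pings.
! encaps rising while decaps stays at 0 means we send but the remote side either
! does not answer or its return traffic is being NATed or filtered.
show crypto ipsec sa peer <remote external IP>
!
! Hit counters on the inbound ACL show whether isakmp/non500-isakmp/esp from the
! peer is actually arriving at FastEthernet4.
show ip access-lists XXX
!
! Only if Phase 1 never reaches QM_IDLE: capture the negotiation, repeat the ping,
! then stop debugging. Use a terminal session, not the console, on a busy router.
debug crypto isakmp
debug crypto ipsec
! ... ping 172.17.7.1 source 192.168.2.1 again ...
undebug all
```

Checking the three show commands in that order narrows the fault before the debug is needed: no ISAKMP SA points at reachability or the interface ACL, an ISAKMP SA without IPsec SAs points at mismatched transform sets or crypto ACLs on the two ends, and encaps without decaps points at the return path on the remote side.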