IPSec VPN doesn't work

forrest_10011
Level 1

Hi,

I need to set up a VPN tunnel from our office to an external party. All the information I got was the IP address of the remote site, the internal IP address and the shared key. My current settings are as follows:

!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxx address <remote external IP> no-xauth
!
crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac
!
crypto map VPN_MAP 1 ipsec-isakmp
 set peer <remote external IP>
 set transform-set VPNTRANS
 match address VPNCONNECT
!
interface FastEthernet4
 ip address <local external IP> 255.255.255.252
 ip access-group XXX in
 ip nat outside
 ip inspect XXX_IPS out
 ip virtual-reassembly in
 ip virtual-reassembly out
 ip verify unicast reverse-path
 duplex auto
 speed auto
 crypto map VPN_MAP
!
ip access-list extended VPNCONNECT
 permit ip 192.168.2.0 0.0.0.255 172.17.7.0 0.0.0.255
!
access-list 23 permit <remote external IP>

With these settings there is no sign of a VPN tunnel running, and I cannot ping the remote IP address. Can anyone please shed some light?

Thanks

5 Replies

First, you should confirm with your peer that you are using the same settings. 3DES/Group 2 is legacy, and it could be that they use some more modern crypto.

Not being able to ping the peer is quite common as this is often filtered.

On the interface you apply an access-list XXX. Make sure that ip/50, udp/500 and udp/4500 are allowed.

On your NAT ACL (not shown in your config, but probably there) make sure that the VPN traffic is not NATted.
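The NAT exemption Karsten describes, written out as an added example (not configuration from the original post). On IOS the inside-to-outside NAT translation is applied before the outbound crypto map is evaluated, so if 192.168.2.0/24 is translated to the FastEthernet4 address it no longer matches the crypto ACL VPNCONNECT and the tunnel is never triggered. The ACL name NAT_ACL and the inside interface Vlan1 are assumptions; the two subnets are the ones from the poster's crypto ACL.

```cisco
! Added example: NAT exemption for the VPN traffic. The deny entry must come
! BEFORE the permit, otherwise the LAN-to-remote traffic is translated and
! never matches crypto ACL VPNCONNECT on the way out.
ip access-list extended NAT_ACL
 deny   ip 192.168.2.0 0.0.0.255 172.17.7.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! PAT everything else behind the outside interface address (NAT_ACL name is assumed)
ip nat inside source list NAT_ACL interface FastEthernet4 overload
!
! The LAN-facing interface must be marked as NAT inside (Vlan1 is an assumption)
interface Vlan1
 ip nat inside
```

After applying this, `show ip nat translations` should show no entries for 172.17.7.x destinations while the VPN subnet traffic is flowing; if it does, the deny line is either missing or sits below the permit.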

Thanks, Karsten, for replying.

First, the sysadmin of the remote site confirms that my settings match his end (shared key, 3DES, etc.).

In the access-group, here are the related settings:

ip access-list extended XXX
 permit udp host <remote external IP> host <local external IP> eq non500-isakmp
 permit udp host <remote external IP> host <local external IP> eq isakmp
 permit esp host <remote external IP> host <local external IP>
 permit ahp host <remote external IP> host <local external IP>

And the NAT ACL

ip route <remote internal IP> 255.255.255.0 FastEthernet4

Did I miss something ?

The following line in the ACL is not needed:

permit ahp host <remote external IP> host <local external IP>

It's always better to use the next-hop IP instead of the outgoing interface:

ip route <remote internal IP> 255.255.255.0 FastEthernet4

The next hop is the same as the one you use in your default route. If you don't have a default route, you also need a route to the remote router IP.

How do you check the VPN? You have to initiate it with traffic that is part of the crypto ACL, that is, by testing from an internal PC or with an extended ping on the router.

I have another setting

ip route 0.0.0.0 0.0.0.0 210.10.200.41

Is that the default route you talking about ?

Because I didn't make this work the first time, I needed to ask the other end to expose the remote IP so I can ping it for now. Do I have to ask him to close it first in order for the VPN tunnel to trigger?

ip route 0.0.0.0 0.0.0.0 210.10.200.41

Is that the default route you talking about ?

Yes, the 210.10... address is the next hop for your routes.

I need to ask the other end to expose the remote IP, so I can ping it for now. Do I have to ask him to close it first in order for the VPN tunnel to trigger running ?

Allowing pings to a VPN gateway is not needed, but it makes troubleshooting a lot easier.

If it still doesn't work, do a "debug crypto isakmp" and initiate the tunnel. It should throw many lines of output. With a little luck we can see in the debug what's going wrong.
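The route fix and the "initiate it with interesting traffic, then look at the debug" procedure from Karsten's last two replies, written out as an added example (not commands from the original thread). The next hop 210.10.200.41 and the subnets are the poster's; the host addresses 192.168.2.1 (a LAN address on the router) and 172.17.7.1 (a host on the remote LAN) are assumptions, and the remote external IP stays a placeholder exactly as in the thread.

```cisco
! Added example: route the remote LAN via the same next hop as the default route,
! not via the outgoing interface (the poster's 210.10.200.41)
ip route 172.17.7.0 255.255.255.0 210.10.200.41
!
! Trigger the tunnel from privileged EXEC with traffic that matches crypto ACL
! VPNCONNECT: the source must be a LAN address, not the outside interface,
! otherwise the packet never matches "permit ip 192.168.2.0 ... 172.17.7.0 ..."
! (192.168.2.1 and 172.17.7.1 are assumed addresses)
ping 172.17.7.1 source 192.168.2.1 repeat 5
!
! Phase 1: the peer should appear with state QM_IDLE once IKE has completed
show crypto isakmp sa
! Phase 2: #pkts encaps/decaps should increase with each ping
show crypto ipsec sa peer <remote external IP>
show crypto session
!
! If nothing comes up, capture the negotiation while re-running the ping
debug crypto isakmp
debug crypto ipsec
! ... re-run the ping, read the output, then stop debugging:
undebug all
```

If `show crypto isakmp sa` stays empty after the ping, the first things to check in the debug are whether any IKE packet leaves the router at all (a routing or NAT problem on this side) versus whether the peer answers and the exchange fails (a policy, key or ACL mismatch).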
