07-04-2018 05:36 AM - edited 03-05-2019 10:42 AM
Hello, I have a problem connecting two Cisco devices with an IPsec VPN.
One side's Cisco has multiple VPN connections and GRE tunnels; I don't know if the problem is there or on my router. Here is the sh run of both routers:
R1
#sh run
Building configuration...

Current configuration : 13039 bytes
!
! Last configuration change at 14:11:53 Tbilisi Wed Jul 4 2018 by admin
! NVRAM config last updated at 14:40:04 Tbilisi Sat Jun 16 2018 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname EMSC
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$GvBy$.XsD4VRpxLcXxhhR3ebPa0
!
aaa new-model
!
aaa session-id common
clock timezone Tbilisi 4 0
!
ip name-server $$$$$$$$$$$$$$$
ip domain name yourdomain.com
no ip dhcp use vrf connected
ip dhcp excluded-address 10.195.195.1 10.195.195.50
ip dhcp excluded-address 10.195.195.180 10.195.195.254
ip dhcp excluded-address 10.195.195.156
ip dhcp excluded-address 10.195.195.66
ip dhcp excluded-address 10.195.195.253
ip dhcp excluded-address 10.195.195.248
ip dhcp excluded-address 10.195.195.249
ip dhcp excluded-address 10.195.195.247
ip dhcp excluded-address 10.195.195.246
ip dhcp excluded-address 10.195.195.245
ip dhcp excluded-address 10.195.195.243
ip dhcp excluded-address 10.195.195.241
ip dhcp excluded-address 10.195.195.242
ip dhcp excluded-address 10.195.195.252
ip dhcp excluded-address 10.195.195.236
ip dhcp excluded-address 10.195.195.237
ip dhcp excluded-address 10.195.195.221
ip dhcp excluded-address 10.195.195.222
ip dhcp excluded-address 10.195.195.230
ip dhcp excluded-address 10.195.195.231
ip dhcp excluded-address 10.195.195.232
ip dhcp excluded-address 10.195.195.234
ip dhcp excluded-address 10.195.195.148
ip dhcp excluded-address 10.195.195.142
ip dhcp excluded-address 10.195.195.159
ip dhcp excluded-address 10.195.195.239
ip dhcp excluded-address 10.195.195.238
!
ip dhcp pool lan
 network 10.195.195.0 255.255.255.0
 dns-server $$$$$$$$$$$$$$$$$$$$$$$$$$
 default-router 10.150.150.1
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid ISR4321/K9 sn FDO20060ZBD
!
spanning-tree extend system-id
!
username sa privilege 15 secret 5 $1$Q6/F$KdKUW7P8aLsnBojUpbWHu/
username admin privilege 15 secret 5 $1$mxJ4$HckDyjlAIr4JMMR9ngLYK.
!
redundancy
 mode none
!
vlan internal allocation policy ascending
no cdp run
!
track 1 ip sla 1 reachability
 delay down 2 up 5
!
track 2 ip sla 2 reachability
 delay down 2 up 5
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 45
 encr aes 256
 group 2
 lifetime 28800
!
crypto isakmp policy 101
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp ^^^^^^^
crypto isakmp k^^^^^^^^^^^^^^
crypto isakmp key^^^^^^^^^^^^^
crypto isakmp key ^
crypto isakmp key ^^^^^^^^^^^^^^^^^^^^
crypto isakmp key ^^^^^^^^^^^^^^^^^^^^^^^h
crypto isakmp key s^^^^^^^^^^^^^^^^^^^^^^^
crypto isakmp key ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
crypto isakmp key u^^^^^^^^^^^^^^^^^^
crypto isakmp ^^^^^^^^^^^^^^^^^^^^^^^^^
crypto isakmp key VPNdosoEM@!# address 81.16.245.206
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set aes128-sha esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set DOSOVPN esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile 3des-sha
 set transform-set 3des-sha
!
crypto ipsec profile aes128-sha
 set transform-set aes128-sha
!
crypto map CryptoDeltanet 5 ipsec-isakmp
 description simulation
 set peer
 set transform-set aes128-sha
 match address EMSC-Simulat
crypto map CryptoDeltanet 55 ipsec-isakmp
 set peer 81.16.245.206
 set transform-set DOSOVPN
 match address VPN-DOSO
!
crypto map DOSO 11 ipsec-isakmp
 set peer
 set transform-set DOSOVPN
 match address DOSOVPN
!
interface Tunnel10
 description TO_112
 ip address 172.30.0.1 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel path-mtu-discovery
 tunnel protection ipsec profile aes128-sha
!
interface Tunnel11
 description TO_MOLHSA
 ip address 172.40.0.202 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel path-mtu-discovery
 tunnel protection ipsec profile aes128-sha
!
interface Tunnel18
 description AKA1
 ip address 172.50.0.1 255.255.255.252
 ip nat outside
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 188.169.44.234
 tunnel path-mtu-discovery
 tunnel protection ipsec profile 3des-sha
!
interface Tunnel100
 description TO_Magticom
 ip address 10.17.1.66 255.255.255.252
 tunnel source
 tunnel destination
!
interface Tunnel111
 description Magticom-VOIP
 ip address 10.33.14.38 255.255.255.252
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination 8
 tunnel path-mtu-discovery
 tunnel protection ipsec profile 3des-sha
!
interface Tunnel122
 description DES
 ip address 172.21.1.154 255.255.255.252
 ip nat outside
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination 178.249.18.1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile 3des-sha
!
interface Tunnel188
 description AKA2
 ip address 172.51.0.1 255.255.255.252
 ip nat outside
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel path-mtu-discovery
 tunnel protection ipsec profile 3des-sha
!
interface Tunnel210
 description TO_112_2
 ip address 172.16.120.2 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel path-mtu-discovery
 tunnel protection ipsec profile aes128-sha
!
interface Tunnel1111
 description Magticom-VoipFromSilk
 ip address 10.33.14.46 255.255.255.252
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination 81.95.167.53
 tunnel path-mtu-discovery
 tunnel protection ipsec profile 3des-sha
!
interface GigabitEthernet0/0/0
 description ISP1
 ip address 252
 ip nat outside
 negotiation auto
 crypto map CryptoDeltanet
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description ISP2
 ip address 255.255.255.252
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 90
 shutdown
 speed 100
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
 speed 100
!
interface GigabitEthernet0/1/3
 switchport access vlan 2
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 description LAN
 ip address 10.195.195.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 ip virtual-reassembly
!
interface Vlan2
 description Region
 ip address 10.17.3.1 255.255.255.0
!
ip local policy route-map ISP_loop
ip nat inside source static tcp 10.195.195.232 3389 interface GigabitEthernet0/0/0 20005
ip nat inside source static tcp 10.195.195.159 3389 interface GigabitEthernet0/0/0 20002
ip nat inside source static tcp 10.195.195.142 3389 interface GigabitEthernet0/0/0 20001
ip nat inside source static tcp 10.195.195.148 3389 interface GigabitEthernet0/0/0 20000
ip nat inside source static tcp 10.195.195.66 3389 interface GigabitEthernet0/0/0 16001
ip nat inside source static tcp 10.195.195.235 3389 interface GigabitEthernet0/0/0 3389
ip nat inside source static tcp 10.195.195.207 47 interface GigabitEthernet0/0/0 47
ip nat inside source static tcp 10.195.195.207 1723 interface GigabitEthernet0/0/0 1723
ip nat inside source static tcp 10.195.195.16 3389 interface GigabitEthernet0/0/0 2277
ip nat inside source static tcp 10.195.195.156 3389 interface GigabitEthernet0/0/0 16000
ip nat inside source list 150 interface GigabitEthernet0/0/0 overload
ip nat inside source list nat_to_napr interface Tunnel122 overload
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip ftp username cisco
ip ftp password cisco123
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 92.51.76.53 100 track 1
ip route 0.0.0.0 0.0.0.0 37.232.96.185 150 track 2
ip route 10.10.112.0 255.255.255.0 172.30.0.2 name TO_112_Servers
ip route 10.16.21.0 255.255.255.0 10.17.1.65
ip route 10.60.226.11 255.255.255.255 172.30.0.2 name To_112_Servers
ip route 10.60.226.14 255.255.255.255 172.30.0.2 name To_112_Servers
ip route 10.120.121.0 255.255.255.0 92.51.79.142 name simulation
ip route 81.95.160.47 255.255.255.255 81.95.160.245 name magti
ip route 81.95.167.53 255.255.255.255 37.232.96.185
ip route 81.95.168.22 255.255.255.255 10.33.14.37 name Magticom-VOIP
ip route 81.95.168.22 255.255.255.255 10.33.14.45 10 name Magticom-VOIP
ip route 178.249.17.1 255.255.255.255 92.51.76.53 name NAPR_Tunnel_Route
ip route 178.249.17.129 255.255.255.255 172.21.1.153 name NAPR_Des_Server
ip route 178.249.20.59 255.255.255.255 172.21.1.153 name NAPR_HR_Server
ip route 192.168.1.0 255.255.255.0 Tunnel18 name to_MPSAKA1
ip route 192.168.1.0 255.255.255.0 Tunnel188 name to_MPSAKA188
!
ip access-list extended DOSOVP
ip access-list extended DOSOVPN
 permit ip 10.195.195.0 0.0.0.255 192.168.250.0 0.0.0.255
ip access-list extended EMSC-Simulat
 permit ip 10.195.195.0 0.0.0.255 10.120.121.0 0.0.0.255
ip access-list extended INBOUND
 permit ip host 109.238.235.182 host 10.195.195.252
 permit ip any any
ip access-list extended NAT
 deny   ip 10.195.195.0 0.0.0.255 10.120.121.0 0.0.0.255
 deny   ip 10.195.195.0 0.0.0.255 host 10.60.226.11
 deny   ip 10.195.195.0 0.0.0.255 host 10.60.226.14
 deny   ip 10.195.195.0 0.0.0.255 10.10.112.0 0.0.0.255
 deny   ip 10.195.195.0 0.0.0.255 host 178.249.20.59
 deny   ip host 10.195.195.195 host 178.249.17.129
 deny   ip 10.195.195.0 0.0.0.255 host 178.249.17.129
 deny   ip host 10.195.195.150 host 178.249.17.129
 deny   ip host 10.195.195.40 host 178.249.17.129
 deny   ip host 10.195.195.41 host 178.249.17.129
 permit ip 10.195.195.0 0.0.0.255 any
 deny   ip 10.195.195.0 0.0.0.255 192.168.247.0 0.0.0.255
ip access-list extended NAT2
 deny   ip 10.195.195.0 0.0.0.255 any
 permit ip host 10.195.195.160 any
ip access-list extended VPN-DOSO
 permit ip 10.195.195.0 0.0.0.255 192.168.247.0 0.0.0.255
ip access-list extended nat_to_napr
 permit ip 10.195.195.0 0.0.0.255 host 178.249.20.59
 permit ip host 10.195.195.195 host 178.249.17.129
 permit ip host 10.195.195.150 host 178.249.17.129
 permit ip host 10.195.195.40 host 178.249.17.129
 permit ip host 10.195.195.41 host 178.249.17.129
 permit ip 10.195.195.0 0.0.0.255 host 178.249.17.129
!
ip sla 1
 icmp-echo 92.51.76.53 source-interface GigabitEthernet0/0/0
 request-data-size 32
 frequency 5
 history hours-of-statistics-kept 24
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 37.232.96.185 source-interface GigabitEthernet0/0/1
 request-data-size 32
 frequency 5
 history hours-of-statistics-kept 24
ip sla schedule 2 life forever start-time now
access-list 102 permit tcp host 10.195.195.202 any eq smtp
access-list 102 deny   tcp any any eq smtp
access-list 102 permit ip any any
access-list 150 deny   ip 10.195.195.0 0.0.0.255 192.168.247.0 0.0.0.255
access-list 150 permit ip 10.195.195.0 0.0.0.255 any
access-list 2000 remark ISP1_Loop
access-list 2000 permit ip host 92.51.76.54 any
access-list 2001 remark ISP2_Loop
access-list 2001 permit ip host 37.232.96.186 any
!
route-map ISP_loop permit 1
 match ip address 2000
 set ip next-hop 92.51.76.53
!
route-map ISP_loop permit 2
 match ip address 2001
 set ip next-hop 37.232.96.185
!
route-map LocalPolicy permit 100
 match ip address NAT
 match interface GigabitEthernet0/0/0
 set ip next-hop verify-availability 92.51.76.53 1 track 1
!
route-map LocalPolicy permit 110
 match ip address NAT2
 match interface GigabitEthernet0/0/1
 set ip next-hop verify-availability 37.232.96.185 20 track 2
!
route-map ISP2 permit 1001
 match ip address NAT
 match interface GigabitEthernet0/0/1
!
route-map ISP1 permit 1000
 match ip address NAT
 match interface GigabitEthernet0/0/0
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 176.58.109.199
event manager applet natclear
 event track 1 state any
 action 0.9 cli command "enable"
 action 1.0 cli command "clear ip nat translation *"
 action 2.0 cli command "clear ip nat translation forced"
!
end
and
R2
Current configuration : 2435 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname doso
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$TFVW$jcIdNpb8rMm9pWZN5Lnns/
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 50
 encr aes
!
crypto isakmp policy 55
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key address 109.238.235.226
crypto isakmp key VPNdosoEM@!# address 92.51.76.54
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNEMC esp-3des esp-md5-hmac
!
crypto map PRIMEVPN 15 ipsec-isakmp
 set peer 109.238.235.226
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
crypto map PRIMEVPN 20 ipsec-isakmp
 ! Incomplete
crypto map PRIMEVPN 60 ipsec-isakmp
 set peer 92.51.76.54
 set transform-set VPNEMC
 match address VPN-EMC
!
interface FastEthernet0/0
 mac-address 0023.5e39.20b7
 ip address dhcp
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 ip policy route-map NONAT
 duplex auto
 speed auto
 crypto map PRIMEVPN
!
interface FastEthernet0/1
 ip address 192.168.247.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 192.168.250.0 255.255.255.0 192.168.247.253
!
ip http server
no ip http secure-server
ip nat inside source list 150 interface FastEthernet0/0 overload
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.250.12 3389 interface FastEthernet0/0 3389
!
ip access-list extended VPN-EMC
 permit ip 192.168.247.0 0.0.0.255 10.195.195.0 0.0.0.255
!
access-list 100 permit ip 192.168.247.0 0.0.0.255 10.130.130.0 0.0.0.255
access-list 100 permit ip 10.130.130.0 0.0.0.255 192.168.247.0 0.0.0.255
access-list 103 permit tcp any eq 3389 any
access-list 110 deny   ip 192.168.247.0 0.0.0.255 10.130.130.0 0.0.0.255
access-list 110 permit ip 192.168.247.0 0.0.0.255 any
access-list 110 deny   ip 192.168.247.0 0.0.0.255 10.195.195.0 0.0.0.255
route-map NONAT permit 10
 match ip address 110
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password
 login
!
end
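A check worth running on the two configurations exactly as posted, added here as an example and not part of the original post or of either router's config: IOS evaluates access-list entries top down and stops at the first match, and on the inside-to-outside path NAT is applied before the outbound crypto map is consulted. On both routers the deny that is meant to keep the VPN traffic out of NAT sits after a permit that already matches it (R1's ACL NAT, referenced by route-map ISP1 for overload NAT on GigabitEthernet0/0/0; R2's ACL 110, referenced by route-map NONAT), so that deny never fires and a second NAT rule can still translate the source before the crypto ACLs VPN-DOSO / VPN-EMC are checked. The block reorders those entries and lists the show commands that confirm the result. Interface, ACL and peer names are the ones in the posted configs; nothing else is assumed.

```cisco
! ---- R1 (EMSC): move the VPN exemption above the catch-all permit in named ACL NAT ----
! Named ACLs append re-entered lines at the end, so remove both and re-add in the right order
ip access-list extended NAT
 no permit ip 10.195.195.0 0.0.0.255 any
 no deny ip 10.195.195.0 0.0.0.255 192.168.247.0 0.0.0.255
 deny   ip 10.195.195.0 0.0.0.255 192.168.247.0 0.0.0.255
 permit ip 10.195.195.0 0.0.0.255 any
!
! ---- R2 (doso): same ordering fix; numbered ACL 110 cannot be edited in place, so rebuild it
! ---- (route-map NONAT references it by number and needs no change)
no access-list 110
access-list 110 deny   ip 192.168.247.0 0.0.0.255 10.130.130.0 0.0.0.255
access-list 110 deny   ip 192.168.247.0 0.0.0.255 10.195.195.0 0.0.0.255
access-list 110 permit ip 192.168.247.0 0.0.0.255 any
!
! ---- verification, after sending traffic between 10.195.195.0/24 and 192.168.247.0/24 ----
! Phase 1: the peer should show QM_IDLE; MM_NO_STATE means IKE never completed
show crypto isakmp sa
! Phase 2: #pkts encaps and #pkts decaps should both increase;
! encaps rising with decaps at zero means the far side is translating or not routing the return traffic
show crypto ipsec sa peer 81.16.245.206     ! on R1
show crypto ipsec sa peer 92.51.76.54       ! on R2
! No translation for a 10.195.195.x -> 192.168.247.x flow should appear once the exemption is first
show ip nat translations | include 192.168.247
! Confirm that every ACL the NAT rules and access-groups reference actually exists
show access-lists
! If phase 1 or 2 still fails, these show which proposal or traffic selector is rejected
debug crypto isakmp
debug crypto ipsec
```

Two references on R2 point at lists that are not in the posted output: the NAT rule `ip nat inside source list 150` and `ip access-group 102 in` on FastEthernet0/0 (ACL 102 exists only on R1). An access-group that names a non-existent ACL permits everything in IOS, and a NAT rule that names one translates nothing, so `show access-lists` on R2 is the first thing to confirm. Separately, the pre-shared key for this peer is printed in clear text on both sides of the thread (R1 masked its other keys but not this one); it should be rotated, and `key config-key password-encrypt` together with `password encryption aes` stores ISAKMP keys as type 6 so that a future `sh run` paste does not leak them again.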
07-04-2018 01:46 PM
It is not good to mix crypto-map and SVTI.
So my advice is to reconfigure your crypto-map to SVTI.
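The reply's suggestion carried out for this pair, added here as an example and not the reply author's or the poster's configuration: crypto-map entries CryptoDeltanet 55 (R1) and PRIMEVPN 60 (R2) are replaced by a static VTI on each side, reusing the peer addresses, transform sets and ISAKMP policy already in the posted configs. The tunnel interface numbers, the 172.16.254.0/30 link addresses and the descriptions are my choice; the existing ISAKMP keys for 81.16.245.206 and 92.51.76.54 are left in place and must still be identical on both sides.

```cisco
! ==== R1 (EMSC, IOS 15.5): SVTI toward doso ====
! Same phase-2 proposal as before; only the wrapper changes (crypto map -> ipsec profile)
crypto ipsec profile DOSOVPN
 set transform-set DOSOVPN
!
interface Tunnel55
 description TO_DOSO
 ip address 172.16.254.1 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 81.16.245.206
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DOSOVPN
!
! With an SVTI the crypto ACL is gone: what goes into the tunnel is decided by routing
ip route 192.168.247.0 255.255.255.0 Tunnel55 name TO_DOSO
!
! Retire the crypto-map entry for this peer; entry 5 and the ISAKMP key/policy are untouched
no crypto map CryptoDeltanet 55
!
! ==== R2 (doso, IOS 12.4): mirror image ====
crypto ipsec profile VPNEMC
 set transform-set VPNEMC
!
interface Tunnel1
 description TO_EMSC
 ip address 172.16.254.2 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 92.51.76.54
 tunnel protection ipsec profile VPNEMC
!
ip route 10.195.195.0 255.255.255.0 Tunnel1 name TO_EMSC
no crypto map PRIMEVPN 60
!
! ==== both sides: the tunnel line protocol comes up only after phase 1 and phase 2 complete ====
show interfaces Tunnel55 | include line protocol
show crypto session
show crypto ipsec sa
```

Because the LAN packets now leave through the tunnel interface, which is not marked `ip nat outside`, the overload rules on the physical interfaces do not translate them, so no NAT exemption entry is needed for this traffic (R1's Tunnel18, 122 and 188 do carry `ip nat outside`, which is why those tunnels translate deliberately). R2's FastEthernet0/0 takes its address by DHCP; `tunnel source FastEthernet0/0` follows that address, but R1's `tunnel destination 81.16.245.206` only works while the lease keeps handing out that address, which is the same assumption the posted crypto map already makes with `set peer 81.16.245.206`.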
07-04-2018 11:29 PM
This router is not on my side, and it uses multiple VPNs and GRE tunnels. How can I easily connect these two routers with an IPsec VPN?