Need VPN HELP!!! UP-IDLE only.

Michael Durham
Level 4

I am trying to connect my office 2801 router with a static IP to my home 2851 router that has a dynamic IP address via a VPN

Currently I seem to have a VPN connection but no data crosses it.  When I issue the command SHOW CRYPTO SESSION, here is what I get:

OFFICE 2801

Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 70.193.201.242 port 10327
  IKEv1 SA: local 40.197.68.9/4500 remote 70.193.211.19/10327 Active

HOME 2851

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 40.197.68.9 port 500
  IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 40.197.68.0/255.255.255.7
        Active SAs: 0, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 40.197.68.9 port 4500
  IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active

Any idea why I am not able to get the IPSec part to work?

CONFIG FILES:

2801 OFFICE

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key VPNpassword address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-1 esp-3des esp-md5-hmac
!
crypto dynamic-map NCL-vpn 10
 set security-association lifetime seconds 86400
 set transform-set TS-1
 match address VPN1-FLA-TRAFFIC
!
crypto map VPN-FLA-MAP 10 ipsec-isakmp dynamic NCL-vpn
!
interface FastEthernet0/0
 ip address 40.197.68.9 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-FLA-MAP
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip forward-protocol nd
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 40.197.68.10
ip route 192.168.2.0 255.255.255.0 192.168.10.5
!
ip access-list extended VPN1-FLA-TRAFFIC
 permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3

2851 HOME

! ---------- This is used for local SSH only ----------
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2516279958
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2516279958
 revocation-check none
 rsakeypair TP-self-signed-2516279958
!
!
crypto pki certificate chain TP-self-signed-2516279958
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
! ---------- END LOCAL USE PKI ----------
! ---------- For VPN use ----------
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key VPNpassword address 40.197.68.9
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
 set peer 40.197.68.9
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Router - C3524 Port Fa0/23 192.168.70.1
 ip address 192.168.70.2 255.255.255.252
 duplex auto
 speed auto
 crypto map vpn-to-hq
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248
!
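The `show crypto session` outputs above already separate the two stages of the problem. Both routers hold an Active IKEv1 SA, so phase 1 (pre-shared key, ISAKMP policy) is fine, and the peer port 10327 seen by the office together with the private 192.168.70.2 on the home Gi0/0 show a NAT device in the path, so NAT traversal on UDP/4500 was negotiated. What is missing is any IPsec SA (no IPSEC FLOW with Active SAs on the UP-IDLE sessions), which is exactly the state in which no data can cross. The Python below is an added example, not part of the original post or any Cisco tool: it parses that output (the sample input is constructed by copying the text quoted in this thread) and maps each session to the next thing to check. The state codes NO_IKE / IKE_ONLY / UP and the triage rules are mine. The NAT caveat in the UP branch comes from the office config: with `ip nat inside source list 1 interface FastEthernet0/0 overload`, IOS applies inside-to-outside NAT before the crypto map, so access-list 1 (not shown in the post) has to deny the 192.168.10.0/24 to 192.168.70.0/30 traffic or that traffic leaves translated and unencrypted.

```python
import re
from dataclasses import dataclass, field

# Sample input, constructed by copying the `show crypto session` output posted in
# this thread (indentation as IOS prints it).
SESSION_OFFICE_BEFORE = """\
Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 70.193.201.242 port 10327
  IKEv1 SA: local 40.197.68.9/4500 remote 70.193.211.19/10327 Active
"""

SESSION_HOME_BEFORE = """\
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 40.197.68.9 port 500
  IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 40.197.68.0/255.255.255.7
        Active SAs: 0, origin: crypto map
Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 40.197.68.9 port 4500
  IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active
"""

SESSION_OFFICE_AFTER = """\
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 70.193.202.106 port 14541
  IKEv1 SA: local 40.197.68.9/4500 remote 70.193.202.106/14541 Active
  IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.70.0/255.255.255.252
        Active SAs: 2, origin: dynamic crypto map
"""


@dataclass
class Session:
    interface: str
    status: str = ""
    peer: str = ""
    peer_port: int = 0
    ike_sas: list = field(default_factory=list)  # (local, remote, state)
    flows: list = field(default_factory=list)    # [acl text, active SA count]


def parse_sessions(text: str) -> list:
    """Split `show crypto session` output into one Session per 'Interface:' block."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = Session(line.split(":", 1)[1].strip())
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Session status:"):
            cur.status = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            m = re.match(r"Peer:\s+(\S+)\s+port\s+(\d+)", line)
            if m:
                cur.peer, cur.peer_port = m.group(1), int(m.group(2))
        elif line.startswith("IKEv1 SA:"):
            m = re.match(r"IKEv1 SA: local (\S+) remote (\S+) (\S+)", line)
            if m:
                cur.ike_sas.append(m.groups())
        elif line.startswith("IPSEC FLOW:"):
            cur.flows.append([line.split(":", 1)[1].strip(), 0])
        elif line.startswith("Active SAs:") and cur.flows:
            m = re.match(r"Active SAs:\s+(\d+)", line)
            if m:
                cur.flows[-1][1] = int(m.group(1))
    return sessions


def triage(s: Session) -> tuple:
    """Map one session to a (code, next thing to check) pair. The codes are mine."""
    ike_up = any(state == "Active" for _, _, state in s.ike_sas)
    ipsec_up = any(count > 0 for _, count in s.flows)
    # Once NAT traversal is detected IKE and ESP move to UDP/4500; a peer port that is
    # neither 500 nor 4500 means a NAT device in the path rewrote the source port.
    nat_t = s.peer_port != 500 or any(local.endswith("/4500") for local, _, _ in s.ike_sas)
    if not ike_up:
        return ("NO_IKE", "no IKE SA with this peer (status %s): check UDP/500 and 4500 "
                "reachability, the pre-shared key and the ISAKMP policy" % s.status)
    if not ipsec_up:
        return ("IKE_ONLY", "phase 1 up but no IPsec SA (UP-IDLE): the crypto ACLs on the two "
                "routers must mirror each other exactly and the transform sets must match")
    note = "IKE and IPsec SAs up" + (" over NAT-T (UDP/4500)" if nat_t else "")
    return ("UP", note + "; if traffic still fails, compare #pkts encaps/decaps in "
            "show crypto ipsec sa, exempt the VPN traffic from the NAT rule on the "
            "office router, and check routing on both sides")


if __name__ == "__main__":
    for label, text in (("office before", SESSION_OFFICE_BEFORE),
                        ("home before", SESSION_HOME_BEFORE),
                        ("office after", SESSION_OFFICE_AFTER)):
        for s in parse_sessions(text):
            code, advice = triage(s)
            print("%s: %s peer %s:%d -> %s: %s" % (label, s.interface, s.peer, s.peer_port, code, advice))
```

Run against the three outputs, the office and the second home session come back IKE_ONLY, the first home session (the crypto-map entry toward port 500 with 0 SAs) comes back NO_IKE, and the post-fix office output comes back UP over NAT-T. The DOWN entry is worth understanding: the home router's static crypto map created a flow for peer 40.197.68.9 on port 500, while the actual IKE exchange ran on 4500 after NAT-T kicked in, so the two lines describe one peer, not two.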

Accepted Solution

cadet alain
VIP Alumni

Hi,

2801 OFFICE

permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3

2851 HOME

permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248

You should replace the bolded IP addresses with your LAN subnet IPs, as an IPsec tunnel is for LAN-to-LAN communication.

Regards

Alain

Don't forget to rate helpful posts.

3 Replies

I made the changes you suggested and I now get the following results when I issue the command SH CRY SE:

OFFICE 2801

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 70.193.202.106 port 14541
  IKEv1 SA: local 40.197.68.9/4500 remote 70.193.202.106/14541 Active
  IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.70.0/255.255.255.252
        Active SAs: 2, origin: dynamic crypto map

HOME 2851

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 40.197.68.9 port 4500
  IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active
  IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 192.168.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map

But I cannot ping the 192.168.10.1 interface on the OFFICE router from my home router with the command:

ping 192.168.10.1 source 192.168.70.2

Ping did work on two occasions but would quit for a while, then come back. I had to reload the OFFICE router, and I had lost my Internet at home. Now I can't ping at all. But I DO get the results above. Thus, I am connected, but yet I am not.

Suggestions?

Changes OFFICE

ip access-list extended VPN1-FLA-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.70.0 0.0.0.3

Changes HOME

ip access-list extended VPN-TRAFFIC
 permit ip 192.168.70.0 0.0.0.3 192.168.10.0 0.0.0.255

The JPG below is my final goal.  I might need help beyond the basic VPN setup.
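The accepted answer and this follow-up turn on one rule for LAN-to-LAN IPsec with crypto maps: the two crypto ACLs must be exact mirrors of each other (source and destination swapped) and must name the LAN networks, not the tunnel endpoints, or no IPsec SA is negotiated even though IKE is up. The script below is an added example, written here and not taken from the poster or from Cisco, that checks a pair of `permit ip` ACEs for that. It uses the ACEs posted in this thread before and after the change, plus one constructed variant, not on the page, with the 0.0.0.7 wildcard a /29 needs. On the original ACEs it stops at the wildcard: 0.0.0.248 is not a valid subnet wildcard, because an IOS wildcard is the bitwise inverse of the netmask and must be a contiguous run of 1 bits (the inverse of 255.255.255.248 is 0.0.0.7); the home router's output rendered that flow as 40.197.68.0/255.255.255.7, the inverse of the wildcard as typed. Even with 0.0.0.7 the network 40.197.68.0/29 (.0 to .7) does not contain the office interface 40.197.68.9, which sits in 40.197.68.8/29. On the corrected pair the mirror check passes and only a warning remains: the home router's IKE endpoint 192.168.70.2 lies inside the protected 192.168.70.0/30, which is also the source the `ping 192.168.10.1 source 192.168.70.2` test uses. The endpoint-in-protected-network rule and the error/warning labels are mine.

```python
import ipaddress
import re
from dataclasses import dataclass

# Crypto ACEs as posted in this thread (office 2801 / home 2851), before and after
# the fix suggested in the accepted answer.
OFFICE_BEFORE = "permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3"
HOME_BEFORE = "permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248"
OFFICE_AFTER = "permit ip 192.168.10.0 0.0.0.255 192.168.70.0 0.0.0.3"
HOME_AFTER = "permit ip 192.168.70.0 0.0.0.3 192.168.10.0 0.0.0.255"
# Constructed variant (not on the page): the 0.0.0.7 wildcard a /29 would need.
OFFICE_SLASH29 = "permit ip 40.197.68.0 0.0.0.7 192.168.70.0 0.0.0.3"
HOME_SLASH29 = "permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.7"
# IKE endpoint addresses, taken from the `show crypto session` output in the thread.
OFFICE_PEER, HOME_PEER = "40.197.68.9", "192.168.70.2"


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_prefixlen(wc: str) -> int:
    """IOS wildcards are inverted netmasks and must be contiguous (0-bits then 1-bits):
    0.0.0.3 -> /30, 0.0.0.255 -> /24, 0.0.0.0 -> /32 (a single host).
    0.0.0.248 (last octet 11111000) is not contiguous and is rejected."""
    n = int(ipaddress.IPv4Address(wc))
    if n & (n + 1):
        raise ValueError("non-contiguous wildcard mask %s" % wc)
    return 32 - n.bit_length()


def parse_ace(line: str) -> Flow:
    """Parse `permit ip <net> <wildcard> <net> <wildcard>`, the only ACE form on the page."""
    m = re.fullmatch(r"\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*", line)
    if not m:
        raise ValueError("unsupported ACE: %r" % line)
    src, swc, dst, dwc = m.groups()
    return Flow(
        ipaddress.IPv4Network("%s/%d" % (src, wildcard_to_prefixlen(swc)), strict=False),
        ipaddress.IPv4Network("%s/%d" % (dst, wildcard_to_prefixlen(dwc)), strict=False),
    )


def check_pair(local_ace: str, remote_ace: str, local_peer: str, remote_peer: str) -> list:
    """Return (level, message) findings for one crypto ACE from each side.

    error:   a side cannot produce a subnet proxy ID (bad wildcard), or the two sides
             do not mirror each other, so no IPsec SA is negotiated while IKE stays up
             (the UP-IDLE state seen in the thread).
    warning: a tunnel endpoint address lies inside a protected network, so the
             endpoint's own traffic toward the other LAN is matched by the crypto map.
    """
    findings, flows = [], {}
    for name, ace in (("local", local_ace), ("remote", remote_ace)):
        try:
            flows[name] = parse_ace(ace)
        except ValueError as e:
            findings.append(("error", "%s: %s" % (name, e)))
    if len(flows) < 2:
        return findings
    l, r = flows["local"], flows["remote"]
    if (l.src, l.dst) != (r.dst, r.src):
        findings.append(("error", "not mirrored: local %s->%s, remote %s->%s"
                         % (l.src, l.dst, r.src, r.dst)))
    for peer in (local_peer, remote_peer):
        addr = ipaddress.IPv4Address(peer)
        for net in (l.src, l.dst):
            if addr in net:
                findings.append(("warning", "tunnel endpoint %s is inside protected network %s"
                                 % (peer, net)))
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (OFFICE_BEFORE, HOME_BEFORE)),
                        ("with /29 wildcard", (OFFICE_SLASH29, HOME_SLASH29)),
                        ("after the fix", (OFFICE_AFTER, HOME_AFTER))):
        print(label)
        for level, msg in check_pair(*pair, OFFICE_PEER, HOME_PEER) or [("ok", "no findings")]:
            print("  %s: %s" % (level, msg))
```

The mirror test compares networks rather than raw text, so `192.168.70.0 0.0.0.3` on one side and `192.168.70.1 0.0.0.3` on the other would still match, as they do on the router, while a genuinely different prefix length or a second ACE on only one side would not.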

Thanks for your solution. This is for LAN to LAN, and on both sides the segment should be the same. Your answer really helped me!
