04-16-2013 11:23 AM - edited 03-04-2019 07:36 PM
I am trying to connect my office 2801 router, which has a static IP, to my home 2851 router, which has a dynamic IP address, via a VPN.
Currently I seem to have a VPN connection, but no data crosses it. When I issue the command SHOW CRYPTO SESSION, here is what I get:
OFFICE 2801
Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 70.193.201.242 port 10327
IKEv1 SA: local 40.197.68.9/4500 remote 70.193.211.19/10327 Active
HOME 2851
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 40.197.68.9 port 500
IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 40.197.68.0/255.255.255.7
Active SAs: 0, origin: crypto map
Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 40.197.68.9 port 4500
IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active
Any idea why I am not able to get the IPSec part to work?
CONFIG FILES:
2801 OFFICE
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key VPNpassword address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-1 esp-3des esp-md5-hmac
!
crypto dynamic-map NCL-vpn 10
set security-association lifetime seconds 86400
set transform-set TS-1
match address VPN1-FLA-TRAFFIC
!
crypto map VPN-FLA-MAP 10 ipsec-isakmp dynamic NCL-vpn
!
interface FastEthernet0/0
ip address 40.197.68.9 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-FLA-MAP
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
no ip forward-protocol nd
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 40.197.68.10
ip route 192.168.2.0 255.255.255.0 192.168.10.5
!
ip access-list extended VPN1-FLA-TRAFFIC
permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3
2851 HOME
! ---------- This is used for local SSH only ----------
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2516279958
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2516279958
revocation-check none
rsakeypair TP-self-signed-2516279958
!
!
crypto pki certificate chain TP-self-signed-2516279958
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
! ------------------ END LOCAL USE PKI --------------------------
! ------------------ For VPN use ------------------------
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key VPNpassword address 40.197.68.9
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 40.197.68.9
set transform-set TS
match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
description Router - C3524 Port Fa0/23 192.168.70.1
ip address 192.168.70.2 255.255.255.252
duplex auto
speed auto
crypto map vpn-to-hq
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248
!
04-16-2013 11:40 AM
Hi,
2801 OFFICE
permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3
2851 HOME
permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248
You should replace the bolded IP addresses with your LAN subnet IPs, as an IPSec tunnel is for LAN-to-LAN communication.
Regards
Alain
Don't forget to rate helpful posts.
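As an added example (not code from the thread or from either poster), the following Python script checks the point Alain makes: each router's crypto ACL entry must be the exact mirror of the other's and must name the LAN subnets that will actually send traffic. It parses the four `permit ip` entries quoted in this thread, converts IOS wildcards to prefixes, and rejects a wildcard whose bits are not contiguous. That last check matters here: the original entries use 0.0.0.248, which is not the inverse of any subnet mask (the /29 on the office WAN interface would be 0.0.0.7), and the OP's first `show crypto session` output indeed renders it as the odd mask 255.255.255.7. Function and constant names are my own.

```python
import ipaddress
import re

# Crypto ACL entries exactly as they appear in the thread: the OP's original
# WAN-subnet entries and the LAN-subnet entries posted after Alain's reply.
OFFICE_ORIGINAL = "permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3"
HOME_ORIGINAL = "permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248"
OFFICE_FIXED = "permit ip 192.168.10.0 0.0.0.255 192.168.70.0 0.0.0.3"
HOME_FIXED = "permit ip 192.168.70.0 0.0.0.3 192.168.10.0 0.0.0.255"

ACE_RE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network.

    A wildcard is the bitwise inverse of a subnet mask (0.0.0.3 is /30).
    A wildcard whose set bits are not contiguous from the right (0.0.0.248)
    is not the inverse of any mask and is rejected, because it does not
    describe the subnet the author had in mind.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # non-zero when the low bits are not all ones
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_ace(line):
    """Return (source_network, destination_network) for one 'permit ip' ACE."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    src = wildcard_to_network(m.group(1), m.group(2))
    dst = wildcard_to_network(m.group(3), m.group(4))
    return src, dst


def acls_mirror(local_ace, remote_ace):
    """True when the remote entry is the exact (dst, src) mirror of the local one.

    Both peers derive their phase 2 proxy identities from the crypto ACL, so
    the two entries must describe the same pair of subnets seen from opposite
    ends; anything else gives a negotiation mismatch or an SA that no real
    traffic ever selects.
    """
    lsrc, ldst = parse_ace(local_ace)
    rsrc, rdst = parse_ace(remote_ace)
    return lsrc == rdst and ldst == rsrc


def describe(local_ace, remote_ace):
    """Human-readable verdict for a pair of crypto ACL entries."""
    try:
        ok = acls_mirror(local_ace, remote_ace)
    except ValueError as exc:
        return f"invalid: {exc}"
    lsrc, ldst = parse_ace(local_ace)
    return f"{'mirror' if ok else 'MISMATCH'}: {lsrc} <-> {ldst}"


if __name__ == "__main__":
    print("original:", describe(OFFICE_ORIGINAL, HOME_ORIGINAL))
    print("fixed:   ", describe(OFFICE_FIXED, HOME_FIXED))
```

Running it reports the original pair as invalid because of the 0.0.0.248 wildcard and the LAN-subnet pair as a clean mirror of 192.168.10.0/24 and 192.168.70.0/30.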
04-16-2013 03:25 PM
I made the changes you suggested, and I now get the following results when I issue the command SH CRY SE:
OFFICE 2801
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 70.193.202.106 port 14541
IKEv1 SA: local 40.197.68.9/4500 remote 70.193.202.106/14541 Active
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.70.0/255.255.255.252
Active SAs: 2, origin: dynamic crypto map
HOME 2851
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 40.197.68.9 port 4500
IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active
IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 192.168.10.0/255.255.255.0
Active SAs: 2, origin: crypto map
But I cannot ping the 192.168.10.1 interface on the OFFICE router from my home router with the command:
ping 192.168.10.1 source 192.168.70.2
Ping did work on two occasions but would quit for a while, then come back. I had to reload the OFFICE router, and I had lost my Internet at home. Now I can't ping at all. But I DO get the results above. Thus, I am connected, but yet I am not.
Suggestions?
Changes OFFICE
ip access-list extended VPN1-FLA-TRAFFIC
permit ip 192.168.10.0 0.0.0.255 192.168.70.0 0.0.0.3
Changes HOME
ip access-list extended VPN-TRAFFIC
permit ip 192.168.70.0 0.0.0.3 192.168.10.0 0.0.0.255
The JPG below is my final goal. I might need help beyond the basic VPN setup.
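The two `show crypto session` excerpts in this post look healthy, so it helps to be precise about what that output can and cannot tell you. The following Python checker is an added example (not from the thread or from Cisco); it parses the excerpts pasted above, plus the HOME output from the first post for contrast, and flags the things this command does reveal: a session that is not UP-ACTIVE, a flow with zero active SAs, a flow whose mask is not contiguous, and flows on the two routers that are not mirror images. The post-fix output passes every check, which is exactly why the remaining ping problem has to be looked for outside IKE/IPsec negotiation. The session text is copied from the thread; the function names are my own.

```python
import re
from ipaddress import IPv4Address

# "show crypto session" output copied from the thread: both routers after the
# crypto ACLs were changed to LAN subnets, and the HOME router before the change.
OFFICE_AFTER = """\
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 70.193.202.106 port 14541
IKEv1 SA: local 40.197.68.9/4500 remote 70.193.202.106/14541 Active
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.70.0/255.255.255.252
Active SAs: 2, origin: dynamic crypto map
"""

HOME_AFTER = """\
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 40.197.68.9 port 4500
IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active
IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 192.168.10.0/255.255.255.0
Active SAs: 2, origin: crypto map
"""

HOME_BEFORE = """\
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 40.197.68.9 port 500
IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 40.197.68.0/255.255.255.7
Active SAs: 0, origin: crypto map
Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 40.197.68.9 port 4500
IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active
"""

FLOW_RE = re.compile(r"IPSEC FLOW: permit ip ([^/\s]+)/(\S+) ([^/\s]+)/(\S+)")
SAS_RE = re.compile(r"Active SAs: (\d+), origin: (.+)")


def parse_sessions(text):
    """Split the command output into one dict per 'Interface:' block."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "status": None,
                   "peer": None, "ike_active": False, "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur["peer"] = line.split()[1]
        elif line.startswith("IKEv1 SA:"):
            cur["ike_active"] = line.endswith("Active")
        elif FLOW_RE.match(line):
            m = FLOW_RE.match(line)
            cur["flows"].append({"src": f"{m.group(1)}/{m.group(2)}",
                                 "dst": f"{m.group(3)}/{m.group(4)}",
                                 "active_sas": None, "origin": None})
        elif SAS_RE.match(line) and cur["flows"]:
            m = SAS_RE.match(line)
            cur["flows"][-1]["active_sas"] = int(m.group(1))
            cur["flows"][-1]["origin"] = m.group(2)
    return sessions


def mask_is_contiguous(mask):
    """A real subnet mask is all ones followed by all zeros; 255.255.255.7 is not."""
    inv = (~int(IPv4Address(mask))) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def check_side(text):
    """Return (code, detail) findings for one router's output; empty means clean."""
    findings = []
    for s in parse_sessions(text):
        if s["status"] != "UP-ACTIVE":
            findings.append(("status", f'{s["interface"]} peer {s["peer"]}: {s["status"]}'))
        for f in s["flows"]:
            if f["active_sas"] == 0:
                findings.append(("no-sa", f'{f["src"]} -> {f["dst"]}'))
            for mask in (f["src"].split("/")[1], f["dst"].split("/")[1]):
                if not mask_is_contiguous(mask):
                    findings.append(("bad-mask", mask))
    return findings


def flows_mirror(local_text, remote_text):
    """True when every IPsec flow on one router appears reversed on the other."""
    local = {(f["src"], f["dst"]) for s in parse_sessions(local_text) for f in s["flows"]}
    remote = {(f["dst"], f["src"]) for s in parse_sessions(remote_text) for f in s["flows"]}
    return bool(local) and local == remote


if __name__ == "__main__":
    for name, text in (("OFFICE after", OFFICE_AFTER), ("HOME after", HOME_AFTER),
                       ("HOME before", HOME_BEFORE)):
        print(name, check_side(text) or "clean")
    print("after-fix flows mirror:", flows_mirror(OFFICE_AFTER, HOME_AFTER))
```

The HOME output from the first post trips three checks (DOWN status, a flow with 0 SAs, and the 255.255.255.7 mask that the 0.0.0.248 wildcard produced), while both post-fix outputs are clean and mirror each other. Once this output is clean, a ping that is still failing is being dropped or misrouted before or after encryption rather than by the tunnel negotiation itself, so the next things to compare are the routing and NAT configuration on each router and the exact source address of the test traffic against the crypto ACL.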
10-18-2019 09:45 PM
Thanks for your solution. This is for LAN to LAN, and on both sides the segment should be the same. Your answer really helped me!