11-20-2015 02:36 AM - edited 03-05-2019 02:47 AM
Hello everyone,
I have been working on a VPN remote user connecting to my head office network using a Cisco 2801 router, and for that I did this configuration, but when the remote user connects and I use the show crypto ipsec sa command I see no packets received and decrypted. Secondly, the remote user connects to one of the IPs defined in the VPN pool. Other than that, I won't be able to ping this remote user, nor is he able to ping my router. Kindly suggest the cause of the problem. If there is any configuration required or any other misconfiguration, then please notify me. NEED HELP in this regard.
Thanks
Talha
---------------------------------------------------
Building configuration...
Current configuration : 1801 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
username cisco password 0 cisco
archive
 log config
  hidekeys
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP
 key cisco123
 dns 4.2.2.2
 wins 4.2.2.2
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface FastEthernet0/0
 ip address X.Y.Z.251 255.255.255.248
 speed 100
 full-duplex
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 172.16.118.1 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
 no ip address
!
ip local pool ippool 172.16.100.100 172.16.100.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.Y.Z.249
ip route 172.16.100.0 255.255.255.0 172.16.118.55
no ip http server
no ip http secure-server
!
!
!
access-list 108 permit ip 172.16.118.0 0.0.0.255 172.16.100.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end
11-22-2015 11:17 AM
The route for the VPN pool, 172.16.100.0/24, should be via the outside interface.
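The check described in the reply above, written as a small configuration audit (an added example, not part of the original thread or of any Cisco tool): it finds the static route that wins for each `ip local pool` range and reports it when the next hop sits behind an interface that carries no crypto map. The function names are hypothetical, and 203.0.113.x stands in for the redacted X.Y.Z addresses.

```python
import ipaddress
import re

# Constructed sample: routing-relevant lines of the posted config (203.0.113.* replaces X.Y.Z.*).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.251 255.255.255.248
 crypto map clientmap
interface FastEthernet0/1
 ip address 172.16.118.1 255.255.255.0
ip local pool ippool 172.16.100.100 172.16.100.200
ip route 0.0.0.0 0.0.0.0 203.0.113.249
ip route 172.16.100.0 255.255.255.0 172.16.118.55
"""

def parse(config):
    """Collect interfaces, address pools and static routes from IOS-style text."""
    ifaces, pools, routes, cur = {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            cur = None  # an unindented line ends the current interface block
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"net": None, "crypto": False})
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and line.startswith("crypto map "):
            cur["crypto"] = True
        elif m := re.match(r"ip local pool \S+ (\S+) (\S+)", line):
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := re.match(r"ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3])))
    return ifaces, pools, routes

def pool_route_findings(config):
    """Flag pools whose best static route exits an interface without a crypto map."""
    ifaces, pools, routes = parse(config)
    findings = []
    for first, last in pools:
        # Simplification: only routes covering the whole pool; longest prefix wins.
        covering = [r for r in routes if first in r[0] and last in r[0]]
        if not covering:
            continue
        net, hop = max(covering, key=lambda r: r[0].prefixlen)
        egress = next((n for n, i in ifaces.items()
                       if i["net"] is not None and hop in i["net"]), None)
        if egress is None or not ifaces[egress]["crypto"]:
            findings.append(f"pool {first}-{last}: {net} via {hop} exits {egress}, no crypto map")
    return findings

print(pool_route_findings(SAMPLE_CONFIG))
```

With the `ip route 172.16.100.0 ...` line removed, the pool falls back to the default route through FastEthernet0/0, where `crypto map clientmap` is applied, and the function returns no findings.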
11-23-2015 02:02 AM
My understanding is to check the crypto key with the far-end peer IP address.
A very simple concept of site-to-site VPN over IPsec:
01. Create the ISAKMP policy - specify the initial VPN security details.
02. Specify the IPsec details - specify how the IPsec packet will be encapsulated.
03. Crypto ACL - define the ACL to allow the traffic.
04. VPN tunnel info - create the crypto map that combines the ISAKMP policy, IPsec transform set, VPN peer address, and crypto ACL.
05. Apply those parameters to the interface where you want to create the VPN.
--------------------------------------------------------------------------------------------------------------
Initially you have to check the ISAKMP with # show crypto session; in case it is ACTIVE, then you check the IPsec with # show crypto ipsec sa; in case encaps & decaps are not happening, check steps 3, 4, 5.
----------------------------------------------------
11-23-2015 10:39 AM
This is not a site to site VPN, it is a user to site VPN ...