Site to Site VPN Configuration Problems

After spending almost two days trying to fix an issue with getting traffic to flow through a site-to-site VPN, I am reaching out to see if anyone can shed some light on the creation of site-to-site VPNs using Cisco 1941W routers and what I have done wrong.

The two sites are connected via ADSL, and myself and the other tech have tried creating the VPN tunnel using Config Professional as well as manually. Neither has worked. Below are our configs. If anyone could have a look and see what we have done wrong, we will be ecstatic. Thank you in advance!

"Coach House" Location:

SWML-CH-RTR01#show run

Building configuration...

Current configuration : 5827 bytes

!

! Last configuration change at 07:43:35 UTC Thu Mar 8 2012 by t4tech

! NVRAM config last updated at 07:43:35 UTC Thu Mar 8 2012 by t4tech

! NVRAM config last updated at 07:43:35 UTC Thu Mar 8 2012 by t4tech

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname SWML-CH-RTR01

!

boot-start-marker

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 $1$OT.V$7heedf7HY7diX3KsvFA0N1

!

no aaa new-model

!

service-module wlan-ap 0 bootimage autonomous

!

no ipv6 cef

ip source-route

ip cef

!

!

!

ip dhcp excluded-address 10.10.2.1 10.10.2.20

ip dhcp excluded-address 10.10.2.101 10.10.2.191

ip dhcp excluded-address 10.10.2.193

!

ip dhcp pool ccp-pool1

network 10.10.2.0 255.255.255.128

default-router 10.10.2.1

dns-server 10.10.2.1

!

ip dhcp pool ccp-pool2

network 10.10.2.192 255.255.255.192

default-router 10.10.2.193

dns-server 10.10.2.193

lease infinite

!

!

ip domain name name.com.au

ip name-server 203.21.20.20

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

!

license udi pid CISCO1941W-N/K9 sn FGL15412391

license boot module c1900 technology-package securityk9

hw-module ism 0

!

!

!

redundancy

!

!

!

!

controller VDSL 0/0/0

!

ip ssh version 1

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ourkey address 58.6.1.176

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to SWML HQ from CH

set peer 58.6.1.176

set transform-set ESP-3DES-SHA

match address 100

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_OUTSIDE$

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no mop enabled

!

interface wlan-ap0

description Service module interface to manage the embedded AP

no ip address

arp timeout 0

no mop enabled

no mop sysid

!

interface GigabitEthernet0/1

description $ES_LAN$$FW_INSIDE$

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly in

ip tcp adjust-mss 1412

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1.100

description $FW_INSIDE$$ETH-LAN$

encapsulation dot1Q 100

ip address 10.10.2.1 255.255.255.128

ip nat inside

ip virtual-reassembly in

no cdp enable

!

interface GigabitEthernet0/1.200

description $FW_INSIDE$

encapsulation dot1Q 200

ip address 10.10.2.129 255.255.255.192

ip nat inside

ip virtual-reassembly in

no cdp enable

!

interface Wlan-GigabitEthernet0/0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

no ip address

!

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

!

interface ATM0/0/0.1 point-to-point

pvc 8/35

pppoe-client dial-pool-number 2

!

!

interface Ethernet0/0/0

no ip address

shutdown

no fair-queue

!

interface Vlan1

ip address 10.10.2.193 255.255.255.192

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1412

!

interface Dialer0

ip address negotiated

ip mtu 1452

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer-group 2

ppp authentication chap pap callin

ppp chap hostname dslname@westnet.com.au

ppp chap password 7 removed

ppp pap sent-username dslname@westnet.com.au password 7 removed

no cdp enable

crypto map SDM_CMAP_1

crypto ipsec df-bit clear

!

ip forward-protocol nd

!

ip http server

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip dns server

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 10.10.1.0 255.255.255.0 58.6.1.176

!

logging trap debugging

logging 10.10.1.11

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.2.0 0.0.0.127

access-list 1 permit 10.10.2.0 0.0.0.255

access-list 1 permit 10.10.2.128 0.0.0.63

access-list 2 remark CCP_ACL Category=2

access-list 2 permit 10.10.2.128 0.0.0.127

access-list 2 permit 10.10.2.0 0.0.0.127

access-list 2 permit 10.10.2.0 0.0.0.255

access-list 10 permit 10.10.1.11

access-list 100 remark IPSec Rules

access-list 100 permit ip 10.10.2.0 0.0.0.255 58.6.1.0 0.0.0.255

access-list 100 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255

access-list 100 permit ip 10.10.2.0 0.0.0.127 host 10.10.1.1

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

!

!

!

route-map sd permit 10

!

route-map SDM_RMAP_1 permit 1

match ip address 2

"HQ" Location:

hostname SWML-HQ-RTR01

!

clock timezone PCTime 8 0

service-module wlan-ap 0 bootimage autonomous

!

no ipv6 cef

no ip source-route

ip cef

!

ip dhcp excluded-address 10.10.1.1 10.10.1.20

ip dhcp excluded-address 10.10.1.101 10.10.1.191

ip dhcp excluded-address 10.10.1.193

!

ip dhcp pool ccp-pool1

network 10.10.1.192 255.255.255.192

default-router 10.10.1.193

dns-server 10.10.1.193

lease infinite

!

!

no ip bootp server

ip domain name name.com.au

ip name-server 203.21.20.20

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-191340246

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-191340246

revocation-check none

rsakeypair TP-self-signed-191340246

!

crypto pki trustpoint test_trustpoint_config_created_for_sdm

subject-name e=sdmtest@sdmtest.com

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-191340246

certificate self-signed 01

30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 31393133 34303234 36301E17 0D313131 31323430 34333935

345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3139 31333430

32343630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

8383B011 26ACCBF9 1E2CBB79 AE7CA9D8 72F553DF DAC8369D 67D8A46F 9C726DD2

FE1F3B8C 0DFB3506 943F8432 E764523E 867B9396 DFA0F67D E8B9F84D 0AFDD4CD

D6F393C9 3054AADD DA253DE8 041E55F5 C43FCA7D D35932EA 52A7876D 14F4C6A5

1BD9E369 58D387B0 3DCA3708 3329D21A 103A0B12 B7F1EF9C 93ECC557 B54C960B

02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D

23041830 16801483 01F42DFD 84AECE63 2CAD003F E316F7E3 C7A1E230 1D060355

1D0E0416 04148301 F42DFD84 AECE632C AD003FE3 16F7E3C7 A1E2300D 06092A86

4886F70D 01010505 00038181 006B7FBA 64522E2A 355BE979 33E4D5D9 6B82738F

09F67EE6 64DC79D0 40EF937D B7F39C4E AF4894AA 60FF3849 08F4C5D5 57C5FE39

72E28954 9AEBBBFB FB340475 140A75D3 24A7DC66 E10B62B0 D3E92339 A8680A2B

D0E954D0 72F6263D 14A7DBF0 B3B90512 0F77FFAC ECD080A4 7DC5139A 13E74309

7E21F365 8C3F41BE 0D84A236 01

       quit

crypto pki certificate chain test_trustpoint_config_created_for_sdm

license udi pid CISCO1941W-N/K9 sn FGL154820D0

license boot module c1900 technology-package securityk9

hw-module ism 0

!

!

!

vtp mode client

!

redundancy

!

!

!

!

controller VDSL 0/0/0

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh version 1

!

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

!

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ourkey address 203.59.231.119

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to SWML CH from HQ

set peer 203.59.231.119

set transform-set ESP-3DES-SHA

match address 103

!

interface Embedded-Service-Engine0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

!

interface GigabitEthernet0/0

description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_OUTSIDE$

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no mop enabled

!

interface wlan-ap0

description Service module interface to manage the embedded AP

no ip address

no ip unreachables

ip flow ingress

arp timeout 0

no mop enabled

no mop sysid

!

interface GigabitEthernet0/1

description $ES_LAN$$FW_INSIDE$

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1.100

description $FW_INSIDE$$ETH-LAN$

encapsulation dot1Q 100

ip address 10.10.1.1 255.255.255.128

ip nat inside

ip virtual-reassembly in

no cdp enable

!

interface GigabitEthernet0/1.200

description $FW_INSIDE$

encapsulation dot1Q 200

ip address 10.10.1.129 255.255.255.192

ip nat inside

ip virtual-reassembly in

no cdp enable

!

interface Wlan-GigabitEthernet0/0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

no ip address

!

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

!

interface ATM0/0/0.1 point-to-point

pvc 8/35

pppoe-client dial-pool-number 2

!

interface Ethernet0/0/0

no ip address

shutdown

no fair-queue

!

interface Vlan1

ip address 10.10.1.193 255.255.255.192

ip helper-address 10.10.1.11

no ip redirects

ip flow ingress

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1412

!

interface Dialer0

description $FW_OUTSIDE$

ip address 192.168.0.10 255.255.255.0

no ip redirects

ip mtu 1452

ip flow ingress

no cdp enable

!

interface Dialer2

ip address negotiated

ip mtu 1452

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer-group 2

ppp authentication chap pap callin

ppp chap hostname name@westnet.com.au

ppp chap password 7 removed

ppp pap sent-username name password 7 removed

no cdp enable

crypto map SDM_CMAP_1

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip dns server

ip nat inside source static tcp 10.10.1.11 25 interface Dialer2 25

ip nat inside source static tcp 10.10.1.11 47 interface Dialer2 47

ip nat inside source static tcp 10.10.1.11 1723 interface Dialer2 1723

ip nat inside source static tcp 10.10.1.11 443 interface Dialer2 443

ip nat inside source static tcp 10.10.1.11 993 interface Dialer2 993

ip nat inside source static tcp 10.10.1.11 80 interface Dialer2 80

ip nat inside source static tcp 10.10.1.11 3389 interface Dialer2 3088

ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload

ip nat inside source route-map SDM_RMAP_2 interface Dialer2 overload

ip route 0.0.0.0 0.0.0.0 Dialer2

ip route 10.10.2.0 255.255.255.0 203.59.231.119

!

ip access-list extended ALLIP

remark ALL ip

remark CCP_ACL Category=1

permit ip any any

ip access-list extended OUTIP

remark OUTIP

remark CCP_ACL Category=1

remark OUT

permit ip any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

!

logging trap debugging

logging 10.10.1.11

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.1.0 0.0.0.127

access-list 1 permit 10.10.1.0 0.0.0.255

access-list 1 permit 10.10.1.128 0.0.0.63

access-list 2 remark CCP_ACL Category=2

access-list 2 permit 10.10.1.128 0.0.0.127

access-list 10 permit 10.10.1.11

access-list 100 remark CCP_ACL Category=4

access-list 100 permit ip 10.10.1.128 0.0.0.63 10.10.2.128 0.0.0.63 log

access-list 100 remark CCP_ACL Category=4

access-list 100 permit ip 10.10.1.128 0.0.0.63 203.59.231.0 0.0.0.255 log

access-list 101 remark CCP_ACL Category=18

access-list 101 deny   ip 10.10.1.128 0.0.0.63 10.10.2.128 0.0.0.63

access-list 101 deny   ip 10.10.1.0 0.0.0.255 124.148.218.0 0.0.0.255 log

access-list 101 deny   ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255 log

access-list 101 deny   ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 log

access-list 101 permit ip 10.10.1.0 0.0.0.255 any

access-list 101 permit ip 10.10.1.0 0.0.0.127 any

access-list 101 permit ip 10.10.1.128 0.0.0.63 any

access-list 102 remark CCP_ACL Category=6

access-list 102 deny   ip 10.10.1.128 0.0.0.63 10.10.2.128 0.0.0.63

access-list 102 remark IPSec Rule

access-list 102 permit ip 10.10.1.128 0.0.0.63 10.10.2.128 0.0.0.63

access-list 103 remark IPSec Rules

access-list 103 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 log

access-list 103 permit ip 10.10.1.0 0.0.0.255 203.59.231.0 0.0.0.255 log

access-list 103 permit ip 10.10.1.0 0.0.0.127 host 10.10.2.1

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

no cdp run

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

route-map SDM_RMAP_2 permit 1

match ip address 102

!

2 Replies

andrew.prince (Level 10)

At first glance - you are using IP DHCP for your WAN connection at both sites, how can they build a tunnel, if both endpoints can change at any time?  Have you confirmed that the IP addresses you have specified are the correct ones?

Neeraj Arora (Level 3)

Nicholas,

Two changes that I would suggest in your config:

1. In the crypto ACL, you don't need to add the statement for allowing the traffic going towards the VPN peer, like "access-list 100 permit ip 10.10.2.0 0.0.0.255 58.6.1.0 0.0.0.255" & "access-list 103 permit ip 10.10.1.0 0.0.0.255 203.59.231.0 0.0.0.255 log". So remove these statements from the ACLs.

2. In the SWML-CH-RTR01 router, the traffic which is supposed to traverse across the tunnel is not denied from being NATed. You'd have to use another extended ACL for the route-map SDM_RMAP_1, like it's being done on the other router.

Hope the above steps help. In case you still face issues, do paste the output of:

sh ip nat translation

sh crypto isa sa

sh crypto ipsec sa

sh ip route

sh access-list
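As an added example that is not part of the thread, here is a small Python checker for the two points in the reply above, run against the ACL lines copied from the two posted configs (only the entries that matter for the check). It parses the numbered standard and extended ACLs, evaluates them first-match with the implicit deny, and reports (1) crypto-ACL entries whose destination covers the peer's own public address and (2) flows that the crypto ACL selects for the tunnel but that the ACL behind the NAT route-map would still translate. On IOS, inside-to-outside NAT runs before the crypto map is consulted, so such a flow leaves with the dialer's address as its source and never matches the crypto ACL. The replacement ACL 110 for the CH router, the ACL number itself, the implied `match ip address 110` change to `SDM_RMAP_1`, and the sample host addresses are constructed for the example and are assumptions, not something from the thread.

```python
# Added example: a checker for the two config points raised in the reply above. The ACL
# text is copied from the posted configs; ACL 110 and the sample hosts are constructed.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # ANY for standard ACLs, which match on source only

def _net(addr, wildcard):
    """Convert IOS 'address wildcard' notation (e.g. 10.10.2.0 0.0.0.127) into a network."""
    w = int(ipaddress.ip_address(wildcard))
    if (w + 1) & w:              # wildcard bits must be contiguous low-order bits
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return ipaddress.ip_network("%s/%d" % (addr, 32 - w.bit_length()), strict=False)

def _operand(tok, i):
    """Parse one operand: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare host address."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if i + 1 < len(tok) and tok[i + 1] != "log":
        return _net(tok[i], tok[i + 1]), i + 2
    return ipaddress.ip_network(tok[i] + "/32"), i + 1

def parse_acl(text, number):
    """Collect the entries of numbered ACL `number` from 'access-list ...' lines, in order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        if tok[3] == "ip":               # extended: <action> ip SRC DST [log]
            src, i = _operand(tok, 4)
            dst, _ = _operand(tok, i)
        else:                            # standard: <action> SRC (destination is implicitly any)
            src, _ = _operand(tok, 3)
            dst = ANY
        entries.append(Ace(tok[2], src, dst))
    return entries

def lookup(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"

def peer_address_entries(crypto_acl, peer):
    """Point 1: crypto-ACL permits whose destination covers the peer's own public address."""
    p = ipaddress.ip_address(peer)
    return [a for a in crypto_acl if a.action == "permit" and p in a.dst]

def nat_leaks(crypto_acl, nat_acl, flows):
    """Point 2: flows the crypto ACL selects for the tunnel that the NAT ACL also translates
    (IOS NATs inside-to-outside before the crypto map, so these never get encrypted)."""
    return [(s, d) for s, d in flows
            if lookup(crypto_acl, s, d) == "permit" and lookup(nat_acl, s, d) == "permit"]

# SWML-CH-RTR01: ACL 2 feeds route-map SDM_RMAP_1 (NAT), ACL 100 is the crypto ACL.
CH_ACLS = """\
access-list 2 permit 10.10.2.128 0.0.0.127
access-list 2 permit 10.10.2.0 0.0.0.127
access-list 2 permit 10.10.2.0 0.0.0.255
access-list 100 remark IPSec Rules
access-list 100 permit ip 10.10.2.0 0.0.0.255 58.6.1.0 0.0.0.255
access-list 100 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 10.10.2.0 0.0.0.127 host 10.10.1.1
"""
# SWML-HQ-RTR01: ACL 101 feeds route-map SDM_RMAP_1 (NAT), ACL 103 is the crypto ACL.
HQ_ACLS = """\
access-list 101 deny   ip 10.10.1.128 0.0.0.63 10.10.2.128 0.0.0.63
access-list 101 deny   ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 log
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 103 remark IPSec Rules
access-list 103 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 log
access-list 103 permit ip 10.10.1.0 0.0.0.255 203.59.231.0 0.0.0.255 log
access-list 103 permit ip 10.10.1.0 0.0.0.127 host 10.10.2.1
"""
# Constructed NAT ACL for the CH router (number 110 is an assumption): deny the tunnel
# traffic first, then permit the rest; SDM_RMAP_1 would then 'match ip address 110'.
CH_NAT_FIXED = """\
access-list 110 deny   ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 110 permit ip 10.10.2.0 0.0.0.255 any
"""
# Constructed sample flows: a host in each LAN segment at one site reaching a host at the other.
CH_FLOWS = [("10.10.2.50", "10.10.1.50"), ("10.10.2.200", "10.10.1.200")]
HQ_FLOWS = [("10.10.1.50", "10.10.2.50"), ("10.10.1.200", "10.10.2.200")]

if __name__ == "__main__":
    print("CH NAT leaks (ACL 2):", nat_leaks(parse_acl(CH_ACLS, 100), parse_acl(CH_ACLS, 2), CH_FLOWS))
    print("CH NAT leaks (ACL 110):", nat_leaks(parse_acl(CH_ACLS, 100), parse_acl(CH_NAT_FIXED, 110), CH_FLOWS))
```

Run as-is, the CH side reports both sample flows as NAT leaks with ACL 2 (it permits the whole 10.10.2.0/24, so tunnel traffic is translated), none with the constructed ACL 110, and the HQ side reports none because ACL 101 already denies 10.10.1.0/24 to 10.10.2.0/24 ahead of its permit. Both sites show one peer-address entry in their crypto ACL, which is the line the reply says to remove. After applying a change like this, `sh ip nat translation` should show no entries for remote-LAN destinations, and `sh crypto ipsec sa` should show the encaps/decaps counters climbing.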