02-01-2016 08:09 PM - edited 03-05-2019 03:14 AM
I don't know if anyone can help me with this.
I tried to set up a VPN between a Cisco 1921 and a Netgear FVX538.
The VPN connection looks like it is established, but I can't transfer data through the VPN tunnel.
On the Netgear I use an IKE policy with encryption 3DES, authentication algorithm SHA-1, pre-shared key (cisco) and DH group 2 (1024-bit).
For the VPN policy: traffic selection = subnet, auto policy parameters SA lifetime = 3600 sec, encryption = 3DES, integrity algorithm = SHA-1 and PFS key group 2 (1024-bit).
Is it possible to have the equivalent configuration for the Cisco 1921 so that data can be transferred over the VPN between the Cisco and the Netgear router?
Thank You !
02-09-2016 02:54 AM
Hi Plussier1,
If the tunnel is up then you should not have any issues with a policy mismatch.
Give me more information about the issue. What exactly do you mean when you say the tunnel is up? Phase 1 and Phase 2 both up?
Please check what exactly the encap and decap counters look like on the router. Do you have any encapsulations happening?
Command: show crypto ipsec sa peer <peer ip> detail
If you do not see any encapsulations happening then chances are that the traffic from behind the router is not making it to the router itself. Please check internal routing in that case. You can also initiate traffic from the router itself if the router's interface is included in the crypto access list and check whether the encapsulation counter increases or not.
Check that you have NAT exemptions on both sides in case you are NATing the traffic for the internet.
From which side are you generating the traffic? Is the tunnel a static-to-static tunnel?
Make sure the interesting traffic matches on both sides.
Thanks!
02-09-2016 07:38 PM
1) Please see the attached file for the config on the Netgear Side.
2) Please see the attached file for the config on the cisco side
and the show crypto ipsec sa peer <peer ip> detail
This is a Site-to-Site VPN tunnel with static IP addresses on both sites.
I'm trying to ping from the Cisco to the Netgear and vice versa. No response to ping on either side.
Sorry about that, but I'm a beginner with Cisco routers.
Let me know !
Thank You !
Patrick Lussier
Orizonmobile
www.orizonmobile.com
02-10-2016 05:38 AM
Hi Plussier1,
I see the tunnel is up and interesting traffic matches on both ends.
However I see the encap and decap counters at zero. Did you take this output while you were initiating traffic? If yes, from where to where?
GoMobile3616#show crypto ipsec sa peer xxx.xxx.xxx.xxx detail
interface: GigabitEthernet0/1
Crypto map tag: ToReseau2, local addr 192.168.20.100
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.116.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
According to the above output I see no packets getting encapsulated and none decapsulated.
Please take this output when you initiate some traffic and attach here again.
Attach the show tech output of the router here too. I need to check the NATs.
Thanks!!
02-14-2016 02:34 PM
Hi,
Please see the show crypto ipsec output again, with traffic generated on both sides; it looks like the Cisco decrypts packets but nothing happens on the encrypt side.
--------------------------------------
First I did a ping test from the Netgear Router to the Cisco Router.
4 Packet sent but 100% lost
-------------------------------------------------
Second I did a ping test from the Netgear Router (192.168.2.1) to my Laptop (192.168.116.101) connected to the cisco router.
4 Packet sent but 100% lost
That is why we see #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
------------------------------------------------------------
Third I did a ping test from my laptop (192.168.116.101) connected to the cisco router to the netgear Router (192.168.2.1)
4 Packet sent but 100% lost
This is the result of the show crypto ipsec command:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
--------------------------------------------------------
For the last test I did a ping test from my laptop (192.168.116.101) connected to the Cisco router to another laptop (192.168.2.95) connected to the Netgear router.
Still the same result:
4 packets sent but 100% lost
This is the result of the show crypto ipsec command:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
-----------------------------------------------------------------
GoMobile3616#show crypto ipsec sa peer xxx.xxx.xxx.xxx detail
interface: GigabitEthernet0/1
Crypto map tag: ToReseau2, local addr 192.168.20.100
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.116.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 216.226.46.178 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8 ( Ping from the 192.168.2.1 network to 192.168.116.101, which is my laptop, but no ping response. )
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 192.168.20.100, remote crypto endpt.: 216.226.46.178
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x3233EF(3290095)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xAB177A98(2870442648)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: ToReseau2
sa timing: remaining key lifetime (k/sec): (4157029/3117)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3233EF(3290095)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: ToReseau2
sa timing: remaining key lifetime (k/sec): (4157030/3117)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
GoMobile3616#
Please see the cisco 1921.pdf file for the show tech-support output.
Thank you again for taking the time to help me.
Patrick Lussier
OrizonMobile
02-17-2016 07:54 AM
So you are not able to reach from the laptop behind the Cisco router to the Cisco router itself?
Please give me the output of show ip route from the Cisco router.
Do a traceroute from the laptop to the Netgear router and give me the results. Next do a traceroute to the Cisco router from the laptop and paste it here.
Thanks!
02-17-2016 08:55 PM
Hi,
The laptop (192.168.116.101) connected to the Cisco router (192.168.116.1) can reach it; the ping is working.
Please see the attached .pdf file for the network schematic.
What happens is that the VPN tunnel looks like it is established, but no data passes through it.
Please see the Word file for the traceroute.
Here is the output:
GoMobile3616#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.20.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 192.168.20.1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/1
L 192.168.20.100/32 is directly connected, GigabitEthernet0/1
192.168.116.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.116.0/24 is directly connected, Vlan1
L 192.168.116.1/32 is directly connected, Vlan1
---------------------------------------------------------------------------------------------------------
GoMobile3616#show crypto ipsec sa peer xxx.xxx.xxx.xxx detail
interface: GigabitEthernet0/1
Crypto map tag: ToReseau2, local addr 192.168.20.100
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.116.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 291, #pkts decrypt: 291, #pkts verify: 291
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 192.168.20.100, remote crypto endpt.: xxx.xxx.xxx.xxx
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x758FCFD(123272445)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xE49DD805(3835549701)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000040, crypto map: ToReseau2
sa timing: remaining key lifetime (k/sec): (4209713/2243)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x758FCFD(123272445)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000040, crypto map: ToReseau2
sa timing: remaining key lifetime (k/sec): (4209713/2243)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
GoMobile3616#
02-18-2016 04:11 PM
Hi,
Please remove the standard access-list 1 called in the NAT statement first. Make it an extended one and add a deny statement at the top for the VPN traffic.
Make it this way:
! extended ACL: the deny for VPN traffic must be first, otherwise PAT rewrites it before the crypto map sees it
ip access-list extended 102
 10 deny ip 192.168.116.0 0.0.0.255 192.168.2.0 0.0.0.255
 20 permit ip 192.168.116.0 0.0.0.255 any
Call this ACL in the NAT statement:
ip nat inside source list 102 interface GigabitEthernet0/1 overload
Please check after this if you are able to pass traffic and update me.
If this resolves your query mark the thread answered. :)
Thanks!
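The complete Cisco side of the fix described in the post above, written out as an added example; this is not the OP's posted configuration (which is in an attachment the page does not reproduce) and not Cisco's documentation. It uses only the parameters the thread gives: IKE 3DES / SHA-1 / pre-shared key / DH group 2, IPsec ESP 3DES with SHA-1 HMAC, PFS group 2, a 3600-second SA lifetime, crypto map ToReseau2 on GigabitEthernet0/1 (192.168.20.100), Vlan1 (192.168.116.1) as the inside interface, local subnet 192.168.116.0/24 and remote subnet 192.168.2.0/24. The peer address xxx.xxx.xxx.xxx (redacted as on the page), the ACL and transform-set names, and the pre-shared-key placeholder are assumptions. Two caveats a practitioner would want: 3DES, SHA-1 and 1024-bit DH group 2 are legacy choices kept here only because the Netgear end was configured with them, and AES-256, SHA-256 and DH group 14 or higher should be used wherever both ends support it; and the pre-shared key must be a long random string, not "cisco".

```cisco
! Phase 1 (IKEv1): must mirror the Netgear IKE policy (3DES, SHA-1, PSK, DH group 2)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared key for this peer (REPLACE-WITH-STRONG-PSK is a placeholder, not the page's key)
crypto isakmp key REPLACE-WITH-STRONG-PSK address xxx.xxx.xxx.xxx
!
! Phase 2 transform: ESP 3DES + SHA-1 HMAC, tunnel mode (matches the show crypto ipsec sa output)
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! Interesting traffic: exactly the local/remote idents the Netgear VPN policy selects
ip access-list extended VPN-TO-RESEAU2
 permit ip 192.168.116.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NAT exemption. The deny must come first: IOS applies inside->outside NAT before the
! crypto map check, so without it PAT rewrites the source of VPN-bound packets to
! 192.168.20.100, they no longer match the crypto ACL, and the router shows
! "#pkts encaps: 0" while "#pkts decaps" keeps climbing, as in the thread.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.116.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.116.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! One crypto map; each peer gets its own sequence number (name first, then the number).
! PFS group 2 and the 3600 s SA lifetime match the Netgear VPN policy.
crypto map ToReseau2 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set TS-3DES-SHA
 set pfs group2
 set security-association lifetime seconds 3600
 match address VPN-TO-RESEAU2
!
interface GigabitEthernet0/1
 ip address 192.168.20.100 255.255.255.0
 ip nat outside
 crypto map ToReseau2
!
interface Vlan1
 ip address 192.168.116.1 255.255.255.0
 ip nat inside
```

To verify after applying it, clear the old SAs (clear crypto sa, then clear crypto isakmp) so the new ACL is used for fresh negotiations, generate traffic from the router itself with a source inside the crypto ACL (ping 192.168.2.1 source Vlan1), and watch show crypto ipsec sa peer xxx.xxx.xxx.xxx detail | include encaps|decaps: both counters should now increase together. show access-lists NAT-INSIDE should show the hit count on the deny line growing, which confirms VPN traffic is bypassing PAT. One further observation from the show ip route output in the thread: GigabitEthernet0/1 itself carries a private address (192.168.20.100, default route via 192.168.20.1), so some device upstream is translating the router; IKE (UDP 500, and UDP 4500 when NAT-T is negotiated) and ESP have to reach the Cisco through that device, which the established tunnel in this thread shows was already the case.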
02-18-2016 07:31 PM
I did the modification and now the traffic is able to pass through the VPN tunnel between the Cisco 1921 and the Netgear FVX538.
#pkts encaps: 661, #pkts encrypt: 661, #pkts digest: 661
#pkts decaps: 666, #pkts decrypt: 666, #pkts verify: 666
Thank You very much for your time.
Have a good day !
02-18-2016 08:47 PM
Hi,
Can we set up more than one Site-to-Site VPN on the Cisco 1921?
I tried to set up a second one but it conflicts with the first one.
When I applied the crypto map Test to the same interface GE0/1 it does nothing, and the other VPN to the 192.168.2.0 network goes down?
Do you have some documents about how to configure multiple site-to-site VPNs?
I need to set up 15 Site-to-Site VPNs between the Cisco 1921 and 15 Netgear FVX538s on different sites.
Thank You !
02-19-2016 06:16 AM
Hi Plussier,
I think what you have done is you have created a new crypto map and applied it on the same interface.
You must not do that, otherwise it will overwrite the first one. You cannot have multiple crypto maps applied on a single interface.
Just create multiple entries in the same crypto map.
Example: crypto map 1 test match address <name>
crypto map 1 test set peer q.q.q.q
crypto map 1 test set transform set <name>
crypto map 2 test match address <name>
crypto map 2 test set peer t.t.t.t
crypto map 2 test set transform set <name>
So here there would be two tunnels on the same box, with two different peers. And you just apply the crypto map "test" on the interface.
Hope this helps!
Thanks!
02-19-2016 09:55 AM
Moved post to Network Infrastructure Community.
03-01-2016 08:21 PM
Hi Glen,
I tried what jumukhi wrote below but I can't add a number before the name test.
Please see my complete Site-to-Site tunnel commands in the attached files.
I need to have around 16 Site-to-Site VPNs on my Cisco 1921 on the same interface.
I tried that but the router can't accept the number in red.
Example: crypto map 1 test match address <name>
crypto map 1 test set peer q.q.q.q
crypto map 1 test set transform set <name>
crypto map 2 test match address <name>
crypto map 2 test set peer t.t.t.t
crypto map 2 test set transform set <name>
Please let me know what I need to do to add more than one site-to-site VPN on the same interface.
Thank You !
Patrick
03-02-2016 05:00 AM
Hi,
Sorry about that, it was written in haste, but the command is crypto map test 1 set ..., then accordingly you can place everything else.
It's the crypto map name first, then the number.
Thanks!
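What the corrected syntax looks like when a second Netgear site is added, as an added example (not the OP's attached configuration). It extends the map already bound to GigabitEthernet0/1, ToReseau2 in this thread, with the next sequence number instead of creating a second map, since only one crypto map can be applied per interface. Assumed here: the second peer t.t.t.t (a placeholder, as in the thread), its LAN 192.168.3.0/24, the ACL name VPN-TO-SITE3, and that the first tunnel already uses a transform set named TS-3DES-SHA and a NAT-exemption ACL named NAT-INSIDE whose existing entries are numbered 10 (deny) and 20 (permit ... any); adjust those names and numbers to whatever the router actually has. Every additional site needs its own pre-shared key, its own crypto ACL, its own deny line in the NAT ACL placed before the permit, and its own crypto map entry; repeat the pattern with 30, 40 and so on for the remaining sites.

```cisco
! Second peer: a different pre-shared key per peer (placeholder value), so one
! compromised Netgear does not expose the key shared with the other sites
crypto isakmp key REPLACE-WITH-STRONG-PSK-SITE3 address t.t.t.t
!
! Interesting traffic for site 3 (192.168.3.0/24 is an assumed LAN)
ip access-list extended VPN-TO-SITE3
 permit ip 192.168.116.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! NAT exemption for the new site, inserted with a sequence number that lands
! before the existing "permit ip 192.168.116.0 0.0.0.255 any" line
ip access-list extended NAT-INSIDE
 15 deny ip 192.168.116.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Same map name, next free sequence number: name first, then the number
crypto map ToReseau2 20 ipsec-isakmp
 set peer t.t.t.t
 set transform-set TS-3DES-SHA
 set pfs group2
 set security-association lifetime seconds 3600
 match address VPN-TO-SITE3
!
! ToReseau2 is already applied to GigabitEthernet0/1; do not apply a second map there,
! and do not create a map with another name for the new peer
```

show crypto map afterwards lists both sequence numbers under the single map name, and show crypto isakmp sa should show one IKE SA per peer once each site sends traffic. Keep the crypto ACLs non-overlapping: if two entries could match the same source/destination pair, the lower sequence number wins and the other site's traffic silently goes into the wrong tunnel.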
03-04-2016 04:57 AM
Hi,
I tested that and it works now.
Thank you and have a good day!
If I have another question on a different subject, can I continue to write in this discussion or is it better to start a new one?
Patrick Lussier