6357 Views · 5 Helpful · 64 Replies

VPN connection to LAN, no answer, Cisco 1100 series

unidadso
Spotlight

Hi good day

I want to ask a favor: can you help me with the VPN connection? When I ping the gateway 181.53.244.1 I have connectivity, but between the LANs there is no connection. What could I be doing wrong? My router is a Cisco 1100 series. Thanks for your help.
!

license accept end user agreement
license boot suite FoundationSuiteK9
license boot level appxk9
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key c4l1wer address 181.53.244.1
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.53.244.1
set transform-set TS-VPN
match address VPN
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.70 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN 13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.66
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended vpn
!
access-list 13 permit 192.168.13.0 0.0.0.255

64 Replies

Giuseppe Larosa
Hall of Fame

Hello unidadso,

You need to avoid NATing traffic from the LAN to the remote LAN.

Your NAT configuration is using a standard ACL, so it is triggered even for VPN-related traffic:

>>
ip nat inside source list 13 interface GigabitEthernet0/0/0 overload

You should use an extended ACL with a deny statement for the LAN-to-LAN traffic:

access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any

route-map NAT permit 10
 match ip address 113
 match interface GigabitEthernet0/0/0

no ip nat inside source list 13 interface GigabitEthernet0/0/0 overload

ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload

This should fix your issues.

Hope to help

Giuseppe


It does not let me delete the NAT from the interface:

ciscuso(config)#no ip nat inside source list 13 interface gigabitEthernet 0/0/$
%Dynamic mapping in use, cannot remove
ciscuso(config)#

 

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.70 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN 13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.66
!

ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 any
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
!
!
route-map NAT permit 10
match ip address 113
match interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
network-clock synchronization automatic
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
ciscuso(config)#no ip nat inside source list 13 interface gigabitEthernet 0/0/$
%Dynamic mapping in use, cannot remove
ciscuso(config)#

Hello,

remove the inside NAT statement:

interface GigabitEthernet0/0/1
 description LAN 13
 ip address 192.168.13.1 255.255.255.0
 --> no ip nat inside
 negotiation auto

Then clear the NAT translations:

ciscuso#clear ip nat translation *

Then remove the NAT statement (it references the WAN interface, GigabitEthernet0/0/0):

ciscuso(config)#no ip nat inside source list 13 interface GigabitEthernet0/0/0 overload

and replace it with the new NAT statement:

ciscuso(config)#ip nat inside source list 113 interface GigabitEthernet0/0/0 overload

and add the 'ip nat inside' back on the GigabitEthernet0/0/1 interface...

Thanks for your contribution, it helped me.


After doing the suggested configuration I still have no connection between the LANs.

ciscuso#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

ciscuso#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.70

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.53.244.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.70, remote crypto endpt.: 181.53.244.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 181.53.244.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.70, remote crypto endpt.: 181.53.244.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
ciscuso#
ciscuso#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
ciscuso#ping 181.53.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.53.244.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms
ciscuso#ping 181.53.244.106
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.53.244.106, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ciscuso#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0/0
Session status: DOWN
Peer: 181.53.244.1 port 500
IPSEC FLOW: deny ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map


Interface: (unknown)
Session status: DOWN-NEGOTIATING
Peer: 181.52.244.105 port 500
Session ID: 0
IKEv1 SA: local 181.143.239.70/500 remote 181.53.244.106/500 Inactive

Make sure your router runs the latest firmware (zipped BIN file attached)...

Hello,

add the lines in bold to your configuration and check if that makes a difference. Also remove the route map and use the list in your NAT statement:

 

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel

!

crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.1
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
reverse-route remote-peer 181.52.244.1
match address VPN
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
network-clock synchronization automatic
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Hello

Nothing, my friend. I did the configuration you propose and it still has no connection to the LAN.


Hi,
I made the configuration according to the instructions, but I have no connection to the LAN.


protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
ciscuso#
ciscuso#
ciscuso#
ciscuso#show startup-config
Using 3034 out of 33554432 bytes
!
! Last configuration change at 20:47:13 UTC Wed Aug 7 2019
! NVRAM config last updated at 20:50:51 UTC Wed Aug 7 2019
!
version 16.8
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscuso
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
crypto pki trustpoint ca
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3083821897
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3083821897
revocation-check none
rsakeypair TP-self-signed-3083821897
!
!
crypto pki certificate chain ca
crypto pki certificate chain TP-self-signed-3083821897
certificate self-signed 01 nvram:IOS-Self-Sig#7.cer
!
license udi pid C1111-8P sn FGL231413FX
license accept end user agreement
license boot suite FoundationSuiteK9
license boot level appxk9
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.1
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address VPN
reverse-route remote-peer 181.52.244.1
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
!
route-map NAT permit 10
match ip address 113
match interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
network-clock synchronization automatic
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

ciscuso#
ciscuso#
ciscuso#debug crypto isakmp
Crypto ISAKMP debugging is on
ciscuso#ping 181.52.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.52.244.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 ms
ciscuso#debug crypto ipsec sa
Aug 7 21:00:52.067 UTC: ISAKMP-PAK: (0):received packet from 203.91.118.180 dport 500 sport 45931 Global (N) NEW SA
Aug 7 21:00:52.067 UTC: ISAKMP: (0):Created a peer struct for 203.91.118.180, peer port 45931
Aug 7 21:00:52.067 UTC: ISAKMP: (0):New peer created peer = 0x7F5E127018 peer_handle = 0x8000014F
Aug 7 21:00:52.067 UTC: ISAKMP: (0):Locking peer struct 0x7F5E127018, refcount 1 for crypto_isakmp_process_block
Aug 7 21:00:52.067 UTC: ISAKMP: (0):local port 500, remote port 45931
Aug 7 21:00:52.068 UTC: ISAKMP: (0):insert sa successfully sa = 7F620C0490
Aug 7 21:00:52.068 UTC: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 7 21:00:52.068 UTC: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

Aug 7 21:00:52.068 UTC: ISAKMP: (0):processing SA payload. message ID = 0
Aug 7 21:00:52.068 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.068 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 174 mismatch
Aug 7 21:00:52.068 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.068 UTC: ISAKMP: (0):processing IKE frag vendor id payload
Aug 7 21:00:52.068 UTC: ISAKMP: (0):Support for IKE Fragmentation not enabled
Aug 7 21:00:52.068 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.069 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Aug 7 21:00:52.069 UTC: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Aug 7 21:00:52.069 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.069 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Aug 7 21:00:52.069 UTC: ISAKMP: (0):vendor ID is NAT-T v2
Aug 7 21:00:52.069 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.069 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
Aug 7 21:00:52.069 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.069 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
Aug 7 21:00:52.069 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.069 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
Aug 7 21:00:52.069 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.069 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
Aug 7 21:00:52.069 UTC: ISAKMP-ERROR: (0):No pre-shared key with 203.91.118.180!
Aug 7 21:00:52.070 UTC: ISAKMP: (0):Scanning profiles for xauth ...
Aug 7 21:00:52.070 UTC: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
Aug 7 21:00:52.070 UTC: ISAKMP: (0): encryption AES-CBC
Aug 7 21:00:52.070 UTC: ISAKMP: (0): keylength of 128
Aug 7 21:00:52.070 UTC: ISAKMP: (0): hash SHA
Aug 7 21:00:52.070 UTC: ISAKMP: (0): default group 2
Aug 7 21:00:52.070 UTC: ISAKMP: (0): auth XAUTHInitPreShared
Aug 7 21:00:52.070 UTC: ISAKMP: (0): life type in seconds
Aug 7 21:00:52.070 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

Aug 7 21:00:52.070 UTC: ISAKMP: (0): unknown attribute 16384
Aug 7 21:00:52.071 UTC: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Aug 7 21:00:52.071 UTC: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
Aug 7 21:00:52.071 UTC: ISAKMP: (0):Checking ISAKMP transform 2 against priority 10 policy
Aug 7 21:00:52.071 UTC: ISAKMP: (0): encryption 3DES-CBC
Aug 7 21:00:52.071 UTC: ISAKMP: (0): hash SHA
Aug 7 21:00:52.071 UTC: ISAKMP: (0): default group 2
Aug 7 21:00:52.071 UTC: ISAKMP: (0): auth XAUTHInitPreShared
Aug 7 21:00:52.071 UTC: ISAKMP: (0): life type in seconds
Aug 7 21:00:52.071 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

Aug 7 21:00:52.071 UTC: ISAKMP: (0): unknown attribute 16384
Aug 7 21:00:52.071 UTC: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
Aug 7 21:00:52.071 UTC: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Aug 7 21:00:52.072 UTC: ISAKMP-ERROR: (0):no offers accepted!
Aug 7 21:00:52.072 UTC: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 181.143.239.68 remote 203.91.118.180)
Aug 7 21:00:52.072 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Aug 7 21:00:52.072 UTC: ISAKMP-PAK: (0):sending packet to 203.91.118.180 my_port 500 peer_port 45931 (R) MM_NO_STATE
Aug 7 21:00:52.072 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 7 21:00:52.072 UTC: ISAKMP: (0):peer does not do paranoid keepalives.
Aug 7 21:00:52.072 UTC: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.91.118.180)
Aug 7 21:00:52.072 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.073 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 174 mismatch
Aug 7 21:00:52.073 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.073 UTC: ISAKMP: (0):processing IKE frag vendor id payload
Aug 7 21:00:52.073 UTC: ISAKMP: (0):Support for IKE Fragmentation not enabled
Aug 7 21:00:52.073 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.073 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
Aug 7 21:00:52.073 UTC: ISAKMP: (0):vendor ID is NAT-T RFC 3947
Aug 7 21:00:52.073 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.073 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
Aug 7 21:00:52.073 UTC: ISAKMP: (0):vendor ID is NAT-T v2
Aug 7 21:00:52.073 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.073 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
Aug 7 21:00:52.073 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.073 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
Aug 7 21:00:52.074 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.074 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
Aug 7 21:00:52.074 UTC: ISAKMP: (0):processing vendor id payload
Aug 7 21:00:52.074 UTC: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
Aug 7 21:00:52.074 UTC: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
Aug 7 21:00:52.074 UTC: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 7 21:00:52.074 UTC: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Aug 7 21:00:52.074 UTC: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.91.118.180)
Aug 7 21:00:52.074 UTC: ISAKMP: (0):Unlocking peer struct 0x7F5E127018 for isadb_mark_sa_deleted(), count 0
Aug 7 21:00:52.075 UTC: ISAKMP: (0):Deleting peer node by peer_reap for 203.91.118.180: 7F5E127018
Aug 7 21:00:52.075 UTC: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 7 21:00:52.075 UTC: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_DEST_SA

Aug 7 21:00:52.075 UTC: ISAKMP-ERROR: (0):Invalid IKE exchange type 243
Aug 7 21:00:52.075 UTC: ISAKMP-ERROR: (0):Bad header. IKE Packet dropped.
Aug 7 21:00:53.563 UTC: ISAKMP-PAK: (0):received packet from 203.91.118.180 dport 500 sport 45931 Global (R) MM_NO_STATE
Aug 7 21:00:59.645 UTC: ISAKMP-ERROR: (0):Invalid IKE exchange type 243
Aug 7 21:00:59.646 UTC: ISAKMP-ERROR: (0):Bad header. IKE Packet dropped.
Aug 7 21:00:59.646 UTC: ISAKMP-PAK: (0):received packet from 203.91.118.180 dport 500 sport 45931 Global (R) MM_NO_STATE
Aug 7 21:01:52.073 UTC: ISAKMP: (0):purging SA., sa=7F620C0490, delme=7F620C0490
^
% Invalid input detected at '^' marker.

ciscuso#no debug crypto isakmp

The most recent debug output creates additional confusion. What the debug shows is an attempt to negotiate a VPN from address 203.91.118.180. You do not have anything in your configuration about this device, so the negotiation fails. Do you have any idea what this device is and why it is attempting to negotiate a VPN with your router?

I will attempt to explain the problem again, since you do not seem to understand my previous effort to identify the problem. Your 1100 router is using the wrong IP address for its remote VPN peer. It is using 181.52.244.1 and it should be using 181.52.244.105. I think perhaps you are confused by some terminology. You have been saying that 181.52.244.1 is the gateway, and for the RV042G that is correct. But that is not the address that your 1100 should peer with. Perhaps the confusion starts from the way that the RV042G describes the VPN as gateway to gateway. In that context gateway is equivalent to router, and it is saying that the VPN is router to router, or perhaps that it is site to site (the alternative VPN would be client to router, for remote-access VPN). If it were truly gateway to gateway then it would be between 181.52.244.1 and 181.143.239.65.

Please change the address used in the 1100 config to 181.52.244.105 and let us know if the behavior changes.

HTH

Rick
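The phase-1 failure in the debug output above, reduced to the responder's matching logic in Python. This is an added example, not code from the thread or from Cisco: the local policy and the two offered transforms are transcribed from the debug lines, the "mirrored peer" and "hardened" scenarios are assumptions for illustration, and the authentication comparison is a literal match (IOS applies extra rules for the XAUTH variants, which are not modelled).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transform:
    encr: str      # "3des" or "aes"
    keylen: int    # AES key length in bits; 0 for fixed-length 3DES
    hash: str      # "md5", "sha", "sha256"
    auth: str      # "pre-share", "xauth-init-pre-share", "rsa-sig"
    group: int     # Diffie-Hellman group
    lifetime: int  # seconds; negotiated down to the smaller value, never a reason to reject


# Attributes in the order IOS checks them; the first mismatch is the one the debug logs
# ("Encryption algorithm offered does not match policy!" for transform 1, "Hash ..." for 2).
CHECK_ORDER = ("encr", "hash", "auth", "group")


def describe(t: Transform) -> str:
    key = f"-{t.keylen}" if t.keylen else ""
    return f"{t.encr}{key}/{t.hash}/{t.auth}/group{t.group}"


def mismatch(offered: Transform, policy: Transform) -> Optional[str]:
    """First attribute on which the offered transform differs from the local policy,
    or None when the policy accepts it. Authentication is compared literally (simplification)."""
    for attr in CHECK_ORDER:
        if getattr(offered, attr) != getattr(policy, attr):
            return attr
    if offered.encr == "aes" and offered.keylen != policy.keylen:
        return "keylen"
    return None


def select_policy(policies: Dict[int, Transform], offers: List[Transform]) -> Tuple[Optional[int], List[str]]:
    """Responder order seen in the debug: each offered transform in turn, against every
    local policy by ascending priority number; the first pair with no mismatch wins."""
    log: List[str] = []
    for n, offer in enumerate(offers, 1):
        for prio in sorted(policies):
            why = mismatch(offer, policies[prio])
            if why is None:
                log.append(f"transform {n} ({describe(offer)}) accepted by policy {prio}")
                return prio, log
            log.append(f"transform {n} ({describe(offer)}) vs policy {prio}: {why} does not match")
    log.append("no offers accepted: phase 1 SA policy not acceptable")
    return None, log


# The router's only policy, as configured in the thread. 3DES, MD5 and DH group 2 are
# legacy choices, kept here only to reproduce the debug; see HARDENED below.
LOCAL_POLICIES = {10: Transform("3des", 0, "md5", "pre-share", 2, 86400)}

# The two transforms 203.91.118.180 offered, transcribed from the debug
# (life duration 0x7080 = 28800 s, auth XAUTHInitPreShared).
STRANGER_OFFERS = [
    Transform("aes", 128, "sha", "xauth-init-pre-share", 2, 28800),
    Transform("3des", 0, "sha", "xauth-init-pre-share", 2, 28800),
]

# Assumed, not from the thread: what a peer configured to mirror policy 10 would offer.
MIRROR_OFFER = [Transform("3des", 0, "md5", "pre-share", 2, 86400)]

# Assumed, not from the thread: a stronger policy added at a higher priority (lower number)
# and the matching offer from a peer that supports it.
HARDENED = {5: Transform("aes", 256, "sha256", "pre-share", 14, 86400), **LOCAL_POLICIES}
HARDENED_OFFER = [Transform("aes", 256, "sha256", "pre-share", 14, 28800)]

if __name__ == "__main__":
    for label, pols, offers in (("stranger 203.91.118.180", LOCAL_POLICIES, STRANGER_OFFERS),
                                ("mirrored peer", LOCAL_POLICIES, MIRROR_OFFER),
                                ("hardened", HARDENED, HARDENED_OFFER)):
        prio, log = select_policy(pols, offers)
        print(f"== {label}: selected policy {prio}")
        for line in log:
            print("  " + line)
```

Running it reproduces the two reasons the router logged (encryption for transform 1, hash for transform 2) and then shows the two ways a match can happen: the peer mirrors the legacy policy, or both ends move to the stronger policy. Note that XAUTH pre-shared authentication is what a remote-access client typically offers, not a site-to-site peer, which fits Rick's observation that 203.91.118.180 is not the RV042G at all.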

Hello,

post a screenshot of the VPN summary page on the RV042 (VPN --> Summary), as shown on page 126 of the attached admin guide...

https://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/rv0xx/administration/guide/rv0xx_AG_78-19576.pdf

Attached: configuration of the Cisco RV042G

The original poster has given us the screenshot of the VPN summary page as requested. It shows some useful details but fails to show the most important detail. That detail is included in a post on 8/7 at 12:14 which shows the VPN Gateway to Gateway details. That screenshot clearly shows that the Local Security Gateway is 181.52.244.105 and the Local LAN is 192.168.5.0/24. It also shows that the Remote Security Gateway is 181.143.239.68 and the Remote LAN is 192.168.13.0/24. This confirms what I have been saying, which is that the 1100 should not use 181.52.244.1 as the peer address and should use 181.52.244.105 as the peer address.

HTH

Rick


Hi, good day.
In summary, I made the suggested configuration and it was totally without access to the LAN and to the Internet. I am sending the changed configuration.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.105
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.105
set transform-set TS-VPN
set pfs group2
match address VPN
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN-10
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 any
!
access-list 113 permit ip 192.168.5.0 0.0.0.255 any
!
!
route-map NAT permit 10
match ip address 113
match interface GigabitEthernet0/0/0

Router>enable
Router#ping 192.168.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
!!!!!
Success rate is 0 percent (0/5)
Router#ping 181.52.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.52.244.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/49/84 ms
Router#ping 181.52.244.105
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.52.244.105, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping 182.165.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 182.165.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#debug crypto isakmp
Crypto ISAKMP debugging is on
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA
Router#show crypto ipsec sa
No SAs found
Router#show crypto session

Hello,

your access lists are completely wrong again. I am not sure why you keep changing them. They need to be:

ip access-list extended VPN
 permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
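Giuseppe's first reply (exempt the LAN-to-LAN traffic from NAT) and Georg's last reply (the ACL contents and their order) both come down to how IOS evaluates an access list: top-down, first match wins, implicit deny at the end. The Python below models that evaluation and runs the four NAT lists that appear in this thread against two constructed flows. It is an added example, not code from the thread or from Cisco; the list texts are copied from the posts, and the host addresses 192.168.13.10, 192.168.5.10 and 8.8.8.8 are made up for the test.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = 0xFFFFFFFF  # wildcard with every bit set: matches any address


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    src: int       # source address and wildcard as 32-bit integers
    src_wild: int
    dst: int       # destination address and wildcard
    dst_wild: int


def _addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ANY, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect numbered lists ('access-list N ...') and named lists ('ip access-list
    extended NAME' followed by indented entries). Only 'ip' entries are modelled."""
    acls: Dict[str, List[Entry]] = {}
    named = None  # name of the 'ip access-list' block currently open, if any
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "access-list"]:
            named = tok[3]
            acls.setdefault(named, [])
            continue
        if tok[0] == "access-list":
            named = None
            name, tok = tok[1], tok[2:]
        elif named is not None and tok[0] in ("permit", "deny"):
            name = named
        else:
            named = None  # '!' or any other command closes a named block
            continue
        if tok[1] == "ip":                                        # extended: ACTION ip SRC DST
            src, sw, i = _addr(tok, 2)
            dst, dw, _ = _addr(tok, i)
        elif tok[1] in ("any", "host") or tok[1][0].isdigit():   # standard: ACTION SRC [WILDCARD]
            src, sw, _ = _addr(tok + ["0.0.0.0"], 1)
            dst, dw = 0, ANY
        else:
            raise ValueError(f"unsupported entry: {line.strip()}")
        acls.setdefault(name, []).append(Entry(tok[0], src, sw, dst, dw))
    return acls


def first_match(entries: List[Entry], src: str, dst: str) -> str:
    """IOS walks an ACL top-down and stops at the first matching entry; a packet
    that matches nothing hits the implicit deny at the end of every list."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        # Bits set in the wildcard are don't-care: OR them in on both sides before comparing.
        if (s | e.src_wild) == (e.src | e.src_wild) and (d | e.dst_wild) == (e.dst | e.dst_wild):
            return e.action
    return "deny"


def natted(config: str, nat_list: str, src: str, dst: str) -> bool:
    """A packet is translated when the list behind 'ip nat inside source' permits it."""
    return first_match(parse_acls(config)[nat_list], src, dst) == "permit"


def vpn_traffic_bypasses_nat(config: str, crypto_list: str, nat_list: str, src: str, dst: str) -> bool:
    """True when the crypto ACL selects the flow and the NAT ACL leaves it alone. A flow
    translated before encryption no longer matches the crypto ACL, so the tunnel never sees it."""
    acls = parse_acls(config)
    return first_match(acls[crypto_list], src, dst) == "permit" and first_match(acls[nat_list], src, dst) == "deny"


# Constructed test flows: a LAN host talking to the remote LAN and to the Internet.
LAN_HOST, REMOTE_HOST, INTERNET = "192.168.13.10", "192.168.5.10", "8.8.8.8"

CRYPTO = "ip access-list extended VPN\n permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255\n!\n"
# The NAT lists as they appeared in the thread, in order.
ORIGINAL = CRYPTO + "access-list 13 permit 192.168.13.0 0.0.0.255\n"
DENY_FIRST = CRYPTO + ("access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255\n"
                       "access-list 113 permit ip 192.168.13.0 0.0.0.255 any\n")
PERMIT_FIRST = CRYPTO + ("access-list 113 permit ip 192.168.13.0 0.0.0.255 any\n"
                         "access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255\n")
WRONG_SOURCE = CRYPTO + "access-list 113 permit ip 192.168.5.0 0.0.0.255 any\n"

if __name__ == "__main__":
    for label, cfg, lst in (("list 13, original", ORIGINAL, "13"), ("113, deny first", DENY_FIRST, "113"),
                            ("113, permit first", PERMIT_FIRST, "113"), ("113, wrong source", WRONG_SOURCE, "113")):
        print(f"{label:18} VPN flow NATed: {natted(cfg, lst, LAN_HOST, REMOTE_HOST)!s:5} "
              f"Internet flow NATed: {natted(cfg, lst, LAN_HOST, INTERNET)!s:5} "
              f"tunnel sees VPN flow: {vpn_traffic_bypasses_nat(cfg, 'VPN', lst, LAN_HOST, REMOTE_HOST)}")
```

The deny-first list is the only one that leaves the VPN flow untranslated while still translating Internet traffic. With permit first, the deny entry is never reached (the startup-config posted on 7 Aug has the entries in that order), and with source 192.168.5.0 nothing from the local LAN is translated at all, which matches the later report of no Internet access.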
