VPN troubleshooting - no output "show crypto isakmp sa"

mdelator
Cisco Employee

Hello All,


Trying to set up a Site-to-Site VPN between a 3825 and a 2801.

I am a complete noob to VPN. I have some understanding of networking and switching (CCENT).


I am trying to set up a Site-to-Site VPN connection from one testbed gateway to another within a lab environment.

Here is the config of router 1:



!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 6 vpnkey address 172.100.100.3
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpnset esp-aes 256 esp-sha-hmac
!
!
crypto map vpnset 10 ipsec-isakmp
 set peer 172.100.100.3
 set transform-set vpnset
 match address 100
!
!
!

!
!
interface GigabitEthernet0/0
 ip address 172.100.100.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 ntp broadcast client
 crypto map vpnset
!
interface GigabitEthernet0/1
 ip address 172.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 crypto map vpnset
!
interface GigabitEthernet0/1.1
 description Data VLAN2
 encapsulation dot1Q 2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.2
 description Voice VLAN3
 encapsulation dot1Q 3
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.3
 description Office
 encapsulation dot1Q 4
 ip address 20.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Integrated-Service-Engine1/0
 no ip address
 shutdown
 no keepalive
!
ip default-gateway 172.100.100.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.100.100.1
!
!
no ip http server
no ip http secure-server
ip nat source static tcp 192.168.0.4 902 172.100.100.2 1008 extendable
ip nat inside source list NAT_ADDRESSES interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.4 22 interface GigabitEthernet0/0 1006
ip nat inside source static tcp 192.168.0.5 3389 172.100.100.2 1003 extendable
ip nat inside source static tcp 192.168.0.50 3389 172.100.100.2 1004 extendable
ip nat inside source static tcp 192.168.0.6 22 172.100.100.2 1005 extendable
ip nat inside source static tcp 192.168.0.4 443 172.100.100.2 1007 extendable
!
ip access-list standard NAT_ADDRESSES
 permit 192.168.0.0 0.0.0.255
 permit 10.0.0.0 0.0.0.255
 permit 20.0.0.0 0.0.0.255
!
access-list 100 permit ip 172.0.0.0 0.0.0.255 172.0.1.0 0.0.0.255


==================================

Config for router 2:


!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 6 vpnkey address 172.100.100.2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpnset esp-aes 256 esp-sha-hmac
!
!
crypto map vpnset 10 ipsec-isakmp
 set peer 172.100.100.2
 set transform-set vpnset
 match address 100
!
!
!
!
interface FastEthernet0/0
 ip address 172.100.100.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.0.1.1 255.255.255.0
 duplex auto
 speed auto
 no vrrp 1 preempt
 crypto map vpnset
!
interface FastEthernet0/1.1
 encapsulation dot1Q 2
 ip address 1.1.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 vrrp 2 description MAIN-OFFICE
 vrrp 2 ip 1.1.1.1
 no vrrp 2 preempt
!
interface FastEthernet0/1.2
 encapsulation dot1Q 3
 ip address 2.2.2.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 vrrp 3 description MARKETING
 vrrp 3 ip 2.2.2.1
 no vrrp 3 preempt
!
interface FastEthernet0/1.3
 encapsulation dot1Q 4
 ip address 3.3.3.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 vrrp 4 description CUSTSERV
 vrrp 4 ip 3.3.3.1
 no vrrp 4 preempt
!
ip default-gateway 172.100.100.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.100.100.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT_ADDRESSES interface FastEthernet0/0 overload
ip nat inside source static tcp 1.1.1.20 443 172.100.100.3 1001 extendable
ip nat inside source static tcp 1.1.1.50 443 172.100.100.3 1002 extendable
!
ip access-list standard NAT_ADDRESSES
 permit 1.1.1.0 0.0.0.255
 permit 2.2.2.0 0.0.0.255
 permit 3.3.3.0 0.0.0.255
!
access-list 100 permit ip 172.0.1.0 0.0.0.255 172.0.0.0 0.0.0.255


================================================


At this point I am stumped. The two routers share a gateway (172.100.100.1) that goes out to the internet.

The routers can ping each other, but I cannot ping the subnets on the subinterfaces unless I add a specific route (1.1.1.0 255.255.255.0 172.100.100.2, for example).


Here is the "show crypto isakmp sa" output for each router:


R1

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA


R2

R2#sh crypto isakmp sa
dst             src             state          conn-id slot status


R1 is a 3825

R2 is a 2801


Any advice will be greatly appreciated. Thank you!
