07-29-2013 01:31 AM - edited 03-07-2019 02:38 PM
hi all,
two of our routers were configured with the following config:
Site A:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key des address xxx.xxx.xxx.xxx <---- WAN IP of the other site
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to xxx.xxx.xxx.xxx
set peer xxx.xxx.xxx.xxx <---- WAN IP of the other site
set transform-set ESP-3DES-SHA
match address 104
access-list 104 permit ip 172.16.11.0 0.0.0.255 192.168.0.0 0.0.0.255
Site B:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key des address xxx.xxx.xxx.xxx <---WAN IP of the other site
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to xxx.xxx.xxx.xxx
set peer xxx.xxx.xxx.xxx <----- WAN IP of the other site
set transform-set ESP-3DES-SHA
match address 101
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.11.0 0.0.0.255
Could someone just confirm if this config should work as configured above? The tunnel just doesn't come up. I just want to make sure that the config is alright, so I know I have to look somewhere else for the problem.
Also, when I run the VPN troubleshooting tool from the SDM I get the following message:
"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."
Any help is appreciated!!! Thanks
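The question above is whether the two sides mirror each other: same ISAKMP policy, same pre-shared key, each map peering with the other site's WAN address, matching transform-sets, and crypto ACLs that are exact src/dst mirrors of one another, plus the map actually applied to an interface. The following Python script is an added example (not from this thread or from Cisco) that parses two configs shaped like the ones posted and runs exactly those checks. It assumes one crypto map entry per site, uses the placeholder WAN addresses 198.51.100.1 and 203.0.113.1 for the redacted xxx.xxx.xxx.xxx values, and includes an assumed FastEthernet4 stanza applying the map. It also flags the 3DES / DH group 2 choices as legacy algorithms, which is a separate concern from whether the tunnel comes up.

```python
import re

# Constructed sample: placeholder WAN addresses standing in for the redacted ones.
A_WAN, B_WAN = "198.51.100.1", "203.0.113.1"


def site_cfg(peer_wan, acl, local_net, remote_net):
    """Build a config in the shape of the thread's snippets (constructed sample, not the poster's text)."""
    return f"""
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key des address {peer_wan}
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer {peer_wan}
 set transform-set ESP-3DES-SHA
 match address {acl}
access-list {acl} permit ip {local_net} {remote_net}
interface FastEthernet4
 crypto map SDM_CMAP_1
"""


SITE_A_CFG = site_cfg(B_WAN, 104, "172.16.11.0 0.0.0.255", "192.168.0.0 0.0.0.255")
SITE_B_CFG = site_cfg(A_WAN, 101, "192.168.0.0 0.0.0.255", "172.16.11.0 0.0.0.255")

MAP_KEYS = {"set peer": "peer", "set transform-set": "tset", "match address": "acl"}
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse_site(text):
    """Pull the crypto statements this check cares about out of an IOS-style config."""
    cfg = {"policy": {}, "keys": {}, "tsets": {}, "maps": {}, "acls": {}, "applied": set()}
    cur_map = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if re.match(r"crypto isakmp policy \d+$", line):
            cur_map = None
        elif m := re.match(r"(encr|hash|authentication|group) (\S+)$", line):
            cfg["policy"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            cfg["keys"][m.group(2)] = m.group(1)          # peer address -> PSK
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["tsets"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            cur_map = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
        elif m := re.match(r"crypto map (\S+)$", line):   # interface sub-command: map applied
            cfg["applied"].add(m.group(1))
        elif m := re.match(r"(set peer|set transform-set|match address) (\S+)$", line):
            if cur_map is not None:
                cur_map[MAP_KEYS[m.group(1)]] = m.group(2)
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.groups()[1:])  # (src, wc, dst, wc)
    return cfg


def policy(cfg):
    """ISAKMP policy with IOS defaults filled in for attributes the config omits."""
    p = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
    p.update(cfg["policy"])
    return p


def mirror(entry):
    """Swap source and destination of a crypto ACL entry: what the other side must have."""
    src, swc, dst, dwc = entry
    return (dst, dwc, src, swc)


def site_checks(name, cfg, peer_wan):
    """Checks that only need one side's config plus the other side's WAN address."""
    errs = []
    if peer_wan not in cfg["keys"]:
        errs.append(f"{name}: no pre-shared key configured for peer {peer_wan}")
    for (mname, seq), entry in cfg["maps"].items():
        tag = f"{name}: crypto map {mname} {seq}"
        if entry.get("peer") != peer_wan:
            errs.append(f"{tag} peer {entry.get('peer')} is not the other site's WAN address {peer_wan}")
        if entry.get("tset") not in cfg["tsets"]:
            errs.append(f"{tag} references undefined transform-set {entry.get('tset')}")
        if entry.get("acl") not in cfg["acls"]:
            errs.append(f"{tag} references missing access-list {entry.get('acl')}")
        if mname not in cfg["applied"]:
            errs.append(f"{tag} is not applied to any interface")
    return errs


def legacy_warnings(name, cfg):
    """Flag 3DES/DES/MD5 and the 768/1024-bit DH groups (legacy per Cisco's Next Generation Encryption guidance)."""
    p = policy(cfg)
    found = {v for v in (p["encr"], p["hash"]) if v in LEGACY}
    if p["group"] in {"1", "2"}:
        found.add(f"group {p['group']}")
    for transforms in cfg["tsets"].values():
        found.update(t for t in transforms if t in LEGACY)
    return [f"{name}: {x} is a legacy algorithm choice" for x in sorted(found)]


def check_pair(a_text, a_wan, b_text, b_wan):
    """Return (errors, warnings); an empty error list means the two sides mirror each other."""
    a, b = parse_site(a_text), parse_site(b_text)
    errors = site_checks("A", a, b_wan) + site_checks("B", b, a_wan)
    pa, pb = policy(a), policy(b)
    for attr in ("encr", "hash", "authentication", "group"):
        if pa[attr] != pb[attr]:
            errors.append(f"isakmp policy mismatch on {attr}: A={pa[attr]} B={pb[attr]}")
    if a["keys"].get(b_wan) != b["keys"].get(a_wan):
        errors.append("pre-shared keys differ between the two sites")
    ea, eb = next(iter(a["maps"].values()), {}), next(iter(b["maps"].values()), {})
    if a["tsets"].get(ea.get("tset")) != b["tsets"].get(eb.get("tset")):
        errors.append("transform-sets referenced by the crypto maps do not match")
    mirrored = sorted(mirror(e) for e in b["acls"].get(eb.get("acl"), []))
    if sorted(a["acls"].get(ea.get("acl"), [])) != mirrored:
        errors.append("crypto ACLs are not mirror images (src/dst swapped) of each other")
    return errors, legacy_warnings("A", a) + legacy_warnings("B", b)


if __name__ == "__main__":
    errs, warns = check_pair(SITE_A_CFG, A_WAN, SITE_B_CFG, B_WAN)
    print("errors:", errs or "none")
    print("warnings:", *warns, sep="\n  ")
```

Run as-is it reports no errors for the posted pair (only the legacy-algorithm warnings), which matches the replies below saying the config looks fine; edit one ACL or drop the interface `crypto map` line and the corresponding error appears. Because the checker finds nothing structurally wrong, the remaining suspects are outside the config: reachability between the two WAN addresses and the path MTU problem the SDM tool reported.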
07-29-2013 02:42 AM
hi,
You forgot to apply your crypto map under your WAN interface:
interface x
crypto map SDM_CMAP_1
07-29-2013 06:04 AM
hi john,
sorry, I didn't show that I actually did apply the crypto maps to the WAN interfaces. That should be alright.
Thanks anyway for trying to help!
07-29-2013 07:22 AM
Hi, the config seems to be fine. What type of WAN interface do you have? If it's ADSL you may have to set up mtu 1412 on the dialer. Verify your WAN reachability. Also please paste:
Sh crypto isakmp sa
Sh crypto ipsec sa
Thanks
Shanil
Sent from Cisco Technical Support iPhone App
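The SDM message quoted in the first post and the mtu 1412 suggestion in this reply are the same problem seen from two sides: tunnel-mode ESP adds a fixed set of headers to every packet, so a full-size inner packet with DF set cannot fit the outer link and is dropped. The Python below is an added example (not from this thread or from Cisco) that works that arithmetic through for the ESP-3DES-SHA transform set used here (3DES-CBC with an 8-byte IV and 8-byte blocks, HMAC-SHA1-96 with a 12-byte ICV). It assumes plain ESP over IPv4 without NAT-T UDP encapsulation and without IP options.

```python
import math

# Tunnel-mode ESP overhead for esp-3des esp-sha-hmac (RFC 4303 layout).
OUTER_IP = 20      # new outer IPv4 header
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV_3DES = 8        # 3DES-CBC initialisation vector
TRAILER = 2        # pad length (1) + next header (1)
ICV_SHA1 = 12      # HMAC-SHA1-96 authenticator
BLOCK_3DES = 8     # payload + trailer is padded to a multiple of the cipher block


def esp_tunnel_size(inner_len, block=BLOCK_3DES, iv=IV_3DES, icv=ICV_SHA1):
    """Bytes on the wire after an inner IPv4 packet of inner_len bytes is ESP-encapsulated."""
    padded = math.ceil((inner_len + TRAILER) / block) * block
    return OUTER_IP + ESP_HDR + iv + padded + icv


def max_inner_size(outer_mtu, **kw):
    """Largest inner packet that still fits the outer link without fragmentation."""
    inner = outer_mtu
    while esp_tunnel_size(inner, **kw) > outer_mtu:
        inner -= 1
    return inner


def df_ping_survives(inner_len, outer_mtu, **kw):
    """The SDM tool's check: does a DF-set probe of inner_len bytes fit after encapsulation?"""
    return esp_tunnel_size(inner_len, **kw) <= outer_mtu


if __name__ == "__main__":
    for mtu in (1500, 1492):   # plain Ethernet, and Ethernet behind a PPPoE link
        print(f"outer MTU {mtu}: largest unfragmented inner packet = {max_inner_size(mtu)}")
    print("1500-byte DF probe fits a 1500-byte path:", df_ping_survives(1500, 1500))
```

A 1500-byte inner packet grows to 1552 bytes, so with DF set it is dropped on any 1500-byte link; that is the failure the SDM tool reports. Lowering the MTU that the clear-text traffic sees (the reply's mtu 1412 on the dialer) keeps encapsulated packets under the outer link size, with some headroom for PPPoE or a smaller upstream hop.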
07-30-2013 02:46 AM
hi shanil,
thanks for your reply. The WAN interface is the FE4 interface, as in front of the Cisco there is another router which takes care of dialing in. So the standard MTU for Ethernet should be alright.
If the config seems alright, I guess the problem must be with the other router in front of the Cisco.
What I will do is connect the two Cisco routers back to back and try to establish the VPN tunnel just via Ethernet first.
If that works, I know the Cisco routers are alright and the problem must be somewhere else.