cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2768
Views
0
Helpful
12
Replies

Site to site VPN not working on Cisco 881

jsandau
Level 1
Level 1

I have 2 Cisco 881 I have created the a site to site vpn connection between them. the CCP interface indicates that the vpn is up and active, but I can't ping anything on the other network, even the routers can't ping each other.

I think the issue might be on router A, because Router B has other sites to site connections that work fine.

Here is the running config for router A:


Building configuration...

Current configuration : 6673 bytes
!
! Last configuration change at 22:32:06 UTC Wed Mar 16 2016 by admin
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-76299383
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-76299383
revocation-check none
rsakeypair TP-self-signed-76299383
!
!
crypto pki certificate chain TP-self-signed-76299383
certificate self-signed 01
30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37363239 39333833 301E170D 31333031 33313231 30333034
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D373632 39393338
3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B39C
1F1F1B5A 620D3DB7 E4B82486 D8A6E928 E880F817 20D8D5D8 744A6985 B48A0AEF
072919C9 6ABF6428 272B2F4E 28382554 1D1CC5CD 701F9646 38EEE5CE 67F475C4
DD5B464B ECBD78AF A5B6B36B D2791CFE E6CB886F B030E179 7A209BC4 1CDC6BA1
711616C4 4FD6BE16 489DCC5F A5EE9729 365858FD 1654EA5F 3B7F90B2 19470203
010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
18301680 1465D9D2 8C6F18DF 98EF832A 03DE7ADD D45A6C59 97301D06 03551D0E
04160414 65D9D28C 6F18DF98 EF832A03 DE7ADDD4 5A6C5997 300D0609 2A864886
F70D0101 05050003 818100A6 928BFD76 AEE144B3 7DC2339D 540415EE B6142CF6
60E3A6DF 06DA321C 80755902 B711183C 2D1D9407 857F05ED B987C08D 25002B5F
F3C0F996 8CDA1830 3F85456B 6C6F2A4B 774B93DC 256AB90E 5A46126C C2D044DB
3B76F1A2 0E98D2F0 A0D656CF 5031C7D7 1D9D2F88 E97C7B83 4D188927 EEAA3915
ECF7239B 5B7F0FDD E4C9CA
quit
no ip source-route
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.136.22 192.168.136.30
!
ip dhcp pool Internet
network 192.168.136.0 255.255.255.224
dns-server 96.45.0.15
default-router 192.168.136.30
!
!
!
ip name-server 70.28.245.227
ip name-server 184.151.118.254
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C881-K9 sn FGL1927224B
!
!
archive
log config
hidekeys
username **** privilege 15 secret 5 $1$TOHi$xwZvR0n8p6r00xE5nnBE11
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ***** address 96.45.14.xx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to96.45.14.xx
set peer 96.45.14.xx
set transform-set ESP-3DES-SHA9
match address 100
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
description WAN port
ip address dhcp
ip mask-reply
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description Control Network
ip address 192.168.132.157 255.255.255.0
ip access-group VLAN1_In in
ip access-group VLAN1_Out out
ip nat inside
ip virtual-reassembly in
!
ip local pool VPN 192.168.132.152 192.168.132.155
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 174.0.0.1 permanent
!
ip access-list extended VLAN1_In
remark Inbound Traffic
remark CCP_ACL Category=1
remark Cross Talk
deny ip 192.168.135.0 0.0.0.255 192.168.130.0 0.0.1.255
deny ip 192.168.136.0 0.0.0.255 192.168.130.0 0.0.1.255
remark Cross Talk
deny ip 192.168.130.0 0.0.1.255 192.168.135.0 0.0.0.255
deny ip 192.168.130.0 0.0.1.255 192.168.136.0 0.0.0.255
permit ip any any
ip access-list extended VLAN1_Out
remark For diagnositcs
remark CCP_ACL Category=1
remark Diag
permit ip any any log
ip access-list extended allow_all
remark CCP_ACL Category=1
permit ip any any log
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
route-map SDM_RMAP_2 permit 1
match ip address 109
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.130.0 0.0.0.255
access-list 50 remark CCP_ACL Category=16
access-list 50 permit 192.168.132.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.132.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.132.0 0.0.0.255 192.168.120.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class allow_all in
access-class allow_all out
privilege level 15
password ****
login
transport input telnet
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
!
webvpn gateway WAN
ip address 192.168.126.9 port 44443
http-redirect port 80
ssl trustpoint TP-self-signed-76299383
inservice
!
webvpn context PLC
gateway WAN
!
ssl authenticate verify all
inservice
!
policy group default
functions svc-enabled
svc address-pool "VPN" netmask 255.255.255.224
svc keep-client-installed
svc rekey method new-tunnel
svc split include 192.168.131.0 255.255.255.224
mask-urls
default-group-policy default
!
end

Here is the running config for router B (the site to site in question is to the external ip of 174.90.251.xx, Router A's internal ip is 192.168.132.157):


Building configuration...

Current configuration : 23346 bytes
!
! Last configuration change at 22:30:40 UTC Wed Mar 16 2016 by admin
! NVRAM config last updated at 21:25:21 UTC Wed Mar 16 2016 by admin
! NVRAM config last updated at 21:25:21 UTC Wed Mar 16 2016 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router b
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$0Mqk$PTzjoGE3Qu0zlI7VQf9mI0
enable password enable
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.125.1
!
aaa authentication login default local group radius
aaa authentication login sdm_vpn_xauth_ml_1 local group radius
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1
aaa authentication ppp default if-needed group radius local
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
aaa authorization network sdm_vpn_group_ml_1 local group radius
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2930397915
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2930397915
revocation-check none
rsakeypair TP-self-signed-2930397915
!
!
crypto pki certificate chain TP-self-signed-2930397915
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32393330 33393739 3135301E 170D3132 31303039 32313430
32385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39333033
39373931 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009957 5213B434 427AE757 8B9C511F C27E8C4F 7815810B B65FD6B7 0EB245C7
DC83FA45 279BE531 95406154 6783EC8F 250B0016 7BD045D0 90246F03 B73EF149
B455468E 81399DC6 3D7B69DE BE15DC9A F4E255AC 75064947 3C857F0B 32EC4631
CB141B29 D4C45E0D 542EF72F 72352728 2D70C051 95E9FAD0 8D801184 BD2DDFA3
97F70203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14A67962 4BC36A2A B38FCC06 776AE0E7 2C5C3982 1F301D06
03551D0E 04160414 A679624B C36A2AB3 8FCC0677 6AE0E72C 5C39821F 300D0609
2A864886 F70D0101 05050003 81810058 5D534BDD A90E062B F269F032 715603F8
D0D5211D E9FF852D 477DD9AB D0647A85 EED653B3 EC2D0C53 D13CDE5E 0C6EA85B
E4A538DF 8CA7CA52 CC844C15 1F054C97 447F50FE 8607F50E 9DB1B9AD 5E9B35AC
BF2C52DF 30E05DD0 432D818F 09859EB6 9D4739A8 8324B1AC 20EDFEAD 5E20FC4E
930610A1 66BC9F6D BD965EA7 049FCF
quit
ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool ccp-pool1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 96.45.0.15 208.67.222.222
!
!
ip cef
no ip domain lookup
ip domain name nrscwtp.local
ip name-server 96.45.0.15
ip name-server 208.67.222.222
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891-K9 sn FGL164122U6
!
!
username **** privilege 15 secret 5 $1$v9Ho$uswL44gc/2504TxxwQDzv1
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key **** address 184.151.220.xx
crypto isakmp key **** address 174.90.251.xx
!
crypto isakmp client configuration group Admins
key L3tm31n
dns 192.168.125.1 192.168.125.2
domain nrscwtp.local
pool SDM_POOL_1
acl 100
include-local-lan
split-dns nrscwtp.local
max-users 5
max-logins 10
netmask 255.255.255.0
banner ^CYou are now on the Control Network.

This connection is reserved for Control System Administrators as it allows
full access to the Control Network. If this connection has been made in error,
disconnect immediately and notify promptly.

You have full access to 192.168.125.0 / 255.255.255.0

Split Tunelling is enabled, other network connections are allowed during session

Press Continue to begin your session. ^C
!
crypto isakmp client configuration group Operators
key ****
dns 192.168.125.1 192.168.125.2
domain nrscwtp.local
pool SDM_POOL_2
acl 101
include-local-lan
max-users 50
max-logins 2
netmask 255.255.255.0
banner ^CYou are now connected to the NRSC Control Network

This VPN is reserved for Control System operators ONLY. Please Disconnect
immediately and report this error to NRSC if you should not be allowed access.

Other network connections are disabled during your remote session
Email and Internet will not work on your local machine while connected

To access the control system open a web browser and type in: http://hmi-ts1/tsweb

Press Continue to begin your remote session. ^C
!
crypto isakmp client configuration group RO_DU_BASS
key ****
dns 192.168.125.1 192.168.125.2
domain nrscwtp.local
pool SDM_POOL_3
acl 102
include-local-lan
max-users 50
max-logins 2
netmask 255.255.255.0
banner ^CYou are now connected to the NRSC Control Network

This VPN is reserved for Control System operators ONLY. Please Disconnect
immediately and report this error to NRSC if you should not be allowed access.

Press Continue to begin your remote session. ^C
crypto isakmp profile sdm-ike-profile-1
match identity group Admins
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile VPN_Operators-ike-profile-1
match identity group Operators
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 3
crypto isakmp profile RO_DU_BASS-ike-profile-1
match identity group RO_DU_BASS
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 5
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-HMAC esp-aes 256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA12 esp-3des esp-sha-hmac
!
crypto ipsec profile RO_DU_BASS
set security-association idle-time 1800
set transform-set ESP-3DES-SHA ESP-3DES-SHA1 ESP-AES-HMAC ESP-AES-SHA
set isakmp-profile RO_DU_BASS-ike-profile-1
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 1800
set transform-set ESP-AES-HMAC ESP-AES-SHA ESP-3DES-SHA ESP-3DES-SHA1
set isakmp-profile sdm-ike-profile-1
!
crypto ipsec profile VPN_Operators
set security-association idle-time 1800
set transform-set ESP-AES-HMAC ESP-AES-SHA ESP-3DES-SHA ESP-3DES-SHA1
set isakmp-profile VPN_Operators-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to184.151.220.xx
set peer 184.151.220.xx
set transform-set ESP-3DES-SHA11
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to174.90.251.xx
set peer 174.90.251.xx
set transform-set ESP-3DES-SHA12
match address 105
!
!
!
!
!
interface Loopback0
ip address 192.168.124.254 255.255.255.0
!
interface Loopback1
ip address 192.168.122.254 255.255.255.0
!
interface Loopback2
ip address 192.168.123.254 255.255.255.0
!
interface Loopback4
description VPN CLIENT ADMINS
ip address 192.168.120.254 255.255.255.0
!
interface Loopback5
ip address 192.168.121.254 255.255.255.0
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 4
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description EIDNET VLAype tunnel$ETH-LAN$
ip address 192.168.126.254 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex half
speed 10
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback4
ip access-group VPN_IN in
ip access-group VPN_OUT out
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template2
ip unnumbered GigabitEthernet0
!
interface Virtual-Template3 type tunnel
ip unnumbered GigabitEthernet0
ip access-group sdm_virtual-template3_in in
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN_Operators
!
interface Virtual-Template4
ip unnumbered Loopback0
!
interface Virtual-Template5 type tunnel
description Rosemary, Duchess, Bassano HMI VPN
ip unnumbered Loopback2
tunnel mode ipsec ipv4
tunnel protection ipsec profile RO_DU_BASS
!
interface GigabitEthernet0
description EIDNET Internet$ETH-WAN$
ip address 96.45.14.xx 255.255.255.224
ip access-group sdm_fastethernet0_in in
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed 10
crypto map SDM_CMAP_1
!
interface Vlan1
description Control Network VLAN$ETH-SW-LAUNCH$$INTF-INFO-FE 2$
ip address 192.168.125.254 255.255.255.0
ip access-group VLAN1_In in
ip access-group VLAN1_OUT out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description FAIRVIEW RESERVOIR PORT
ip address 192.168.2.254 255.255.255.0
!
interface Async1
no ip address
encapsulation slip
!
ip local pool SDM_POOL_1 192.168.120.10 192.168.120.20
ip local pool SSL_VPN_2 192.168.124.1 192.168.124.100
ip local pool SDM_POOL_2 192.168.121.1 192.168.121.250
ip local pool SDM_POOL_3 192.168.122.100 192.168.122.110
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool LNR_Inet 192.168.135.129 192.168.135.158 netmask 255.255.255.224
ip nat inside source static tcp 192.168.2.1 443 interface GigabitEthernet0 4443
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 permanent
ip route 192.168.2.0 255.255.255.0 Vlan4 permanent
ip route 192.168.120.0 255.255.255.0 Loopback4
ip route 192.168.126.0 255.255.255.0 FastEthernet8 permanent
ip route 192.168.130.0 255.255.255.224 192.168.126.1 2 permanent
ip route 192.168.130.32 255.255.255.224 192.168.126.2 permanent
ip route 192.168.130.64 255.255.255.224 192.168.126.3 permanent
ip route 192.168.130.96 255.255.255.224 192.168.126.4 permanent
ip route 192.168.130.128 255.255.255.224 192.168.126.5 permanent
ip route 192.168.130.160 255.255.255.224 192.168.126.6 permanent
ip route 192.168.130.192 255.255.255.224 192.168.126.8 permanent
ip route 192.168.130.224 255.255.255.224 192.168.126.7 permanent
ip route 192.168.131.0 255.255.255.224 192.168.126.9 permanent
ip route 192.168.135.0 255.255.255.224 192.168.126.1 permanent
ip route 192.168.135.32 255.255.255.224 192.168.126.2 permanent
ip route 192.168.135.64 255.255.255.224 192.168.126.3 permanent
ip route 192.168.135.96 255.255.255.224 192.168.126.4 permanent
ip route 192.168.135.128 255.255.255.224 192.168.126.5 permanent
ip route 192.168.135.160 255.255.255.224 192.168.126.6 permanent
ip route 192.168.135.192 255.255.255.224 192.168.126.8 permanent
ip route 192.168.135.224 255.255.255.224 192.168.126.7 permanent
ip route 192.168.136.0 255.255.255.224 192.168.126.9 permanent
!
ip access-list extended Internet
remark Block from our VLAN, allow to internet
remark CCP_ACL Category=1
permit ip any host 10.10.10.254
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended PALL
remark Allow Pall Remote Access to PLC and HMI
remark CCP_ACL Category=1
remark Allow Access to HMI
permit ip any host 192.168.125.154
remark Allow Access to PLC
permit ip any host 192.168.125.28
remark Allow Access to PLC
deny ip any any
ip access-list extended SSL_Admin
remark Full Network Access
remark CCP_ACL Category=1
remark IP
permit ip any any
ip access-list extended SSL_SCADA
remark Allow Access to Terminal Server for SCADA Screens
remark CCP_ACL Category=1
remark Allow RDP
permit tcp any host 192.168.125.5 eq 3389
remark Allow RDP
permit tcp any host 192.168.125.5 eq www
ip access-list extended VLAN1_In
remark Control Traffic out of Control Network
remark CCP_ACL Category=1
permit udp host 192.168.125.1 eq 1645 host 192.168.125.254
permit udp host 192.168.125.1 eq 1646 host 192.168.125.254
permit ip any host 192.168.125.254
remark Allow Radius Requests from Router
permit tcp any host 192.168.125.254 eq 1645
remark Allow Radius Requests from Router
permit udp any host 192.168.125.254 eq 1645
remark Allow Radius Requests from Router
permit tcp any host 192.168.125.254 eq 1646
remark Allow Radius Requests from Router
permit udp any host 192.168.125.254 eq 1646
remark Allow VPN Client Access
permit ip any 192.168.120.0 0.0.0.255
remark Allow VPN Client Access
permit ip any 192.168.121.0 0.0.0.255
remark Allow SSL VPN Client Access
permit ip any 192.168.122.0 0.0.0.255
remark Allow SSL VPN Client Access
permit ip any 192.168.124.0 0.0.0.255
remark Remote Sites Network Access
permit ip any 192.168.126.0 0.0.0.255
remark Tilley Network Access
permit ip any 192.168.130.0 0.0.1.255
remark Fairview Link
permit ip any 192.168.2.0 0.0.0.255
remark Email for WIN911
permit tcp host 192.168.125.5 any eq smtp
remark Email for WIN911
permit tcp host 192.168.125.151 any eq smtp
remark Email for WIN911
permit tcp 192.168.125.0 0.0.0.255 any eq smtp
remark Nat - T VPN
permit tcp any any eq 10000
remark Allow Tilley Control Network Traffic
deny ip any any
ip access-list extended VLAN1_OUT
remark CCP_ACL Category=1
permit ip any any
ip access-list extended VPN_IN
remark CCP_ACL Category=1
permit ip any any
ip access-list extended VPN_OUT
remark CCP_ACL Category=1
permit ip any any
ip access-list extended WAN_VLAN_In
remark CCP_ACL Category=1
permit ip any any log
ip access-list extended sdm_fastethernet0_in
remark CCP_ACL Category=1
remark IPSec Rule
permit ip 192.168.131.0 0.0.0.255 192.168.120.0 0.0.0.255
remark IPSec Rule
permit ip 192.168.131.0 0.0.0.255 192.168.125.0 0.0.0.255
permit udp host 184.151.220.33 host 96.45.14.xx eq non500-isakmp
permit udp host 184.151.220.33 host 96.45.14.xx eq isakmp
permit esp host 184.151.220.33 host 96.45.14.xx
permit ahp host 184.151.220.33 host 96.45.14.xx
remark IPSec Rule
permit ip 192.168.132.0 0.0.0.255 192.168.120.0 0.0.0.255
remark IPSec Rule
permit ip 192.168.132.0 0.0.0.255 192.168.125.0 0.0.0.255
permit udp host 174.90.251.xx host 96.45.14.xx eq non500-isakmp
permit udp host 174.90.251.xx host 96.45.14.xx eq isakmp
permit esp host 174.90.251.xx host 96.45.14.xx
permit ahp host 174.90.251.xx host 96.45.14.xx
permit udp any host 96.45.14.xx eq non500-isakmp
permit udp any host 96.45.14.xx eq isakmp
permit esp any host 96.45.14.xx
permit ahp any host 96.45.14.xx
remark NAT-T VPN
permit tcp any any eq 10000
permit tcp any host 96.45.14.xx eq 44443
permit udp any eq domain host 96.45.14.xx
permit udp host 208.67.222.xx eq domain any
permit udp host 96.45.0.xx eq domain any
remark IKE Negotiation Traffic
permit udp any any eq isakmp
remark VPN Encapsulated Traffic
permit esp any any
remark Internet Access
permit tcp any eq www any
remark Internet Access
permit tcp any eq ftp any
remark Internet Access
permit tcp any eq ftp-data any
remark HTTPS
permit tcp any eq 443 any
remark Fotigate VPN's
permit tcp any eq 10443 any
remark MAIL
permit tcp any eq smtp any
remark Citrix ICA
permit tcp any eq 1494 any
remark Citrix IMA
permit tcp any eq 2598 any
remark Citrix Mangement Console
permit tcp any eq 2513 any
remark Citrix Application / Desktop
permit tcp any eq 8080 any
remark Citrix MPE Port
permit tcp any eq 8740 any
ip access-list extended sdm_virtual-template3_in
remark SDM_ACL Category=1
remark DNS for Name Resolutions
permit udp any host 192.168.125.1 eq domain
remark Allow HTTP for RDP over the Web
permit tcp any host 192.168.125.5 eq www
remark Allow RDP to Terminal Server
permit tcp any host 192.168.125.5 eq 3389
remark Allow HTTP for RDP over the Web
permit tcp any host 192.168.125.6 eq www
remark Allow RDP to Terminal Server
permit tcp any host 192.168.125.6 eq 3389
!
access-list 1 remark OUTGOING MAIL
access-list 1 permit 192.168.125.5
access-list 1 remark OUTGOING MAIL
access-list 1 permit 192.168.125.151
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Remote Internet
access-list 1 permit 192.168.135.0 0.0.0.255
access-list 1 permit 192.168.136.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit any
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.126.0 0.0.0.255 any
access-list 100 permit ip 192.168.120.0 0.0.0.255 any
access-list 100 permit ip 192.168.130.0 0.0.1.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip host 192.168.130.194 any
access-list 102 permit ip host 192.168.130.226 any
access-list 102 permit ip host 192.168.131.2 any
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.125.0 0.0.0.255 192.168.131.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.120.0 0.0.0.255 192.168.131.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.120.0 0.0.0.255 192.168.132.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.120.0 0.0.0.255 192.168.131.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.125.0 0.0.0.255 192.168.132.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.125.0 0.0.0.255 192.168.131.0 0.0.0.255
access-list 104 permit ip 192.168.136.0 0.0.0.255 any
access-list 104 remark Remote Internet
access-list 104 permit ip 192.168.135.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 remark OUTGOING MAIL
access-list 104 permit ip host 192.168.125.151 any
access-list 104 permit ip host 192.168.125.5 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.125.0 0.0.0.255 192.168.132.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.120.0 0.0.0.255 192.168.132.0 0.0.0.255
no cdp run
arp 192.168.126.4 0025.8455.27a0 ARPA
arp 192.168.126.5 0025.8455.2958 ARPA
arp 192.168.126.2 0025.841c.1a92 ARPA
arp 192.168.126.3 0025.8455.2a96 ARPA
arp 192.168.126.1 0025.8455.2d07 ARPA
arp 192.168.126.6 44d3.cad7.41b6 ARPA
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
snmp-server community public RO
radius-server host 192.168.125.1 timeout 10 key *****
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
b
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
!
webvpn gateway gateway_1
ip address 96.45.14.xx port 447
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-2930397915

!
end

Router  B has been working for some time, the only new addition is the site to site vpn with router A

12 Replies 12

Philip D'Ath
VIP Alumni
VIP Alumni

Router A references access-list 105 for its NAT config, but this access-list does not exist.

I recreated the NAT ans site to site on router A using CCP but the vpn still can't see anything, even though CCP says it is up. Here is the current config for Router A:


Building configuration...

Current configuration : 7662 bytes
!
! Last configuration change at 14:23:00 UTC Thu Mar 17 2016 by admin
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router A
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-76299383
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-76299383
revocation-check none
rsakeypair TP-self-signed-76299383
!
!
crypto pki certificate chain TP-self-signed-76299383
certificate self-signed 01
30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37363239 39333833 301E170D 31333031 33313231 30333034
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D373632 39393338
3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B39C
1F1F1B5A 620D3DB7 E4B82486 D8A6E928 E880F817 20D8D5D8 744A6985 B48A0AEF
072919C9 6ABF6428 272B2F4E 28382554 1D1CC5CD 701F9646 38EEE5CE 67F475C4
DD5B464B ECBD78AF A5B6B36B D2791CFE E6CB886F B030E179 7A209BC4 1CDC6BA1
711616C4 4FD6BE16 489DCC5F A5EE9729 365858FD 1654EA5F 3B7F90B2 19470203
010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
18301680 1465D9D2 8C6F18DF 98EF832A 03DE7ADD D45A6C59 97301D06 03551D0E
04160414 65D9D28C 6F18DF98 EF832A03 DE7ADDD4 5A6C5997 300D0609 2A864886
F70D0101 05050003 818100A6 928BFD76 AEE144B3 7DC2339D 540415EE B6142CF6
60E3A6DF 06DA321C 80755902 B711183C 2D1D9407 857F05ED B987C08D 25002B5F
F3C0F996 8CDA1830 3F85456B 6C6F2A4B 774B93DC 256AB90E 5A46126C C2D044DB
3B76F1A2 0E98D2F0 A0D656CF 5031C7D7 1D9D2F88 E97C7B83 4D188927 EEAA3915
ECF7239B 5B7F0FDD E4C9CA
quit
no ip source-route
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.136.22 192.168.136.30
!
ip dhcp pool Internet
network 192.168.136.0 255.255.255.224
dns-server 96.45.0.15
default-router 192.168.136.30
!
!
!
ip name-server 70.28.245.227
ip name-server 184.151.118.254
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C881-K9 sn FGL1927224B
!
!
archive
log config
hidekeys
username **** privilege 15 secret 5 $1$TOHi$xwZvR0n8p6r00xE5nnBE11
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key **** address 96.45.14.xx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA12 esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to96.45.14.xx
set peer 96.45.14.xx
set transform-set ESP-3DES-SHA12
match address 103
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
description WAN port
ip address dhcp
ip mask-reply
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description Control Network
ip address 192.168.132.157 255.255.255.0
ip access-group VLAN1_In in
ip access-group VLAN1_Out out
ip nat inside
ip virtual-reassembly in
!
ip local pool VPN 192.168.132.152 192.168.132.155
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 174.0.0.1 permanent
!
ip access-list extended VLAN1_In
remark Inbound Traffic
remark CCP_ACL Category=1
remark Cross Talk
deny ip 192.168.135.0 0.0.0.255 192.168.130.0 0.0.1.255
deny ip 192.168.136.0 0.0.0.255 192.168.130.0 0.0.1.255
remark Cross Talk
deny ip 192.168.130.0 0.0.1.255 192.168.135.0 0.0.0.255
deny ip 192.168.130.0 0.0.1.255 192.168.136.0 0.0.0.255
permit ip any any
ip access-list extended VLAN1_Out
remark For diagnositcs
remark CCP_ACL Category=1
remark Diag
permit ip any any log
ip access-list extended allow_all
remark CCP_ACL Category=1
permit ip any any log
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
route-map SDM_RMAP_2 permit 1
match ip address 109
!
route-map SDM_RMAP_3 permit 1
match ip address 104
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.130.0 0.0.0.255
access-list 50 remark CCP_ACL Category=16
access-list 50 permit 192.168.132.0 0.0.0.255
access-list 50 permit 192.168.125.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.132.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.132.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.132.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.132.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.132.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.132.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 104 permit ip 192.168.132.0 0.0.0.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class allow_all in
access-class allow_all out
privilege level 15
password ****
login
transport input telnet
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
!
webvpn gateway WAN
ip address 192.168.126.9 port 44443
http-redirect port 80
ssl trustpoint TP-self-signed-76299383
inservice
!
webvpn context PLC
gateway WAN
!
ssl authenticate verify all
inservice
!
policy group default
functions svc-enabled
svc address-pool "VPN" netmask 255.255.255.224
svc keep-client-installed
svc rekey method new-tunnel
svc split include 192.168.131.0 255.255.255.224
mask-urls
default-group-policy default
!
end

Is this static default route correct?

ip route 0.0.0.0 0.0.0.0 174.0.0.1 permanent

I wonder if the issue might be that router uses DHCP to obtain its outside IP address. Typically when doing a site to site VPN for a router using DHCP the peer router (router B) would configure a dynamic map since the IP of the peer might change. But router B config of its VPN treats the VPN as going to a fixed IP peer.

HTH

Rick

HTH

Rick

I'm pretty sure that default route is correct.  I have another router with pretty much the same config as router A and everything works there. The only difference is that Router A has a NAT rule where the other router doesn't.

Here is the running config for the other router maybe a fresh set of eyes can spot why one router works and the other doesn't


Building configuration...

Current configuration : 5689 bytes
!
! Last configuration change at 15:15:47 UTC Thu Mar 17 2016 by admin
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-76299383
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-76299383
revocation-check none
rsakeypair TP-self-signed-76299383
!
!
crypto pki certificate chain TP-self-signed-76299383
certificate self-signed 01
30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37363239 39333833 301E170D 31333031 33313231 30333034
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D373632 39393338
3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B39C
1F1F1B5A 620D3DB7 E4B82486 D8A6E928 E880F817 20D8D5D8 744A6985 B48A0AEF
072919C9 6ABF6428 272B2F4E 28382554 1D1CC5CD 701F9646 38EEE5CE 67F475C4
DD5B464B ECBD78AF A5B6B36B D2791CFE E6CB886F B030E179 7A209BC4 1CDC6BA1
711616C4 4FD6BE16 489DCC5F A5EE9729 365858FD 1654EA5F 3B7F90B2 19470203
010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
18301680 1465D9D2 8C6F18DF 98EF832A 03DE7ADD D45A6C59 97301D06 03551D0E
04160414 65D9D28C 6F18DF98 EF832A03 DE7ADDD4 5A6C5997 300D0609 2A864886
F70D0101 05050003 818100A6 928BFD76 AEE144B3 7DC2339D 540415EE B6142CF6
60E3A6DF 06DA321C 80755902 B711183C 2D1D9407 857F05ED B987C08D 25002B5F
F3C0F996 8CDA1830 3F85456B 6C6F2A4B 774B93DC 256AB90E 5A46126C C2D044DB
3B76F1A2 0E98D2F0 A0D656CF 5031C7D7 1D9D2F88 E97C7B83 4D188927 EEAA3915
ECF7239B 5B7F0FDD E4C9CA
quit
no ip source-route
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.136.22 192.168.136.30
!
ip dhcp pool Internet
network 192.168.136.0 255.255.255.224
dns-server 96.45.0.15
default-router 192.168.136.30
!
!
!
ip name-server 70.28.245.227
ip name-server 184.151.118.254
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C881-K9 sn FGL1927224D
!
!
archive
log config
hidekeys
username **** privilege 15 secret 5 $1$TOHi$xwZvR0n8p6r00xE5nnBE11
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key **** address 96.45.14.xx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to96.45.14.xx
set peer 96.45.14.xx
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
description WAN port
ip address dhcp
ip mask-reply
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description Control Network
ip address 192.168.131.126 255.255.255.224
ip access-group VLAN1_In in
ip nat inside
ip virtual-reassembly in
!
ip local pool VPN 192.168.131.121 192.168.131.124
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip route 0.0.0.0 0.0.0.0 184.0.0.1 permanent
!
ip access-list extended VLAN1_In
remark Inbound Traffic
remark CCP_ACL Category=1
remark Cross Talk
deny ip 192.168.135.0 0.0.0.255 192.168.130.0 0.0.1.255
deny ip 192.168.136.0 0.0.0.255 192.168.130.0 0.0.1.255
remark Cross Talk
deny ip 192.168.130.0 0.0.1.255 192.168.135.0 0.0.0.255
deny ip 192.168.130.0 0.0.1.255 192.168.136.0 0.0.0.255
permit ip any any
ip access-list extended VLAN1_Out
remark For diagnositcs
remark CCP_ACL Category=1
remark Diag
permit ip any any log
ip access-list extended allow_all
remark CCP_ACL Category=1
permit ip any any log
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.130.0 0.0.1.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.131.96 0.0.0.31 192.168.125.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.131.0 0.0.0.255 192.168.120.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class allow_all in
access-class allow_all out
privilege level 15
password ****
login
transport input telnet
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
!
webvpn gateway WAN
ip address 192.168.126.9 port 44443
http-redirect port 80
ssl trustpoint TP-self-signed-76299383
inservice
!
webvpn context PLC
gateway WAN
!
ssl authenticate verify all
inservice
!
policy group default
functions svc-enabled
svc address-pool "VPN" netmask 255.255.255.224
svc keep-client-installed
svc rekey method new-tunnel
svc split include 192.168.131.0 255.255.255.224
mask-urls
default-group-policy default
!
end

 

In reading back through this discussion I notice in the first post that you seem to say that router A and router B can not ping each other. Is that the case? If so we should look into what is the issue with that because lack of basic IP connectivity is one of the most common problems with site to site VPN. As a starting point can you post the output of show ip route and of an attempt to traceroute to the peer address?

HTH

Rick 

HTH

Rick

Here is the Show IP route form router A

Gateway of last resort is 192.168.168.1 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 192.168.168.1
192.168.132.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.132.0/24 is directly connected, Vlan1
L 192.168.132.157/32 is directly connected, Vlan1
192.168.168.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.168.0/24 is directly connected, FastEthernet4
L 192.168.168.193/32 is directly connected, FastEthernet

and here is the trace route from router A to the external IP of Router B

Tracing the route to h96-45-14-xx-eidnet.org.14.45.96.in-addr.arpa (96.45.14.xx)

VRF info: (vrf in name/id, vrf out name/id)

1 192.168.168.1 0 msec 0 msec 0 msec

2 172.25.16.188 56 msec 56 msec 72 msec

3 172.25.16.185 60 msec 56 msec 60 msec

4 172.25.21.11 52 msec 60 msec 80 msec

5 172.25.20.14 60 msec 60 msec 60 msec

6 172.25.16.2 60 msec 60 msec 64 msec

7 204.101.4.225 60 msec 64 msec 64 msec

8 tcore3-calgaryqa_bundle-ether5.net.bell.ca (64.230.118.140) 60 msec 52 msec

tcore4-calgaryqa_bundle-ether5.net.bell.ca (64.230.118.142) 64 msec

9 bx2-calgaryqa_et7-1-0.net.bell.ca (64.230.118.129) 64 msec

bx2-calgaryqa_et5-1-0.net.bell.ca (64.230.118.127) 56 msec

bx2-calgaryqa_et7-1-0.net.bell.ca (64.230.118.129) 64 msec

10 154.11.2.177 60 msec 56 msec 60 msec

11 96.1.215.15 64 msec 76 msec 64 msec

12 204.191.148.169 68 msec 80 msec 68 msec

13 host96-45-0-2-0.45.96.in-addr.arpa (96.45.0.2) 80 msec 64 msec 72 msec

14 h96-45-15-100-eidnet.org (96.45.15.100) 92 msec 72 msec 72 msec

and here is the trace route from router A to the internal ip address of router B

Tracing the route to 192.168.125.254

VRF info: (vrf in name/id, vrf out name/id)

1 192.168.168.1 0 msec 0 msec 0 msec

2 172.25.16.188 76 msec 56 msec 60 msec

This output does not match up with the config that you posted for router A. This output shows 192.168.168.0 as the network for the FastEther4 which is not what your config showed.

I understood in the original post that router A could not ping router B. But this output does look like there is IP connectivity between A and B. So why would ping not work?

HTH

Rick

HTH

Rick

I did a bit of digging around Router A and it looks like the 192.168.168.0 subnet is assigned to the router by the modem. The modem is a microhard cellular modem. It seem like the microhard assignes ip to devices plugged into it (so the modem acts like a LAN). The modem has a static IP of 174.90.251.xx (the ip address being used in the site to site vpn) and forwards all traffic to the Cisco router.

The same kind of microhard modem is in place at another router that connects to router B and that router is working fine. I did a trace route from the router that is working fine to router B and I got the same output as I posted earlier.

https://t.co/mk82ebg3ow

Try this tool to see if you have any VPN configuration issues.

I clicked on that link, I was prompted to log in with my cisco account, then I got a page that said unauthorized access.

Carlos Villagran
Cisco Employee
Cisco Employee

Hello jsandau,

Can you reach public addess  96.45.14.xx stated in the isakmp policy via your default route?

(crypto isakmp key ***** address 96.45.14.xx) 

Are you getting hits in your ACL used for the crypto map?

Regards.

JC

how would I test that?

Review Cisco Networking for a $25 gift card