Site to Site VPN troubleshooting

Hi All,

I have tried to set up a site-to-site IPsec VPN. As far as I know, the Phase 1, Phase 2 and interesting traffic configuration is correct.

However, the tunnel is not coming up. Below is the configuration. Can anybody help me identify why the tunnel is not coming up?

I have also tried initiating traffic through the tunnel, but it still is not coming up. Please help me with the troubleshooting commands as well.

R1<=============================>R2

R1 S0/0 IP--> 172.16.1.1/16

R2 s0/0 IP --->172.16.1.2/16

R1 LAN --> 192.168.1.0/24

R2 LAN --> 10.0.0.1/24

R1 Config:

R1#sh run

!
ip cef
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 84000
crypto isakmp key cisco address 172.16.1.2
!
!
crypto ipsec transform-set PHASE2 esp-aes esp-sha-hmac
!
crypto map ROUTERA 10 ipsec-isakmp
set peer 172.16.1.2
set transform-set PHASE2
match address 101

!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0
ip address 172.16.1.1 255.255.0.0
serial restart_delay 0
crypto map ROUTERA

ip route 10.0.0.0 255.255.255.0 172.16.1.2
!
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!

R2 Config:

ip cef
!

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 84000
crypto isakmp key cisco address 172.16.1.1
!
!
crypto ipsec transform-set PHASE2 esp-aes esp-sha-hmac
!
crypto map ROUTERA 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set PHASE2
match address 101

!

access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

ip route 192.168.1.0 255.255.255.0 172.16.1.1

interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface Serial0/0
ip address 172.16.1.2 255.255.0.0
serial restart_delay 0
no fair-queue
crypto map ROUTERA

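A quick consistency check over the two routers' crypto settings, added here as an example (it is not from the post and not a Cisco tool): it parses the ISAKMP policy attributes, pre-shared keys, peer addresses and crypto ACLs from constructed excerpts of the R1 and R2 configs above and reports the mismatches that most often keep a crypto-map tunnel from forming. The function names `parse` and `check` are my own.

```python
# Crypto-relevant lines of the two configs in the post (constructed excerpts;
# sub-commands are indented the way "show run" prints them).
R1 = """crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.16.1.2
 set peer 172.16.1.2
 ip address 172.16.1.1 255.255.0.0
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255"""
R2 = """crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.16.1.1
 set peer 172.16.1.1
 ip address 172.16.1.2 255.255.0.0
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255"""

def parse(cfg):
    # Collect only the fields that must agree between the two IPsec peers.
    d = {"policy": [], "keys": {}, "peers": set(), "addrs": set(), "acl": set()}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] in ("encr", "hash", "authentication", "group"):
            d["policy"].append(" ".join(w))          # ISAKMP policy attributes
        elif w[:3] == ["crypto", "isakmp", "key"]:
            d["keys"][w[5]] = w[3]                   # peer address -> pre-shared key
        elif w[:2] == ["set", "peer"]:
            d["peers"].add(w[2])
        elif w[:2] == ["ip", "address"]:
            d["addrs"].add(w[2])
        elif w[0] == "access-list" and w[2:3] == ["permit"]:
            d["acl"].add(tuple(w[4:8]))              # (src, wildcard, dst, wildcard)
    return d

def check(local, remote, name):
    # Return the mismatches that would keep 'name' from negotiating with its peer.
    issues, my_addr = [], next(iter(local["addrs"]))
    if local["policy"] != remote["policy"]:
        issues.append(f"{name}: ISAKMP policy attributes differ from the peer's")
    for peer in local["peers"]:
        if peer not in remote["addrs"]:
            issues.append(f"{name}: peer {peer} is not an interface address on the remote router")
        if local["keys"].get(peer) is None or local["keys"][peer] != remote["keys"].get(my_addr):
            issues.append(f"{name}: pre-shared key for {peer} is missing or differs from the peer's")
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in remote["acl"]}
    if local["acl"] != mirrored:
        issues.append(f"{name}: crypto ACL is not the mirror image of the peer's")
    return issues
```

Both posted configs pass every check, which is a reason to confirm reachability between 172.16.1.1 and 172.16.1.2 (ping the peer, then `show crypto isakmp sa`) before changing any crypto parameters.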
2 Replies

Latchum Naidu
VIP Alumni

Hi,

There is no profile for the second phase, like below...

crypto ipsec profile xxxxxxxx
set security-association lifetime seconds 120
set transform-set strong


And make sure you have denied access from 10.0.0.0 to 192.168.1.0 in your Global NAT.


Please rate the helpful posts.
Regards,
Naidu.

Try adding another router in between so the source router doesn't have an IP address that's on the same network as the VPN destination address. Also remove the ip route 10.0.0.0 255.255.255.0 172.16.1.2 and put a default route 0.0.0.0 0.0.0.0 X.X.X.X, X.X.X.X being your new middle router.

R1------Internet Router---------R2