07-13-2012 08:46 AM - edited 03-07-2019 07:45 AM
Dear All,
I have been troubleshooting this issue for a while with no luck and would greatly appreciate your input. Basically I am trying to set up a site-to-site IPsec connection. At site A, I have VLAN 652 - 10.55.216.0/24, VLAN 653 - 10.55.217.0/24, VLAN 654 - 10.55.217.0/24 and VLAN 655 - 10.55.219.0/24, and at site B, VLAN 650 - 10.55.214.0/24 and VLAN 651 - 10.55.215.0/24.
The problem is that I am unable to get any associations when i do a "sh crypto isakmp sa"/"sh crypto ipsec sa" on either router at each site.
I am also unable to ping by plugging a laptop in at each site. The laptop at site A is set to access VLAN 655 and the laptop at site B is set to access VLAN 651. I can ping all the devices from one end to the other. I have turned on debug crypto isakmp, debug crypto ipsec, debug crypto ipsec errors but don't get anything at all as output.
I have attached the sh run for each router Cisco (1941/K9) and switch (Catalyst 3750) at each site.
Thanks in advance.
07-13-2012 08:56 AM
Hello Abayomi,
unless there is dynamic routing in place, you also need to define the IP routing for the remote end IP subnets, because you are not using GRE over IPsec.
on router A:
add
ip route 10.55.214.0 255.255.255.0 192.168.1.254
ip route 10.55.215.0 255.255.255.0 192.168.1.254
on router B:
add
ip route 10.55.216.0 255.255.255.0 192.168.1.253
ip route 10.55.217.0 255.255.255.0 192.168.1.253
ip route 10.55.218.0 255.255.255.0 192.168.1.253
ip route 10.55.219.0 255.255.255.0 192.168.1.253
Hope to help
Giuseppe
07-13-2012 08:58 AM
On Router SiteA you don't have any route to the remote subnets. When you send traffic from your internal networks to the remote side, the router won't route the traffic out of the outside interface where your crypto map waits to protect the traffic.
Another hint: For Router-to-Router-VPNs, Virtual Tunnel Interfaces (VTIs) are much easier to handle than crypto maps are.
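The reason the debugs stay silent is worth making concrete: a crypto map only sees packets that the routing table already sends out of the interface the map is applied to, so a missing or wrong route for the remote subnets means the "interesting traffic" ACL is never consulted and IKE never starts. The following script is an added example, not something posted in this thread or part of any Cisco tool. It parses `ip route` statements and a crypto ACL and, for every destination the ACL would protect, reports which interface the router would actually use. The interface names (GigabitEthernet0/0 for the WAN link, GigabitEthernet0/1 toward the LAN), the connected-route list and the "wrong route" case are assumptions constructed for the example; the subnets and next hops are the ones from this thread.

```python
"""Check that every destination in a crypto map's 'interesting traffic' ACL is
routed out of the interface the crypto map is applied to.

Added example for this thread; interface names, connected routes and the
'wrong route' case are constructed assumptions, the subnets are the thread's.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- constructed site A data -------------------------------------------------
CRYPTO_INTERFACE = "GigabitEthernet0/0"      # assumed: where 'crypto map' is applied

CONNECTED_A = [                               # assumed connected routes on router A
    ("192.168.1.0/24", "GigabitEthernet0/0"),  # WAN link, router A is .253, router B is .254
    ("10.55.216.0/24", "GigabitEthernet0/1"),  # VLANs 652-655 reached via the 3750
    ("10.55.217.0/24", "GigabitEthernet0/1"),
    ("10.55.218.0/24", "GigabitEthernet0/1"),
    ("10.55.219.0/24", "GigabitEthernet0/1"),
]

STATIC_A_BEFORE = ""                          # original state: no route to site B at all

STATIC_A_AFTER = """                          # Giuseppe's fix
ip route 10.55.214.0 255.255.255.0 192.168.1.254
ip route 10.55.215.0 255.255.255.0 192.168.1.254
"""

STATIC_A_WRONG = """                          # constructed: routes exist but point into the LAN
ip route 10.55.214.0 255.255.255.0 10.55.216.1
ip route 10.55.215.0 255.255.255.0 10.55.216.1
"""

# Crypto ACL: site A VLANs to site B VLANs (wildcard masks, as in an extended ACL).
CRYPTO_ACL_A = """
permit ip 10.55.216.0 0.0.0.255 10.55.214.0 0.0.0.255
permit ip 10.55.216.0 0.0.0.255 10.55.215.0 0.0.0.255
permit ip 10.55.217.0 0.0.0.255 10.55.214.0 0.0.0.255
permit ip 10.55.217.0 0.0.0.255 10.55.215.0 0.0.0.255
permit ip 10.55.218.0 0.0.0.255 10.55.214.0 0.0.0.255
permit ip 10.55.218.0 0.0.0.255 10.55.215.0 0.0.0.255
permit ip 10.55.219.0 0.0.0.255 10.55.214.0 0.0.0.255
permit ip 10.55.219.0 0.0.0.255 10.55.215.0 0.0.0.255
"""

STATIC_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\S+)\s*$")
PERMIT_RE = re.compile(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*$")


@dataclass
class Route:
    network: ipaddress.IPv4Network
    interface: str                                   # egress interface
    next_hop: Optional[ipaddress.IPv4Address] = None  # None for connected routes


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an ACL address/wildcard pair into a prefix (rejects non-contiguous wildcards)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    return ipaddress.IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def longest_match(rib: List[Route], ip: ipaddress.IPv4Address) -> Optional[Route]:
    """Plain longest-prefix match over the RIB."""
    best = None
    for r in rib:
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def build_rib(connected, static_text: str) -> List[Route]:
    """Connected routes plus static routes; each static next hop is resolved
    against the connected routes to find its real egress interface."""
    rib = [Route(ipaddress.IPv4Network(p), ifname) for p, ifname in connected]
    for line in static_text.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        nh = ipaddress.IPv4Address(m.group(3))
        via = longest_match(rib, nh)
        if via is None:
            raise ValueError(f"next hop {nh} is not on any connected network")
        rib.append(Route(net, via.interface, nh))
    return rib


def crypto_egress(acl_text: str, rib: List[Route]) -> Dict[str, Optional[str]]:
    """Map each ACL destination prefix to the interface the RIB would use (None = no route)."""
    result: Dict[str, Optional[str]] = {}
    for line in acl_text.splitlines():
        m = PERMIT_RE.match(line)
        if not m:
            continue
        dst = wildcard_to_network(m.group(3), m.group(4))
        route = longest_match(rib, dst.network_address)
        result[str(dst)] = route.interface if route else None
    return result


def unprotected_destinations(acl_text: str, rib: List[Route], crypto_if: str) -> List[str]:
    """Destinations the crypto map will never see: unrouted, or routed out another interface."""
    return sorted(d for d, i in crypto_egress(acl_text, rib).items() if i != crypto_if)


if __name__ == "__main__":
    for label, static in (("before", STATIC_A_BEFORE), ("wrong", STATIC_A_WRONG), ("after", STATIC_A_AFTER)):
        rib = build_rib(CONNECTED_A, static)
        print(label, unprotected_destinations(CRYPTO_ACL_A, rib, CRYPTO_INTERFACE))
    # before ['10.55.214.0/24', '10.55.215.0/24']  (no route: IKE never triggers)
    # wrong  ['10.55.214.0/24', '10.55.215.0/24']  (routed into the LAN, never hits the map)
    # after  []
```

The "wrong" case is the one to keep in mind when the routes are added but the SAs still do not appear: a route toward the remote subnets is necessary but not sufficient, it must leave through the crypto-mapped interface, and the same check applies in reverse on router B and to the return path on the 3750s.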
07-13-2012 09:33 AM
Thanks for the response Giuseppe.
However, it didn't work. Still unable to get pings across and unable to get anything for show crypto isakmp/ipsec sa.
Cheers,
Yomi
07-13-2012 11:46 AM
Hi guys, thanks for the pointer. It was static routing all right. Had to configure them on the switches and routers. There must be a static route with the next hop for each of the VLANs.
Many thanks,
Yomi