cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1023
Views
0
Helpful
4
Replies

unable to ping over site to site IPSEC

Abayomi Smith
Level 1
Level 1

Dear All,

I have been troubeshooting this issue since with no luck and would greatly appreciate your input. Basically I am tryin to set up a site to site ipsec coonection. AT site A, I have Vlan's 652-10.55.216.0/24, Vlan653 -10.55.217.0/24, Vlan 654-10.55.217.0/24 and Vlan655-10.55.219.0/24 and at site B, Vlan650-10.55.214.0/24 and Vlan651-10.55.215.0/24.

The problem is that I am unable to get any associations when i do a "sh crypto isakmp sa"/"sh crypto ipsec sa" on either router at each site.

I am also unable to ping by pluging in a laptop into the site at each site. Laptop at site A is set to access vlan 655 and laptop at site B is set to acess vlan 651. I can ping all the devices from one end to the other.I have turned on debug crypto isakmp, debug crypto ipsec, debug crypto ipsec errors but dont get anything at all as output.

I have attached the sh run for each router Cisco (1941/K9) and switch (Catalyst 3750) at each site.

Thanks in advance.

2 Accepted Solutions

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Abayomi,

unless there is dynamic routing in place, you need also to define the IP routing for the remote end IP subnets, because you are not using GRE over IPSec

on router A:

add

ip route 10.55.214.0 255.255.255.0 192.168.1.254

ip route 10.55.215.0 255.255.255.0 192.168.1.254

on routerB:

add

ip route 10.55.216.0 255.255.255.0 192.168.1.253

ip route 10.55.217.0 255.255.255.0 192.168.1.253

ip route 10.55.218.0 255.255.255.0 192.168.1.253

ip route 10.55.219.0 255.255.255.0 192.168.1.253

Hope to help

Giuseppe

View solution in original post

On Router SiteA you don't have any route to the remote subnets. When you send traffic from your internal networks to the remote side, the router won't route the traffic out of the outside interface where your crypto map waits to protect the traffic.

Another hint: For Router-to-Router-VPNs, Virtual Tunnel Interfaces (VTIs) are much easier to handle than crypto maps are.

View solution in original post

4 Replies 4

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Abayomi,

unless there is dynamic routing in place, you need also to define the IP routing for the remote end IP subnets, because you are not using GRE over IPSec

on router A:

add

ip route 10.55.214.0 255.255.255.0 192.168.1.254

ip route 10.55.215.0 255.255.255.0 192.168.1.254

on routerB:

add

ip route 10.55.216.0 255.255.255.0 192.168.1.253

ip route 10.55.217.0 255.255.255.0 192.168.1.253

ip route 10.55.218.0 255.255.255.0 192.168.1.253

ip route 10.55.219.0 255.255.255.0 192.168.1.253

Hope to help

Giuseppe

Thanks for the response Giuseppe.

However it didnt work. Still unable to get pings across and unable to get anything for show crypto isakmp/ipsec sa.

Cheers,

Yomi

Hi Guys, Thanks for the pointer. It was static routing alright. Had to configure them on the switches and routers. There must be a static route with the next hop for each of the vlans.

Many thanks,

Yomi

On Router SiteA you don't have any route to the remote subnets. When you send traffic from your internal networks to the remote side, the router won't route the traffic out of the outside interface where your crypto map waits to protect the traffic.

Another hint: For Router-to-Router-VPNs, Virtual Tunnel Interfaces (VTIs) are much easier to handle than crypto maps are.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: