4089 Views / 25 Helpful / 37 Replies

S2S VPN

love2xlr8 (Level 1)

Hello,

I have been trying to get my Cisco VPN up for a few days now and haven't gotten far. No traffic is going across the sites.

RouterB# 2801 IOS adventerprisek9-mz.124-22.YB8

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key P2P address 24.47.184.XX
!
crypto ipsec transform-set P2P ah-sha-hmac
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
 set peer 24.47.184.XX
 set transform-set P2P
 match address S2S-VPN-TRAFFIC

--------------------------------------------------

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

_____________________________________

Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
        Peer = 24.47.184.XX
        Extended IP access list S2S-VPN-TRAFFIC
            access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                P2P:  { ah-sha-hmac  } ,
        }
        Interfaces using crypto map S2S-VPN-MAP:

RouterB# 2821 IOS 2800nm-advipservicesk9-mz.124-24.T1

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key P2P address 108.170.99.XX
!
crypto ipsec transform-set P2P ah-sha-hmac
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
 set peer 108.170.99.XXX
 set transform-set P2P
 match address S2S-VPN-TRAFFIC

--------------------------------------------------------------------

Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
        Peer = 108.170.99.XX
        Extended IP access list S2S-VPN-TRAFFIC
            access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                P2P:  { ah-sha-hmac  } ,
        }
        Interfaces using crypto map S2S-VPN-MAP:

--------------------------------------------------------------------------

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

I have applied the crypto map on the interfaces and created an ACL to allow the traffic.

I would appreciate it if someone could point me in the right direction.

37 Replies

Sir, I am looking at your router config, and I see that the crypto map is not bound to the outside interface.

Hello,

It is now:

interface FastEthernet0/0
 description to ISP
 ip address 108.170.99.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map S2S-VPN-MAP

Wasn't the tunnel up this morning, but with no traffic flowing?

I would make router B initiate the tunnel (as you run DHCP on the gig0/0 interface), make router A an answer-only device for this IPsec tunnel, and also set the peer for router B in router A's tunnel config as 0.0.0.0.

Yeah, it was up but nothing made it across.

I'll make the other changes.

Thx

Should be all good now.

Here are all the changes:

Router A:
- ACL 120 order was the other way round
- Add ACL "WANfilter2" to include ESP, UDP/500 and UDP/4500
- Apply crypto map on the external interface

Router B:
- Add default route
- Apply crypto map on the external interface
- Remove the static NAT statements
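The configuration the thread starts from, and the fix list above, contain checks worth automating. Points a reviewer would flag in the original configs: the transform set `ah-sha-hmac` is AH only, which authenticates packets but encrypts nothing, so the inter-site traffic would cross the Internet in plaintext even once the tunnel is up; the ISAKMP policy sets no `encryption`, so IOS applies its default of DES; the crypto ACL `permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0` does not describe either LAN; the crypto map was not bound to the outside interface; and the inbound WAN filter must pass UDP/500, UDP/4500 and ESP from the peer. The script below is an added example (editor's code, not from the thread or from Cisco) that lints a pasted IOS config for exactly those faults. Both sample configs are constructed with documentation addresses and a made-up pre-shared key, and the hardened one assumes an IOS release that offers SHA-256 transforms and DH group 14, which the 12.4 images in the thread may not.

```python
"""Lint a Cisco IOS site-to-site IPsec config for the faults seen in this thread. Added
example, not code from the thread or from Cisco; both sample configs are constructed and
the hardened one assumes an IOS release with SHA-256 transforms and DH group 14."""
WEAK_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key P2P address 192.0.2.10
crypto ipsec transform-set P2P ah-sha-hmac
crypto map S2S-VPN-MAP 100 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set P2P
 match address S2S-VPN-TRAFFIC
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
ip access-list extended WANfilter
 permit tcp any any established
interface FastEthernet0/0
 ip nat outside
 ip access-group WANfilter in"""
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 Constructed-Example-PSK-0123456789 address 192.0.2.10
crypto ipsec transform-set P2P esp-aes 256 esp-sha256-hmac
crypto map S2S-VPN-MAP 100 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set P2P
 set pfs group14
 match address S2S-VPN-TRAFFIC
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 172.22.100.0 0.0.0.255
ip access-list extended WANfilter
 permit udp host 192.0.2.10 any eq isakmp
 permit udp host 192.0.2.10 any eq non500-isakmp
 permit esp host 192.0.2.10 any
interface FastEthernet0/0
 ip access-group WANfilter in
 crypto map S2S-VPN-MAP"""

def parse(config):
    pol, tsets, maps, acls, ifaces = {}, {}, {}, {}, {}
    kind = name = None   # block the following sub-commands belong to; indentation is not required
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["crypto", "isakmp", "policy"]:
            kind, name = "policy", t[3]
        elif t[:2] == ["crypto", "map"] and len(t) > 3:
            kind, name = "map", t[2]
        elif t[:3] == ["ip", "access-list", "extended"]:
            kind, name = "acl", t[3]
        elif t[0] == "interface":
            kind, name = "iface", t[1]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            kind = None   # standalone statement, not part of the policy above it
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = [x for x in t[4:] if not x.isdigit()]   # drop key sizes
        elif kind == "policy" and len(t) > 1:
            pol.setdefault(name, {})[t[0]] = t[1]
        elif kind == "map" and t[0] in ("set", "match"):   # keys: peer, transform-set, pfs, address
            maps.setdefault(name, {})[t[1]] = t[-1]
        elif kind == "acl":
            acls.setdefault(name, []).append(t)
        elif kind == "iface" and t[:2] == ["crypto", "map"]:
            ifaces.setdefault(name, {})["map"] = t[2]
        elif kind == "iface" and t[:2] == ["ip", "access-group"] and t[-1] == "in":
            ifaces.setdefault(name, {})["acl_in"] = t[2]
        elif kind == "iface" and t[:3] == ["ip", "nat", "outside"]:
            ifaces.setdefault(name, {})["outside"] = True
    return pol, tsets, maps, acls, ifaces

def acl_permits(entries, proto, ports=()):
    # True if a permit entry covers proto (and, when given, one of the port tokens)
    return any(e[0] == "permit" and (e[1] == "ip" or e[1] == proto and (not ports or any(p in e for p in ports))) for e in entries)

def lint(config):
    pol, tsets, maps, acls, ifaces = parse(config)
    out = [f"isakmp policy {n}: no encryption set, IOS defaults to DES"
           for n, p in pol.items() if "encryption" not in p]
    for n, m in maps.items():
        ts = " ".join(tsets.get(m.get("transform-set"), []))
        if not any(x in {"esp-aes", "esp-gcm", "esp-3des", "esp-des"} for x in ts.split()):
            out.append(f"crypto map {n}: '{ts}' gives integrity only, payload is not encrypted")
        if n not in {i.get("map") for i in ifaces.values()}:
            out.append(f"crypto map {n}: not applied to any interface")
        for e in acls.get(m.get("address"), []):
            if e[0] == "permit" and ("any" in e[2:] or "0.0.0.0" in e[2:]):
                out.append(f"crypto ACL {m['address']}: '{' '.join(e)}' does not name the protected subnets")
    for n, i in ifaces.items():   # outside interface: carries the map or is 'ip nat outside'
        if ("map" in i or "outside" in i) and "acl_in" in i:
            for lbl, pr, po in (("ESP", "esp", ()), ("UDP/500", "udp", ("isakmp", "500")),
                                ("UDP/4500", "udp", ("non500-isakmp", "4500"))):
                if not acl_permits(acls.get(i["acl_in"], []), pr, po):
                    out.append(f"interface {n}: inbound ACL {i['acl_in']} blocks {lbl}")
    return out
```

`lint(WEAK_CONFIG)` returns seven findings (DES default, AH-only map, unbound map, the 0.0.0.0 crypto ACL, and ESP, UDP/500 and UDP/4500 blocked by the inbound filter); `lint(HARDENED_CONFIG)` returns an empty list. The parser keys on statement names rather than indentation, so a paste like the one at the top of the thread works as input.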

That's great. Could I please see the sh cry ipsec sa on router B? Should the local peers at both ends match? When I saw it early this morning, router B had the 192.168.1.x address as its local peer, as it was getting a DHCP address from the device in front of it (that was the way the ISP handed the public IP to it).

Thanks.

Of course, here you have it:

RouterB#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: S2S-VPN-MAP, local addr 192.168.1.21

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.22.100.0/255.255.255.0/0/0)
   current_peer 108.170.99.74 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.1.21, remote crypto endpt.: 108.170.99.74
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.22.101.0/255.255.255.0/0/0)
   current_peer 108.170.99.74 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.1.21, remote crypto endpt.: 108.170.99.74
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
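What that output says beyond the packet counters: both flows show `current outbound spi: 0x0(0)` and empty SA lists, so at the moment of the capture no IPsec SA is installed for either pair of subnets, and the local crypto endpoint is 192.168.1.21 while the peer is public, so router B sits behind NAT with the peer still on port 500 rather than 4500. That combination matters with the `ah-sha-hmac` transform set used in this thread: AH's integrity check covers the outer IP header, so any NAT on the path breaks it, and NAT traversal (UDP/4500) encapsulates ESP only. The following is an added example (editor's code, not from the thread or from Cisco) that parses `show crypto ipsec sa` output into one record per flow and reports those conditions. The sample is constructed after the output above with documentation addresses, and a second, healthy flow is added to show what an established ESP SA with NAT-T looks like; the RFC 1918 list is the heuristic used to decide that an endpoint is NATed.

```python
"""Parse 'show crypto ipsec sa' output and say why a tunnel that looks up carries
nothing. Added example, not from the thread or from Cisco; the sample is constructed
after the poster's output (documentation addresses) plus one healthy NAT-T/ESP flow."""
import ipaddress
import re

SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: S2S-VPN-MAP, local addr 192.168.1.21

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.22.100.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
     local crypto endpt.: 192.168.1.21, remote crypto endpt.: 198.51.100.2
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     outbound esp sas:
     outbound ah sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.22.101.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 4500
    #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.1.21, remote crypto endpt.: 198.51.100.2
     current outbound spi: 0x4A1B2C3D(1243294781)
     PFS (Y/N): Y, DH group: group14
     inbound esp sas:
      spi: 0x7E5F1A2B(2120161835)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
     outbound esp sas:
      spi: 0x4A1B2C3D(1243294781)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
"""
# Heuristic for "this endpoint is NATed": a private local address facing a public peer.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipsec_sa(text):
    """One record per crypto-map flow, in the order IOS prints them."""
    flows = []
    for block in re.split(r"^\s*protected vrf:", text, flags=re.M)[1:]:
        lid = re.search(r"local\s+ident.*\): \((\S+?)/(\S+?)/", block)
        rid = re.search(r"remote\s+ident.*\): \((\S+?)/(\S+?)/", block)
        peer = re.search(r"current_peer (\S+) port (\d+)", block)
        endp = re.search(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)", block)
        flows.append({
            "local": str(ipaddress.ip_network(f"{lid[1]}/{lid[2]}", strict=False)),
            "remote": str(ipaddress.ip_network(f"{rid[1]}/{rid[2]}", strict=False)),
            "peer": peer[1], "peer_port": int(peer[2]),
            "local_endpt": endp[1], "remote_endpt": endp[2],
            "send_errors": int(re.search(r"#send errors (\d+)", block)[1]),
            "outbound_spi": re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", block)[1],
            "pfs": re.search(r"PFS \(Y/N\): (Y|N)", block)[1] == "Y",
            # (spi, transform) per installed SA; empty when phase 2 never completed
            "sas": re.findall(r"^\s+spi: (0x[0-9A-Fa-f]+).*\n\s+transform: (.*?) ,", block, flags=re.M),
            "nat_t": "UDP-Encaps" in block,   # IOS marks UDP-encapsulated (NAT-T) SAs this way
        })
    return flows

def diagnose(flow):
    """Findings for one flow; an empty list means it looks healthy."""
    path, out = f"{flow['local']} -> {flow['remote']}", []
    if not flow["sas"] or flow["outbound_spi"] == "0x0":
        out.append(f"{path}: no IPsec SA installed (outbound SPI {flow['outbound_spi']}); phase 2 never "
                   "completed or has expired, compare crypto ACLs and transform sets on both peers")
    if any("ah-" in t or "esp-null" in t for _, t in flow["sas"]):
        out.append(f"{path}: SA gives integrity only, the payload crosses the Internet unencrypted")
    local, remote = (ipaddress.ip_address(flow[k]) for k in ("local_endpt", "remote_endpt"))
    behind_nat = any(local in n for n in RFC1918) and not any(remote in n for n in RFC1918)
    if behind_nat and not flow["nat_t"]:
        out.append(f"{path}: local endpoint {local} is private but NAT-T is not in use (peer port "
                   f"{flow['peer_port']}); NAT rewrites the outer header, so AH fails verification "
                   "and only ESP inside UDP/4500 can cross it")
    if flow["send_errors"]:
        out.append(f"{path}: {flow['send_errors']} send error(s) counted by the crypto engine")
    if not flow["pfs"]:
        out.append(f"{path}: PFS off, a compromised IKE key exposes every IPsec key derived from it")
    return out

def report(text):
    """All findings for a complete 'show crypto ipsec sa' dump."""
    return [f for flow in parse_ipsec_sa(text) for f in diagnose(flow)]
```

`report(SAMPLE)` returns four findings for the first flow (no SA, NAT without NAT-T, send errors, PFS off) and none for the second. Feed it the whole dump rather than one flow, since it splits on the `protected vrf:` line that opens each flow.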

love2xlr8 (Level 1)

Jen and Mikull,

Thank you very much for the feedback and assistance you've provided. I really appreciate it.