Site-to-site VPN issues on Cisco IOS

oukpaka
Level 1

Hi People,

I am having issues trying to get a directly connected site-to-site VPN up.

I think I have met the basic requirements for the VPN configuration; however, when I do a test ping on R7 sourced from the lo0 interface to 2.2.2.2, I do not see any responses. Likewise, when I ping 1.1.1.1 sourced from lo on R8, there is no reply. The ISAKMP SA is not activated either.

I have tried the same configuration on different IOS but still to no avail.

Every assistance is deeply appreciated.

The routers are 7200 ios and they are versioned as follows:

Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(19), RELEASE SOFTWARE (fc1)

See configuration below:

For R7

=====

hostname R7
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
no ip domain lookup
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp peer address 10.1.12.2
!
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.2
 set transform-set TEST
 match address 120
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip ospf 1 area 1
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 120 permit ip host 1.1.1.1 host 2.2.2.2
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

For R8

=====

hostname R8
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
no ip domain lookup
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.12.1
!
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.1
 set transform-set TEST
 match address 120
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 ip ospf 1 area 1
 duplex auto
 speed auto
 crypto map CMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 120 permit ip host 2.2.2.2 host 1.1.1.1
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

1 Reply

jshojayi
Level 1

Unless I missed it, R7 doesn't have a key defined. That would cause Phase 1 to fail too.

Thank you.

Joe
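
The missing-key condition pointed out in the reply can be checked mechanically before a tunnel is ever tested. The following is an added example, not part of the original thread: a small Python lint that lists crypto-map peers with no covering `crypto isakmp key ... address` line. The function name `peers_missing_psk` is hypothetical, the config excerpts are constructed from the crypto lines posted above, and keyrings and hostname-based keys are assumed not to be in use.

```python
import ipaddress
import re

# Constructed excerpts: a subset of the crypto lines from the R7 and R8 configs above.
R7_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp peer address 10.1.12.2
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.2
"""
R8_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 10.1.12.1
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.1
"""

# Key line with an address and an optional dotted-quad mask after it.
KEY_RE = re.compile(
    r"^crypto isakmp key .+? address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?", re.M)
PEER_RE = re.compile(r"^\s*set peer (\d+\.\d+\.\d+\.\d+)", re.M)


def peers_missing_psk(config):
    """Return crypto-map peers that no 'crypto isakmp key ... address' line covers."""
    if not re.search(r"^\s*authentication pre-share\s*$", config, re.M):
        return []  # no pre-shared-key policy, so no key line is expected
    covered = []
    for addr, mask in KEY_RE.findall(config):
        # Assumption: a missing mask means a host key, except 0.0.0.0 (any peer).
        mask = mask or ("0.0.0.0" if addr == "0.0.0.0" else "255.255.255.255")
        covered.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    peers = dict.fromkeys(PEER_RE.findall(config))  # de-duplicate, keep order
    return [p for p in peers
            if not any(ipaddress.ip_address(p) in net for net in covered)]


if __name__ == "__main__":
    for name, cfg in (("R7", R7_CONFIG), ("R8", R8_CONFIG)):
        print(name, "peers without a pre-shared key:", peers_missing_psk(cfg))
```

A peer reported by this check has no pre-shared key to authenticate with, so IKE Phase 1 cannot complete for it.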