Site to site VPN not working between two 851s

jsandau · ‎03-13-2012

I have two cisco 851 and the site to site vpn isn't workin between them. When I test the tunnel I get the error that the peer cannot be contacted. I know the peer is up (I can ping both routers from a third, unrelated ip address) but the two routers can't ping each other. Here is the runnign config:

Host A:

Building configuration...

Current configuration : 3594 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Host_A

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret 5 $1$ePDD$ijslwDCnljz232ikk30PL/

!

aaa new-model

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

aaa session-id common

!

dot11 syslog

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.0.1 10.10.10.99

ip dhcp excluded-address 10.10.10.201 10.10.255.254

!

ip dhcp pool vlan1

import all

network 10.10.0.0 255.255.0.0

default-router 10.10.10.1

dns-server 207.229.52.2 205.233.109.40

!

ip cef

ip name-server 207.229.52.2

ip name-server 205.233.109.40

!

username admin privilege 15 password 0 *Password*

username operator privilege 7 secret 5 $1$rHHQ$prD8o7Nc75TKImW5cqMn6.

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key *VPN_Password* address *Host_B External IP*

!

crypto isakmp client configuration group remote

key 1rr1can

pool SDM_POOL_1

max-users 20

netmask 255.255.0.0

crypto isakmp profile ciscocp-ike-profile-1

match identity group remote

client authentication list ciscocp_vpn_xauth_ml_1

isakmp authorization list ciscocp_vpn_group_ml_1

client configuration address respond

virtual-template 1

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to*Host_B External IP*

set peer *Host_B External IP*

set transform-set ESP-3DES-SHA2

match address 102

!

crypto ctcp port 10000

archive

log config

hidekeys

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address *Host_B External IP*255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Virtual-Template1 type tunnel

ip unnumbered Vlan1

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 10.12.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1452

!

ip local pool SDM_POOL_1 10.12.0.50 10.12.0.80

ip local pool SDM_POOL_2 10.12.1.50 10.12.1.70

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 208.38.11.1

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.12.0.0 0.0.0.255

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 101 permit ip 10.12.0.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 10.12.0.0 0.0.0.255 10.10.8.0 0.0.3.255

access-list 104 remark CCP_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 10.12.0.0 0.0.0.255 10.0.0.0 0.0.255.255

access-list 105 remark CCP_ACL Category=4

access-list 105 remark IPSec Rule

access-list 105 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 106 remark CCP_ACL Category=4

access-list 106 remark IPSec Rule

access-list 106 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255

no cdp run

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

jsandau · ‎03-15-2012

I allowed ICMP ehco replys (pings) through the firewall but still nothing. The weird thin is that any ourside address can ping either router, but the routers can't ping each other.

Erik Ingeberg · ‎03-16-2012

I can't find anything wrong with the configuration. You mention a firewall in between? Check that the firewall allows ESP and UDP/500 + UDP/4500.

jsandau · ‎03-16-2012

The only firewall is the one on the Cisco 851 (Host B), I'm pretty sure Host A's firewall is not configured. Shouldn't setting up the site to site via the wizard add rules to it's own firewall to make everything work?

jsandau · ‎03-16-2012

I got the VPNs to connect. The problem was the ISP had to add a route on thier end so that the two external ip addresses could see each other. But Even though the VPN tunnel says it's up I can ping one router from the other router (on and computer on either network).

Edit:

I can ping the the other router or computers on the other netwrok if I am connected to the local network. But I can't ping the other router when I am connected to SSL VPN. I don't know if that is clear so here is the senerio:

I have two sites and each site has a computer that monitors the health of the network. Remote users should be able to conect via VPN (using cisco VPN client) to either site, and once they are connected to either site they should be able to see the other site Via the site to site VPN. Right now the remote users can VPN into either site but they can onyl see the computers on the site they hve VPNed into.

jsandau · ‎03-16-2012

I think the problem is anyone connecting to the VPN on host A get an ip in the range on 10.10.9.x and anyone connecting to the VPN on host B gets an ip in the range of 10.12.1.x. But I don't know what rule to add to fix this.