Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
459
Views
0
Helpful
1
Replies

VPN site to site issue

Zenzi
Level 1
Level 1

‎10-19-2017 02:47 AM - edited ‎03-12-2019 04:38 AM

I tried to setup VPN site to site but failed. The VPN tunnel couldn't be up.

 

VPN-Tunnel.jpg

 

My network diagram:

Network.png

 

Please take a look into my configuration and give me an advice.

 

VietNam Router:

 

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XVNdcegX4fkXE6hN address 192.168.40.160  no-xauth
!
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map VPNMap 10 ipsec-isakmp
 set peer 192.168.40.160
 set transform-set ESP-AES128-SHA
 set pfs group2
 match address ACL-TunnelVietnamNetherlands
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.40.150 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map VPNMap
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.40.2
!
ip access-list extended ACL-TunnelVietnamNetherlands
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
!
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Netherlands Router:

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XVNdcegX4fkXE6hN address 192.168.40.150  no-xauth
!
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map VPNMap 10 ipsec-isakmp
 set peer 192.168.40.150
 set transform-set ESP-AES128-SHA
 set pfs group2
 match address ACL-TunnelNetherlandsVietNam
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.40.160 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 20.20.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.40.2
!
ip access-list extended ACL-TunnelNetherlandsVietNam
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!
access-list 100 permit ip 20.20.20.0 0.0.0.255 any
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Thank you !

 

Labels:
0 Helpful
1 Reply 1

GRANT3779
Spotlight
Spotlight

‎10-19-2017 03:28 AM

One thing that stands out to me is the crypto map is missing from the Netherland routers "Outside" Interface.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents