vpn site to site

Hi,

Having trouble getting the site-to-site VPN up and running. Not sure what it is, but Phase 1 is up, but we have trouble with Phase II. Suspect it must have something to do with NAT and the Dialer1 interface. Not sure whether it's necessary to NAT or not. Hope someone could give me some hints.

The router is connected to an SHDSL router, and the IP address is negotiated through the Dialer1 interface and GigabitEthernet0/0.

Rgds

Geir

Cisco 29xx Config

hostname A

crypto isakmp policy 6
encr 3des
authentication pre-share
group 2

crypto isakmp key secret  address 9.x.x.x

crypto isakmp keepalive 10
!
!
crypto ipsec transform-set Router-IPSEC esp-3des esp-sha-hmac
!

crypto map A2B 6 ipsec-isakmp
description Tunnel from A to B IP address 9.x.x.x
set peer 9.x.x.x
set transform-set Router-IPSEC
match address 106
!

interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no mop enabled
!
interface GigabitEthernet0/1
description PPPoE to supplier
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
no mop enabled

interface FastEthernet0/1/6
switchport access vlan 6
no ip address
duplex full

!
interface Vlan6
ip address 106.1.1.1

no ip redirects
no ip unreachables
no ip proxy-arp
no mop enabled
crypto map A2B
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 101
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname XYZ@PROVIDER.COM
ppp chap password 7 providerPassword
no cdp enable
!
!

i
!
access-list 106 permit ip 106.1.0.0 0.0.255.255 92.75.74.0 0.0.0.255
!

Cisco Employee

vpn site to site

Hello,

Please paste debugs from that router:

debug crypto ipsec

debug crypto isakmp

on IOS + paste the configuration from the second side (if this is a Cisco router/firewall).

Contributor

vpn site to site

Some things seem to be mixed up:

I'd rather set outside NAT on Dialer1 and inside NAT on Vlan6.

However, the crypto map is placed on Vlan6. If the B site is reached via DSL/PPPoE, then it should be on Dialer1.

PPPoE is bound to G0/0 but G0/1 description refers to PPPoE.

So I'm not sure which direction is which.
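
The changes suggested in the reply above, written out as an added example that is not part of the thread and not a confirmed fix. It assumes Dialer1 is the interface facing the provider and site B, and Vlan6 is the LAN; ACL number 110 and the PAT statement are hypothetical, since the posted configuration shows no `ip nat inside source` line, while `A2B`, ACL 106 and the subnets are taken from the post.

```cisco
! Added example. Assumes Dialer1 faces the provider/site B and Vlan6 is the LAN.
interface Vlan6
 no crypto map A2B
 ip nat inside
!
interface Dialer1
 no ip nat inside
 ip nat outside
 crypto map A2B
!
! Assumption: ACL 110 is a hypothetical number; the post shows no NAT rule.
! Traffic matching crypto ACL 106 is excluded from translation, because
! IOS applies NAT before the crypto map on the outbound path, and translated
! packets would no longer match ACL 106.
access-list 110 deny   ip 106.1.0.0 0.0.255.255 92.75.74.0 0.0.0.255
access-list 110 permit ip 106.1.0.0 0.0.255.255 any
ip nat inside source list 110 interface Dialer1 overload
!
! Verification after the change (exec mode):
!  show crypto isakmp sa
!  show crypto ipsec sa
!  show ip nat translations
```

The crypto ACL on site B has to mirror ACL 106 (92.75.74.0/24 to 106.1.0.0/16) for the Phase 2 proposals to match.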