07-16-2006 11:55 PM
Hi, I was trying to establish a site-to-site tunnel between two 2811s with a 4-port EtherSwitch each.
I was able to ping both ends but the tunnel session is down. Below is the sample configuration.
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 58.x.50.122
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 58.x.50.122
set transform-set cisco
match address 120
!
interface Tunnel0
bandwidth 1000
ip unnumbered Vlan10
tunnel source Vlan20
tunnel destination 58.x.50.122
!
interface FastEthernet0/1/0
switchport access vlan 10
!
interface FastEthernet0/1/1
switchport access vlan 20
!
interface Vlan10
ip address 10.0.0.10 255.255.255.192
ip pim sparse-dense-mode
!
interface Vlan20
ip address 202.x.x.73 255.255.255.252
ip pim sparse-dense-mode
crypto map cisco
!
access-list 120 permit ip host 58.x.x.122 host 202.126.139.73
access-list 120 permit gre host 58.x.x.122 host 202.126.139.73
!
ip route 0.0.0.0 0.0.0.0 165.22.248.186
ip route 58.185.x.x 255.255.255.255 FastEthernet0/1/1
2811#sh cryp sess
Interface: Vlan20
Session status: DOWN
Peer: 58.x.50.122 port 500
IPSEC FLOW: permit 47 host 58.x.50.122 host 202.126.139.73
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 58.x.50.122 host 202.126.139.73
Active SAs: 0, origin: crypto map
Any advice would be much appreciated.
07-17-2006 01:18 PM
It looks like your crypto acl is backwards. The local egress interface is first, destination address is second. Both routers likely have this problem.
access-list 120 permit gre host 202.126.139.73 host 58.185.50.122
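As an added illustration of the point made in this reply (example code, not from the thread), a small Python checker that parses the host-to-host permit lines of a numbered crypto ACL from each router's configuration and flags entries written remote-to-local, or entries whose mirror image is missing on the peer. The addresses are constructed placeholders, not the thread's real peers.

```python
import re

# Constructed placeholder addresses for the two tunnel endpoints (not the thread's real ones).
LOCAL_ADDR, REMOTE_ADDR = "203.0.113.73", "198.51.100.122"

# Matches "access-list <n> permit <proto> host <src> host <dst>" as used for crypto ACLs.
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)\s*$")

def parse_crypto_acl(config_text, acl_number):
    """Return (proto, src, dst) tuples for host-to-host permit lines of one numbered ACL."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == str(acl_number):
            entries.append((m.group(2), m.group(3), m.group(4)))
    return entries

def check_mirror(local_entries, remote_entries, local_addr, remote_addr):
    """Flag entries not written local->remote, or whose mirror image is absent on the peer."""
    problems = []
    for proto, src, dst in local_entries:
        if (src, dst) == (remote_addr, local_addr):
            problems.append(f"backwards: permit {proto} host {src} host {dst}")
        elif (src, dst) != (local_addr, remote_addr):
            problems.append(f"unexpected addresses: permit {proto} host {src} host {dst}")
        elif (proto, dst, src) not in remote_entries:
            problems.append(f"no mirror on peer for: permit {proto} host {src} host {dst}")
    return problems

# Constructed sample configs: the local ACL as posted (remote first) and the corrected form.
BROKEN_LOCAL = """
access-list 120 permit ip host 198.51.100.122 host 203.0.113.73
access-list 120 permit gre host 198.51.100.122 host 203.0.113.73
"""
FIXED_LOCAL = """
access-list 120 permit ip host 203.0.113.73 host 198.51.100.122
access-list 120 permit gre host 203.0.113.73 host 198.51.100.122
"""
REMOTE = """
access-list 120 permit ip host 198.51.100.122 host 203.0.113.73
access-list 120 permit gre host 198.51.100.122 host 203.0.113.73
"""

if __name__ == "__main__":
    remote = parse_crypto_acl(REMOTE, 120)
    for label, text in (("as posted", BROKEN_LOCAL), ("corrected", FIXED_LOCAL)):
        local = parse_crypto_acl(text, 120)
        print(label, "->", check_mirror(local, remote, LOCAL_ADDR, REMOTE_ADDR) or "OK")
```

Run the same check from the other router's point of view (swap the two configs and the two addresses) to confirm both ends agree.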
07-18-2006 12:46 AM
Also... be careful using the Vl10 SVI as the ip unnumbered source for the tunnel. You will need at least one switchport in Vl10 always up to keep the SVI interface up; and hence the Tunnel.
The solution is to use a loopback as the ip unnumbered source interface.