02-23-2014 06:43 PM - edited 02-21-2020 07:31 PM
Hi all,
Can someone help verify what is wrong with the config below for a point-to-point VPN:
hostname B5_NP_RTR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key 6 uccmskey address 192.168.207.97
crypto isakmp keepalive 90
!
!
crypto ipsec transform-set to_PC esp-aes 256
crypto ipsec df-bit clear
!
crypto map NP_PC local-address FastEthernet0/0
crypto map NP_PC 10 ipsec-isakmp
set peer 192.168.207.97
set transform-set to_PC
match address 101
!
interface Tunnel3
ip address 172.16.0.17 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
tunnel source 192.168.207.98
tunnel destination 192.168.207.97
!
interface FastEthernet0/0
description Link to PC
ip address 192.168.207.98 255.255.255.252
duplex auto
speed auto
crypto map NP_PC
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 172.16.0.18
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip any any
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
hostname L5_PC_RTR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key 6 uccmskey address 192.168.207.98
crypto isakmp keepalive 90
!
!
crypto ipsec transform-set to_NPPK esp-aes 256
crypto ipsec df-bit clear
!
crypto map PC_NP local-address FastEthernet0/0
crypto map PC_NP 10 ipsec-isakmp
set peer 192.168.207.98
set transform-set to_NP
match address 101
!
interface Tunnel3
ip address 172.16.0.18 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
tunnel source 192.168.207.97
tunnel destination 192.168.207.98
!
interface FastEthernet0/0
description Link to NP
ip address 192.168.207.97 255.255.255.252
duplex auto
speed auto
crypto map PC_NP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip any any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
02-23-2014 08:47 PM
Looking at what you're trying to do, I think using a VTI would be a more streamlined configuration. It's also a little bit easier to configure. We use VTI to connect to remote locations and pass routing protocols through it. That's highly recommended by Cisco also.
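For readers who want to see what the VTI alternative suggested above looks like on these two routers, here is an added example (not posted by anyone in the thread). Hostnames, peer and tunnel addresses and the ISAKMP policy are taken from the original configs; the profile name VTI_PROF, the Loopback0 networks 10.1.1.0/24 and 10.2.2.0/24 standing in for a LAN behind each router, the pre-shared key entered in clear (type 0), and the esp-sha-hmac integrity transform (which the posted esp-aes 256 transform set lacks) are assumptions made for the example.

```ios
! Added example: static IPsec VTI (tunnel mode ipsec ipv4) instead of crypto map + GRE.
! Assumed: profile name VTI_PROF, Loopback0 networks as stand-in LANs, type-0 key,
! esp-sha-hmac added for integrity.
!
! ===== B5_NP_RTR =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key uccmskey address 192.168.207.97
crypto isakmp keepalive 90
!
crypto ipsec transform-set to_PC esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI_PROF
 set transform-set to_PC
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel3
 ip address 172.16.0.17 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.207.97
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
interface FastEthernet0/0
 description Link to PC - no crypto map needed, the VTI encrypts whatever is routed into Tunnel3
 ip address 192.168.207.98 255.255.255.252
!
ip route 10.2.2.0 255.255.255.0 Tunnel3
!
! ===== L5_PC_RTR =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key uccmskey address 192.168.207.98
crypto isakmp keepalive 90
!
crypto ipsec transform-set to_NP esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI_PROF
 set transform-set to_NP
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
!
interface Tunnel3
 ip address 172.16.0.18 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.207.98
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
interface FastEthernet0/0
 description Link to NP
 ip address 192.168.207.97 255.255.255.252
!
ip route 10.1.1.0 255.255.255.0 Tunnel3
!
! ===== Verify from B5_NP_RTR =====
! ping 10.2.2.1 source Loopback0
! show crypto session
! show crypto ipsec sa | include pkts encaps|pkts decaps
```

With a VTI there is no crypto ACL to get wrong: any packet routed into Tunnel3 is encrypted, a routing protocol can run over the tunnel, and the tunnel's line protocol goes down when the IPsec SA is not up, so routes through it are withdrawn automatically.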
02-24-2014 10:16 AM
While I agree that this situation could be done with VTI and that VTI does have some advantages, that does not address the main question in the original post which is why the tunnel is not working.
I will start by observing that Cisco warns that crypto maps using access lists with permit ip any any can cause problems. So the original poster would be well advised to change that part of the configuration. In this situation all the access list needs to do is permit gre host 192.168.207.97 host 192.168.207.98
But I believe that this is not the major problem. The major problem is that for the tunnel to work there must be interesting traffic to send through the tunnel. The router has only a single physical interface that has an IP address and that has a /30 mask. So where will traffic come from that will go through the tunnel and cause the tunnel to work?
HTH
Rick