07-04-2021 12:08 AM - edited 07-04-2021 12:22 AM
I have a Cisco router C841M-4X/K9.
License Information for 'c800m'
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices
I am configuring a site-to-site IPsec VPN with my ISP (my ISP is not available at my branch location, so I am establishing the tunnel with my ISP over a local ILL link). The ISP has a Juniper router and I am using a Cisco router. I have configured all the parameters given by the ISP but my tunnel is still not coming up. I contacted the ISP but they are not helping me, saying my side has the wrong config and it is my responsibility to configure it correctly.
I am giving the ISP's as well as my side's config details. Kindly check and let me know what mistake is on my side, or what else I can configure to match the ISP configuration.
Configuration at ISP end (according to the config it looks like a Juniper device)
Phase 1:
**********
# sh vpn ipsec phase1-interface "ALL-BYE"
config vpn ipsec phase1-interface
edit "ALL-BYE"
set type dynamic
set interface "ALL-INT-834"
set local-gw 220.37.74.241
set keylife 28800
set peertype any
set proposal 3des-md5
set dpd on-idle
set dhgrp 5
set net-device enable
set psksecret ENC M0hQ1rPZQCxPTsKCfvkMXyOzkpfi70guPM4Q5MwBQdD5DqcUCtEvx+2ttcyvlUfy0akwX
set distance 1
set dpd-retryinterval 5
next
end
Phase 2:
************
# sh vpn ipsec phase2-interface | grep -f 4874660218
config vpn ipsec phase2-interface
edit "4874660218" <---
set phase1name "ALL-BYE"
set proposal 3des-sha1
set pfs disable
set keylifeseconds 1800
set dst-subnet 10.103.35.0 255.255.255.0
next
edit "4874660218-L" <---
set phase1name "ALL-BYE"
set proposal 3des-sha1
set pfs disable
set keylifeseconds 1800
set dst-subnet 10.106.36.0 255.255.255.0
next
end
Preshared key:
*********************
CoMe@RFT
=====================================================================================
My End IPSEC config on Cisco Router
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key CoMe@RFT address 220.37.74.241
!
!
crypto ipsec transform-set ALL-BYE esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map ALL-BYE 1 ipsec-isakmp
description ###Sify IPSEC###
set peer 220.37.74.241
set transform-set ALL-BYE
match address 105
!
!
interface GigabitEthernet0/1
ip address 105.66.20.2 255.255.255.224
crypto map ALL-BYE
!
access-list 105 permit ip 10.103.35.0 0.0.0.255 any
access-list 105 permit ip 10.103.36.0 0.0.0.255 any
Please find attachment for the below command outputs:
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connection active
show crypto isakmp policy
show crypto map
sh crypto ipsec sa | i pkts
sh crypto session
07-04-2021 12:33 AM
- Check this example configuration, you may find hints:
M.
07-04-2021 12:49 AM
Thank you Marce, but I have already referred to this document, with no luck. That's why I have given the ISP configuration and my end config.
07-04-2021 12:36 AM
Are you sure your crypto ACL (105) is correct? You've not specified the specific destination networks, unless your intention is to tunnel "any" traffic via the Juniper. If your ACLs are mismatched, then you'll fail to establish a tunnel.
Turn on isakmp debugs, generate traffic and provide the debug outputs here for review.
07-04-2021 01:33 AM - edited 07-04-2021 01:49 AM
Thank you Rob for the quick response.
Thank you Rob. You mean to say my ACL should match the ACL configured at the ISP end, or should it be specific IPs like below?
access-list 108 permit ip 10.103.35.0 0.0.0.255 host 220.37.74.241
access-list 108 permit ip 10.103.36.0 0.0.0.255 host 220.37.74.241
There is no log generated by the debug command.
Cisco_Router#debug crypto ipsec
Crypto IPSEC debugging is on
Cisco_Router#debug crypto is
Cisco_Router#debug crypto isakmp
Crypto ISAKMP debugging is on
07-04-2021 01:48 AM
@vyas.2020 Your ACL needs to mirror the ACL on the ISP Juniper firewall. The ACL is used to define the interesting traffic that should be encrypted and sent over the VPN tunnel, if they are mismatched the VPN will fail to establish.
You need to generate traffic from the source network defined in the ACL, only then will debugs be generated.
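To make the mirror rule concrete, here is an added example script (not from this thread, Cisco or the ISP): it parses the crypto ACL and the peer's phase2 `set dst-subnet` lines as pasted in the question, flips the peer's selectors into the Cisco side's perspective, and lists every selector pair that has no counterpart. It assumes a peer phase2 block with no `set src-subnet` line means any source; that default is an assumption, not something the thread states.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Sample input constructed from the two configs pasted in this thread.
CISCO_ACL = """
access-list 105 permit ip 10.103.35.0 0.0.0.255 any
access-list 105 permit ip 10.103.36.0 0.0.0.255 any
"""
PEER_PHASE2 = """
edit "4874660218"
    set dst-subnet 10.103.35.0 255.255.255.0
next
edit "4874660218-L"
    set dst-subnet 10.106.36.0 255.255.255.0
next
"""

def _side(toks):
    """Consume one ACL address term (any / host X / addr wildcard); return (net, rest)."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # ipaddress treats a zero-leading mask after the slash as a host mask (Cisco wildcard)
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]
def parse_cisco_acl(text, acl_id):
    """(local, remote) selector pairs from the 'permit ip' lines of one crypto ACL."""
    prefix, pairs = f"access-list {acl_id} permit ip ", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            local, rest = _side(line[len(prefix):].split())
            pairs.append((local, _side(rest)[0]))
    return pairs
def parse_peer_phase2(text):
    """(local, remote) pairs as the peer sees them; no 'set src-subnet' in a block = any (assumption)."""
    pairs, src, dst = [], ANY, None
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["set", "src-subnet"]:
            src = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["set", "dst-subnet"]:
            dst = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:1] == ["next"]:
            if dst is not None:
                pairs.append((src, dst))
            src, dst = ANY, None  # reset for the next phase2 block
    return pairs
def mirror_check(our_pairs, peer_pairs):
    """Peer's (local, remote) must equal our (remote, local); return what each side lacks."""
    ours, theirs = set(our_pairs), {(r, l) for (l, r) in peer_pairs}
    return sorted(ours - theirs, key=str), sorted(theirs - ours, key=str)
```

Run on the two configs as pasted, the first entries mirror each other while the second do not (10.103.36.0/24 on the Cisco side against 10.106.36.0/24 on the peer), and the `host 220.37.74.241` variant proposed above does not mirror the peer's `dst-subnet` entries either.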
07-04-2021 01:58 AM
Ok Rob, I got your point. I will contact the ISP and verify my ACL.
I will update the result here once done.
07-04-2021 02:40 AM
Just looking into your configuration, you should not be using Phase 1 and Phase 2 with 3DES. These values are legacy and you should stay away from using them. Have a look at this link