IPSEC VPN Issues - can't get traffic to pass

mwalkertx320
Level 1

I'm having trouble getting a VPN between a Cisco 1841 (Spoke) router and a Cisco 3825 (Hub) router working correctly. Everything (sh crypto sessions, sh crypto ipsec sa, sh crypto isakmp sa) indicates the VPN tunnel is established, but traffic refuses to pass. This leads me to think it's a routing or a NAT issue.

I'm trying to establish an IPSEC VPN between Site A (Spoke) and Site B (Hub). Site A must also have access to Site C where the servers are located.

Site A (10.1.20.X) is connected to the Internet via Comcast Broadband (int Fast0/0). Site B (10.1.0.X) is connected to the Internet via AT&T MLPPP T1s (int MULTI1). Site C (10.1.10.X, 10.1.11.x, 10.1.12.x) is connected via AT&T MPLS to Site B (int Gi0/0). Site C accesses the MLPPP T1s in Site B for Internet access.

Router Configs are attached. Anyone have any ideas what I'm missing here? I'm desperate! The location is completely down - they moved before the MPLS circuits were ready and they still have a few weeks before those will go in.

1 Reply

Hi Matt,

The most important thing about L2L VPNs is that the config has to be identical on both ends.

On site A I can see that the config is ok but on site B

--More--   !   ??? What is in here? Which ACL are you using for the encryption domain?

Can you try using the following encryption subnets?

++++ site A

access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.0.0 0.0.0.255

++++ site B

access-list 155 permit ip 10.1.0.0 0.0.0.255 10.1.20.0 0.0.0.255

HTH
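
An added example, not part of the original thread or the attached configs: a Python check that the two crypto ACL lines suggested in the reply are mirror images of each other, and whether a given flow would be selected for encryption by them. The host addresses are constructed; the Site C host is picked from the 10.1.10.X range named in the question.

```python
import ipaddress
import re

# Matches the simple extended-ACL form used in the reply:
# access-list <n> <permit|deny> ip <src> <src-wildcard> <dst> <dst-wildcard>
ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def wildcard_to_net(addr, wildcard):
    """Turn an address plus contiguous wildcard mask into an ip_network."""
    # Invert the wildcard explicitly so 0.0.0.0 means a /32 host, not /0.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for each access-list line found."""
    entries = []
    for m in ACL_RE.finditer(text):
        _, action, s, sw, d, dw = m.groups()
        entries.append((action, wildcard_to_net(s, sw), wildcard_to_net(d, dw)))
    return entries

def is_mirrored(acl_a, acl_b):
    """True when each entry on one peer has the src/dst-swapped entry on the other.

    Entry order is ignored, which is adequate for permit-only crypto ACLs.
    """
    swapped = {(action, dst, src) for action, src, dst in acl_b}
    return set(acl_a) == swapped

def is_protected(acl, src, dst):
    """First-match evaluation: would src -> dst be selected for encryption?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny: the flow is not matched by the crypto ACL

# ACL lines as given in the reply
SITE_A = "access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.0.0 0.0.0.255"
SITE_B = "access-list 155 permit ip 10.1.0.0 0.0.0.255 10.1.20.0 0.0.0.255"

if __name__ == "__main__":
    a, b = parse_acl(SITE_A), parse_acl(SITE_B)
    print("mirrored:", is_mirrored(a, b))
    # Constructed host addresses inside the ranges named in the thread
    print("Site A -> Site B:", is_protected(a, "10.1.20.10", "10.1.0.10"))
    print("Site A -> Site C:", is_protected(a, "10.1.20.10", "10.1.10.10"))
```
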