10-24-2011 06:45 PM - edited 02-21-2020 05:40 PM
I'm having trouble getting a VPN between a Cisco 1841 (Spoke) router and a Cisco 3825 (Hub) router working correctly. Everything (sh crypto sessions, sh crypto ipsec sa, sh crypto isakmp sa) indicates the VPN tunnel is established, but traffic refuses to pass. This leads me to think it's a routing or a NAT issue.
I'm trying to establish an IPSEC VPN between Site A (Spoke) and Site B (Hub). Site A must also have access to Site C where the servers are located.
Site A (10.1.20.X) is connected to the Internet via Comcast Broadband (int Fast0/0). Site B (10.1.0.X) is connected to the Internet via AT&T MLPPP T1s (int MULTI1). Site C (10.1.10.X, 10.1.11.x, 10.1.12.x) is connected via AT&T MPLS to Site B (int Gi0/0). Site C accesses the MLPPP T1s in Site B for Internet access.
Router Configs are attached. Anyone have any ideas what I'm missing here? I'm desperate! The location is completely down - they moved before the MPLS circuits were ready and they still have a few weeks before those will go in.
10-24-2011 08:18 PM
Hi Matt,
The most important thing about L2L VPNs is that the config has to be identical on both ends.
On site A I can see that the config is ok, but on site B:
--More-- ! ??? What is in here? Which ACL are you using for the encryption domain?
Can you try using the following encryption subnets?
++++ site A
access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.0.0 0.0.0.255
++++ site B
access-list 155 permit ip 10.1.0.0 0.0.0.255 10.1.20.0 0.0.0.255
HTH
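Added example, not part of the thread or the posters' configs: a Python check that every crypto ACL entry on one peer has its swapped source/destination counterpart on the other, run against the two access-list 155 lines proposed above. The function names and the extra Site C line in the Site A sample are constructed for illustration.

```python
import ipaddress

def take_net(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard masks are inverted netmasks; flip the bits.
    # A non-contiguous wildcard raises ValueError here.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    # strict=False: address bits covered by the wildcard are ignored
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)

def crypto_pairs(config, acl_id):
    """Set of (source, destination) networks in 'permit ip' lines of acl_id."""
    pairs = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", str(acl_id), "permit", "ip"]:
            continue  # deny entries and other protocols are skipped
        rest = tokens[4:]
        src = take_net(rest)
        dst = take_net(rest)
        pairs.add((src, dst))
    return pairs

def mirror_gaps(local_cfg, remote_cfg, acl_id=155):
    """Local entries whose swapped (dst, src) form is missing on the peer."""
    remote = crypto_pairs(remote_cfg, acl_id)
    local = crypto_pairs(local_cfg, acl_id)
    return sorted((s, d) for s, d in local if (d, s) not in remote)

# First line of each sample is from the reply; the Site C line is constructed.
SITE_A = """
access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
"""
SITE_B = """
access-list 155 permit ip 10.1.0.0 0.0.0.255 10.1.20.0 0.0.0.255
"""

if __name__ == "__main__":
    for src, dst in mirror_gaps(SITE_A, SITE_B):
        print(f"Site B has no mirror entry for {src} -> {dst}")
```

An entry reported here means the two peers disagree on the encryption domain for that traffic, so it is the first thing to compare when the SAs are up but packets do not pass.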