L2L VPN Issue Using Cisco Routers

jeff6strings
Level 1

I can successfully set up a L2L IPSec VPN between two ASAs, but using a similar configuration on Cisco routers I can't establish a tunnel so that each router can ping the other's local LAN interface, although the two routers, NY and Burlington, can ping each other's WAN interface. Below is the config from both routers and a show version; I attached the full config files and a screenshot of the topology.
I appreciate any help.
Jeff

NY F0/0 - ISP - F0/0 Burlington

Show version

Cisco IOS Software, 3600 Software (C3640-IK9S-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 18-Aug-10 06:59 by prod_rel_team

ROM: ROMMON Emulation Microcode
ROM: 3600 Software (C3640-IK9S-M), Version 12.4(25d), RELEASE SOFTWARE (fc1)

NY uptime is 0 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"

Cisco 3640 (R4700) processor (revision 0xFF) with 124928K/6144K bytes of memory.
Processor board ID FF1045C5
R4700 CPU at 100MHz, Implementation 33, Rev 1.2
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
125K bytes of NVRAM.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

NY Router

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key ThisIsAWeekKey address 172.16.2.2
!
!
crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map Burlington 1 ipsec-isakmp
set peer 172.16.2.2
set transform-set L2L
match address Burlington-NW
!
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.252
duplex auto
speed auto
crypto map Burlington
!
interface FastEthernet1/0
ip address 10.0.1.1 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
!
ip access-list extended Burlington-NW
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

Burlington Router

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key ThisIsAWeekKey address 172.16.1.2
!
!
crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map NY 1 ipsec-isakmp
set peer 172.16.1.2
set transform-set L2L
match address NY-NW
!
!
interface FastEthernet0/0
ip address 172.16.2.2 255.255.255.252
duplex auto
speed auto
crypto map NY
!
interface FastEthernet1/0
ip address 10.0.2.1 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.2.1
!
!
ip access-list extended NY-NW
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255


4 Replies

jeff6strings
Level 1

UPDATE:

I followed a few labs or examples such as the one below and I get the same results.

http://www.cisco.com/en/US/products/hw/routers/ps221/products_configuration_example09186a008073e078.shtml

When powering on the routers I see the message:

CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

I changed IOS versions and received the same results.

Using Wireshark I captured traffic from one of the routers when pinging the other network and the pings go out the router and are not encrypted and fail.

A debug of crypto isakmp and ipsec provides no output on either router, and I checked to make sure monitor was on in the console session I'm in.

Still at a loss. Again thanks for any input.

Jeff

Config looks OK to me.

When you try to ping between the 2 LANs, can you please share the output of:

show cry isa sa

show cry ipsec sa

If you change the encryption to 3DES, does it make any difference?

I was able to resolve the problem. With the ASA network I had workstations to work with, and for the router lab I don't. I was pinging from the console of the routers and realized this may be a problem, since in some of the examples they were testing from a workstation, or when doing a ping they were specifying a loopback address as the source which is in the access list. I set up a workstation behind one of the routers and I was able to ping the other network and establish the IPsec connection. Very embarrassing.

Thank you,

Jeff 
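The resolution above comes down to how a crypto map decides which packets are "interesting": only traffic whose source and destination both match the crypto ACL (the proxy identities) triggers IKE and gets encrypted; everything else is routed in the clear, which is exactly what the Wireshark capture showed. A ping typed at the NY console is sourced from the egress interface, 172.16.1.2, which is not in 10.0.1.0/24, so it never matches Burlington-NW. The following is an added example, not code from the original thread or from Cisco: it implements Cisco wildcard-mask matching, tests the addresses from the posted configs against the NY crypto ACL, and checks that the two peers' crypto ACLs are mirror images of each other (a mismatch there is the other classic cause of a tunnel that never comes up). The ACL lines are copied from the posted configs; the host addresses 10.0.1.50 and 10.0.2.50 are constructed stand-ins for a workstation on each LAN.

```python
"""Crypto ACL ("interesting traffic") checks for an IOS L2L IPsec tunnel.

Added example, not from the original post. Uses the crypto ACL lines and
addresses posted in the thread; workstation addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>' entry."""
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(line: str) -> Ace:
    """Parse an extended ACE of the form used in the posted configs."""
    parts = line.split()
    if parts[:2] != ["permit", "ip"] or len(parts) != 6:
        raise ValueError(f"unsupported ACE: {line!r}")
    return Ace(_ip(parts[2]), _ip(parts[3]), _ip(parts[4]), _ip(parts[5]))


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def is_interesting(acl: List[Ace], src: str, dst: str) -> bool:
    """True if a src->dst packet matches any ACE, i.e. would be IPsec-protected."""
    s, d = _ip(src), _ip(dst)
    return any(
        wildcard_match(s, e.src, e.src_wild) and wildcard_match(d, e.dst, e.dst_wild)
        for e in acl
    )


def classify_ping(acl: List[Ace], src: str, dst: str) -> str:
    """Describe what the crypto map does with a packet from src to dst."""
    return "encrypted" if is_interesting(acl, src, dst) else "cleartext"


def mirror_of(e: Ace) -> Ace:
    return Ace(e.dst, e.dst_wild, e.src, e.src_wild)


def acls_are_mirrored(local: List[Ace], remote: List[Ace]) -> bool:
    """Each peer's crypto ACL must be the exact mirror of the other's."""
    return {mirror_of(e) for e in local} == set(remote)


# Crypto ACLs exactly as posted for the two routers.
NY_ACL = [parse_ace("permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255")]
BURLINGTON_ACL = [parse_ace("permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255")]

if __name__ == "__main__":
    # Console ping on NY: sourced from the WAN interface, so it misses the ACL.
    print("console ping :", classify_ping(NY_ACL, "172.16.1.2", "10.0.2.1"))
    # Same ping with the LAN interface as source ('ping 10.0.2.1 source 10.0.1.1').
    print("sourced ping :", classify_ping(NY_ACL, "10.0.1.1", "10.0.2.1"))
    # A workstation on each LAN (constructed addresses).
    print("host to host :", classify_ping(NY_ACL, "10.0.1.50", "10.0.2.50"))
    print("ACLs mirrored:", acls_are_mirrored(NY_ACL, BURLINGTON_ACL))
```

The same logic is why the reply suggesting `show crypto isakmp sa` would have shown nothing: with no matching packet, IKE is never triggered, so the ISAKMP and IPsec debugs stay silent even though the configs are correct. On IOS the `ping` command's `source` option lets you pick the LAN interface address, which is the quick way to test a crypto map from the console without a host behind the router.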

No problem, we do learn everyday

Please kindly mark the post as answered so others can also learn from your post. Thank you.