Multiple L2L VPN first one works, rest acting oddly

vetsnowit1
Beginner

Hi,

I am using a Cisco 1921. I have created 3 L2L VPNs. Although I can get the tunnels of all 3 up, in the case of one I can ping the LAN IP of the router, and the 2nd one from the peer subnet, but not the other way round. If anyone can make sense of this that would be great. I can see the ACL being fired.

Annoying, as the first VPN is up and working fine in both directions. I would be really grateful for a fresh pair of eyes.

The NAT blocking ACL is working fine too.

Glasgow#show access-lists
Extended IP access list 101
    10 permit ip 172.16.20.0 0.0.0.255 192.168.0.0 0.0.0.255 (966 matches)
Extended IP access list 104
    10 permit ip 172.16.20.0 0.0.0.255 192.168.3.0 0.0.0.255 (3606 matches)
Extended IP access list 105
    10 permit ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255 (3609 matches)
Extended IP access list 175
    10 deny ip 172.16.20.0 0.0.0.255 192.168.0.0 0.0.0.255 (2109 matches)
    20 deny ip 172.16.20.0 0.0.0.255 192.168.3.0 0.0.0.255 (3616 matches)
    30 deny ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255 (3639 matches)
    40 permit ip 172.16.20.0 0.0.0.255 any (1549 matches)

Here are the snippets (sanitised). Sorry, I hate reading through lazy people's config dumps.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key demopassword address 146.xx.xx.xx
crypto isakmp key demopassword address 212.xx.xx.xx
crypto isakmp key demopassword address 188.xx.xx.xx
!
!
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
!
crypto map l2l 99 ipsec-isakmp
 set peer 188.xx.xx.xx
 set transform-set esp-3des-sha1
 match address 101
crypto map l2l 100 ipsec-isakmp
 set peer 212.xx.xx.xx
 set transform-set esp-3des-sha1
 match address 105
crypto map l2l 101 ipsec-isakmp
 set peer 146.xx.xx.xx
 set transform-set esp-3des-sha1
 match address 104
!
interface GigabitEthernet0/1
 description WAN
 ip address 213.xx.xx.xx 255.255.255.xx
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map l2l
!
ip nat inside source list 175 interface GigabitEthernet0/1 overload
!
access-list 101 permit ip 172.16.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip 172.16.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 175 deny   ip 172.16.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 deny   ip 172.16.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 175 deny   ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 175 permit ip 172.16.20.0 0.0.0.255 any
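As an added example (not from the original post or from Cisco), here is a Python check over the crypto map, NAT and ACL lines above for the two configuration faults that typically leave the first crypto map entry working while later ones misbehave: a crypto ACL flow that a lower sequence number already matches ("shadowed"), and a flow whose first match in the NAT ACL does not deny all of it, so it is translated instead of encrypted ("nat-leak"). It assumes numbered ACLs of the `permit|deny ip <net> <wildcard>` form shown in the post; on the posted config it returns no findings.

```python
import ipaddress
# Constructed sample: the crypto map, NAT and ACL lines from the config above.
CONFIG = """\
crypto map l2l 99 ipsec-isakmp
 match address 101
crypto map l2l 100 ipsec-isakmp
 match address 105
crypto map l2l 101 ipsec-isakmp
 match address 104
ip nat inside source list 175 interface GigabitEthernet0/1 overload
access-list 101 permit ip 172.16.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip 172.16.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 175 deny   ip 172.16.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 deny   ip 172.16.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 175 deny   ip 172.16.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 175 permit ip 172.16.20.0 0.0.0.255 any
"""

def net(addr, wildcard):  # ipaddress reads a Cisco wildcard as a host mask
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse(config):
    acls, crypto, nat_acl, seq = {}, [], None, None
    for line in config.splitlines():
        tok = line.replace(" any", " 0.0.0.0 0.0.0.0").split()  # 'any' as net/wildcard
        if tok[:2] == ["crypto", "map"] and len(tok) > 3:
            seq = int(tok[3])
        elif tok[:2] == ["match", "address"]:
            crypto.append((seq, int(tok[2])))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acl = int(tok[5])
        elif tok[:1] == ["access-list"] and tok[3] == "ip":
            acls.setdefault(int(tok[1]), []).append((tok[2], net(tok[4], tok[5]), net(tok[6], tok[7])))
    return acls, sorted(crypto), nat_acl  # {acl: [(action, src, dst)]}, [(seq, acl)], int

def audit(config):
    acls, crypto, nat_acl = parse(config)
    findings, seen = [], []
    for _seq, acl in crypto:  # ascending sequence: the first matching entry wins
        for src, dst in [(s, d) for a, s, d in acls.get(acl, []) if a == "permit"]:
            findings += [("shadowed", acl, e) for e, s, d in seen  # lower seq claims flow
                         if src.overlaps(s) and dst.overlaps(d)]
            seen.append((acl, src, dst))
            for nact, nsrc, ndst in acls.get(nat_acl, []):  # first touching entry decides
                if src.overlaps(nsrc) and dst.overlaps(ndst):
                    if nact != "deny" or not (src.subnet_of(nsrc) and dst.subnet_of(ndst)):
                        findings.append(("nat-leak", acl))  # translated, not encrypted
                    break
    return findings
```

Because the posted side comes back clean, the same check is worth running on the peers' mirror-image crypto and NAT ACLs, which the post does not show.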