06-02-2012 09:19 PM
Hello,
I've been trying to get my Cisco VPN up for a few days now, and haven't gotten far. No traffic is going across the sites.
RouterB# 2801 IOS adventerprisek9-mz.124-22.YB8
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 24.47.184.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 24.47.184.XX
set transform-set P2P
match address S2S-VPN-TRAFFIC
--------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
_____________________________________
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
Peer = 24.47.184.XX
Extended IP access list S2S-VPN-TRAFFIC
access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
P2P: { ah-sha-hmac } ,
}
Interfaces using crypto map S2S-VPN-MAP:
RouterB# 2821 IOS 2800nm-advipservicesk9-mz.124-24.T1
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 108.170.99.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 108.170.99.XXX
set transform-set P2P
match address S2S-VPN-TRAFFIC
--------------------------------------------------------------------
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
Peer = 108.170.99.XX
Extended IP access list S2S-VPN-TRAFFIC
access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
P2P: { ah-sha-hmac } ,
}
Interfaces using crypto map S2S-VPN-MAP:
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
I have applied the crypto map on the interfaces and created an ACL to allow the traffic.
I would appreciate it if someone could point me in the right direction.
06-03-2012 10:47 AM
Sir, I am looking at your router config, and I see that the crypto map is not bound to the outside interface.
06-03-2012 10:53 AM
Hello,
It is now:
interface FastEthernet0/0
description to ISP
ip address 108.170.99.xx 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map S2S-VPN-MAP
06-03-2012 06:13 PM
Wasn't the tunnel up this morning, but with no traffic flow?
I would make Router B initiate the tunnel (as you run DHCP on the Gig0/0 interface), make Router A an answer-only device for this IPsec tunnel, and also set the peer of Router B on Router A's tunnel config as 0.0.0.0.
06-03-2012 06:55 PM
Yeah, it was up but nothing made it across.
I'll make the other changes.
Thanks
06-03-2012 07:20 PM
Should be all good now.
Here are all the changes:
Router A:
- ACL 120 order was the other way round
- Add ACL "WANfilter2" to include ESP, UDP/500 and UDP/4500
- Apply crypto map on the external interface
Router B:
- Add default route
- Apply crypto map on the external interface
- Remove the static NAT statements
06-04-2012 01:22 AM
That's great. Could I please see the "sh cry ipsec sa" on Router B? Should the local peers at both ends match? When I saw it early this morning, Router B had a local peer of the 192.168.1.x address, as it was getting a DHCP address from the device in front of it (that was the way the ISP handed the public IP to it).
thanks.
06-04-2012 05:04 AM
Of course here you have it:
RouterB#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: S2S-VPN-MAP, local addr 192.168.1.21
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.100.0/255.255.255.0/0/0)
current_peer 108.170.99.74 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.21, remote crypto endpt.: 108.170.99.74
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.101.0/255.255.255.0/0/0)
current_peer 108.170.99.74 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.21, remote crypto endpt.: 108.170.99.74
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
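As an added, defender-side illustration that is not part of the thread: a Python script that parses the kind of "show crypto ipsec sa" output posted above, plus the "crypto ipsec transform-set" line from the posted configs, and reports the conditions a reviewer would check before anything else: a private local crypto endpoint facing a public peer (a NAT device sits in the path, so NAT-T on UDP/4500 is needed and an AH transform cannot survive, because AH authenticates the IP header that NAT rewrites), no active SAs even though packet counters are non-zero, send errors, and a transform set that authenticates but never encrypts. The sample output is constructed from the posted text (one flow only), and the finding codes are my own naming, not IOS output.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the first flow of the posted
# "show crypto ipsec sa" output (not copied from a live device).
SAMPLE_SA_OUTPUT = """\
interface: GigabitEthernet0/0
Crypto map tag: S2S-VPN-MAP, local addr 192.168.1.21
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.100.0/255.255.255.0/0/0)
current_peer 108.170.99.74 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.21, remote crypto endpt.: 108.170.99.74
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
"""

SA_SECTION = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")

# IOS transform keywords that actually encrypt; esp-null and the *-hmac
# keywords only authenticate.
ENCRYPTING = {"esp-des", "esp-3des", "esp-aes", "esp-seal"}
WEAK_CIPHERS = {"esp-des", "esp-3des"}


@dataclass
class FlowSA:
    local_net: str = ""
    remote_net: str = ""
    peer: str = ""
    local_endpoint: str = ""
    remote_endpoint: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    outbound_spi: int = 0
    sa_counts: dict = field(default_factory=dict)  # "outbound esp" -> SPIs seen


def parse_ipsec_sa(text: str) -> list:
    """Split 'show crypto ipsec sa' output into one FlowSA per protected flow."""
    flows, flow, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("protected vrf:"):      # each flow starts here
            flow = FlowSA()
            flows.append(flow)
            section = None
            continue
        if flow is None:
            continue
        if m := SA_SECTION.match(line):             # "inbound esp sas:" etc.
            section = f"{m.group(1)} {m.group(2)}"
            flow.sa_counts.setdefault(section, 0)
            continue
        if section and line.startswith("spi:"):     # one line per live SA
            flow.sa_counts[section] += 1
            continue
        if m := re.match(r"local ident .*?: \(([\d.]+/[\d.]+)", line):
            flow.local_net = m.group(1)
        elif m := re.match(r"remote ident .*?: \(([\d.]+/[\d.]+)", line):
            flow.remote_net = m.group(1)
        elif m := re.match(r"current_peer ([\d.]+)", line):
            flow.peer = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            flow.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            flow.decaps = int(m.group(1))
        elif m := re.match(r"#send errors (\d+)", line):
            flow.send_errors = int(m.group(1))
        elif m := re.match(r"local crypto endpt\.: ([\d.]+), remote crypto endpt\.: ([\d.]+)", line):
            flow.local_endpoint, flow.remote_endpoint = m.group(1), m.group(2)
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line):
            flow.outbound_spi = int(m.group(1), 16)
    return flows


def flow_findings(flow: FlowSA) -> list:
    """Finding codes (my own naming) for one flow; empty list means nothing to report."""
    findings = []
    if flow.local_endpoint and flow.remote_endpoint:
        local, remote = ipaddress.ip_address(flow.local_endpoint), ipaddress.ip_address(flow.remote_endpoint)
        if local.is_private and remote.is_global:
            # NAT between the peers: NAT-T (UDP/4500) is required and AH cannot work.
            findings.append("nat_between_peers")
    if flow.outbound_spi == 0 and not any(flow.sa_counts.values()):
        findings.append("no_active_sa")          # counters exist but no SA is installed
    if flow.encaps and not flow.decaps:
        findings.append("one_way_traffic")       # we send, the peer never answers
    if flow.send_errors:
        findings.append("send_errors")
    return findings


def transform_set_findings(config_line: str) -> list:
    """Check a 'crypto ipsec transform-set NAME <transforms>' line for weak choices."""
    parts = config_line.split()
    if parts[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line")
    transforms = parts[4:]
    findings = []
    if any(t.startswith("ah-") for t in transforms):
        findings.append("ah_present_breaks_nat")
    if not any(t in ENCRYPTING for t in transforms):
        findings.append("no_encryption")         # integrity only, payload in the clear
    elif any(t in WEAK_CIPHERS for t in transforms):
        findings.append("weak_cipher")
    return findings


if __name__ == "__main__":
    for f in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(f.local_net, "->", f.remote_net, "via", f.peer, flow_findings(f))
    print(transform_set_findings("crypto ipsec transform-set P2P ah-sha-hmac"))
```

Run against the posted output and config, the script reports the private local endpoint behind the ISP device, the empty SA lists with a zero outbound SPI, the single send error, and an AH-only transform set that would leave every packet unencrypted even once the tunnel passes traffic.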
06-03-2012 07:30 PM
Jen and Mikull,
Thank you very much for the feedback and assistance you've provided. I really appreciate it.