cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1220
Views
0
Helpful
9
Replies

Simple VPN between two 871 routers

jschneiter
Beginner
Beginner

I have two model 871 routers. I know NOTHING about command line programming, so please dont provide ANY command lines. I just want to get them up and running through the GUI and be done with them. No data is going over the network. Its to join two dispatch centers and use with just voice.

I did a test setting them up to our Sonicwall no problem.

Peer IP is 71.86.224.x

Internal Peer IP is 10.10.100.0

I have permit ip 10.10.101.0 0.0.0.225 10.10.100.0 0.0.0.225

I have the exact same thing (with obvious ip differences) going to my sonicwall and it connects immediatly and is stable.

What am I missing.

I hope I dont need to mess with the routing ( I wouldnt think so since the sonicwall connection is working). Everytime I tough the routing the running config breaks and I have to go 30 minutes away to flip the unit on and off again.

This shouldnt be this difficult should it?


Building configuration...

Current configuration : 5318 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname marquette
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$EC0W$rf7Sw2K6U6927l3d5wGLs1
!
username admin-marquette privilege 15 secret 5 $1$AptJ$Cy6RPqYdZa5J9wxoggoBm1
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 10.10.101.1 10.10.101.9
ip dhcp excluded-address 10.10.101.21 10.10.101.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.101.0 255.255.255.0
   dns-server 4.2.2.1 4.2.2.2
   default-router 10.10.101.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 4.2.2.1
ip name-server 4.2.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key sngborg41710 address 71.86.x.x

crypto isakmp key comserv address 71.98.x.x

crypto isakmp key sngborg41710 address 65.219.x.x

crypto isakmp key a4tagj95m1c address 216.56.x.x 255.255.255.224 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA4
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to71.98.x.x

set peer 71.98.x.x
set transform-set ESP-3DES-SHA1
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to71.86.x.x

set peer 71.86.x.x

set transform-set ESP-3DES-SHA1
match address 103
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to71.86.x.x
set peer 71.86.x.x

set transform-set ESP-3DES-SHA
match address 104
crypto map SDM_CMAP_1 4 ipsec-isakmp
description Tunnel to71.86.x.x
set peer 71.86.x.x
set transform-set ESP-3DES-SHA1
match address 106
!
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 65.219.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 65.219.x.177
ip route 10.10.100.0 255.255.255.0 71.86.x.x
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip access-list extended sdm_fastethernet4_out
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.101.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.10.101.0 0.0.0.255 71.98.x.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.10.101.0 0.0.0.255 10.10.105.0 0.0.0.255
access-list 101 permit ip 10.10.101.0 0.0.0.255 any
access-list 102 remark MASO - PORT
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.101.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.10.101.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.101.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 65.219.x.0 0.0.0.255 10.10.100.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

If you want to see the other side I can certainly provide that as well.

Thanks

Jon

9 REPLIES 9

cadet alain
Mentor
Mentor

Hi,

what are you doing to test the tunnel?

I'm sorry but there are certain things that are simpler to do with CLI or even impossible without the CLI.

Can you post results of these 2 commands while testing tunnel:

debug crypto isakmp sa

debug crypto ipsec sa

Regards.

Alain.

Don't forget to rate helpful posts.

When I say test is I setup the connection to the cisco from my sonicwall and it creates a connection and works.

I do the exact same setup on each Cisco and point them at each other, the connection wont connect.

When I telnet to one of them I do both of those commands and get: invalid input detected at ,^,marker

Hi,

Are you issuing these commands in privilege mode?

To test your tunnel there is a button in SDM.

Regards.

Alain.

Don't forget to rate helpful posts.

Again, I KNOW NOTHING about the command line. Believe me I would not have chosen ciscos if I was here when they were purchased.

The tunnel always fails cuz the connection isnt made.

Tunnel status is Down all the other options are successfull

I have yet to figure out how the debugging works.

I wish there was a dynamic log telling you everything going on and why the connection wont take place.

In my Sonicwall, it tells you exactly why the tunnel wont establish. You make those changes and tada you got it up and running.

Jon

ok,

so when you telent into router you are asked for username and password then you are directly with this prompt:hostname #

if so this is privileged mode and there you can issue these 2 commands:

debug crypto isa sa then enter

debug crypto ipsec sa then enter

then this command : terminal monitor then enter

But before issuing these you can type:

show crypto isa sa

show crypto ipsec sa

post these show commands results before issuing the debug.

Regards.

Alain.

Don't forget to rate helpful posts.

again I get the same error message

if I type debug crypto isa

I get isakmp debugging ON

when I type the monitor command I dont get any result just the next command line.

I then tried typing those two command and got the error

it seems it doesnt like the sa portion of the command

ok,

could you do sh version | inc IOS and sh crypto isa ? to see what keywords vit accepts after

For term monitor it's normal this command is used so you can see the debug while on a telnet session.

Regards.

Alain.

Don't forget to rate helpful posts.

Think of it as an opportunity to use and learn something new.

To view the log from the command line: sh log

Logging is enabled/disabled per service as mentioned above by Xavier.

Now, SDM (and CCP, SDM's replacement) does have the ability to do some VPN troubleshooting. And, unlike your Sonicwall, will actually fix the issues by itself. However, this process usually only works correctly with a sane configuration; something you don't have. In cases like this, is is often easier, and less work to use the CLI to get this working properly, even if you are less than comfortable working with it.

Follow Xavier's advice and post back the results. This is a pretty simple issue to get worked out.

Xavier Hick
Beginner
Beginner

From the configuration provided,there are several problems apparently related to trial and error approach with SDM unfortunately SDM doesn't take care of cleaning the whole config...

1) For now, the device is not Natting any traffic.

2) this statement should be removed : crypto map SDM_CMAP_1 4 ipsec-isakmp. To do this, type "no crypto map SDM_CMAP_1 4 ipsec-isakmp". You are trying to encrypt traffic from the Wan interface towards a private segment, which is never a good idea. Same goes for the statement "crypto map SDM_CMAP_1 3 ipsec-isakmp" that should be removed because it's redundant with crypto map SDM_CMAP_1 2.

3) the line "ip route 10.10.100.0 255.255.255.0 71.86.x.x" should be removed.

4) ensure you can ping from the router to the opposite router (Wan ip address to Wan ip address)

5) ensure the crypto isakmp passwords are matching on both devices (for example, that there is no space inserted at the end)

6) provide the configuration from the opposite device, enable debug crypto isakmp and debug crypto ipsec on the two routers. Initiate some traffic that should be encrypted across these two routers, then provide the 'show log' output from them. Disable then the debugs with 'undebug all'.

Cheers,

Xavier

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: