cm6043
Beginner

Site to Site IPsec tunnel not working

Hi all,

I need to set up IPsec from HK to Seoul. However, there is some problem in the config. When I put the crypto map on the WAN interface, the WAN IP cannot be pinged. Please find the following config for your reference. Could anyone tell me what the problem is? Thank you.

!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
no ip source-route
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated

!
!
object-group network HK
192.168.130.0 255.255.255.0
192.168.160.0 255.255.255.0
192.168.180.0 255.255.255.0
!
object-group network Seoul
192.168.100.0 255.255.255.0
192.168.101.0 255.255.255.0

!

!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key MBK@135 address 203.26.191.11

!
!
crypto ipsec transform-set IPSEC-VPN esp-3des esp-md5-hmac
!
crypto map HK-VPN 10 ipsec-isakmp
description HK_to_Seoul
set peer 203.26.191.11
set transform-set IPSEC-VPN
set pfs group2
match address HK-IPSec-Seoul

!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $$$ To Internet-C2960-SW port 2 $$$
ip address 134.15.16.13 255.255.255.224
ip virtual-reassembly
duplex full
speed 100
crypto map HK-VPN                    <--- when I put this command, I cannot ping from the router to the internet!
!
!
interface GigabitEthernet0
description description $$$ VLAN 130 to DC LAN $$$
ip address 192.168.130.4 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
no ip address
!
!
interface Async1
no ip address
encapsulation slip
!
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 134.15.16.14

!
ip access-list extended HK-IPSec-Seoul
permit ip object-group HK object-group Seoul

!
no cdp run

!
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
line 1
login local
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
line vty 0 4
login local
!
scheduler max-task-time 5000
end

--------------------------------------------------------

Regards
Leung Che Man
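The posted configuration negotiates IKEv1 with 3DES, MD5 and Diffie-Hellman group 2, and the pre-shared key is stored and pasted in cleartext. The following is an added example, not part of the original post, that puts the posted phase 1 / phase 2 settings beside a hardened equivalent for the same peer and crypto map. The master key and the replacement pre-shared key values are placeholders; the peer address, map name and ACL name are the ones from the post.

```cisco
! --- As posted: legacy IKEv1 policy and transform set ---
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MBK@135 address 203.26.191.11
crypto ipsec transform-set IPSEC-VPN esp-3des esp-md5-hmac

! --- Hardened equivalent (added example; both ends must be changed to match) ---
! Store pre-shared keys as type 6 (AES-encrypted) instead of cleartext, so that
! "show running-config" and pasted configs do not reveal the key.
! MASTER-KEY-PLACEHOLDER is a placeholder for a locally chosen master key.
key config-key password-encrypt MASTER-KEY-PLACEHOLDER
password encryption aes
!
! AES-256 / SHA-256 / DH group 14 replace 3DES / MD5 / group 2.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! The old key "MBK@135" was published in the post; rotate it on both peers.
! NEW-PSK-PLACEHOLDER stands for the new, long, random pre-shared key.
crypto isakmp key NEW-PSK-PLACEHOLDER address 203.26.191.11
!
crypto ipsec transform-set IPSEC-VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map HK-VPN 10 ipsec-isakmp
 description HK_to_Seoul
 set peer 203.26.191.11
 set transform-set IPSEC-VPN
 set pfs group14
 match address HK-IPSec-Seoul
```

Algorithm availability depends on the IOS release and licence: if the platform rejects `hash sha256` or `esp-sha256-hmac`, `hash sha` and `esp-sha-hmac` together with AES and group 14 are still a large improvement over 3DES, MD5 and group 2. Whatever is chosen must be configured identically on the Seoul peer, otherwise phase 1 or phase 2 negotiation fails.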

3 REPLIES
Harish Balakrishnan
Enthusiast (accepted solution)

Hello Leung,

Which version of IOS are you using? I believe the problem is with the ACL you are using. Can you try a normal numbered extended ACL without the object group to match your VPN traffic and let me know the results?

Please rate all helpful posts.

Harish.

Thanks Harish,

I can add it now after changing the object group to a normal ACL. Please find the IOS version below.

c890-universalk9-mz.150-1.M7.bin

Although the IPsec tunnel is not up yet, I will check with the remote end.

Regards
Leung Che Man

Good news. 15.0 doesn't work properly with object groups in the case of VPN.

regards

Harish.
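The accepted answer replaces the object-group-based crypto ACL with a plain numbered extended ACL. As an added example that is not part of the original thread, the crypto ACL from the post is shown next to its expansion into a numbered ACL (the three HK subnets times the two Seoul subnets give six permit lines), followed by the show commands used to confirm the tunnel. The ACL number 110 is an assumption; the subnets, peer, map name and interface are those from the post.

```cisco
! --- Crypto ACL as posted (object groups; the form that failed on c890 IOS 15.0(1)M7) ---
object-group network HK
 192.168.130.0 255.255.255.0
 192.168.160.0 255.255.255.0
 192.168.180.0 255.255.255.0
object-group network Seoul
 192.168.100.0 255.255.255.0
 192.168.101.0 255.255.255.0
ip access-list extended HK-IPSec-Seoul
 permit ip object-group HK object-group Seoul

! --- Same traffic selection as a numbered extended ACL (wildcard masks, not subnet masks) ---
access-list 110 remark HK_to_Seoul interesting traffic
access-list 110 permit ip 192.168.130.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.130.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 110 permit ip 192.168.160.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.160.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 110 permit ip 192.168.180.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.180.0 0.0.0.255 192.168.101.0 0.0.0.255
!
! Bind the numbered ACL to the existing crypto map entry and apply the map to the WAN interface.
crypto map HK-VPN 10 ipsec-isakmp
 match address 110
!
interface FastEthernet8
 crypto map HK-VPN
!
! Tear down any stale security associations after changing the crypto ACL.
! (exec mode)  clear crypto sa
!
! Verification (exec mode), once the Seoul end has the mirror-image ACL
! (source 192.168.100.0/24 and 192.168.101.0/24, destination the three HK subnets):
!   ping 192.168.100.1 source 192.168.130.4   -> generates interesting traffic from the LAN side
!   show crypto map                           -> ACL 110 bound to HK-VPN, peer 203.26.191.11
!   show crypto isakmp sa                     -> state QM_IDLE once phase 1 is established
!   show crypto ipsec sa                      -> #pkts encaps / #pkts decaps counters increasing
```

The crypto ACL only selects which traffic is encrypted; it must be the exact mirror of the peer's ACL, so a remaining "tunnel not up" after this change is usually a mismatch in the Seoul ACL, in the IKE policy, or in the transform set rather than in the HK ACL itself.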