01-07-2011 03:27 AM - edited 02-21-2020 05:04 PM
I have a problem with my site-to-site IPsec VPN tunnel. First I want to ping between PC1 and PC2, but that does not work. How can this be fixed?
01-07-2011 05:11 AM
Hi,
You need to make sure that the tunnel is up as a first step.
To check phase one use the command show crypto isakmp sa
To check phase two use the command show crypto ipsec sa
Phase one should show MM_ACTIVE or QM_IDLE
Phase two should show packets incrementing for encrypting and decrypting (when sending traffic through the tunnel).
If the tunnel is not up, we need to focus on that.
If the tunnel is up, then we focus on why traffic is not flowing through the tunnel.
Could be because of NAT or routing normally.
Do you have overlapping networks?
Are you doing NAT?
Is the IPsec between routers/ASAs?
Was it working?
Please provide more insight.
Federico.
01-07-2011 05:35 AM
OK, the tunnel is up:
dst src state conn-id status
94.227.156.40 94.227.156.12 QM_IDLE 2001 ACTIVE
R1 local 10.10.10.0
R2 local 20.20.20.0
01-07-2011 06:54 AM
That's phase 1.
What about phase 2?
Federico.
01-08-2011 04:48 AM
Hi Federico,
QM_IDLE
that's phase 2 indeed!
Regards.
Alain.
01-08-2011 04:50 AM
Can you post output of:
- sh crypto map
- sh access-list
on both routers.
Regards.
Alain.
01-08-2011 05:14 AM
R2
crypto isakmp policy 10000
ENCR aes 256
authentication pre-share
Group 16
lifetime 86399
crypto isakmp key cisco123 address 94,227,156,164
!
crypto ipsec security-association lifetime seconds 86399
!
crypto ipsec transform-set 10000 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map R2.CMAP 10000 ipsec-isakmp
set peer 94,227,156,164
set security-association lifetime seconds 86400
set transform-set 10000
set pfs group16
match address 100
qos pre-classify
access-list 100 permit ip 94.227.156.0 0.0.3.255 94.227.156.0 0.0.3.255
R1
crypto isakmp policy 10000
ENCR aes 256
authentication pre-share
Group 16
lifetime 86399
crypto isakmp key cisco123 address 94.227.156.50
!
crypto ipsec security-association lifetime seconds 86399
!
crypto ipsec transform-set 10000 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map R1.CMAP 10000 ipsec-isakmp
set peer 94.227.156.50
set security-association lifetime seconds 86400
set transform-set 10000
set pfs group16
match address 100
qos pre-classify
access-list 100 permit ip 94.227.156.0 0.0.3.255 94.227.156.0 0.0.3.255
01-08-2011 05:17 AM
Hello,
I am really new in this Cisco world. I spent some nights reading and browsing the net, and I have also had what you have.
Instead of copying and pasting it again, just take a look at my thread:
https://supportforums.cisco.com/thread/2060993?tstart=0
Hope this helps.
PS : Do not forget to rate me if it is useful
Best Regards,
Didier
01-08-2011 09:03 AM
Hi,
access-list 100 permit ip 94.227.156.0 0.0.3.255 94.227.156.0 0.0.3.255
This is to match the p2p link between the VPN peers, so it doesn't match your PCs behind each router.
You must use the subnets of your PCs, and don't forget to mirror the ACL on the other side.
Regards.
Alain.
01-08-2011 10:44 AM
Hello pcfreak49,
From the configuration you provided, I can see that your two PCs are in different ranges, i.e. one is .50 and the other is .164. My suggestion is that you change and modify your interesting traffic by dividing it into /25 subnets, as below:
for R1
access-list 100 permit ip 94.227.156.129 0.0.0.127 94.227.156.0 0.0.0.127
for R2
access-list 100 permit ip 94.227.156.0 0.0.0.127 94.227.156.129 0.0.0.127
One point to note: your R2 configuration is
crypto isakmp key cisco123 address 94,227,156,164
!
Why have you used , instead of . in the IP address?
Hope this helps.
Jigar
01-21-2011 08:00 AM
I did, but it does not work.
Who can help me now, really?
Kind regards
01-21-2011 10:08 AM
Hi,
Did you try changing this ACL?
You must put in the subnets of your 2 PCs, and don't forget to exempt this traffic from NAT.
access-list 100 permit ip 94.227.156.0 0.0.3.255 94.227.156.0 0.0.3.255
This is to match the p2p link between the VPN peers, so it doesn't match your PCs behind each router.
You must use the subnets of your PCs, and don't forget to mirror the ACL on the other side.
Regards.
Alain.
01-21-2011 10:18 AM
Can you show what you mean precisely, because I do not get it?
01-21-2011 02:29 PM
Hi,
You want to pass traffic from LAN to LAN through the VPN tunnel? Then the crypto ACL referenced in your crypto map must match these LANs, and on the other
peer you must mirror this ACL (src becomes dst and vice versa).
Is it clearer now?
Regards
Alain.
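The two checks Alain describes (the crypto ACL must describe the LANs, not the peer link, and each side must mirror the other) can be automated. The script below is an added example, not from anyone in this thread; it parses `access-list N permit ip SRC WC DST WC` lines, and uses the 10.10.10.0/24 and 20.20.20.0/24 LANs and the 94.227.156.x peer addresses quoted above as constructed sample input.

```python
import ipaddress
import re

# Constructed example (not from the thread): parse Cisco "access-list N permit ip SRC WC DST WC"
# crypto ACL entries and check the two things this thread turns on:
#  1. the ACL describes the LANs, not the subnet the tunnel endpoints themselves live in;
#  2. each peer's ACL is the mirror of the other's (src and dst swapped).
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> /24, 0.0.3.255 -> /22."""
    hostmask = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - hostmask.bit_length()
    # A usable wildcard is a run of contiguous low bits; reject e.g. 0.0.1.0
    if hostmask != (1 << (32 - prefix)) - 1:
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)

def parse_acl(text):
    """Return a list of (src_net, dst_net) tuples, one per 'permit ip' entry."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            _, src, swc, dst, dwc = m.groups()
            entries.append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return entries

def is_mirror(acl_a, acl_b):
    """True when every (src, dst) on side A appears as (dst, src) on side B and vice versa."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}

def matches_peer_link(acl, peer_addrs):
    """True when the ACL would select the tunnel endpoints' own addresses (the bug in the thread)."""
    peers = [ipaddress.ip_address(p) for p in peer_addrs]
    return any(p in s or p in d for s, d in acl for p in peers)

# Constructed inputs: the ACL as posted, and a corrected LAN-to-LAN pair.
POSTED = "access-list 100 permit ip 94.227.156.0 0.0.3.255 94.227.156.0 0.0.3.255"
R1_FIXED = "access-list 100 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255"
R2_FIXED = "access-list 100 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255"
PEERS = ("94.227.156.12", "94.227.156.40")

if __name__ == "__main__":
    print("posted ACL selects the peer link:", matches_peer_link(parse_acl(POSTED), PEERS))
    print("fixed ACLs mirror each other:", is_mirror(parse_acl(R1_FIXED), parse_acl(R2_FIXED)))
```

Note that the posted ACL is symmetric, so it passes the mirror check on both routers while still being wrong; the peer-link check is what catches it.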