
Site-to-site VPN is not going up: 1941

ak2
Level 1

The two peers are reachable from one another, but the VPN is not working.

The show crypto isakmp sa command shows empty output.

Site A Router Configuration:

!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SITEA
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO1941/K9 sn FTX1524LN10-
license boot module c1900 technology-package securityk9
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key ak414 address 12.0.0.2
!
!
!
crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
!
crypto map vpn-map 10 ipsec-isakmp
set peer 12.0.0.2
set transform-set vpn-set
match address 110
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/1/0
ip address 10.0.0.1 255.255.255.0
ip nat outside
clock rate 2000000
crypto map vpn-map
!
interface Serial0/1/1
no ip address
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 1 interface Serial0/1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
ip flow-export version 9
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

 

Site B Router Configuration:

!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname siteb
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO1941/K9 sn FTX1524706S-
license boot module c1900 technology-package securityk9
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key ak414 address 10.0.0.1
!
!
!
crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
!
crypto map vpn-map 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set vpn-set
match address 110
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.4.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/1/0
no ip address
clock rate 2000000
!
interface Serial0/1/1
ip address 12.0.0.2 255.255.255.0
ip nat outside
crypto map vpn-map
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 1 interface Serial0/1/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 12.0.0.1
!
ip flow-export version 9
!
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

 

 

Thanks in Advance

Accepted Solutions

Hi,
Your traffic is probably natting over the VPN. You should modify the NAT ACL on both routers: make sure the first ACE denies traffic from the local network to the remote network, and then the last ACE should permit all other traffic. You should use an extended ACL.

HTH
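
The NAT exemption described in the accepted answer, written out for the two configurations posted above. This is an added example, not part of the original thread; ACL number 101 is an assumed unused number, and every other value is taken from the posted configurations.

```cisco
! Added example. ACL 101 is an assumed free extended ACL number.
! With the posted config, standard ACL 1 permits the whole LAN, so packets
! to the remote LAN are translated to the serial address before the crypto
! map is evaluated. They no longer match crypto ACL 110, no IKE negotiation
! starts, and "show crypto isakmp sa" stays empty.
!
! --- SITEA, global configuration mode ---
no ip nat inside source list 1 interface Serial0/1/0 overload
no access-list 1
! First ACE: do not translate LAN-to-remote-LAN traffic
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
! Last ACE: translate all other traffic from the local LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Serial0/1/0 overload
!
! --- siteb, global configuration mode ---
no ip nat inside source list 1 interface Serial0/1/1 overload
no access-list 1
access-list 101 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
ip nat inside source list 101 interface Serial0/1/1 overload
!
! --- Verification on either router, privileged EXEC mode ---
! clear ip nat translation *
!     Drop stale translations created under the old rule.
! ping 192.168.4.1 source GigabitEthernet0/0      (from SITEA)
!     Generates interesting traffic that matches crypto ACL 110.
! show crypto isakmp sa
!     An SA to the peer should now be listed, normally in state QM_IDLE.
! show crypto ipsec sa
!     The encaps/decaps counters should increase with each ping.
! show ip nat translations
!     There should be no entries for destinations in the remote LAN.
```

The deny entry must mirror crypto ACL 110 on the same router, so that exactly the traffic selected for encryption is the traffic left untranslated.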


Thank you so much for the fast reply. After changing the ACL, it is solved. Working fine.