Site-to-Site VPN Issue (newbie)

bighiller
Level 1

Hi,

I'm trying to sort out a configuration issue, but I don't have boatloads of experience to sort it out.

The tunnel seems to come up, but I get "output crypto map check failed" when trying to ping a remote host.

Pretty simple site-to-site, here is a scrubbed configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password Password1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565821720
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-565821720
 revocation-check none
 rsakeypair TP-self-signed-565541720
!
!
crypto pki certificate chain TP-self-signed-565541720
 certificate self-signed 01
  quit
!
!
class-map match-all SiteA-2_OUT
 match access-group name SiteA-2_OUT
class-map match-all SiteA-2_IN
 match access-group name SiteA-2_IN
!
!
crypto keyring SiteA-2
  pre-shared-key address 123.123.123.123 key 9P5q9154&ES485Rrq9154&E
crypto logging session
!
crypto isakmp policy 40
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile SiteA-2
   keyring SiteA-2
   match identity address 123.123.123.123 255.255.255.255
   keepalive 10 retry 2
!
!
crypto ipsec transform-set SiteA-2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
 set peer 123.123.123.123
 set security-association lifetime kilobytes 1280000
 set security-association lifetime seconds 86400
 set transform-set SiteA-2
 set isakmp-profile SiteA-2
 match address SiteA-2_ACCESSLIST
 reverse-route static
!
!
!
interface FastEthernet0/0
 description LAN_AMI_PLL
 ip address 111.222.111.222 255.255.252.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description OUTSIDE_INTERNET1
 ip address 222.222.222.222 255.255.255.240
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip default-gateway 222.222.222.129
ip route 0.0.0.0 0.0.0.0 222.222.222.129
ip route 172.29.10.0 255.255.255.0 172.29.0.1
!
no ip http server
ip http secure-server
!
ip access-list extended SiteA-2_ACCESSLIST
 permit ip any host 10.140.0.20
 permit ip any host 10.140.0.21
ip access-list extended SiteA-2_IN
 permit ip host 123.123.123.123 any
ip access-list extended SiteA-2_OUT
ip access-list extended VPN_IN
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
ip access-list extended VPN_OUT
 permit udp any any
 permit ahp any any
 permit esp any any
 permit icmp any any
 permit ip any any
!
access-list 1 permit 172.29.0.0 0.0.3.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password SiteA2
 login
!
end

18 Replies

Still having the issue, but I have determined that is our partner's end and we are waiting on them to make some changes so that we can test it.

I will update this thread once we get closure.

Thanks,

Hi,

I do think it's the other end as well.

Hi Aditya,

Have you had a chance to review my latest config?

Thanks,

Hi,

The interface for which you use the overload keyword should be the internet facing interface.

It should resolve your issue.

Regards,

Aditya

Please rate helpful posts.
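As an added check (this is not code from the thread or from Cisco), the Python script below parses a condensed version of the posted configuration and flags the usual reasons a packet matching a crypto map is dropped on the egress interface, plus the NAT overload interaction Aditya refers to: IOS translates inside-to-outside traffic before the crypto map check, so a NAT ACL that permits the VPN flow rewrites its source address. The embedded CFG string is constructed: the LAN subnet 172.29.0.0/22 is taken from access-list 1, the NAT overload line is assumed because the original post contains none, and the pre-shared key is a placeholder. The function names (parse_acls, check_vpn, weak_settings) and the NAT_EXEMPT ACL in the corrected variant are my own, not IOS defaults.

```python
"""Static checks for an IOS crypto-map site-to-site VPN (added example, not the
thread's own tooling).  CFG is condensed from the scrubbed post; the LAN subnet
172.29.0.0/22, the NAT overload line and the placeholder key are assumptions."""
import ipaddress
import re

def _addr(tok):
    """Consume one ACL address spec (any | host A | A WILDCARD | bare A) -> network."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host" or not tok:
        return ipaddress.ip_network((tok.pop(0) if t == "host" else t) + "/32")
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok.pop(0))))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def parse_acls(cfg):
    """Named extended and numbered standard ACLs -> {name: [(action, src, dst)]}; ports ignored."""
    acls, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            cur = m.group(1)
            acls.setdefault(cur, [])
        elif m := re.match(r"access-list (\d+) (permit|deny) (.*)", line):   # standard: source only
            acls.setdefault(m.group(1), []).append((m.group(2), _addr(m.group(3).split()), _addr(["any"])))
        elif cur and (m := re.match(r" +(permit|deny) \S+ (.*)", line)):    # extended: proto src dst
            tok = m.group(2).split()
            acls[cur].append((m.group(1), _addr(tok), _addr(tok)))
        elif not line.startswith(" "):
            cur = None
    return acls

def check_vpn(cfg):
    """Findings per crypto map entry; an empty list means nothing obviously wrong."""
    f, acls = [], parse_acls(cfg)
    nats = re.findall(r"^ip nat inside source list (\S+) interface (\S+) overload", cfg, re.M)
    for name, seq, body in re.findall(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?: .*\n)+)", cfg, re.M):
        opt = dict(re.findall(r"^ +(match address|set peer) (\S+)", body, re.M))
        tag, acl, peer = f"map {name} {seq}", opt.get("match address"), opt.get("set peer")
        flows = [(s, d) for a, s, d in acls.get(acl, []) if a == "permit"]
        if not flows:
            f.append(f"{tag}: crypto ACL {acl} is missing or has no permit entries")
        if peer and not re.search(rf"pre-shared-key address {re.escape(peer)} key", cfg):
            f.append(f"{tag}: no keyring pre-shared key for peer {peer}")
        if not re.search(rf"^ +crypto map {re.escape(name)}$", cfg, re.M):
            f.append(f"{tag}: crypto map {name} is not applied to any interface")
        for src, dst in flows:
            if src.prefixlen == 0:
                f.append(f"{tag}: local proxy 'any' for {dst}; the peer's crypto ACL must mirror it")
            for nat_acl, nat_if in nats:
                # IOS does inside->outside NAT before the crypto map check, so a flow the NAT ACL permits
                # leaves with the overload address as source (first match approximated by first overlap).
                hit = next((a for a, s, d in acls.get(nat_acl, []) if s.overlaps(src) and d.overlaps(dst)), None)
                if hit == "permit":
                    f.append(f"{tag}: NAT list {nat_acl} on {nat_if} translates {src}->{dst}; deny it ahead of the permit")
        for _, nat_if in nats:   # the overload interface should be the one carrying the crypto map
            if not re.search(rf"^interface {re.escape(nat_if)}\n(?: .*\n)*? +crypto map {re.escape(name)}$", cfg, re.M):
                f.append(f"{tag}: overload interface {nat_if} does not carry crypto map {name}")
    return f

WEAK = [(r"^ +encr 3des$", "ISAKMP policy uses 3DES"),
        (r"^ +group [12]$", "ISAKMP policy uses DH group 1 or 2"),
        (r"^no service password-encryption$", "line and enable passwords stored in clear text"),
        (r"pre-shared-key address \S+ key (?!6 )", "pre-shared key not type 6 (clear or reversible type 7)")]

def weak_settings(cfg):
    """Lines a reviewer would flag even once the tunnel works."""
    return [msg for pat, msg in WEAK if re.search(pat, cfg, re.M)]

CFG = """\
no service password-encryption
crypto keyring SiteA-2
  pre-shared-key address 123.123.123.123 key PlaceholderKey
crypto isakmp policy 40
 encr 3des
 group 2
crypto map VPN 160 ipsec-isakmp
 set peer 123.123.123.123
 match address SiteA-2_ACCESSLIST
interface FastEthernet0/1
 ip address 222.222.222.222 255.255.255.240
 crypto map VPN
ip nat inside source list 1 interface FastEthernet0/1 overload
ip access-list extended SiteA-2_ACCESSLIST
 permit ip any host 10.140.0.20
 permit ip any host 10.140.0.21
access-list 1 permit 172.29.0.0 0.0.3.255
"""
# Corrected variant (assumed): LAN subnet as local proxy, extended NAT ACL denying the VPN flows first.
FIXED = (CFG.replace("permit ip any host", "permit ip 172.29.0.0 0.0.3.255 host")
            .replace("source list 1 interface", "source list NAT_EXEMPT interface")
            .replace("access-list 1 permit 172.29.0.0 0.0.3.255\n",
                     "ip access-list extended NAT_EXEMPT\n"
                     " deny ip 172.29.0.0 0.0.3.255 host 10.140.0.20\n"
                     " deny ip 172.29.0.0 0.0.3.255 host 10.140.0.21\n"
                     " permit ip 172.29.0.0 0.0.3.255 any\n"))

if __name__ == "__main__":
    print(*check_vpn(CFG), *weak_settings(CFG), "-- corrected:", *(check_vpn(FIXED) or ["clean"]), sep="\n")
```

Run as-is and the posted-style config produces four crypto-map findings (two for the 'any' local proxy, two for NAT list 1 translating the VPN flows) plus four hardening notes; the corrected variant produces none. The NAT check only approximates IOS first-match semantics by overlap, so treat a hit as something to confirm with `show ip nat translations` and `show crypto ipsec sa` rather than as proof. Note that the script cannot tell you whether the remote peer's proxy identities agree with yours, which is what the thread ultimately points to.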