03-10-2016 02:28 AM
Hi,
Trying to sort out a configuration issue, but don't have boatloads of experience to sort it out.
The tunnel seems to come up, but I get "output crypto map check failed" when trying to ping a remote host.
Pretty simple site-to-site, here is a scrubbed configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password Password1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-565821720
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-565821720
revocation-check none
rsakeypair TP-self-signed-565541720
!
!
crypto pki certificate chain TP-self-signed-565541720
certificate self-signed 01
quit
!
!
class-map match-all SiteA-2_OUT
match access-group name SiteA-2_OUT
class-map match-all SiteA-2_IN
match access-group name SiteA-2_IN
!
!
crypto keyring SiteA-2
pre-shared-key address 123.123.123.123 key 9P5q9154&ES485Rrq9154&E
crypto logging session
!
crypto isakmp policy 40
encr 3des
authentication pre-share
group 2
crypto isakmp profile SiteA-2
keyring SiteA-2
match identity address 123.123.123.123 255.255.255.255
keepalive 10 retry 2
!
!
crypto ipsec transform-set SiteA-2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 160 ipsec-isakmp
set peer 123.123.123.123
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set SiteA-2
set isakmp-profile SiteA-2
match address SiteA-2_ACCESSLIST
reverse-route static
!
!
!
interface FastEthernet0/0
description LAN_AMI_PLL
ip address 111.222.111.222 255.255.252.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description OUTSIDE_INTERNET1
ip address 222.222.222.222 255.255.255.240
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
ip default-gateway 222.222.222.129
ip route 0.0.0.0 0.0.0.0 222.222.222.129
ip route 172.29.10.0 255.255.255.0 172.29.0.1
!
no ip http server
ip http secure-server
!
ip access-list extended SiteA-2_ACCESSLIST
permit ip any host 10.140.0.20
permit ip any host 10.140.0.21
ip access-list extended SiteA-2_IN
permit ip host 123.123.123.123 any
ip access-list extended SiteA-2_OUT
ip access-list extended VPN_IN
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
ip access-list extended VPN_OUT
permit udp any any
permit ahp any any
permit esp any any
permit icmp any any
permit ip any any
!
access-list 1 permit 172.29.0.0 0.0.3.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password SiteA2
login
!
end
05-11-2016 02:49 PM
Still having the issue, but I have determined that it is our partner's end and we are waiting on them to make some changes so that we can test it.
I will update this thread once we get closure.
Thanks,
05-11-2016 10:35 PM
Hi,
I do think it's the other end as well.
03-28-2016 10:50 AM
Hi Aditya,
Have you had a chance to review my latest config?
Thanks,
03-10-2016 04:15 AM
Hi,
The interface for which you use the overload keyword should be the internet facing interface.
It should resolve your issue.
Regards,
Aditya
Please rate helpful posts.
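The check suggested in the reply above, written as an added example that is not part of the original thread or the poster's configuration: a small Python linter that flags an `ip nat inside source ... overload` statement bound to an interface that is not marked `ip nat outside`. The sample configuration is constructed for illustration and assumes indented sub-commands as `show running-config` prints them.

```python
import re

# Constructed sample (not the poster's config): overload points at the LAN side.
SAMPLE_BAD = """\
interface FastEthernet0/0
 description LAN
 ip nat inside
!
interface FastEthernet0/1
 description OUTSIDE_INTERNET1
 ip nat outside
 crypto map VPN
!
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 172.29.0.0 0.0.3.255
"""
# Same config with the overload statement moved to the internet-facing interface.
SAMPLE_GOOD = SAMPLE_BAD.replace("interface FastEthernet0/0 overload",
                                 "interface FastEthernet0/1 overload")

def nat_roles(config):
    """Map each interface name to its NAT role: 'inside', 'outside' or None."""
    roles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)  # unindented line opens a stanza
        if m:
            current = m.group(1)
            roles[current] = None
        elif current and line[:1].isspace():    # indented line belongs to the stanza
            if line.strip() in ("ip nat inside", "ip nat outside"):
                roles[current] = line.split()[-1]
        else:
            current = None                      # '!' or a global command ends it
    return roles

def check_overload(config):
    """Return one finding per overload statement not bound to an outside interface."""
    roles = nat_roles(config)
    outside = sorted(name for name, role in roles.items() if role == "outside")
    findings = []
    pattern = r"^ip nat inside source .*\binterface (\S+) overload"
    for m in re.finditer(pattern, config, re.M):
        ifname = m.group(1)
        if roles.get(ifname) != "outside":
            findings.append(f"overload uses {ifname}; 'ip nat outside' is on {outside}")
    return findings

if __name__ == "__main__":
    print(check_overload(SAMPLE_BAD))
    print(check_overload(SAMPLE_GOOD))
```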