03-13-2012 08:01 AM
I have two Cisco 851s and the site-to-site VPN isn't working between them. When I test the tunnel I get the error that the peer cannot be contacted. I know the peer is up (I can ping both routers from a third, unrelated IP address) but the two routers can't ping each other. Here is the running config:
Host A:
Building configuration...
Current configuration : 3594 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Host_A
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$ePDD$ijslwDCnljz232ikk30PL/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
!
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.10.99
ip dhcp excluded-address 10.10.10.201 10.10.255.254
!
ip dhcp pool vlan1
import all
network 10.10.0.0 255.255.0.0
default-router 10.10.10.1
dns-server 207.229.52.2 205.233.109.40
!
!
ip cef
ip name-server 207.229.52.2
ip name-server 205.233.109.40
!
!
!
username admin privilege 15 password 0 *Password*
username operator privilege 7 secret 5 $1$rHHQ$prD8o7Nc75TKImW5cqMn6.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *VPN_Password* address *Host_B External IP*
!
crypto isakmp client configuration group remote
key 1rr1can
pool SDM_POOL_1
max-users 20
netmask 255.255.0.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group remote
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *Host_B External IP*
set peer *Host_B External IP*
set transform-set ESP-3DES-SHA2
match address 102
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$$ES_WAN$
ip address *Host_A External IP* 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
ip address 10.10.10.1 255.255.0.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 10.10.9.100 10.10.9.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.38.8.1
!
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
Host B:
Building configuration...
Current configuration : 7895 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Host_B
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$SL.z$pj3WaB1WTxiLux46ltlMo/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2030943716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2030943716
revocation-check none
rsakeypair TP-self-signed-2030943716
!
!
crypto pki certificate chain TP-self-signed-2030943716
certificate self-signed 01
30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32303330 39343337 3136301E 170D3032 30333031 30303236
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30333039
34333731 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B3B3 AEC18433 9EED6DD5 DEB4E878 3D683095 A0930694 2F85C58E 2784CB4A
E65E2B74 5F90EE1C 63FB0FA3 DA8BC41E 3C2674F6 134BD580 46528B30 D159CD1A
BED4059A 9B2C2A3C 8D77BA73 332F3F36 16D00FFE D3133C1E DE3E2A20 B4915EFE
15ACF77A 8C899ED3 3005D8C7 E8D94157 0DD3DA2E 4B2A407E 7B77606A BCC44F64
47610203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
551D1104 1D301B82 19436869 6E5F4879 64726F2E 796F7572 646F6D61 696E2E63
6F6D301F 0603551D 23041830 16801403 F11E4386 AE903ED8 2C5EABA2 B648B086
E2766530 1D060355 1D0E0416 041403F1 1E4386AE 903ED82C 5EABA2B6 48B086E2
7665300D 06092A86 4886F70D 01010405 00038181 007FFAA2 7ECE2321 87704128
A21B21D1 495B83AC 01FEE096 89DD6C99 8C403F1B B4367484 96F85C0A FAD6C105
41E065C0 0D8262B2 4B73F037 EDDA3CA2 2D6DA102 AADD40E3 3753B7BC 67175199
3B965188 73AC0665 3B8F6642 F4FD1FB0 500710C4 E79571A1 BF273411 0E856164
5B689A49 DC26BCC3 E63EE2C9 D2D3B50A BBFFD3FC 4C
quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.12.0.1 10.12.0.99
!
ip dhcp pool ccp-pool1
import all
network 10.12.0.0 255.255.255.0
default-router 10.12.0.1
dns-server 207.229.52.2 205.233.109.40
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 207.229.52.2
ip name-server 205.223.109.40
!
!
!
username admin privilege 15 secret 5 $1$MNvU$1yVJSWWZrNNatJM4XJ8Bu/
username operator privilege 8 secret 5 $1$g2ae$PnY5XOrP1ieVux3oaGrrB1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *VPN Password* address *Host_A External IP*
crypto isakmp key *VPN Password* address *Testing IP*
!
crypto isakmp client configuration group remote
key l3tm31n
pool SDM_POOL_2
max-users 5
crypto isakmp profile ciscocp-ike-profile-1
match identity group remote
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *Host_A External IP*
set peer *Host_A External IP*
set transform-set ESP-3DES-SHA6
match address 106
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address *Host_B External IP* 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.12.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.12.0.50 10.12.0.80
ip local pool SDM_POOL_2 10.12.1.50 10.12.1.70
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.38.11.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.12.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.12.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 10.12.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.12.0.0 0.0.0.255 10.10.8.0 0.0.3.255
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.12.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
03-15-2012 12:39 PM
I allowed ICMP echo replies (pings) through the firewall but still nothing. The weird thing is that any outside address can ping either router, but the routers can't ping each other.
03-16-2012 05:19 AM
I can't find anything wrong with the configuration. You mention a firewall in between? Check that the firewall allows ESP and UDP/500 + UDP/4500.
03-16-2012 07:12 AM
The only firewall is the one on the Cisco 851 (Host B); I'm pretty sure Host A's firewall is not configured. Shouldn't setting up the site-to-site via the wizard add rules to its own firewall to make everything work?
03-16-2012 08:54 AM
I got the VPNs to connect. The problem was the ISP had to add a route on their end so that the two external IP addresses could see each other. But even though the VPN tunnel says it's up, I can ping one router from the other router (and any computer on either network).
Edit:
I can ping the other router or computers on the other network if I am connected to the local network. But I can't ping the other router when I am connected to the SSL VPN. I don't know if that is clear, so here is the scenario:
I have two sites and each site has a computer that monitors the health of the network. Remote users should be able to connect via VPN (using the Cisco VPN client) to either site, and once they are connected to either site they should be able to see the other site via the site-to-site VPN. Right now the remote users can VPN into either site but they can only see the computers on the site they have VPNed into.
03-16-2012 10:17 AM
I think the problem is anyone connecting to the VPN on Host A gets an IP in the range of 10.10.9.x and anyone connecting to the VPN on Host B gets an IP in the range of 10.12.1.x. But I don't know what rule to add to fix this.
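The ACL arithmetic behind the last two posts, as an added example (this is not code from the thread, and the flow classification is mine): a small evaluator of the IOS numbered ACLs that the crypto maps (`match address 102` on Host A, `match address 106` on Host B) and the NAT route-maps (`match ip address 101` on both) reference, applied to the address ranges in the two configs. The ACL lines are copied from the posts; only `permit|deny ip` entries are handled, and the sample flows (including the documentation address 198.51.100.7 standing in for "the Internet") are constructed for the demonstration.

```python
from ipaddress import IPv4Address

# Crypto ACLs and NAT-exemption ACLs copied from the two running configs in
# the thread.  Host A: crypto map matches 102, NAT route-map matches 101.
# Host B: crypto map matches 106, NAT route-map matches 101.
HOST_A_ACLS = {
    101: [
        "access-list 101 remark IPSec Rule",
        "access-list 101 deny ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255",
        "access-list 101 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255",
        "access-list 101 permit ip 10.10.0.0 0.0.255.255 any",
    ],
    102: ["access-list 102 permit ip 10.10.0.0 0.0.255.255 10.12.0.0 0.0.0.255"],
}
HOST_B_ACLS = {
    101: [
        "access-list 101 deny ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255",
        "access-list 101 permit ip 10.12.0.0 0.0.0.255 any",
    ],
    106: ["access-list 106 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.255.255"],
}
# (acl table, crypto-map ACL number, NAT route-map ACL number)
HOST_A = (HOST_A_ACLS, 102, 101)
HOST_B = (HOST_B_ACLS, 106, 101)

MASK32 = 0xFFFFFFFF


def _parse_spec(tok, i):
    """One address spec: 'any', 'host X' or 'X WILDCARD' -> ((addr, wild), next)."""
    if tok[i] == "any":
        return (0, MASK32), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST'; remarks return None."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError("not a numbered access-list line: %r" % line)
    if tok[2] == "remark":
        return None
    if tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError("only 'permit|deny ip' entries are handled: %r" % line)
    src, i = _parse_spec(tok, 4)
    dst, _ = _parse_spec(tok, i)
    return tok[2], src, dst


def _hits(spec, ip):
    """IOS wildcard match: bits set in the wildcard are 'don't care' bits."""
    addr, wild = spec
    care = ~wild & MASK32
    return (int(IPv4Address(ip)) & care) == (addr & care)


def acl_action(lines, src, dst):
    """First-match evaluation with the implicit trailing deny, as IOS does."""
    for line in lines:
        ace = parse_ace(line)
        if ace and _hits(ace[1], src) and _hits(ace[2], dst):
            return ace[0]
    return "deny"


def classify(host, src, dst):
    """How the router treats src->dst when it leaves FastEthernet4.

    'ipsec': permitted by the crypto-map ACL, so encrypted to the peer.
    'nat':   not interesting traffic, but permitted by the NAT route-map ACL,
             so PAT'd to the WAN address and sent in the clear.
    'clear': matched by neither ACL: forwarded untranslated and unencrypted
             via the default route, which for a private destination just dies.
    """
    acls, crypto_num, nat_num = host
    if acl_action(acls[crypto_num], src, dst) == "permit":
        return "ipsec"
    if acl_action(acls[nat_num], src, dst) == "permit":
        return "nat"
    return "clear"


def mirrored(crypto_a, crypto_b):
    """True if each side's permit entries are exactly the reverse of the other's."""
    def permits(lines):
        out = set()
        for ace in map(parse_ace, lines):
            if ace and ace[0] == "permit":
                out.add((ace[1], ace[2]))
        return out
    return permits(crypto_a) == {(d, s) for s, d in permits(crypto_b)}


if __name__ == "__main__":
    flows = [  # constructed sample flows using the pools and LANs from the thread
        ("Host A LAN -> Host B LAN", HOST_A, "10.10.10.50", "10.12.0.10"),
        ("Host A VPN client -> Host B LAN", HOST_A, "10.10.9.100", "10.12.0.10"),
        ("Host B LAN -> Host A VPN client", HOST_B, "10.12.0.10", "10.10.9.100"),
        ("Host B VPN client -> Host A LAN", HOST_B, "10.12.1.50", "10.10.10.50"),
        ("Host B LAN -> Internet", HOST_B, "10.12.0.10", "198.51.100.7"),
    ]
    for label, host, s, d in flows:
        print("%-32s %s -> %s : %s" % (label, s, d, classify(host, s, d)))
    print("crypto ACLs are mirror images:", mirrored(HOST_A_ACLS[102], HOST_B_ACLS[106]))
```

Run stand-alone it shows that the two site-to-site crypto ACLs are exact mirrors, that Host A's client pool 10.10.9.x already falls inside 10.10.0.0/16 and is therefore encrypted in both directions, but that Host B's client pool 10.12.1.x is outside 10.12.0.0/24, so it is matched by neither the crypto ACL nor the NAT-exemption deny and leaves the router unencrypted and untranslated. The usual remedy is to add the client pool to the crypto ACL on both routers (as a source on the local side, as a destination on the peer) and to the `deny` lines of both NAT-exemption ACLs, keeping the two crypto ACLs mirror images; rerunning `mirrored` and `classify` after the change is the check.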