02-22-2012 11:19 AM
Hi All,
So OK, I'm stumped. I've created many s2s VPN tunnels before, but this one I just can't seem to get going. It's just a simple site-to-site VPN tunnel using preshared keys. Would appreciate it if someone, anyone, could take a look at our running configs for both routers and provide a little comment. Below is the running config for both routers. Thanks!
Router 1
=======
Current configuration : 4009 bytes
!
! Last configuration change at 19:01:31 UTC Wed Feb 22 2012 by asiuser
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SJWHS-RTRSJ
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.200.1 192.168.200.110
ip dhcp excluded-address 192.168.200.200 192.168.200.255
!
ip dhcp pool SJWHS-POOL
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
dns-server 10.10.2.1 10.10.2.2
!
!
no ip domain lookup
ip name-server 10.10.2.1
ip name-server 10.10.2.2
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-236038042
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-236038042
revocation-check none
rsakeypair TP-self-signed-236038042
!
!
crypto pki certificate chain TP-self-signed-236038042
certificate self-signed 01
30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
8B1E638A EC
quit
license udi pid CISCO1921/K9 sn xxxxxxxxxx
!
!
!
redundancy
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key presharedkey address 112.221.44.18
!
!
crypto ipsec transform-set IPSecTransformSet1 esp-3des esp-md5-hmac
!
crypto map CryptoMap1 10 ipsec-isakmp
set peer 112.221.44.18
set transform-set IPSecTransformSet1
match address 100
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.200.1 255.255.255.0
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description Wireless Bridge
ip address 172.17.1.2 255.255.255.0
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
description Verizon DSL for VPN Failover
ip address 171.108.63.159 255.255.255.0
duplex auto
speed auto
crypto map CryptoMap1
!
!
!
router eigrp 88
network 172.17.1.0 0.0.0.255
network 192.168.200.0
redistribute static
passive-interface GigabitEthernet0/0
passive-interface FastEthernet0/0/0
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.17.1.1
ip route 112.221.44.18 255.255.255.255 171.108.63.1
!
access-list 100 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
exec-timeout 30 0
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
=======
Router 2
=======
Current configuration : 3719 bytes
!
! Last configuration change at 18:52:54 UTC Wed Feb 22 2012 by asiuser
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SJWHS-RTRHQ
!
boot-start-marker
boot-end-marker
!
logging buffered 1000000
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3490164941
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3490164941
revocation-check none
rsakeypair TP-self-signed-3490164941
!
!
crypto pki certificate chain TP-self-signed-3490164941
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
EA1455E2 F061AA
quit
license udi pid CISCO1921/K9 sn xxxxxxxxxx
!
!
!
redundancy
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key presharedkey address 171.108.63.159
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IPSecTransformSet1 esp-3des esp-md5-hmac
!
crypto map CryptoMap1 10 ipsec-isakmp
set peer 171.108.63.159
set transform-set IPSecTransformSet1
match address 100
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.10.1.6 255.255.0.0
!
interface GigabitEthernet0/1
ip address 172.17.1.1 255.255.255.0
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
ip address 112.221.44.18 255.255.255.248
duplex auto
speed auto
crypto map CryptoMap1
!
!
!
router eigrp 88
network 10.10.0.0 0.0.255.255
network 172.17.1.0 0.0.0.255
redistribute static
passive-interface GigabitEthernet0/0
passive-interface GigabitEthernet0/0.1
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 112.221.44.17
!
access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
exec-timeout 30 0
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
02-22-2012 12:04 PM
Apply this on Router1
interface Tunnel0
ip address 3.3.3.1 255.255.255.252
keepalive 3 2
tunnel source FastEthernet0/0/0
tunnel destination 112.221.44.18
exit
router eigrp 88
network 3.3.3.0 0.0.0.3
----------------------------------------------
Apply this on Router2
interface Tunnel0
ip address 3.3.3.2 255.255.255.252
keepalive 3 2
tunnel source FastEthernet0/0/0
tunnel destination 171.108.63.159
exit
router eigrp 88
network 3.3.3.0 0.0.0.3
-------------------------------------------------------------
When done, look for an EIGRP neighbor on network 3.3.3.0.
Hope that helps.
thanks
02-22-2012 03:09 PM
OK, what just happened here.
I'm able to ping 3.3.3.1 from Router 2 and vice versa from Router 1 to 3.3.3.2. However, when I do a sh crypto isakmp sa I don't see a VPN tunnel. Then I do a show ip route and it shows that 3.3.3.0 is going through Tunnel0, and when I do a show ip eigrp neighbor it shows 3.3.3.0 via Tunnel0. Do I need to go back to my books and read them again? What just happened? Is my tunnel actually up and, like, in a state awaiting the Fast Ethernet connection to go down?
02-22-2012 04:01 PM
Please delete your ACL 100 and recreate it as shown below; likewise at the other end on Router2, and make sure you reverse the IP hosts on Router2.
access-list 100 permit ip host 171.108.63.159 host 112.221.44.18
That should fix it up.
Thanks
Rizwan Rafeek
02-22-2012 04:05 PM
Wait, why would I want to do that? Don't I want to specify my two networks instead?
02-22-2012 04:38 PM
When the GRE tunnel carries your private-IP range traffic, your ACL must contain the point-to-point host addresses of the IPsec tunnel.
Since both routers are running EIGRP in the corporate network, let EIGRP exchange the routes over the GRE tunnel, which is a best practice, rather than pushing individual private-IP ranges over the IPsec tunnel.
Let me know if this is what you want.
Thanks
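An added example, not part of the thread, that turns the advice in the last two answers (the Tunnel0 interface, the host-to-host crypto ACL mirrored on the far end) and the "ping works but no SA" observation into something checkable. In the configs as posted, Router 1 reaches 10.10.0.0/16 only over the wireless bridge (the EIGRP adjacency on GigabitEthernet0/1 and the default route via 172.17.1.1), so packets matching the original access-list 100 never leave FastEthernet0/0/0, the only interface with the crypto map applied, and nothing ever triggers ISAKMP. Once Tunnel0 exists, the GRE packets between 171.108.63.159 and 112.221.44.18 do leave FastEthernet0/0/0 (the host route for 112.221.44.18 points there), but they match neither side's original ACL 100, which is why the 3.3.3.x pings and the EIGRP adjacency came up with nothing in show crypto isakmp sa: the tunnel, and every prefix learned over it, was being forwarded in the clear. The host-to-host ACL, reversed on the far end, is what puts GRE inside IPsec. The script below parses the crypto-relevant parts of two IOS configs and reports, per direction, whether set peer names the address the other router's crypto map is bound to, whether the two crypto ACLs mirror each other, whether a GRE tunnel's endpoints are covered by the crypto ACL, and which IKE/IPsec settings are weak (the posted policies use hash md5 and esp-3des/esp-md5-hmac and, by omission, IOS's default encryption des and DH group 1). The config fragments embedded in it are constructed from the two posted configs plus the Tunnel0 from the answer; the script assumes show running-config indentation for sub-commands and the IOS 15 ISAKMP defaults just named, and the function names parse_ios, check, audit and wildcard_match are the example's own.

```python
import ipaddress

def _addr(tokens):
    """One ACL address spec (host X | NET WILDCARD) -> ((network, wildcard), remaining tokens)."""
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ios(text):
    """Pull the crypto-relevant facts out of one IOS running-config (sub-commands indented)."""
    c = {"hostname": "", "peer": "", "acl_id": "", "acl": [], "isakmp": {}, "transforms": [], "tunnel_dst": ""}
    if_ip, cur_if, crypto_if, tun_src, sect = {}, "", "", "", None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if not raw.startswith(" "):              # a top-level command closes any open section
            sect = None
            if t[0] == "hostname":
                c["hostname"] = t[1]
            elif t[0] == "interface":
                sect, cur_if = "if", t[1]
            elif t[:2] == ["crypto", "map"]:
                sect = "map"
            elif t[:3] == ["crypto", "isakmp", "policy"]:
                sect = "isakmp"
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                c["transforms"] = t[4:]
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                src, rest = _addr(t[4:])
                c["acl"].append((t[1], src, _addr(rest)[0]))
        elif sect == "if":
            key = " ".join(t[:2])
            if key == "ip address":
                if_ip[cur_if] = t[2]
            elif key == "crypto map":            # the interface the IPsec policy is bound to
                crypto_if = cur_if
            elif key == "tunnel source":
                tun_src = t[2]
            elif key == "tunnel destination":
                c["tunnel_dst"] = t[2]
        elif sect == "map":
            if t[:2] == ["set", "peer"]:
                c["peer"] = t[2]
            elif t[:2] == ["match", "address"]:
                c["acl_id"] = t[2]
        elif sect == "isakmp" and len(t) == 2:   # attributes of the first policy only
            c["isakmp"].setdefault(t[0], t[1])
    c["crypto_if_ip"] = if_ip.get(crypto_if, "")
    c["tunnel_src_ip"] = if_ip.get(tun_src, tun_src)  # 'tunnel source' may be an interface or an IP
    return c

def wildcard_match(spec, ip):
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (net & ~wild) == (int(ipaddress.IPv4Address(ip)) & ~wild)  # set wildcard bits are don't-care

def check(a, b):
    """Findings for the direction a -> b; run it both ways."""
    acl_a = [(s, d) for i, s, d in a["acl"] if i == a["acl_id"]]
    acl_b = [(s, d) for i, s, d in b["acl"] if i == b["acl_id"]]
    # Assumption: unspecified isakmp attributes take the IOS defaults encryption des, hash sha, group 1.
    ike = {k: a["isakmp"].get(k, v) for k, v in (("encryption", "des"), ("hash", "sha"), ("group", "1"))}
    weak = [f"{k} {v}" for k, v in ike.items() if v in ("des", "3des", "md5", "1", "2")]
    weak += [x for x in a["transforms"] if "des" in x or "md5" in x]
    return {
        "peer_matches": a["peer"] == b["crypto_if_ip"],
        "acl_mirrored": set(acl_a) == {(d, s) for s, d in acl_b},
        # a GRE tunnel whose endpoints no crypto ACL line matches is forwarded unencrypted
        "gre_in_clear": bool(a["tunnel_dst"]) and not any(
            wildcard_match(s, a["tunnel_src_ip"]) and wildcard_match(d, a["tunnel_dst"]) for s, d in acl_a),
        "weak": weak,
    }

def audit(text1, text2):
    r1, r2 = parse_ios(text1), parse_ios(text2)
    return {r1["hostname"]: check(r1, r2), r2["hostname"]: check(r2, r1)}

# Constructed fragments modelled on the thread's two routers, plus the Tunnel0 from the answer.
SITE = """\
hostname {host}
crypto isakmp policy 10
 hash md5
crypto ipsec transform-set IPSecTransformSet1 esp-3des esp-md5-hmac
crypto map CryptoMap1 10 ipsec-isakmp
 set peer {remote}
 match address 100
interface Tunnel0
 tunnel source FastEthernet0/0/0
 tunnel destination {remote}
interface FastEthernet0/0/0
 ip address {local} {mask}
 crypto map CryptoMap1
"""
R1 = SITE.format(host="SJWHS-RTRSJ", local="171.108.63.159", mask="255.255.255.0", remote="112.221.44.18")
R2 = SITE.format(host="SJWHS-RTRHQ", local="112.221.44.18", mask="255.255.255.248", remote="171.108.63.159")
# The thread's original crypto ACLs (private ranges) and the replacement (GRE endpoints, mirrored).
NETS_R1 = "access-list 100 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255\n"
NETS_R2 = "access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255\n"
GRE_R1 = "access-list 100 permit ip host 171.108.63.159 host 112.221.44.18\n"
GRE_R2 = "access-list 100 permit ip host 112.221.44.18 host 171.108.63.159\n"
```

audit(R1 + NETS_R1, R2 + NETS_R2) reproduces the state in the "what just happened" post: peers and ACLs are consistent, but gre_in_clear is true on both routers and the weak list names md5, 3des, des and group 1. audit(R1 + GRE_R1, R2 + GRE_R2) is the accepted fix, with gre_in_clear false on both sides; appending GRE_R1 to both routers instead (the "forgot to reverse the hosts" mistake the answer warns about) flips acl_mirrored to false and leaves Router 2's GRE in the clear. The weak findings are a separate caveat the thread does not address: swap in aes and sha256 in the isakmp policy and transform set, and set an explicit group of 14 or higher, before relying on this tunnel for anything sensitive.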
02-23-2012 01:55 PM
Alright going to test this out tonight. I'll let you/everybody know how it goes.
02-23-2012 06:02 PM
Alright it works, but I still don't understand why the Tunnel interface is needed. I guess I just gotta study some more. Thanks anyhow!!
10-13-2015 07:30 PM
Hi-
So OK, I'm stumped; maybe you can help me like you did with this guy.
I've created many s2s VPN tunnels before, but this one I just can't seem to get going. It's just a simple site-to-site VPN tunnel using preshared keys. Would appreciate it if someone, anyone, could take a look at our running configs for both routers and provide a little comment. Below is the running config for both routers. Thanks!
10-14-2015 01:58 AM
Please delete this post and create a new discussion; someone can help you out.
thanks