06-25-2006 10:18 AM - edited 02-21-2020 02:29 PM
Hello there,
I'm trying to set up a site-to-site VPN between two routers (3825 and 1751), connected through a point-to-point Frame Relay.
I've tried to set it up through CLI and SDM and the VPN is not working.
Do you have a configuration example to set up a Site-to-Site VPN using SDM and CLI?
Regards
Fady
06-25-2006 11:16 AM
Hi Fadi,
I think the following document will help you, and I prefer to work using CLI. Anyway, if you have any questions please ask!
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml
Please rate if it does.
Thanks
Abd Alqader
06-26-2006 10:10 AM
Dear Abd Alqader,
Actually I'm facing difficulty in bringing the VPN up.
It is supposed to be straightforward. I have a point-to-point Frame Relay that links the Head Office to the branches (hub and spoke).
I'm trying to set up the VPN between the Accra Office and the Head Office and it's not working.
Everything looks fine in the config, but no SAs are formed, especially the ISAKMP SA.
I've attached the config for both routers and the diagram. Please take a quick look and advise.
Thanks
Fady
06-26-2006 10:19 AM
Hi,
Is it a cut-and-paste problem, or are you missing ACL 110?
This is on your FR interface, but I can't see this ACL in your config.
ip access-group 110 in
06-27-2006 09:39 AM
Hi,
Actually it's there in the configuration and it's attached to the interface s0/0.4 and s0/0/0.4 on the Branch and the Head Office respectively.
Do you mean that this ACL should be attached to the physical interface (S0/0; S0/0/0)? Because I don't think so.
Please advise.
Regards
Fady
06-27-2006 10:41 AM
Hi,
I see that ACL 110 is applied to the subinterface. I just don't see the implementation of the ACL in your config.
There is no "access-list 110 permit *****" in there. If it's not defined, it's like a deny any any.
06-29-2006 06:43 AM
I don't agree with this statement- "There is no "access-list 110 permit *****" in there. If it's not defined, it's like a deny any any."
If there is "ip access-group 110 in" on an interface and there is no acl 110, then all traffic will be permitted.
Can you please paste the following debug info:
debug cry isa
debug cry ipsec
as you initiate VPN traffic.
06-30-2006 10:33 AM
Hi Abdl Kader,
Thank you for your help. I've created access-list 110, but I'm having a weird thing.
The VPN will only work if I put permit any any on access-list 140 and 110, which is not supposed to work this way, especially if I want to plan for split tunneling in the branches.
Can you please take a look at my config?
Thank you
Fady