The peer must be routed through the crypto map interface?

PiotrKowalczyk
Level 1

Hi,

I have a problem with a point-to-point VPN on my Cisco 877 router and was just wondering if somebody could help me. I tried to set it up using the CCP wizard as well as the console, but without any success. Basically, when I test the tunnel I get these errors:

“The peer must be routed through the crypto map interface. The following peer(s) do not have a routing entry in the routing table. 1) aaa.aaa.aaa.aaa”

and

“The tunnel traffic destination must be routed through the crypto map interface. The following destination(s) does not have a routing entry in the routing table. 1) 192.168.1.0”

Could you advise me please?

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AMS
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
ip source-route
!
!
ip dhcp excluded-address 192.168.18.1 192.168.18.69
ip dhcp excluded-address 192.168.18.201 192.168.18.254
!
ip dhcp pool ccp-pool
   import all
   network 10.10.11.0 255.255.255.0
   default-router 10.10.11.1
   dns-server 8.8.8.8 8.8.4.4
   lease 0 2
!
ip dhcp pool ccp-pool1
   network 192.168.18.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 192.168.18.1
!
!
ip cef
ip domain name xxx.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FCZ152990H2
!
!
username uuuuu privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxx.
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 104
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-access
  inspect
 class class-default
  drop
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
!
!
! IKE phase 1 policies, the pre-shared key for the peer, and the phase 2 transform set
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key zzzzzzzzz address aaa.aaa.aaa.aaa
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
! The crypto map CCP is testing; match address 102 selects the traffic to encrypt
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to aaa.aaa.aaa.aaa
 set peer aaa.aaa.aaa.aaa
 set transform-set ESP-3DES-MD5
 match address 102
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 200
!
interface FastEthernet3
 switchport access vlan 200
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.11.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
! The crypto map is applied here, so CCP expects the peer and 192.168.1.0/24 to route out Vlan100
interface Vlan100
 description $FW_OUTSIDE$
 ip address bbb.bbb.bbb.bbb 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 crypto map SDM_CMAP_1
!
interface Vlan200
 description $FW_INSIDE$
 ip address 192.168.18.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source Vlan100
ip flow-export version 5
ip flow-export destination 10.10.11.45 2055
!
ip nat inside source route-map SDM_RMAP_1 interface Vlan100 overload
! Default route: the only route toward the peer and toward the remote LAN
ip route 0.0.0.0 0.0.0.0 Vlan100 bbb.bbb.bbb.bbb permanent
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
!
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.11.0 0.0.0.255
access-list 2 permit 192.168.18.0 0.0.0.255
access-list 23 permit 10.10.11.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip bbb.bbb.bbb.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
! Crypto ACL: only 10.10.11.0/24 <-> 192.168.1.0/24 is encrypted; Vlan200 (192.168.18.0/24) is not covered
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host aaa.aaa.aaa.aaa any
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.11.0 0.0.0.255
! NAT route-map ACL: the deny exempts the tunnel traffic from PAT
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.10.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.18.0 0.0.0.255 any
access-list 105 permit ip 10.10.11.0 0.0.0.255 any
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
! "public" is the well-known default read-only community string (unrelated to the VPN problem)
snmp-server community public RO
snmp-server location 10.10.11.45
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I'm not really familiar with the router VPN setups.

The error messages just seem to point to you lacking routes? Yet you have a default route configured.

Have you still tried to add routes for both the VPN peer IP address and the remote LAN network pointing towards your outside interface?

I assume the bbb.bbb.bbb.bbb in the default route isn't the same IP address as the bbb.bbb.bbb.bbb on your outside interface?

- Jouni

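Both CCP messages quoted in the question, and Jouni's suggestion above to add routes for the peer and the remote LAN, come down to a single check: the crypto peer and every destination in the crypto ACL must resolve, by longest-prefix match, to the interface that carries the crypto map (Vlan100 here). The following is an added example, not code from the thread or from Cisco; it models that check in Python using the routing table implied by the posted config. The peer and the outside subnet are masked on the page, so 203.0.113.10 and 198.51.100.0/24 are placeholders, and the exact logic CCP 2.6 uses is not documented on the page, so this is a model of what the message says, not of the tool's code.

```python
"""Model of the CCP "peer must be routed through the crypto map interface" check.

Added example: longest-prefix-match lookup over a routing table, then a test
that the peer and the crypto-ACL destinations egress via the crypto map
interface. Addresses marked as placeholders are not from the original thread.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network   # destination prefix
    interface: str                  # egress interface


# Routing table reconstructed from the posted config (constructed sample).
# 198.51.100.0/24 stands in for the masked bbb.bbb.bbb.0/24 outside subnet.
ROUTES: List[Route] = [
    Route(ipaddress.IPv4Network("10.10.11.0/24"), "Vlan1"),      # connected, inside
    Route(ipaddress.IPv4Network("192.168.18.0/24"), "Vlan200"),  # connected, inside
    Route(ipaddress.IPv4Network("198.51.100.0/24"), "Vlan100"),  # connected, outside
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "Vlan100"),        # ip route 0.0.0.0 0.0.0.0 Vlan100 ...
]
CRYPTO_IF = "Vlan100"                 # interface carrying "crypto map SDM_CMAP_1"
PEER = "203.0.113.10"                 # placeholder for the masked aaa.aaa.aaa.aaa
CRYPTO_ACL: List[Tuple[str, str]] = [  # access-list 102 (source, destination)
    ("10.10.11.0/24", "192.168.1.0/24"),
]


def lookup(routes: List[Route], dest: str) -> Optional[str]:
    """Longest-prefix match: return the egress interface, or None if no route matches."""
    addr = ipaddress.IPv4Address(dest)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


def crypto_map_check(routes: List[Route], crypto_if: str, peer: str,
                     crypto_acl: List[Tuple[str, str]]) -> List[str]:
    """Return the problems the CCP test would report; an empty list means it passes.

    A destination network is probed at its first and last address so that a more
    specific route covering only part of it is caught as well.
    """
    problems: List[str] = []
    egress = lookup(routes, peer)
    if egress != crypto_if:
        problems.append(f"peer {peer} is routed via {egress}, not {crypto_if}")
    for _src, dst in crypto_acl:
        net = ipaddress.IPv4Network(dst)
        probes = {str(net.network_address), str(net.broadcast_address)}
        bad = {lookup(routes, p) for p in probes} - {crypto_if}
        if bad:
            problems.append(f"tunnel destination {dst} is routed via "
                            f"{sorted(str(b) for b in bad)}, not {crypto_if}")
    return problems


def check_as_posted() -> List[str]:
    """Config as posted: the default route covers both peer and remote LAN, so it passes."""
    return crypto_map_check(ROUTES, CRYPTO_IF, PEER, CRYPTO_ACL)


def check_peer_typo() -> List[str]:
    """Peer mistyped into an inside prefix (hypothetical): it resolves to Vlan200 and fails."""
    return crypto_map_check(ROUTES, CRYPTO_IF, "192.168.18.10", CRYPTO_ACL)


def check_without_default_route() -> List[str]:
    """No default route: neither the peer nor 192.168.1.0/24 has any entry, two problems."""
    return crypto_map_check(ROUTES[:-1], CRYPTO_IF, PEER, CRYPTO_ACL)


def check_remote_lan_misrouted() -> List[str]:
    """A static route sending 192.168.1.0/24 to an inside VLAN bypasses the crypto map."""
    routes = ROUTES + [Route(ipaddress.IPv4Network("192.168.1.0/24"), "Vlan1")]
    return crypto_map_check(routes, CRYPTO_IF, PEER, CRYPTO_ACL)


if __name__ == "__main__":
    for fn in (check_as_posted, check_peer_typo,
               check_without_default_route, check_remote_lan_misrouted):
        print(f"{fn.__name__}: {fn() or 'OK'}")
```

With the routes the posted config produces, the check passes, which is consistent with the thread's eventual finding that the real fault was a mistyped peer address rather than routing. On the router itself the equivalent checks are `show ip route <peer-address>` and `show ip route 192.168.1.0` (each prints the matching route and its outgoing interface) and `show crypto map` (which shows the interface the map is applied to). One further point a practitioner should notice in the posted config: access-list 102 and the deny in access-list 105 cover only 10.10.11.0/24, so hosts on Vlan200 (192.168.18.0/24) would be PATed toward 192.168.1.0/24 instead of being sent through the tunnel.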

6 Replies


Jouni,

Thank you for your reply.

Answering your questions:

“The error messages just seem to point to that you are lacking routes? Yet you have a default route configured.”

But what kind of routing? I have set up many VPNs and never had to configure routing, so I am a little bit confused this time. Maybe the problem is because I have two internal zones?

“Have you still tried to add routes for both the VPN peer IP address and the remote LAN network pointing towards your outside interface?”

I've tried it, but it hasn't fixed my VPN; however, the error was replaced with "remote host is unavailable" (or something similar).

“I assume the bbb.bbb.bbb.bbb in the default route isnt the same IP address as the bbb.bbb.bbb.bbb in your outside interface?”

You are right, it is not the same, and it is correct, as the internet works fine.

Once again, thank you for your reply.

Finally I found where the problem is: it was just the wrong external peer IP address; the error message was confusing.

Hi Piotr Kowalczyk ,

I have the same issue

“The peer must be routed through the crypto map interface. The following peer(s) do not have a routing entry in the routing table. 1) aaa.aaa.aaa.aaa”

and

“The tunnel traffic destination must be routed through the crypto map interface. The following destination(s) does not have a routing entry in the routing table. 1) 192.168.1.0”

Can you tell me exactly what your solution was?

Mega thx,

Regards,

Raúl

Hi Raul,

In my case the problem was in CCP 2.6 (Cisco makes such good systems, but their graphical tool is full of bugs). Basically, first of all I used the wrong external peer, just a mistake in the numbers, but the test showed the error, which made my troubleshooting more difficult.

When I found my mistake and set the proper VPN settings, I still got the same error during testing, which was even more confusing as everything was set correctly. After a couple of seconds the tunnel started working and the VPN status was shown as OK.

My advice: do not trust the testing tool from CCP 2.6; it is useless.

I hope this will help.

Hi Piotr,

I am preparing for the CCNA Sec exam. I was testing with SDM.

Will configure the routers with CLI this evening, and will leave the SDM.

Regards,

Raúl