04-27-2010 07:35 AM
Hi all,
This is the first time I have tried to create a VPN between two Cisco routers, but so far unsuccessfully.
I have a Cisco 1941 and a Cisco 2811; the configuration on my 1941 router is:
router#sh run
Building configuration...
Current configuration : 5601 bytes
!
! Last configuration change at 17:01:49 PCTime Tue Apr 27 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login exvpnxauth local
aaa authorization network ezvpnnetwork local
!
!
aaa session-id common
!
no ipv6 cef
no ip source-route
ip cef
!
!
no ip bootp server
!
multilink bundle-name authenticated
!
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh version 2
no ip rcmd domain-lookup
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key vpnpassword address 2.3.4.5
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map Cisco-vpn 10 ipsec-isakmp
set peer 2.3.4.5
set transform-set STRONG
set pfs group2
match address 122
!
!
interface Loopback0
ip address 20.20.20.20 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 570
ip address 2.2.2.2 255.255.255.248
ip access-group 110 in
ip nat outside
ip virtual-reassembly
no cdp enable
crypto map Cisco-vpn
!
interface GigabitEthernet0/1
description internal-net
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip nat inside source static 10.10.10.2 2.2.2.3
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
logging trap debugging
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.10.2
access-list 10 deny any
access-list 110 permit tcp any any established
access-list 110 permit icmp any any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit tcp host 2.3.4.5 host 2.2.2.2
access-list 110 permit udp any any
access-list 110 permit gre any any
access-list 122 permit ip 10.10.10.0 0.0.0.255 10.3.0.0 0.0.255.255
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
What is wrong in this config?
In the logs I cannot see any error about the VPN.
Thanks.
04-27-2010 12:15 PM
Hi,
The VPN (interesting traffic) should flow between these two networks:
10.10.10.0 0.0.0.255 and 10.3.0.0 0.0.255.255
Try to send traffic between these networks and please post the output of the following two commands:
sh cry isa sa
sh cry ips sa
Federico.
04-27-2010 11:54 PM
#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
#sh cry ips sa
interface: GigabitEthernet0/0.1
Crypto map tag: vpn-test, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
current_peer 2.3.4.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 2.3.4.5
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
04-28-2010 12:40 AM
Hi all,
I found my mistake, I forgot to allow esp from peer IP.
Now the VPN is up and running.
Thanks.
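The mistake found above (ACL 110 on the outside interface permits IKE through "udp any any" but never permits ESP, IP protocol 50, from the peer) can be checked mechanically before debugging. The following Python script is an added example, not code from this thread; it audits a constructed, trimmed excerpt of the posted config for the three inbound flows an IPsec peer needs on the crypto-map interface: IKE on UDP/500, NAT-T on UDP/4500 and ESP. It assumes numbered-ACL syntax with contiguous wildcard masks and models only the `eq` port qualifier.

```python
import ipaddress, re
# Constructed excerpt of the 1941 config posted above: crypto map peer, outside interface, inbound ACL.
CONFIG = """
crypto map Cisco-vpn 10 ipsec-isakmp
 set peer 2.3.4.5
interface GigabitEthernet0/0.1
 ip address 2.2.2.2 255.255.255.248
 ip access-group 110 in
 crypto map Cisco-vpn
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit tcp host 2.3.4.5 host 2.2.2.2
access-list 110 permit udp any any
"""
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # only the IKE port names are modelled

def take_addr(tok):
    """Consume one ACL address spec ('any', 'host X', 'X WILDCARD'); return (matcher, rest)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        return (lambda ip, h=tok[1]: ip == h), tok[2:]
    net = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)  # contiguous wildcard assumed
    return (lambda ip: ipaddress.ip_address(ip) in net), tok[2:]

def parse_acl(cfg, number):
    """Ordered (action, proto, src_match, dst_match, dst_port) entries of one numbered ACL."""
    entries = []
    for m in re.finditer(rf"^access-list {number} (permit|deny) (\S+) (.*)$", cfg, re.M):
        action, proto, rest = m.groups()
        src, rest = take_addr(rest.split())
        dst, rest = take_addr(rest)
        port = None if rest[:1] != ["eq"] else PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries

def acl_permits(entries, proto, src, dst, port=None):
    """IOS semantics: first matching entry wins, implicit deny at the end; 'ip' matches any protocol."""
    for action, p, sm, dm, dport in entries:
        if p in (proto, "ip") and sm(src) and dm(dst) and dport in (None, port):
            return action == "permit"
    return False

def vpn_peer_flows(cfg):
    """Does the inbound ACL on the crypto-map interface admit IKE, NAT-T and ESP from the peer?"""
    peer = re.search(r"^ set peer (\S+)", cfg, re.M).group(1)
    body = next(b for b in re.findall(r"^interface \S+\n((?: .*\n)*)", cfg, re.M) if " crypto map " in b)
    local = re.search(r" ip address (\S+)", body).group(1)
    entries = parse_acl(cfg, re.search(r" ip access-group (\S+) in", body).group(1))
    flows = {"ike udp/500": ("udp", 500), "nat-t udp/4500": ("udp", 4500), "esp": ("esp", None)}
    return {k: acl_permits(entries, p, peer, local, port) for k, (p, port) in flows.items()}
```

Running `vpn_peer_flows(CONFIG)` reports ESP as not permitted, which is exactly the condition fixed in the post above; appending a `permit esp host <peer> host <local>` entry to the excerpt turns it green.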
08-04-2019 12:55 AM
Hi;
I want to connect two branches by using Cisco 1941. Can you send me a working configuration .... I have an internet router with a static public IP address on both sides...
How to configure a site-to-site VPN ... please help me sir...