05-14-2004 08:24 AM
Dear all
I am trying to build a VPN between a Checkpoint and a Cisco 837. While I can ping the IP address allocated to the dialer interface of the DSL router (Cisco 837), this router does not raise the VPN or start communication on the ISAKMP port. Am I missing something in the config?
Current configuration : 2982 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hp-gw
!
enable secret xxxxx
!
username XX password 0 XXXXXXXXXXX
no aaa new-model
ip subnet-zero
ip domain name rwdi.com
ip name-server 159.x.x.6
ip name-server 159.x.x.17
!
!
ip inspect name lanaccess tcp
ip inspect name lanaccess udp
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxx address 193.x.x.97
!
!
crypto ipsec transform-set galileo esp-3des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer 193.120.131.97
set transform-set galileo
set pfs group2
match address 120
!
!
!
!
interface Ethernet0
description this is the local address of the network.
ip address 172.16.x.x.x.255.0
ip access-group 100 in
ip nat inside
ip inspect lanaccess in
no ip route-cache
ip tcp adjust-mss 1452
ip policy route-map vpn
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication chap callin
ppp chap hostname hpgalway1
ppp chap password 0 galway1
crypto map nolan
!
interface Dialer1
no ip address
!
ip nat inside source route-map vpn interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
access-list 100 permit ip 172.x.x.x.0.0.255 any
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 100 permit icmp any any
access-list 120 permit ip 172.16.1.0 0.0.0.255 x.x.x.0 0.0.0.255
access-list 130 deny ip 172.16.1.0 0.0.0.255 x.x.x.0 0.0.0.255
access-list 130 permit ip 172.16.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map vpn permit 10
match ip address 130
!
!
line con 0
exec-timeout 120 0
password XXXXXXXXXXXX
login local
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 120 0
password XXXXXXXXXXXX
login
length 0
transport input telnet ssh
!
05-16-2004 10:02 PM
Can't see exactly what IOS version you're running, but try adding the crypto map onto the physical interface as well:
int atm0
crypto map nolan
05-17-2004 01:53 AM
Hiya,
Ta for that, but seeing as NAT is also involved, I added the NATted external subnet to access-list 120, which allowed the traffic to be encrypted; I also had to add PFS group 2 to the transform-set. So far, looks good.
ta
mary
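Added example, not part of the thread and not Mary's or Cisco's code: the symptom in the first post (ISAKMP never starts) and the fix in the last one both come down to the order IOS applies NAT and the crypto map to inside-to-outside traffic. NAT (route-map vpn, ACL 130) runs first, so the source address the crypto ACL (120) sees is the post-NAT address; the `deny` line in ACL 130 is the NAT exemption that lets the private source reach the crypto map unchanged. The script below parses the two ACLs from the posted config and walks sample flows through that order. The remote subnet is redacted as x.x.x.0 in the post, so 192.0.2.0/24 is substituted as an assumption, as is 203.0.113.10 for the negotiated Dialer0 address; only `permit|deny ip` entries with wildcard masks, `host` or `any` are modelled.

```python
"""Check NAT-exemption vs crypto-ACL consistency for the posted Cisco 837 config.

Order modelled for LAN -> Dialer0 traffic: NAT route-map (ACL 130) first,
then crypto map 'nolan' (ACL 120) on the already-translated packet.
Added example, not the thread's own code. Remote subnet and Dialer0
address are assumptions (documentation ranges); see the constants below.
"""
import ipaddress
from dataclasses import dataclass

# Constructed fragment in the post's syntax; 192.0.2.0/24 stands in for the
# redacted x.x.x.0 remote subnet (assumption).
CONFIG = """
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 130 deny ip 172.16.1.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 130 permit ip 172.16.1.0 0.0.0.255 any
"""
# Same config with the NAT exemption line missing, to show the failure mode.
CONFIG_NO_EXEMPT = """
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.0.2.0 0.0.0.255
access-list 130 permit ip 172.16.1.0 0.0.0.255 any
"""
DIALER0_ADDR = "203.0.113.10"  # assumed result of 'ip address negotiated'


@dataclass(frozen=True)
class AclEntry:
    action: str  # 'permit' or 'deny'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard is the bitwise inverse of a subnet mask (contiguous masks only).
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_number: [AclEntry, ...]} from 'access-list N permit|deny ip ...' lines."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            continue  # icmp/tcp entries (like ACL 100's) are outside this model
        src, i = _net(t, 4)
        dst, _ = _net(t, i)
        acls.setdefault(int(t[1]), []).append(AclEntry(t[2], src, dst))
    return acls


def acl_action(entries, src, dst):
    """First-match semantics; no matching entry means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def classify(acls, src, dst, nat_acl=130, crypto_acl=120):
    """Walk one flow through NAT (route-map vpn) and then the crypto map.

    A 'permit' in the NAT ACL means the source is translated to the Dialer0
    address before the crypto ACL is evaluated; a 'deny' (or no match) leaves
    the private source in place, which is what the crypto ACL is written for.
    """
    natted = acl_action(acls.get(nat_acl, []), src, dst) == "permit"
    wire_src = DIALER0_ADDR if natted else src
    encrypted = acl_action(acls.get(crypto_acl, []), wire_src, dst) == "permit"
    return {"src_on_wire": wire_src, "natted": natted, "encrypted": encrypted}


if __name__ == "__main__":
    for label, cfg in (("posted config", CONFIG), ("no NAT exemption", CONFIG_NO_EXEMPT)):
        acls = parse_acls(cfg)
        for src, dst in (("172.16.1.20", "192.0.2.5"),   # LAN -> VPN peer subnet
                         ("172.16.1.20", "198.51.100.9"),  # LAN -> Internet
                         ("10.10.5.5", "192.0.2.5")):      # ACL 100's second LAN -> peer
            print(label, src, "->", dst, classify(acls, src, dst))
```

With the exemption present, a 172.16.1.0/24 host reaching the peer subnet leaves untranslated and matches ACL 120, so the crypto map has interesting traffic and ISAKMP is triggered. Without it, the same flow is translated to the Dialer0 address first and then no longer matches ACL 120, so it goes out in the clear through NAT and no IKE exchange ever starts; the workaround of listing the NATted external address in ACL 120 makes the post-NAT packet match instead, at the cost of encrypting with the public address as the proxy identity. The third flow shows a gap in the posted config as written: 10.10.0.0/16 is allowed in by ACL 100 but is neither exempted, translated nor encrypted.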