01-16-2014 02:03 PM
Hi all
I need your help. I have 02 Cisco 892 routers for a site-to-site VPN. I reconfigured the second one and they can ping each other's public IP.
However, they cannot ping the other site's internal IP address. The second one does not have a certificate like the first one. I am not sure
that is the problem, because both use a pre-shared key. I think they do not need the certificate method for the VPN, am I right?
And what is the problem when I cannot reach the internal network?
Thanks for your help
This is the 1st site:
Current configuration : 3903 bytes
!
! No configuration change since last restart
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AtoB
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
!
!
!
crypto pki trustpoint TP-self-signed-1651087387
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1651087387
revocation-check none
rsakeypair TP-self-signed-1651087387
!
!
crypto pki certificate chain TP-self-signed-1651087387
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363531 30383733 3837301E 170D3132 30353136 31363031
31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36353130
38373338 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B528 FD72495D E0D64EF4 A2B151C7 90B44259 1B85C7D3 8D573F85 C5860A98
1E26DCCD 7DA88812 6CE0A895 E7FDAAD0 702A784A 2E944B2E 9CEAEB91 CD83F5F0
05C67D87 AFE4E134 45CADF52 FF6FD574 E9DA75EC 5D90B8AC 96767712 03B70EC6
E8236C5B 7B640706 E700F0CC CE307B37 FA30ED11 CA47B150 5C115824 F2666446
EB5D0203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 14545874 6F57492E 64696365 6E747261 6C2E636F 6D301F06
03551D23 04183016 8014E22C 54C27FAA 781F4281 8B2ADB89 A3611810 91BA301D
0603551D 0E041604 14E22C54 C27FAA78 1F42818B 2ADB89A3 61181091 BA300D06
092A8648 86F70D01 01040500 03818100 AE4A5C93 C82813E8 3AC6E090 34497670
B68D1309 DC4FA25D BB4211D1 55696D95 DAB45092 5F2D7391 B0D36F80 3618E3D1
F195257B 4CF873C0 14E437EB 1CD436D9 664B33D0 FFED62BC 71BE4A68 765BCA64
06DFF9E8 40EE7EAD 5452D677 F54FDBA2 5B811CE0 8D975F10 187FD672 C204F41F
32EC5DFB F47F7AD4 03ABF4AE 2CC0FD73
quit
ip source-route
!
!
!
!
ip cef
ip domain name xxxxxxxxxxxx
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FGL154924F3
!
!
username xxxxxx privilege 15 secret 5 $1$cC3.$L.CJ4QnVE19y7OUfuOg370
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address x.x.x.74
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.x.74
set peer x.x.x.x
set peer x.x.x.74
set transform-set ESP-3DES-SHA
match address VPNAccessList
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
!
interface GigabitEthernet0
description $ETH-WAN$
ip address x.x.x.84 y.y.y.240
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface Vlan1
ip address x.x.0.10 255.y.y.y
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 0.0.0.0 x.x.x.94
!
ip access-list extended VPNAccessList
remark iucudhoa
permit ip 10.x.x.x 0.255.255.255 192.x.x.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
line aux 0
line vty 0
login local
transport input telnet ssh
transport output telnet ssh
line vty 1 4
login
!
scheduler max-task-time 5000
end
-----------------------------------------------------------------------------------------------------------------------------------------------------
This is the 2nd site:
Current configuration : 2165 bytes
!
! Last configuration change at 21:36:14 UTC Thu Jan 16 2014 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BtoA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
ip source-route
!
!
!
!
ip cef
ip domain name xxxxxxxxxx
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FGL15412386
!
!
username admin privilege 15 secret 5 $1$1vxH$mKWoPLIGv8lrAbtFHQfIr.
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address x.x.x.84
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.84 (Test line)
set peer x.x.x.84
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address VPNAccessList
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
shutdown
!
!
interface FastEthernet1
shutdown
!
!
interface FastEthernet2
shutdown
!
!
interface FastEthernet3
shutdown
!
!
interface FastEthernet4
shutdown
!
!
interface FastEthernet5
shutdown
!
!
interface FastEthernet6
shutdown
!
!
interface FastEthernet7
shutdown
!
!
interface FastEthernet8
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0
description ETH-WAN
ip address x.x.x.74 y.y.y.248
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface Vlan1
no ip address
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 x.x.x.73
!
ip access-list extended VPNAccessList
remark for VPN
permit ip 192.x.x.0 0.0.0.255 10.x.x.0 0.255.255.255
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5000 0
logging synchronous
login local
line aux 0
line vty 0 4
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
end
01-19-2014 06:10 AM
I don't see an IP address for the LAN on "2nd site"
01-19-2014 08:54 AM
Sorry m.kafka,
The IP address in the 2nd site is:
Fast Ether 8: 192.168.x.x 255.x.x.x
Do I need a route for those 02 routers? Because they are VPN routers, I think it is not needed, but you can correct me.
Thanks for your help.
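As an added example (not from this thread and not Cisco's own tooling), the following Python script parses the parts of an IOS configuration that matter for a crypto-map site-to-site tunnel and compares the two ends: the pre-shared key peer address, the crypto map peers, whether the crypto ACLs mirror each other, and whether each router actually has an interface address inside the local network its ACL names. The two sample configurations are constructed stand-ins for the posted ones (documentation addresses 203.0.113.84 and 198.51.100.74, a placeholder PSK, 10.0.0.0/8 and 192.168.1.0/24 for the obfuscated LANs); the second site is reproduced with Vlan1 and FastEthernet8 lacking an address, as in the posted config, so the checker reports the same gap m.kafka pointed out. The parser is keyword driven and does not depend on indentation, which forum posts usually lose.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IosConfig:
    """The pieces of an IOS config that matter for a crypto-map IPsec tunnel."""
    hostname: str = ""
    isakmp_key_peers: list = field(default_factory=list)  # 'crypto isakmp key ... address X'
    crypto_map_peers: list = field(default_factory=list)  # 'set peer X' inside the crypto map
    interface_ips: dict = field(default_factory=dict)     # interface name -> IPv4Interface
    acl_entries: list = field(default_factory=list)       # (src IPv4Network, dst IPv4Network)
    wan_ip: str = ""                                      # address of the interface carrying the crypto map


def wildcard_to_network(addr, wildcard):
    """IOS ACL address/wildcard pair -> IPv4Network (the wildcard is the inverted mask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_ios(text):
    """Extract tunnel-relevant settings; sections are tracked by keyword, not indentation."""
    cfg = IosConfig()
    section = None        # ('interface', name) / ('cryptomap', name) / ('acl', name)
    wan_iface = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "hostname":
            cfg.hostname = tokens[1]
        elif tokens[:3] == ["crypto", "isakmp", "key"] and "address" in tokens:
            cfg.isakmp_key_peers.append(tokens[tokens.index("address") + 1])
        elif tokens[0] == "interface":
            section = ("interface", tokens[1])
        elif tokens[:2] == ["crypto", "map"] and "ipsec-isakmp" in tokens:
            section = ("cryptomap", tokens[2])
        elif tokens[:2] == ["crypto", "map"] and section and section[0] == "interface":
            wan_iface = section[1]   # the crypto map is applied to this interface
        elif tokens[:3] == ["ip", "access-list", "extended"]:
            section = ("acl", tokens[3])
        elif tokens[:2] == ["set", "peer"] and section and section[0] == "cryptomap":
            cfg.crypto_map_peers.append(tokens[2])
        elif tokens[:2] == ["ip", "address"] and len(tokens) == 4 and section and section[0] == "interface":
            cfg.interface_ips[section[1]] = ipaddress.IPv4Interface(f"{tokens[2]}/{tokens[3]}")
        elif tokens[:2] == ["permit", "ip"] and len(tokens) == 6 and section and section[0] == "acl":
            cfg.acl_entries.append((wildcard_to_network(tokens[2], tokens[3]),
                                    wildcard_to_network(tokens[4], tokens[5])))
    if wan_iface in cfg.interface_ips:
        cfg.wan_ip = str(cfg.interface_ips[wan_iface].ip)
    return cfg


def check_pair(a, b):
    """Return the mismatches between the two tunnel ends; an empty list means consistent."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        if not remote.wan_ip:
            findings.append(f"{remote.hostname}: no addressed interface carries the crypto map")
            continue
        if remote.wan_ip not in local.isakmp_key_peers:
            findings.append(f"{local.hostname}: no ISAKMP pre-shared key bound to peer {remote.wan_ip}")
        if remote.wan_ip not in local.crypto_map_peers:
            findings.append(f"{local.hostname}: crypto map does not list peer {remote.wan_ip}")
        for src, dst in local.acl_entries:
            if (dst, src) not in remote.acl_entries:
                findings.append(f"{local.hostname}: crypto ACL entry {src} -> {dst} is not mirrored on {remote.hostname}")
            if not any(ifc.ip in src for ifc in local.interface_ips.values()):
                findings.append(f"{local.hostname}: no interface address inside local network {src}; "
                                "LAN traffic cannot enter the tunnel")
    return findings


# Constructed sample configs (documentation addresses, placeholder PSK); not the posted ones verbatim.
SITE_A = """hostname AtoB
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key EXAMPLE-PSK address 198.51.100.74
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.74
 match address VPNAccessList
interface GigabitEthernet0
 ip address 203.0.113.84 255.255.255.240
 crypto map SDM_CMAP_1
interface Vlan1
 ip address 10.0.0.10 255.0.0.0
ip access-list extended VPNAccessList
 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
"""

SITE_B_AS_POSTED = """hostname BtoA
crypto isakmp key EXAMPLE-PSK address 203.0.113.84
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.84
 match address VPNAccessList
interface FastEthernet8
 no ip address
interface GigabitEthernet0
 ip address 198.51.100.74 255.255.255.248
 crypto map SDM_CMAP_1
interface Vlan1
 no ip address
ip access-list extended VPNAccessList
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

# Same config with the LAN interface actually addressed inside the crypto ACL's local network.
SITE_B_FIXED = SITE_B_AS_POSTED.replace("interface Vlan1\n no ip address",
                                        "interface Vlan1\n ip address 192.168.1.1 255.255.255.0")

if __name__ == "__main__":
    for line in check_pair(parse_ios(SITE_A), parse_ios(SITE_B_AS_POSTED)):
        print(line)
```

Run as-is it prints one finding for BtoA, the missing address inside 192.168.1.0/24; with `SITE_B_FIXED` substituted it prints nothing. The check only covers what a config diff can show (addressing, peers, ACL symmetry); a tunnel that passes it can still fail on routing at the far end or on a PSK mismatch, which the redacted key never reveals.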