VPN Site-to-Site tunnel not coming up on one router

emkapizmak
Level 1

Hi,

This is the first time I am trying to configure a site-to-site VPN on two routers, X and Y. I use Cisco SDM.

I configured router X this way: http://www.tekkom.dk/mediawiki/images/e/ee/IP_sec_site-to-site_sdm.pdf

Then I created a mirror and pasted it on router Y. I brought up the VPN tunnel on router Y.

But I have a problem with router X. When I try to bring up the tunnel I get two problems:

The peer must be routed through the crypto map interface. The following peer(s) are routed through non-crypto map interface. 1) 79.**.**.**

(79.** is the WLAN address of router Y)

The tunnel traffic destination must be routed through the crypto map interface. The following destination(s) are routed through non-crypto map interface. 1) 10.**.**.**

(10.**.*** is the LAN address of router Y)

The router configurations are in the files.


Jon Marshall
Hall of Fame

Can you post router configs?

Jon

I have now added the configs of my routers.

From both routers can you post -

1) "sh ip route"

2) "sh ip int br"

This is the result:

ROUTER X

router#sh ip route

Gateway of last resort is 83.*.*.*-1 to network 0.0.0.0

     83.0.0.0/30 is subnetted, 1 subnets

C       83.*.*.*-2 is directly connected, FastEthernet4

     172.*.*.*/24 is subnetted, 1 subnets

C       172.*.*.* is directly connected, Vlan1

S*   0.0.0.0/0 [1/0] via 83.*.*.*-1

router#sh ip int br

Any interface listed with OK? value "NO" does not have a valid configuration

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0              unassigned      YES unset  up                    down

FastEthernet1              unassigned      YES unset  up                    up

FastEthernet2              unassigned      YES unset  up                    down

FastEthernet3              unassigned      YES unset  up                    up

FastEthernet4              83.*.*.*    YES NVRAM  up                    up

Vlan1                      172.*.*.*+1     YES NVRAM  up                    up

NVI0                       83.*.*.*    YES unset  up                    up

Virtual-Template2          172.*.*.*+1      YES TFTP   down                  down

Virtual-Template1          172..*.*.*+1     YES TFTP   down                  down

Dialer0                    unassigned      YES NVRAM  up                    up

Virtual-Access1            unassigned      YES unset  down                  down

Virtual-Access2            unassigned      NO  TFTP   down                  down

router#

-------------------------------------------------

ROUTER Y

router#sh ip route

Gateway of last resort is 79.*.*.*-1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

S       10.10.*.*/32 [1/0] via 0.0.0.0, Virtual-Access3

S       10.10.*.*/32 [1/0] via 0.0.0.0, Virtual-Access2

C       10.*.*.*/24 is directly connected, Vlan1

     79.0.0.0/30 is subnetted, 1 subnets

C       79.*.*.*-2 is directly connected, FastEthernet4

S*   0.0.0.0/0 [1/0] via 79.*.*.*-1

router#sh ip int br

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0              unassigned      YES unset  up                    up

FastEthernet1              unassigned      YES unset  up                    up

FastEthernet2              unassigned      YES unset  up                    up

FastEthernet3              unassigned      YES unset  up                    up

FastEthernet4              79.*.*.*   YES NVRAM  up                    up

Vlan1                      10.*.*.*+1      YES NVRAM  up                    up

NVI0                       unassigned      NO  unset  up                    up

Virtual-Template1          79.*.*.*    YES TFTP   down                  down

Virtual-Access1            unassigned      YES unset  down                  down

Virtual-Access2            79.*.*.*   YES TFTP   up                    up

Virtual-Access3            79.*.*.*    YES TFTP   up                    up

Emi

I changed Virtual_Template 1 and 2 on router X to its WLAN address, but it still doesn't work...

On router Y I connect using VPN Client.

Maybe someone can help me?

Apologies for missing your reply.

You have the same crypto map applied to both the physical interface and the dialer0 interface. Can you try removing it from the dialer0 interface and retesting?

If that doesn't work, can you try it in reverse, i.e. remove from physical and apply to dialer0 only?

Jon
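
The check behind the two SDM messages and the duplicate crypto map noted above, as an added example that is not part of the thread: it parses a simplified IOS config, lists crypto maps bound to more than one interface, and tests whether the route to the peer exits through a crypto-map interface. The sample config, addresses and function names are constructed, and the route lookup is a simplification of what IOS does.

```python
import ipaddress, re

# Constructed sample (documentation addresses), not the poster's config.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 192.0.2.2 255.255.255.252
 crypto map SDM_CMAP_1
interface Dialer0
 no ip address
 crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 192.0.2.1
"""

def parse(config):
    """Return ({iface: connected network}, {iface: crypto map}, [(network, next hop)])."""
    connected, crypto, static, iface = {}, {}, [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            connected[iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r" crypto map (\S+)", line):
            crypto[iface] = m[1]
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            static.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    return connected, crypto, static

def egress_interface(config, dest, depth=0):
    """Longest-prefix match over connected and static routes; connected wins ties."""
    connected, _, static = parse(config)
    routes = [(net, ifc) for ifc, net in connected.items()] + static
    hits = [r for r in routes if ipaddress.ip_address(dest) in r[0]]
    if not hits or depth > 4:
        return None
    _, target = max(hits, key=lambda r: r[0].prefixlen)
    if not target[0].isdigit():
        return target                       # exit interface is named directly
    return egress_interface(config, target, depth + 1)   # resolve IP next hop

def shared_maps(config):
    """Crypto maps applied to more than one interface."""
    by_map = {}
    for ifc, name in parse(config)[1].items():
        by_map.setdefault(name, []).append(ifc)
    return {n: i for n, i in by_map.items() if len(i) > 1}

def peer_ok(config, peer):
    """True when the route to the peer leaves through a crypto-map interface."""
    return egress_interface(config, peer) in parse(config)[1]
```
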

[ I clicked correct answer by mistake ]

I tried it yesterday.

When I removed it from dialer0, I didn't have the tunnel up on router Y; it can't find the crypto map.

On the other hand, when I removed it from the physical int, I didn't have the tunnel up on router Y, and on router X I got the comment "no crypto map on physical int".

Maybe it's important that on router Y I have a firewall, but I use the firewall ACL 83.*.*.* any, created with SDM. When I test the tunnel on router Y, I get the information "Firewall settings OK".