07.03.2008 at 01:50PM PDT, ID: 23538155
2 Cisco 1841 IPSEC VPN tunnel not working - DSL and T1

Asked by amkbailey in Virtual Private Networking (VPN), Network Routers, IPSec Security Protocol

We have 2 locations, A & B, both with Cisco 1841 routers and the advanced security image loaded. Location A has a T1 and is running fine. It also has a couple of IPSEC tunnels already built on it, working just fine also. I'm trying to add another location. Location B has an AT&T DSL modem in bridged mode and the Cisco 1841 is doing PPPoE. That works fine also. I have built a simple tunnel using the SDM defaults and they should be identical, except I am getting the error below when I test from Location A.

The peer 99.181.169.217 is responding but the VPN tunnel is not established. IPSec policies of this router are not matching with the IPSec policies of the peer device.

Here is the recommended solution:

1) If the IPSec policy parameters of the peer device is known then go to 'Configure->VPN->VPN Components->IPSec->IPSec Policies', select this IPSec policy, click on 'Edit' and ensure that policy parameters are correct.
2) Generate the mirror configuration from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer device's IPSec policy.

LOCATION A:
Building configuration...
 
Current configuration : 9206 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.7.1 192.168.7.149
ip dhcp excluded-address 192.168.7.171 192.168.7.254
!
ip dhcp pool trenton
   import all
   network 192.168.7.0 255.255.255.0
   default-router 192.168.7.1 
   dns-server 192.168.1.7 209.253.113.18 
   lease infinite
!
no ip ips deny-action ips-interface
no ip bootp server
ip domain name
ip name-server 192.168.1.7
ip name-server 209.253.113.18
ip name-server 209.253.113.10
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxx address 99.181.169.217
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 description Tunnel to12.191.128.160
 set peer 12.191.128.160
 set transform-set ESP-3DES-MD5 
 set pfs group2
 match address vpn
crypto map SDM_CMAP_1 3 ipsec-isakmp 
 description Tunnel to209.255.4.210
 set peer 209.255.4.210
 set transform-set ESP-3DES-MD5 
 match address 104
crypto map SDM_CMAP_1 4 ipsec-isakmp 
 description Tunnel to67.36.16.103
 set peer 67.36.16.103
 set transform-set MD5 
 match address 105
crypto map SDM_CMAP_1 5 ipsec-isakmp 
 description Tunnel to70.90.41.21
 set peer 70.90.41.21
 set transform-set MD5 
 set pfs group2
 match address 106
crypto map SDM_CMAP_1 6 ipsec-isakmp 
 description Tunnel to75.56.30.86
 set peer 75.56.30.86
 set transform-set ESP-3DES-SHA 
 match address 107
crypto map SDM_CMAP_1 7 ipsec-isakmp 
 description Tunnel to99.181.169.217
 set peer 99.181.169.217
 set transform-set ESP-3DES-SHA1 
 match address 108
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 192.168.7.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 209.254.255.146 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map SDM_CMAP_1
!
interface Serial0/0/0
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface Virtual-Template1 
 ip unnumbered FastEthernet0/0
 peer default ip address pool test
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
ip local pool test 192.168.7.226 192.168.7.229
ip classless
ip route 0.0.0.0 0.0.0.0 209.254.255.145 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet0/1 overload
!
ip access-list extended acl_vpn2
 remark SDM_ACL Category=16
 permit ip 192.168.7.0 0.0.0.255 any
ip access-list extended vpn
 remark SDM_ACL Category=4
 permit ip host 192.168.7.59 host 172.24.3.132
 permit ip host 192.168.7.60 host 172.24.3.132
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 2 remark INSIDE_IF=FastEthernet0/0
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.7.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.7.0 0.0.0.255 any
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.7.0 0.0.0.255 192.168.174.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip host 192.168.7.60 host 172.24.3.132
access-list 102 deny   ip host 192.168.7.59 host 172.24.3.132
access-list 102 permit ip 192.168.7.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 permit ip 192.168.7.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.7.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.7.0 0.0.0.255 192.168.174.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 103
!
route-map SDM_RMAP_3 permit 1
 match ip address 102
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end
 
 
 
LOCATION B:
 
Building configuration...
 
Current configuration : 5078 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname trenton2
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.201 192.168.10.254
!
ip dhcp pool dhcp
   import all
   network 192.168.10.0 255.255.255.0
   dns-server 68.94.156.1 68.94.157.1 
   default-router 192.168.10.1 
   lease infinite
!
no ip ips deny-action ips-interface
no ip bootp server
ip domain name yourdomain.com
ip name-server 68.94.156.1
ip name-server 68.94.157.1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxx address 209.254.255.146
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to209.254.255.146
 set peer 209.254.255.146
 set transform-set ESP-3DES-SHA1 
 match address 100
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface Dialer0
 ip address 99.181.169.217 255.255.255.248
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxx
 ppp chap password 7 xxxx
 ppp pap sent-username xxxx
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended acl_vpn2
 remark SDM_ACL Category=16
 permit ip 192.168.10.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
control-plane
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end
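The SDM message above says the two routers' IPsec policies do not match, and the SDM advice is to eyeball the policy screens. A quicker and repeatable check is to parse both running-configs and compare exactly the parameters the two peers negotiate: an overlapping ISAKMP policy, a pre-shared key entry for each other's address, a common transform-set, the same PFS setting, and proxy ACLs that mirror each other. The script below is an added example written for this page, not SDM or Cisco code. The two excerpts it embeds are trimmed from the Location A and Location B configs posted above (the redacted `xxxx` key values are kept as-is, so key equality cannot be verified, only that an entry exists for the peer); `parse` accepts whole running-configs such as the two posted, and the IOS defaults it fills in for an ISAKMP policy (`des`, `sha`, `rsa-sig`, group 1) are the ones a running-config does not display. On the posted configs every check passes: both sides use `esp-3des esp-sha-hmac`, neither sets PFS, and ACL 108 on A mirrors ACL 100 on B, so whatever SDM is objecting to is not visible in these parameters alone.

```python
"""Mirror-check two Cisco IOS site-to-site IPsec configs. Added example, not SDM or
Cisco code; the excerpts are trimmed from the question's Location A/B configs."""
import re
from collections import defaultdict

SITE_A = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 99.181.169.217
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 7 ipsec-isakmp
 set peer 99.181.169.217
 set transform-set ESP-3DES-SHA1
 match address 108
interface FastEthernet0/1
 ip address 209.254.255.146 255.255.255.248
 crypto map SDM_CMAP_1
access-list 108 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

SITE_B = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 209.254.255.146
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 209.254.255.146
 set transform-set ESP-3DES-SHA1
 match address 100
interface Dialer0
 ip address 99.181.169.217 255.255.255.248
 crypto map SDM_CMAP_1
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
"""

# IOS defaults for ISAKMP policy attributes a running-config does not display.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_flow(tok):
    """(src, dst) as 'addr/wildcard' strings from the tokens after 'permit ip'."""
    text = " ".join(tok).replace("any", "0.0.0.0 255.255.255.255")
    t = re.sub(r"host (\S+)", r"\1 0.0.0.0", text).split()
    return (t[0] + "/" + t[1], t[2] + "/" + t[3])

def parse(cfg):
    """Collect the crypto-relevant pieces of one router's running-config."""
    blocks = []                                  # (top-level tokens, [sub-line tokens])
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            blocks[-1][1].append(raw.split())
        else:
            blocks.append((raw.split(), []))
    s = {"isakmp": set(), "keys": {}, "ts": {}, "maps": [],
         "acl": defaultdict(list), "local": None}
    for h, body in blocks:
        if h[:3] == ["crypto", "isakmp", "policy"]:
            pol = dict(ISAKMP_DEFAULTS, **{l[0]: l[1] for l in body})
            s["isakmp"].add(tuple(sorted(pol.items())))
        elif h[:3] == ["crypto", "isakmp", "key"]:   # crypto isakmp key K address A
            s["keys"][h[5]] = h[3]
        elif h[:3] == ["crypto", "ipsec", "transform-set"]:
            s["ts"][h[3]] = frozenset(h[4:])          # algorithm order is irrelevant
        elif h[:2] == ["crypto", "map"] and "ipsec-isakmp" in h:
            m = {"pfs": None, "ts": []}
            for l in body:
                if l[:2] in (["set", "peer"], ["set", "pfs"], ["match", "address"]):
                    m[l[1]] = l[2]
                elif l[:2] == ["set", "transform-set"]:
                    m["ts"] = l[2:]                   # may list several sets
            s["maps"].append(m)
        elif h[0] == "access-list" and h[2:4] == ["permit", "ip"]:
            s["acl"][h[1]].append(parse_flow(h[4:]))
        elif h[0] == "interface" and any(l[:2] == ["crypto", "map"] for l in body):
            s["local"] = next(l[2] for l in body if l[:2] == ["ip", "address"])
    return s

def compare(cfg_a, cfg_b):
    """Compare the crypto-map entry on each side that points at the other side."""
    a, b = parse(cfg_a), parse(cfg_b)
    ma = next(m for m in a["maps"] if m["peer"] == b["local"])
    mb = next(m for m in b["maps"] if m["peer"] == a["local"])
    flows_a = set(a["acl"][ma["address"]])
    flows_b = {(dst, src) for src, dst in b["acl"][mb["address"]]}  # mirrored view
    return {
        "isakmp_policy_overlap": bool(a["isakmp"] & b["isakmp"]),
        "psk_defined_both_ways": b["local"] in a["keys"] and a["local"] in b["keys"],
        "transform_sets_match": bool({a["ts"][n] for n in ma["ts"]}
                                     & {b["ts"][n] for n in mb["ts"]}),
        "pfs_match": ma["pfs"] == mb["pfs"],
        "proxy_acls_mirror": flows_a == flows_b,
    }
```

Run `compare(SITE_A, SITE_B)` and every value comes back `True`; change one side's hash to `esp-md5-hmac`, add `set pfs group2` on only one end, or narrow one proxy ACL and the corresponding key flips to `False`, which is the kind of asymmetry the SDM message points at. The transform-set comparison uses a set of algorithms, so two sets that list the same algorithms in a different order still match, which is how IOS treats them.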
About this solution

Zones: Virtual Private Networking (VPN), Network Routers, IPSec Security Protocol
Tags: Cisco, 1841
Solution Provided By: amkbailey
Participating Experts: 1
Solution Grade: A