07.02.2008 at 12:34PM PDT, ID: 23534789
Cisco 1700 IPSec Connection Problems

Asked by Swarley in Virtual Private Networking (VPN), Network Routers

I currently have a VPN that is hub and spoke.  All of the remote offices connect to HQ and everything is working well.  Recently I have been trying to convert to a partial mesh by setting up VPN connections between the remote offices.  I have 2 offices that are able to connect to each other.  For some reason 2 other offices aren't able to connect to one of the two that has already established connection to the previous.  Sound confusing?  I also have a link to a pic with a simple layout and the connections that don't work.  I also have the configs to post as well.

Here is a link to the layout:
http://i316.photobucket.com/albums/mm354/Swarl3y/Layout.jpg

The configs are in the code snippet.

Also note that when I run "#show crypto isakmp sa" I can see the tunnel established but no traffic will go across.

The trouble connections are from Remote 30 to Remote 35 and Remote 37 to Remote 35.

Remote 32 to Remote 35 works.
Remote 30:
 
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Remote30
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
logging monitor informational
!
memory-size iomem 25
clock timezone PDT -8
clock summer-time PDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip cef
ip audit po max-events 100
!
!
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ************** address 76.xxx.xxx.xxx
crypto isakmp key ************** address 72.xxx.xxx.xxx
!
!
crypto ipsec transform-set HQ esp-3des esp-sha-hmac 
crypto ipsec transform-set Remote35 esp-3des esp-sha-hmac 
!
crypto map CISCO 1 ipsec-isakmp
 set peer 76.xxx.xxx.xxx
 set transform-set HQ 
 match address 100
crypto map CISCO 2 ipsec-isakmp 
 set peer 72.xxx.xxx.xxx
 set transform-set Remote35 
 match address 110
!
!
!
interface Tunnel0
 ip address 172.29.0.10 255.255.255.252
 ip ospf network broadcast
 tunnel source 172.29.30.1
 tunnel destination 172.29.1.7
!
interface Tunnel1
 ip address 172.29.0.14 255.255.255.252
 ip ospf network broadcast
 tunnel source 172.29.30.1
 tunnel destination 172.29.1.8
!
interface Ethernet0
 ip address 64.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 full-duplex
 crypto map CISCO
!
interface FastEthernet0
 description $ETH-LAN$
 ip address 172.29.30.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 passive-interface Ethernet0
 network 172.25.0.0 0.0.15.255 area 0
 network 172.29.0.0 0.0.63.255 area 0
 network 192.168.0.0 0.0.255.255 area 0
!
ip nat inside source route-map ROUTEMAP interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.xxx.xxx.xxx
ip route 172.29.1.7 255.255.255.255 64.xxx.xxx.xxx
ip route 172.29.1.8 255.255.255.255 64.xxx.xxx.xxx
ip route 172.29.35.0 255.255.255.0 64.xxx.xxx.xxx
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 172.29.30.0 0.0.0.255 172.25.0.0 0.0.15.255
access-list 100 permit ip 172.29.30.0 0.0.0.255 172.29.0.0 0.0.31.255
access-list 103 deny   ip 172.29.30.0 0.0.0.255 172.29.0.0 0.0.63.255
access-list 103 deny   ip 172.29.30.0 0.0.0.255 172.25.0.0 0.0.15.255
access-list 103 deny   ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 permit ip 172.29.30.0 0.0.0.255 any
access-list 110 permit ip 172.29.30.0 0.0.0.255 172.29.35.0 0.0.0.255
!
route-map ROUTEMAP permit 1
 match ip address 103
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
!
end
 
 
Remote 37:
 
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Remote37
!
boot-start-marker
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *************** address 76.xxx.xxx.xxx
crypto isakmp key *************** address 72.xxx.xxx.xxx
!
!
crypto ipsec transform-set HQ esp-3des esp-sha-hmac 
crypto ipsec transform-set Remote35 esp-3des esp-sha-hmac 
!
crypto map CISCO 1 ipsec-isakmp 
 set peer 76.xxx.xxx.xxx
 set transform-set HQ 
 match address 100
crypto map CISCO 2 ipsec-isakmp 
 set peer 72.xxx.xxx.xxx
 set transform-set Remote35
 match address 110
!
!
!
interface Tunnel0
 ip address 172.29.0.66 255.255.255.252
 ip ospf network broadcast
 tunnel source 172.29.37.1
 tunnel destination 172.29.1.7
!
interface Tunnel1
 ip address 172.29.0.70 255.255.255.252
 ip ospf network broadcast
 tunnel source 172.29.37.1
 tunnel destination 172.29.1.8
!
interface Ethernet0
 ip address 99.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 full-duplex
 crypto map CISCO
!
interface FastEthernet0
 ip address 172.29.37.1 255.255.255.0
 ip nat inside
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 passive-interface Ethernet0
 network 172.25.0.0 0.0.15.255 area 0
 network 172.29.0.0 0.0.63.255 area 0
 network 192.168.0.0 0.0.255.255 area 0
!
ip nat inside source route-map ROUTEMAP interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.xxx.xxx.xxx
ip route 172.29.1.7 255.255.255.255 99.xxx.xxx.xxx
ip route 172.29.1.8 255.255.255.255 99.xxx.xxx.xxx
ip route 172.29.35.0 255.255.255.0 99.xxx.xxx.xxx
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip 172.29.37.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 172.29.37.0 0.0.0.255 172.25.0.0 0.0.15.255
access-list 100 permit ip 172.29.37.0 0.0.0.255 172.29.0.0 0.0.63.255
access-list 100 deny   ip any any
access-list 103 deny   ip 172.29.37.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 deny   ip 172.29.37.0 0.0.0.255 172.25.0.0 0.0.15.255
access-list 103 deny   ip 172.29.37.0 0.0.0.255 172.29.0.0 0.0.63.255
access-list 103 permit ip 172.29.37.0 0.0.0.255 any
access-list 110 permit ip 172.29.37.0 0.0.0.255 172.29.35.0 0.0.0.255
!
route-map ROUTEMAP permit 1
 match ip address 103
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
!
end
 
 
Remote 32:
 
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Remote32
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ************** address 76.xxx.xxx.xxx
crypto isakmp key ************** address 72.xxx.xxx.xxx
!
!
crypto ipsec transform-set HQ esp-3des esp-sha-hmac 
crypto ipsec transform-set Remote35 esp-3des esp-sha-hmac 
!
crypto map CISCO 1 ipsec-isakmp 
 set peer 76.xxx.xxx.xxx
 set transform-set HQ 
 match address 100
crypto map CISCO 2 ipsec-isakmp 
 set peer 72.xxx.xxx.xxx
 set transform-set Remote35 
 match address 110
!
!
!
interface Tunnel0
 ip address 172.29.0.25 255.255.255.252
 ip ospf network broadcast
 tunnel source 172.29.32.1
 tunnel destination 172.29.1.7
 tunnel mode ipip
!
interface Tunnel1
 ip address 172.29.0.29 255.255.255.252
 ip ospf network broadcast
 tunnel source 172.29.32.1
 tunnel destination 172.29.1.8
 tunnel mode ipip
!
interface Ethernet0
 ip address 76.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 full-duplex
 crypto map CISCO
!
interface FastEthernet0
 description Inside LAN INTERFACE
 ip address 172.29.32.1 255.255.255.0
 ip nat inside
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 passive-interface Ethernet0
 network 172.25.0.0 0.0.15.255 area 0
 network 172.29.0.0 0.0.31.255 area 0
 network 192.168.0.0 0.0.255.255 area 0
!
ip nat inside source route-map ROUTEMAP interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 76.xxx.xxx.xxx
ip route 172.29.1.7 255.255.255.255 76.xxx.xxx.xxx
ip route 172.29.1.8 255.255.255.255 76.xxx.xxx.xxx
ip route 172.29.35.0 255.255.255.0 76.xxx.xxx.xxx
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip 172.29.32.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 172.29.32.0 0.0.0.255 172.25.0.0 0.0.15.255
access-list 100 permit ip 172.29.32.0 0.0.0.255 172.29.0.0 0.0.31.255
access-list 100 deny   ip any any
access-list 103 deny   ip 172.29.32.0 0.0.0.255 172.29.0.0 0.0.63.255
access-list 103 deny   ip 172.29.32.0 0.0.0.255 172.25.0.0 0.0.15.255
access-list 103 deny   ip 172.29.32.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 deny   ip 172.29.32.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 deny   ip 172.29.32.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 103 permit ip 172.29.32.0 0.0.0.255 any
access-list 110 permit ip 172.29.32.0 0.0.0.255 172.29.35.0 0.0.0.255
!
route-map ROUTEMAP permit 1
 match ip address 103
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
!
end
 
 
Remote 35:
 
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Remote35
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key letmein address 76.xxx.xxx.xxx
crypto isakmp key letmein address 76.xxx.xxx.xxx
crypto isakmp key letmein address 64.xxx.xxx.xxx
crypto isakmp key letmein address 99.xxx.xxx.xxx
!
!
crypto ipsec transform-set HQ esp-3des esp-sha-hmac 
crypto ipsec transform-set Remote32 esp-3des esp-sha-hmac 
crypto ipsec transform-set Remote30 esp-3des esp-sha-hmac 
crypto ipsec transform-set Remote37 esp-3des esp-sha-hmac 
!
crypto map CISCO 1 ipsec-isakmp 
 set peer 76.xxx.xxx.xxx
 set transform-set HQ 
 match address 100
crypto map CISCO 2 ipsec-isakmp 
 set peer 76.xxx.xxx.xxx
 set transform-set Remote32 
 match address 120
crypto map CISCO 3 ipsec-isakmp 
 set peer 64.xxx.xxx.xxx
 set transform-set Remote30 
 match address 110
crypto map CISCO 10 ipsec-isakmp 
 set peer 99.xxx.xxx.xxx
 set transform-set Remote37 
 match address 130
!
!
!
interface Tunnel0
 ip address 172.29.0.50 255.255.255.252
 ip ospf network broadcast
 tunnel source 172.29.35.1
 tunnel destination 172.29.1.7
 tunnel mode ipip
!
interface Tunnel1
 ip address 172.29.0.54 255.255.255.252
 ip ospf network broadcast
 tunnel source 172.29.35.1
 tunnel destination 172.29.1.8
 tunnel mode ipip
!
interface Ethernet0
 ip address 72.34.89.106 255.255.255.248
 ip nat outside
 full-duplex
 crypto map CISCO
!
interface FastEthernet0
 ip address 172.29.35.1 255.255.255.0
 ip nat inside
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 passive-interface Ethernet0
 network 10.0.0.0 0.0.0.255 area 0
 network 172.25.0.0 0.0.15.255 area 0
 network 172.29.0.0 0.0.63.255 area 0
 network 192.168.0.0 0.0.255.255 area 0
!
ip nat inside source route-map ROUTEMAP interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 72.xxx.xxx.xxx
ip route 172.29.1.7 255.255.255.255 72.xxx.xxx.xxx
ip route 172.29.1.8 255.255.255.255 72.xxx.xxx.xxx
ip route 172.29.30.0 255.255.255.0 72.xxx.xxx.xxx
ip route 172.29.32.0 255.255.255.0 72.xxx.xxx.xxx
ip route 172.29.37.0 255.255.255.0 72.xxx.xxx.xxx
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip 172.29.35.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 172.29.35.0 0.0.0.255 172.25.0.0 0.0.15.255
access-list 100 permit ip 172.29.35.0 0.0.0.255 172.29.0.0 0.0.31.255
access-list 100 deny   ip any any
access-list 103 deny   ip 172.29.35.0 0.0.0.255 172.29.0.0 0.0.63.255
access-list 103 deny   ip 172.29.35.0 0.0.0.255 172.25.0.0 0.0.15.255
access-list 103 deny   ip 172.29.35.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 deny   ip 172.29.35.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 103 deny   ip 172.29.35.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 permit ip 172.29.35.0 0.0.0.255 any
access-list 110 permit ip 172.29.35.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 120 permit ip 172.29.35.0 0.0.0.255 172.29.32.0 0.0.0.255
access-list 130 permit ip 172.29.35.0 0.0.0.255 172.29.37.0 0.0.0.255
!
route-map ROUTEMAP permit 1
 match ip address 103
!
!
!
line con 0
line aux 0
line vty 0 4
 login local
!
end
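An added check from the editor, not part of the question or of any posted answer. Cisco IOS evaluates the entries of a crypto map in ascending sequence order, and the first entry whose `match address` ACL permits a packet selects the peer for that packet; a later, more specific entry can therefore be shadowed by an earlier, broader permit, and an ISAKMP SA to the intended peer can be up while the interesting traffic is encapsulated toward a different peer. The script below parses the `crypto map` / `match address` and `access-list` lines and reports every permit in a later entry that an earlier entry already claims. Its inputs are constructed from the crypto-map and ACL lines posted above (trimmed to the relevant permits; `set peer` and transform-set lines dropped because the check does not need them); the function names are the example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed samples: crypto-map and ACL lines from the Remote 35, Remote 37
# and Remote 30 configs posted above, trimmed to what the check needs.
REMOTE35 = """
crypto map CISCO 1 ipsec-isakmp
 match address 100
crypto map CISCO 2 ipsec-isakmp
 match address 120
crypto map CISCO 3 ipsec-isakmp
 match address 110
crypto map CISCO 10 ipsec-isakmp
 match address 130
access-list 100 permit ip 172.29.35.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 172.29.35.0 0.0.0.255 172.25.0.0 0.0.15.255
access-list 100 permit ip 172.29.35.0 0.0.0.255 172.29.0.0 0.0.31.255
access-list 100 deny   ip any any
access-list 110 permit ip 172.29.35.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 120 permit ip 172.29.35.0 0.0.0.255 172.29.32.0 0.0.0.255
access-list 130 permit ip 172.29.35.0 0.0.0.255 172.29.37.0 0.0.0.255
"""
REMOTE37 = """
crypto map CISCO 1 ipsec-isakmp
 match address 100
crypto map CISCO 2 ipsec-isakmp
 match address 110
access-list 100 permit ip 172.29.37.0 0.0.0.255 172.29.0.0 0.0.63.255
access-list 100 deny   ip any any
access-list 110 permit ip 172.29.37.0 0.0.0.255 172.29.35.0 0.0.0.255
"""
REMOTE30 = """
crypto map CISCO 1 ipsec-isakmp
 match address 100
crypto map CISCO 2 ipsec-isakmp
 match address 110
access-list 100 permit ip 172.29.30.0 0.0.0.255 172.29.0.0 0.0.31.255
access-list 110 permit ip 172.29.30.0 0.0.0.255 172.29.35.0 0.0.0.255
"""


def _network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an IPv4Network.
    Assumes a contiguous wildcard (the only kind on the posted configs)."""
    ones = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)


def _take_addr(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _network(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Return (entries, acls): entries is [(seq, acl_number)] sorted by
    sequence; acls maps acl_number -> [(action, src_net, dst_net)]."""
    entries, acls, seq = [], defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line)
        if m:
            seq = int(m.group(1))
            continue
        m = re.match(r"match address (\d+)", line)
        if m and seq is not None:
            entries.append((seq, m.group(1)))
            continue
        m = re.match(r"access-list (\d+)\s+(permit|deny)\s+ip\s+(.+)", line)
        if m:
            src, rest = _take_addr(m.group(3).split())
            dst, _ = _take_addr(rest)
            acls[m.group(1)].append((m.group(2), src, dst))
    return sorted(entries), dict(acls)


def shadowed_entries(text):
    """List (later_seq, earlier_seq, src, dst) for every permit in a crypto-map
    entry that an earlier entry's permit already matches (first match wins)."""
    entries, acls = parse_config(text)
    findings = []
    for i, (seq, acl) in enumerate(entries):
        for action, src, dst in acls.get(acl, []):
            if action != "permit":
                continue
            for e_seq, e_acl in entries[:i]:
                claimed = any(a == "permit" and src.overlaps(s) and dst.overlaps(d)
                              for a, s, d in acls.get(e_acl, []))
                if claimed:
                    findings.append((seq, e_seq, str(src), str(dst)))
                    break
    return findings


if __name__ == "__main__":
    for name, cfg in (("Remote35", REMOTE35), ("Remote37", REMOTE37), ("Remote30", REMOTE30)):
        for later, earlier, src, dst in shadowed_entries(cfg):
            print(f"{name}: seq {later} ({src} -> {dst}) is shadowed by seq {earlier}")
```

Run on the posted lines, the check flags Remote 35's sequence 3 (the Remote 30 traffic) as shadowed by sequence 1's `172.29.0.0 0.0.31.255` permit, and Remote 37's sequence 2 as shadowed by its sequence 1's `172.29.0.0 0.0.63.255` permit, while Remote 30's own map has no overlap; `show crypto ipsec sa` on the peers (the per-peer `local ident`/`remote ident` and encaps/decaps counters) is the place to confirm where the packets are actually going.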
07.07.2008 at 03:37PM PDT, ID: 21949225
About this solution

Zones: Virtual Private Networking (VPN), Network Routers
Tags: Cisco, 1700 Series, 1721 Router
Solution Provided By: Swarley
Participating Experts: 0
Solution Grade: A