teepee2
asked on
Cisco 1720 VPN (t1) to Cisco 1720 VPN (DSL)
Hello people,
I am kind of stuck here... We have two offices that both have Cisco 1720 routers. I have gone in and configured crypto for the VPN, but I can't get the two sites to talk to each other. How can I check what the problem is (as far as logs, etc.)? Here is the configuration of my routers:
Cisco 1720 (T1)
version 12.2
service telnet-zeroidle
service timestamps debug datetime
service timestamps log datetime
service password-encryption
no service dhcp
!
hostname rt1
!
memory-size iomem 20
clock timezone EST -5
ip subnet-zero
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key cisco123 address 2.2.2.2
!
crypto ipsec transform-set svipsec esp-des esp-md5-hmac
!
crypto map svisakmp 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set svipsec
 match address 186
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.248
 crypto map svisakmp
!
interface FastEthernet0
 ip address 192.168.152.20 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip route-cache policy
 speed auto
 no cdp enable
!
interface Serial0
 ip address xx.xx.xx.xx 255.255.255.252
 ip accounting output-packets
 ip nat outside
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map svisakmp
!
ip nat pool svaddr xx.xx.xx.27 xx.xx.xx.30 netmask 255.255.255.248
ip nat inside source list 1 pool svaddr overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip route 192.168.151.0 255.255.255.0 Loopback0
no ip http server
!
logging trap debugging
access-list 102 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 186 deny ip 192.168.152.0 0.0.0.255 any
access-list 186 deny ip 192.168.151.0 0.0.0.255 any
no cdp run
!
route-map nonat permit 20
 match ip address 102
Cisco 1720 (DSL)
version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
no service dhcp
!
hostname rt2
!
logging buffered 4096 debugging
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 28800
crypto isakmp key cisco123 address 1.1.1.1
!
crypto ipsec transform-set svipsec esp-des esp-md5-hmac
!
crypto map svisakmp 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set svipsec
 match address 186
!
interface Ethernet0
 ip address 2.2.2.2 255.255.255.248
 ip nat outside
 half-duplex
 no cdp enable
 crypto map svisakmp
!
interface FastEthernet0
 ip address 192.168.151.101 255.255.255.0 secondary
 ip address 192.168.151.1 255.255.255.0
 ip accounting output-packets
 ip nat inside
 ip route-cache policy
 speed auto
 priority-group 1
 no cdp enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
no ip http server
!
access-list 186 permit ip 192.168.152.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 186 permit ip 192.168.151.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 186 deny ip 192.168.152.0 0.0.0.255 any
access-list 186 deny ip 192.168.151.0 0.0.0.255 any
no cdp run
Thank you guys in advance for your help!!
ASKER
What interface should the crypto map be on?
I have seen another configuration in the past that has worked; that is why I followed that model.
OK, the way I would do it is to apply the crypto maps on the WAN side of things at either end. Your loopbacks don't handle any data as such.
ASKER CERTIFIED SOLUTION
I think you should route the remote network via the T1 interface and not via the loopback on the first router.
Also add a route for 192.168.152.0 towards the next hop at Ethernet0 of the 1720 with DSL.
That should work.
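The two replies above make the same point from different angles: the crypto map belongs on the WAN interface that carries the peer address, and the static route to the remote LAN must not point at a loopback. This added checker (not from the thread or from Cisco) parses trimmed copies of the two posted configs and flags exactly those two conditions; the `parse`/`check` names are mine, and the xx.xx.xx.xx values are the poster's own redactions.

```python
import re

# Trimmed copies of the two configs posted above (only the lines the checks
# read); the xx.xx.xx.xx placeholders are the poster's own redactions.
RT1 = """crypto map svisakmp 1 ipsec-isakmp
 set peer 2.2.2.2
interface Loopback0
 ip address 1.1.1.1 255.255.255.248
 crypto map svisakmp
interface Serial0
 ip address xx.xx.xx.xx 255.255.255.252
 crypto map svisakmp
ip route 192.168.151.0 255.255.255.0 Loopback0"""
RT2 = """crypto map svisakmp 1 ipsec-isakmp
 set peer 1.1.1.1
interface Ethernet0
 ip address 2.2.2.2 255.255.255.248
 crypto map svisakmp
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx"""

def parse(cfg):
    # Collect interfaces (addresses, crypto map applied?), crypto peers and static routes.
    r, cur = {"ifaces": {}, "peers": [], "routes": []}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = r["ifaces"].setdefault(m[1], {"addrs": [], "crypto": False})
        elif m := re.match(r" ip address (\S+)", line):
            cur["addrs"].append(m[1])
        elif line.startswith(" crypto map"):
            cur["crypto"] = True
        elif m := re.match(r" set peer (\S+)", line):
            r["peers"].append(m[1])
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            r["routes"].append(m.groups())
    return r

def check(local, remote):
    # One direction: does local's tunnel definition line up with remote's interfaces?
    out = []
    for peer in local["peers"]:
        for n in [n for n, i in remote["ifaces"].items() if peer in i["addrs"]]:
            if not remote["ifaces"][n]["crypto"]:
                out.append(f"peer {peer} sits on {n}, which has no crypto map applied")
            if n.startswith("Loopback"):
                out.append(f"peer {peer} is a Loopback address; terminate the tunnel on the WAN interface")
    for dst, _mask, nh in local["routes"]:
        if nh.startswith("Loopback"):
            out.append(f"route to {dst} points at {nh}, so the traffic never reaches the WAN crypto map")
    return out

if __name__ == "__main__":
    for name, a, b in (("rt1", RT1, RT2), ("rt2", RT2, RT1)):
        print(name, check(parse(a), parse(b)) or ["ok"])
```

Run against the posted configs it reports the loopback route on rt1 and the loopback peer address that rt2 is trying to reach; both disappear once the tunnel is terminated on Serial0 and the route to 192.168.151.0 is moved off Loopback0.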
ASKER
I went through and redid the config on both routers and finally got it to work.
There are various debug commands:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t2/dt_vpn17.htm#1037269