Site-to-site VPN between 2 Cisco 837

Hi All,

I have been tasked to create a site-to-site VPN between 2 Cisco 837s but I'm encountering some problems. When I do a sh cry isa sa the result:

  f_vrf/i_vrf   dst              src              state     conn-id slot
                203.100.236.82   203.125.52.242   QM_IDLE         1

My running configs are as follows:

SiteA
====

SiteA#sh run
Building configuration...

Current configuration : 1895 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SiteA
!
logging queue-limit 100
enable secret 5
!
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.6
ip dhcp excluded-address 10.10.10.7
ip dhcp excluded-address 10.10.10.8
!
ip dhcp pool CLIENT
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 165.21.83.88 165.21.100.88
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 vpnpass address xx.xx.236.82
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map sg837toau837 10 ipsec-isakmp
 set peer xx.xx.236.82
 set transform-set esp-3des-sha
 match address 100
!
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address xx.xx.52.242 255.255.255.252
 ip nat outside
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map sg837toau837
!
ip nat inside source route-map nonat interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip any host 10.10.10.1
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
!
!
line con 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password
 login
!
scheduler max-task-time 5000
!
end





Site B
====
SiteB#sh run

Building configuration...

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SiteB
!
boot-start-marker
boot-end-marker
!
enable secret
!
no aaa new-model
!
resource manager
!
!
no ip dhcp use vrf connected
!
!
ip cef
ip name-server xx.xx.0.113
ip name-server xx.xx.129.34
no ip bootp server
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vpnpass address xx.xx.52.242
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map sg837toau837 10 ipsec-isakmp
 set peer xx.xx.52.242
 set transform-set esp-3des-sha
 match address 100
!
!
!

interface Ethernet0
 ip address xx.xx.93.65 255.255.255.248
 hold-queue 100 out
!

interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!

interface ATM0
 description Pacific Internet ADSL line
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!

interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!

interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!

interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!

interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!

interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp chap hostname
 ppp chap password 7
 crypto map sg837toau837
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.190.190
ip route 10.0.0.0 255.0.0.0 xx.xx.93.66
ip route 192.168.0.0 255.255.0.0 xx.xx.93.66
!
ip http server
ip http secure-server
!
!
access-list 10 permit xx.xx.129.77
access-list 10 permit xx.xx.92.4 0.0.0.3
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit xx.x.93.64 0.0.0.7
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 deny   ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip any host 10.0.0.1
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 120
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 transport preferred all
 transport output all
 stopbits 1

line aux 0
 transport preferred all
 transport output all

line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 password 7
 login
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

Thank you for all your help.


REX
rex68 Asked:

plemieux72 Commented:
In your "crypto isakmp key 0 vpnpass address xx.xx.236.82" entries, you are missing the keyword "no-xauth" at the end.

For site A:

no crypto isakmp key 0 vpnpass address xx.xx.236.82
crypto isakmp key 0 vpnpass address xx.xx.236.82 no-xauth

For site B:

no crypto isakmp key vpnpass address xx.xx.52.242
crypto isakmp key vpnpass address xx.xx.52.242 no-xauth

Also, what are these 2 routes for on site B?
ip route 10.0.0.0 255.0.0.0 xx.xx.93.66
ip route 192.168.0.0 255.255.0.0 xx.xx.93.66
That may be another problem...
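
The question about Site B's two static routes can be checked mechanically. The following is an added example, not part of the original answer or of either router's configuration: it applies longest-prefix matching to Site B's posted routes and reports whether traffic matching the crypto ACL leaves through Dialer1, where the crypto map is applied. The egress interface for each next hop is an assumption, and all function names are hypothetical.

```python
import ipaddress

# Site B static routes from the posted config. Next hops stay as the masked
# strings on the page. Egress interfaces are ASSUMPTIONS: xx.xx.93.66 is taken
# to sit on Ethernet0's /29 and xx.xx.190.190 to be reached over Dialer1.
SITE_B_ROUTES = [
    ("0.0.0.0/0", "xx.xx.190.190", "Dialer1"),
    ("10.0.0.0/8", "xx.xx.93.66", "Ethernet0"),
    ("192.168.0.0/16", "xx.xx.93.66", "Ethernet0"),
]
CRYPTO_MAP_IF = "Dialer1"  # where "crypto map sg837toau837" is applied

# access-list 100 on each site as (src, src wildcard, dst, dst wildcard)
SITE_A_ACL_100 = ("10.10.10.0", "0.0.0.255", "10.0.0.0", "0.0.0.255")
SITE_B_ACL_100 = ("10.0.0.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")


def acl_network(addr, wildcard):
    """Turn an IOS address + contiguous wildcard mask into an ip_network."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}")


def best_route(dest, routes):
    """Longest-prefix match: the most specific route covering dest."""
    covering = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in routes
                if dest.subnet_of(ipaddress.ip_network(p))]
    return max(covering, key=lambda r: r[0].prefixlen)


def check_crypto_path(acl, routes, crypto_if):
    """Report which route carries the ACL's destination and whether that
    route leaves through the interface holding the crypto map."""
    dest = acl_network(acl[2], acl[3])
    prefix, next_hop, egress = best_route(dest, routes)
    return {"dest": str(dest), "route": str(prefix), "next_hop": next_hop,
            "egress": egress, "hits_crypto_map": egress == crypto_if}


def acls_mirror(a, b):
    """Crypto ACLs on the two peers must be exact mirrors of each other."""
    return a[:2] == b[2:] and a[2:] == b[:2]


if __name__ == "__main__":
    print("ACLs mirror:", acls_mirror(SITE_A_ACL_100, SITE_B_ACL_100))
    print("as posted:  ", check_crypto_path(SITE_B_ACL_100, SITE_B_ROUTES, CRYPTO_MAP_IF))
    no_slash8 = [r for r in SITE_B_ROUTES if r[0] != "10.0.0.0/8"]
    print("without /8: ", check_crypto_path(SITE_B_ACL_100, no_slash8, CRYPTO_MAP_IF))
```

Under those interface assumptions, the posted table forwards 10.10.10.0/24 over the 10.0.0.0/8 route to xx.xx.93.66, so that traffic is never evaluated against the crypto map on Dialer1.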

rex68 Author Commented:
hi there..

thanks for the reply..

I've added those lines but I still can't ping the other segment.

well, the routes basically route to the public IP of the mail svr..

cheers.
plemieux72 Commented:
You accepted my answer, did you get it working?
rex68 Author Commented:
hi there..

yea.. able to ping from site A to site B, but not vice versa..

i've posted that separately tho..

thanks for your reply..