• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 555
  • Last Modified:

cisco 1812 vpn to cisco 853.. can't connect together.

Creating a VPN between sites..

Two SiteS:

Main Office
      Router IP: 38.154.X.2 (255.255.255.0)
      Internal IP: 192.168.30.1 (255.255.255.0)

Branch Office:
      Router IP: 66.42.x.84 (255.255.255.0)
      Internal IP: 192.168.0.5 (255.255.255.0)

----------------------------------------------------------------------------------------------------
The Connection is as follows


CISCO 1812 Router ---> Internet ---> Netgear RP 114 DSL Router/Hub ---> CISCO 853
38.154.X.2        --->    internet      ---> 66.42.X.84                    ---> 192.168.0.5
----------------------------------------------------------------------------------------------------

I'm Trying to setup a VPN between the routers.   I'm using the Cisco SDM Router Management tool to configure the connecions.


when i test the vpn tunnel from the remote and the main office, i get the same error message on both:


Failure Reason (From Branch Office):  There is a response from the peer 38.154.X.2 but the tunnel is not up.

Recommended Action(s) (From Branch Office Router):  Ensure that the peer device is configured properly.  Generate the mirror configuratin from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer configuration.

----------------------------------------------------------------------------------------------------

I have taken a look at the mirrored configuration and i still can't figure out what's going on here.




please help !


** i'll assign more points on later once i get them from other questions...
0
Eric
Asked:
Eric
  • 12
  • 8
1 Solution
 
stressedout2004Commented:
You will need to post your configuration. We need to verify the configuration.
0
 
EricAuthor Commented:
Main Office Configuration:

if you need more information, please let me know...
---------------------------------------------------------------------------------

Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!

User Access Verification

Username:
Username: admin
Password:

router#SHOW CONFIG
Using 5037 out of 196600 bytes
!
! Last configuration change at 11:42:19 PCTime Wed Apr 26 2006 by cisco
! NVRAM config last updated at 11:42:23 PCTime Wed Apr 26 2006 by cisco
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
!
username admin privilege 15 secret 5 $1$G/O9$yUdLrne0.1FPPUloLS3/I0
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name aconet.us
ip name-server 38.9.x.2
ip name-server 39.9.x.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$
 ip address 38.154.x.2 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface FastEthernet5
 no ip address
 no cdp enable
!
interface FastEthernet6
 no ip address
 no cdp enable
!
interface FastEthernet7
 no ip address
 no cdp enable
!
interface FastEthernet8
 no ip address
 no cdp enable
!
interface FastEthernet9
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.30.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuratio
n
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 38.154.x.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuratio
n
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 39.9.x.2 eq domain host 38.154.x.2
access-list 101 permit udp host 38.9.x.2 eq domain host 38.154.x.2
access-list 101 deny   ip 192.168.30.0 0.0.0.255 any
access-list 101 permit icmp any host 38.154.x.2 echo-reply
access-list 101 permit icmp any host 38.154.x.2 time-exceeded
access-list 101 permit icmp any host 38.154.x.2 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
0
 
stressedout2004Commented:
Ok, let me make sure we are on the same page. You wanted to configure IPSEC (VPN) between 1812 and 853.
And you used the SDM to  configure the two sites. Correct?  Is the configuration you posted the most recent config?
Because  I don't see a single IPSEC command in there. It is not configured for  VPN connection at all.
I don't do much configuration using SDM, but I can give you the CLI commands you need to configure on both sides.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
EricAuthor Commented:
if you have the CLI codes readly available, i'll take them..

i'll pull the newest most recent (which that should be above) config from the router in the morning and post it here (EST HERE)...
0
 
stressedout2004Commented:
The configuration below is for the main office,  replace <password> with the actual preshared key you want. This should be the same on both sides. Now for the branch office configuration, I need to see the existing config on that site so I can give you the commands that you need.

access-list 120 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.30.0 0.0.0.255 any
access-list 110 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255


crypto isakmp policy 10
encr 3des
group 2
hash sha  
authentication pre-share
exit

crypto isakmp key <password> address 66.42.x.84


crypto ipsec transform-set 3des esp-3des esp-sha-hmac  
exit
 
crypto map vpn_main 10 ipsec-isakmp  
set peer 66.42.x.84
set transform-set 3des
match address 110
exit


interface Vlan1
no ip nat inside
exit

clear ip nat trans * --> Do this command in privilege mode, not in configuration mode

no ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source list 120 interface FastEthernet1 overload

interface Vlan1
ip nat inside
exit

interface FastEthernet1
 no ip access-group 101 in
 exit

no access-list 101

access-list 101 permit udp host 39.9.x.2 eq domain host 38.154.x.2
access-list 101 permit udp host 38.9.x.2 eq domain host 38.154.x.2
access-list 101 permit icmp any host 38.154.x.2 echo-reply
access-list 101 permit icmp any host 38.154.x.2 time-exceeded
access-list 101 permit icmp any host 38.154.x.2 unreachable
access-list 101 permit esp any host 38.154.x.2
access-list 101 permit udp any host 38.154.x.2 eq 500
access-list 101 permit udp any host 38.154.x.2 eq 4500
access-list 101 permit ip 192.168.0.0 0.0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 deny ip 192.168.30.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny   ip any any

interface FastEthernet1
 ip access-group 101 in
 crypto map vpn_main
0
 
EricAuthor Commented:
Using 8548 out of 196600 bytes
!
! Last configuration change at 09:55:56 PCTime Thu May 11 2006 by admin
! NVRAM config last updated at 09:55:59 PCTime Thu May 11 2006 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name X.US
ip name-server 38.9.X.2
ip name-server 38.9.X.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips notify SDEE
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 66.42.x.84
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to66.42.X.84
 set peer 66.42.x.84
 set transform-set ESP-3DES-SHA1
 match address 104
!
!
!
interface Null0
 no ip unreachables
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 38.154.x.2 255.255.255.0
 ip verify unicast reverse-path
 ip mask-reply
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface FastEthernet5
 no ip address
 no cdp enable
!
interface FastEthernet6
 no ip address
 no cdp enable
!
interface FastEthernet7
 no ip address
 no cdp enable
!
interface FastEthernet8
 no ip address
 no cdp enable
!
interface FastEthernet9
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.30.1 255.255.255.0
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 38.154.x.1
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.10.200 21 38.154.x.2 21 extendable
ip nat inside source static tcp 192.168.10.200 25 38.154.x.2 25 extendable
ip nat inside source static tcp 192.168.10.200 80 38.154.x.2 80 extendable
ip nat inside source static tcp 192.168.10.200 110 38.154.x.2 110 extendable
ip nat inside source static tcp 192.168.10.200 443 38.154.x.2 443 extendable
ip nat inside source static tcp 192.168.10.100 1494 38.154.x.2 1494 extendable
ip nat inside source static tcp 192.168.10.210 1723 38.154.x.2 1723 extendable
ip nat inside source static tcp 192.168.10.100 3389 38.154.x.2 3389 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.30.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto-generated by Cisco SDM Express firewall configuratio
n
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 38.154.X.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.30.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny   ip 38.154.x.0 0.0.0.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit tcp any host 38.154.x.2 eq 3389
access-list 106 permit tcp any host 38.154.x.2 eq 1723
access-list 106 permit tcp any host 38.154.x.2 eq 1494
access-list 106 permit tcp any host 38.154.x.2 eq pop3
access-list 106 permit tcp any host 38.154.x.2 eq www
access-list 106 permit tcp any host 38.154.x.2 eq smtp
access-list 106 permit tcp any host 38.154.x.2 eq ftp
access-list 106 permit udp host 38.9.x.2 eq domain host 38.154.x.2
access-list 106 permit udp host 38.9.x.2 eq domain host 38.154.x.2
access-list 106 permit ahp host 66.42.x.84 host 38.154.x.2
access-list 106 permit esp host 66.42.x.84 host 38.154.x.2
access-list 106 permit udp host 66.42.x.84 host 38.154.x.2 eq isakmp
access-list 106 permit udp host 66.42.x.84 host 38.154.x.2 eq non500-isakmp
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 106 deny   ip 192.168.30.0 0.0.0.255 any
access-list 106 permit icmp any host 38.154.x.2 echo-reply
access-list 106 permit icmp any host 38.154.x.2 time-exceeded
access-list 106 permit icmp any host 38.154.x.2 unreachable
access-list 106 permit tcp any host 38.154.x.2 eq 443
access-list 106 permit tcp any host 38.154.x.2 eq 22
access-list 106 permit tcp any host 38.154.x.2 eq cmd
access-list 106 deny   ip 10.0.0.0 0.255.255.255 any
access-list 106 deny   ip 172.16.0.0 0.15.255.255 any
access-list 106 deny   ip 192.168.0.0 0.0.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip host 0.0.0.0 any
access-list 106 deny   ip any any log
access-list 107 remark VTY Access-class list
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ip 192.168.30.0 0.0.0.255 any
access-list 107 deny   ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 107 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 107 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
0
 
EricAuthor Commented:
THAT ABOVE IS THE MAIN OFFICE CONFIGURATION

0
 
EricAuthor Commented:
THIS BELOW IS THE REMOTE LOCATION CONFIGURATION:..


1.  i only have the 192.168.0.5 address on the cisco router for testing .. it's the only thing in the branch network right now.  i'm just trying to create the vpn tunnel first, then i'll worry about the clients out there once the tunnel is established...

2.  there is a netgear rp114 router between the internet conenction and the cisco router at the branch office.   this router makes the connection to the internet.  

ISP -> netgear router -> cisco router
66.... -> 192.168.0.1 -> 192.168.0.5

2a.  do i have to create a static route to the cisco router through the netgear router
2b.  if i do create a static router on the netgear router, will it mess up clients that are already on the 192.168.0.x network that use the netgear as the gateway to the internet ?
0
 
EricAuthor Commented:
BRANCH OFFICE CONFIGURATION


Using 2596 out of 131072 bytes
!
! Last configuration change at 09:50:38 PCTime Thu Apr 27 2006 by cisco
! NVRAM config last updated at 09:50:39 PCTime Thu Apr 27 2006 by cisco
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname modesto-router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxx
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip cef
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name x.us
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 192.168.0.5 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
modesto-router#
0
 
stressedout2004Commented:
The main office configuration looks fine. On the branch office, here is what you need:

access-list 101 permit ip  192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 exit

crypto isakmp key xxxxx address 38.154.x.2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
exit

crypto map p2p_vpn 1 ipsec-isakmp
 set peer 38.154.x.2
 set transform-set ESP-3DES-SHA
 match address 101
 exit

interface FastEthernet4
crypto map p2p_vpn
exit
0
 
EricAuthor Commented:
still got no connectivity here...

0
 
stressedout2004Commented:
You said the router is behind Netgear which is the internet gateway for the rest of the network. The IP address 66.42.x.84, is that the Netgears public IP address, or is it the NAT IP address assigned to the branch router?

The reason I asked is that for this setup to work, you need to have a one is to one NAT on the Netgear router for the
branch router's IP address (192.168.0.5). Meaning, 66.42.x.84 should be mapped to 192.168.0.4. Or you can try to do port redirect on UDP 500 and UDP 4500.
0
 
EricAuthor Commented:
netgear public address = 66.42.x.84
netgear private address = 192.168.0.1


cisco private address = 192.168.0.5
no public address for the cisco


0
 
EricAuthor Commented:
on the netgear router i have the option to set a static route:

Route Name   (Blank means to delete this route)  
Active?    
Destination IP Address    0.0.0.0
IP Subnet Mask    0.0.0.0
Gateway IP Address    0.0.0.0
Metric    0
 Private  ?




if i set up a static route, will this mess up the client computers that use the netgear at the default gateway to get out to the internet ??
 
0
 
stressedout2004Commented:
You don't need any static route. What you need is configure NAT on Netgear. How many public IP address do you have?
What is the exact model and version of your Netgear?
0
 
EricAuthor Commented:
Netgear RP114

one public ip address at the branch office.

i have an option for filters (i guess netgears way of NAT)



                         Menu 21.4.1 - TCP/IP Filter Rule

                    Filter #: 4,1
                    Filter Type= TCP/IP Filter Rule
                    Active= Yes
                    IP Protocol= 0     IP Source Route= No
                    Destination: IP Addr=
                                 IP Mask=
                                 Port #=
                                 Port # Comp= None
                         Source: IP Addr=
                                 IP Mask=
                                 Port #=
                                 Port # Comp= None
                    TCP Estab= N/A
                    More= No           Log= None
                    Action Matched= Check Next Rule
                    Action Not Matched= Check Next Rule

                    Press ENTER to Confirm or ESC to Cancel:
0
 
stressedout2004Commented:
That's going to be a difficult setup. If you only have one public IP assigned to Netgear, why didn't you just terminate the VPN on the Netgear itself? The problem here is that you need UDP 500 and Protocol ESP, and in most router, they don't allow NAT on Protocol ESP since it is portless.

We can try a workaround but I can't guarantee its going to work, but it is worth a shot. Instead of using ESP, we will use UDP 4500 hoping that the router on the main office will detect connection behind NAT and will allow the connection. Follow the following link for creating port redirection in your netgear.

http://kbserver.netgear.com/kb_web_files/n101145.asp#MR314Anchor

You need to redirect the following port to 192.168.0.5:

UDP 500
UDP 4500

So you need to create two redirections, if you can't find the port on the list, create the service on Netgear I believe under Security settings.


0
 
EricAuthor Commented:
tried the port redirection..  

nothing...

0
 
stressedout2004Commented:
Hmmm. I was reading thru the netgear knowledgebase and it says  there that it should support ipsec passthrough. Can you create a service protocol using 50 and 51 then do the port redirection using these protocol. Keep in mind when you are creating the services that 50 and 51 are protocol not port, they are portless. If this doesn't work then our best bet is either  getting a spare public IP for the cisco router or terminating the VPN on the netgear itself.
0
 
EricAuthor Commented:
we switched out the 1812 router with a 1841 router, reconfigured both ends and got it working.

0
 
PAQ_ManCommented:
Closed, 250 points refunded.
PAQ_Man
Community Support Moderator
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

  • 12
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now