Site-to-Site VPN on Cisco 1721

Asked by Daenks (United States of America)
Topics: Routers, VPN, Internet Protocol Security
I am using dual Cisco 1721 routers each running c1700-k9o3sy7-mz.123-11.t.bin

I am trying to create a site-to-site VPN between two offices.

I've been using the guide located at http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml to help me along, but I am stuck.

I have fully configured the routers, but I cannot see the SA tunnel and, obviously, traffic does not pass.

Router A:
Current configuration : 2043 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BODY-RTR-01
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***
enable password ***
!
username *** password 0 *** privilege 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool dhcp-pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 76.208.108.102
!
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key *** address 71.41.X.X
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
 set peer 71.41.X.X
 set transform-set aesset
 match address 111
!
!
!
interface Ethernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 half-duplex
 crypto map aesmap
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 76.208.Y.Y
ip route 10.40.16.0 255.255.255.0 Ethernet0
no ip http server
no ip http secure-server
!
ip nat inside source list acl_nat interface Ethernet0 overload
!
!
!
ip access-list extended acl_nat
 deny   ip 192.168.1.0 0.0.0.255 10.40.16.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 10.40.16.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.40.16.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 111 permit ip host 76.208.Y.Y host 71.41.X.X
access-list 112 permit ip 192.168.1.0 0.0.0.255 10.40.16.0 0.0.0.255
access-list 112 permit ip 10.40.16.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end

Router B:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TCFLM-RTR-01
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***
enable password ***
!
username *** password 0 *** privilege 15
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key *** address 76.208.Y.Y

!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
 set peer 76.208.Y.Y
 set transform-set aesset
 match address 111
!
!
!
interface Ethernet0
 ip address 71.41.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 full-duplex
 crypto map aesmap
!
interface FastEthernet0
 ip address 10.40.16.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
!
router rip
 version 2
 network 0.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 71.41.X.X
ip route 192.168.1.0 255.255.255.0 Ethernet0
no ip http server
no ip http secure-server
!
ip nat inside source list acl_nat interface Ethernet0 overload
!
!
!
ip access-list extended acl_nat
 deny   ip 10.40.16.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.40.16.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 10.40.16.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.40.16.0 0.0.0.255
access-list 1 permit 10.40.16.0 0.0.0.255
access-list 111 permit ip host 76.208.Y.Y host 71.41.X.X
access-list 112 permit ip 192.168.1.0 0.0.0.255 10.40.16.0 0.0.0.255
access-list 112 permit ip 10.40.16.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end

When I run:
show crypto isakmp sa

Router A:
dst             src             state          conn-id slot status

Router B:
dst             src             state          conn-id slot status


When I run:
show crypto ipsec sa:

Router A:

interface: Ethernet0
    Crypto map tag: aesmap, local addr 76.208.Y.Y

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (76.208.Y.Y/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (71.41.X.X/255.255.255.255/0/0)
   current_peer 71.41.Y.Y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 76.208.X.X, remote crypto endpt.: 71.41.Y.Y
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

And I get a similar screen on router B.

Any ideas?

Thanks!
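Added example, not part of the question or of the linked Cisco guide: a small Python checker over an excerpt of the Router A configuration posted above, which reads the ACL that the crypto map's `match address` references and tests whether that ACL selects the LAN-to-LAN traffic (the tunnel's "interesting traffic") rather than only the two peers' own public addresses. On an IOS crypto map the matched ACL decides which packets trigger and ride the tunnel, so a host-to-host ACL like 111 means LAN traffic never initiates ISAKMP; the `local ident (76.208.Y.Y/255.255.255.255/0/0)` line in the `show crypto ipsec sa` output is consistent with that. The function and variable names are my own; the masked X.X/Y.Y addresses are kept as in the post.

```python
import re

# Constructed excerpt of Router A's configuration as posted in the question
# (peer addresses left masked exactly as in the post).
ROUTER_A = """\
crypto map aesmap 10 ipsec-isakmp
 set peer 71.41.X.X
 set transform-set aesset
 match address 111
access-list 111 permit ip host 76.208.Y.Y host 71.41.X.X
access-list 112 permit ip 192.168.1.0 0.0.0.255 10.40.16.0 0.0.0.255
access-list 112 permit ip 10.40.16.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# The same excerpt with the crypto map pointing at the LAN-to-LAN ACL instead.
ROUTER_A_FIXED = ROUTER_A.replace("match address 111", "match address 112")

LAN_A = "192.168.1.0 0.0.0.255"   # FastEthernet0 LAN behind Router A
LAN_B = "10.40.16.0 0.0.0.255"    # FastEthernet0 LAN behind Router B

# Numbered extended ACL entry: 'host a.b.c.d' or 'network wildcard' on each side.
ACL_RE = re.compile(
    r"^access-list (\d+) permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$", re.M)


def crypto_acl_numbers(config):
    """Map each crypto map name to the ACL number its 'match address' references."""
    result, name = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto map (\S+) \d+ ipsec-isakmp", line)
        if m:
            name = m.group(1)
        m = re.match(r"^\s+match address (\d+)", line)
        if m and name:
            result[name] = m.group(1)
    return result


def acl_pairs(config, number):
    """Return the (source, destination) pairs of a numbered extended ACL."""
    return [(s, d) for n, s, d in ACL_RE.findall(config) if n == number]


def crypto_acl_covers_lans(config, map_name, local_lan, remote_lan):
    """True if the crypto map's ACL selects local_lan -> remote_lan traffic;
    False if it only names the peers' own host addresses (or is missing)."""
    number = crypto_acl_numbers(config).get(map_name)
    if number is None:
        return False
    return (local_lan, remote_lan) in acl_pairs(config, number)
```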