Solved

Site to site vpn between two 1721

Posted on 2007-11-29
Last Modified: 2010-08-05
I need to set a VPN link to a remote office at another site. As a first step I am setting up a lab with two 1721 routers. I have configured the two devices and they can ping each other's external interface. However, I cannot seem to get the VPN up.

Please help

How do I troubleshoot this? I can find good documentation out there.

The configs are below

router 1 config (remote)

show ru
Building configuration...

Current configuration : 1426 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname YAK-SPK-VPN
!
boot-start-marker
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.100
!
ip dhcp pool Yakima
   network 192.168.75.0 255.255.255.0
   default-router 192.168.75.1
   dns-server 10.20.1.50 10.10.1.58
   lease 7
!
ip audit po max-events 100

!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key y@k1ma$ec address 67.132.135.205
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 67.132.135.205
 set transform-set 3DES-SHA
 set pfs group2
 match address Crypto-list
!
!
!
interface Ethernet0
 ip address 67.132.135.206 255.255.255.224
 full-duplex
 crypto map VPN-Map-1
!
interface FastEthernet0
 ip address 192.168.75.1 255.255.255.0
 speed auto
 full-duplex
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
 permit ip 192.168.75.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended Internet-inbound-ACL
 permit udp host 67.132.135.205 any eq isakmp
 permit esp host 67.132.135.205 any
!
!
line con 0
line aux 0
line vty 0 4
!
end

YAK-SPK-VPN#

Router 2 config (local)
Current configuration : 1670 bytes
!
! Last configuration change at 21:03:57 UTC Thu Nov 29 2007
! NVRAM config last updated at 20:50:29 UTC Thu Nov 29 2007
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SPK-YAK-VPN
!
boot-start-marker
boot-end-marker

!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
no ip domain lookup
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key y@k1ma$ec address 67.132.135.206
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 67.132.135.206
 set transform-set 3DES-SHA
 set pfs group2
 match address Crypto-list
!
!
!
interface Loopback1
 ip address 10.22.0.31 255.255.255.0
!
interface Ethernet0
 ip address 67.132.135.205 255.255.255.224
 full-duplex
 crypto map VPN-Map-1
!
interface FastEthernet0
 ip address 10.22.1.31 255.255.255.0
 speed auto
 full-duplex
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
 permit ip 10.0.0.0 0.255.255.255 192.168.75.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
 permit udp host 67.132.135.206 any eq isakmp
 permit esp host 67.132.135.206 any
!

!
line con 0
line aux 0
line vty 0 4
Question by:omegamueller
2 Comments
 

Accepted Solution

by: wingatesl (earned 500 total points)
ID: 20379687
You need to set default routes to push the encrypted traffic out the crypto maps.
On YAK-SPK-VPN:
conf t
ip route 10.0.0.0 255.0.0.0 ethernet 0

On SPK-YAK-VPN:
conf t
ip route 192.168.75.0 255.255.255.0 ethernet 0

I could not help but notice that these routers are on the same network (on the internet side) and do not have default routes. I will leave that alone as I am not sure if it is intentional or not. Are these devices in place right now?

Author Comment

by:omegamueller
ID: 20383505
Thanks for the advice. Both routers use a default route that I accidentally cut out of the posted code.
The problem ended up being a bad 1721 vpn module.
Thank you for your help.
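
An offline consistency check for the two posted configurations, added here as an example and not part of the original thread: it compares the crypto sections of both peers and looks for a static route toward the remote protected network, the point raised in the accepted answer. The sample configs are constructed excerpts of the ones above (the pre-shared key line is omitted), `parse` and `check` are hypothetical helper names, and only static `ip route` lines are considered, so routes learned any other way are not seen.

```python
import ipaddress
import re

# Constructed skeleton: the crypto sections of the two posted configs differ only in
# peer address, outside interface address and crypto ACL direction.
SKELETON = """crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer {peer}
interface Ethernet0
 ip address {addr} 255.255.255.224
 full-duplex
 crypto map VPN-Map-1
ip access-list extended Crypto-list
 permit ip {acl}
"""
YAK, HQ = "192.168.75.0 0.0.0.255", "10.0.0.0 0.255.255.255"
REMOTE = SKELETON.format(peer="67.132.135.205", addr="67.132.135.206", acl=f"{YAK} {HQ}")
LOCAL = SKELETON.format(peer="67.132.135.206", addr="67.132.135.205", acl=f"{HQ} {YAK}")

def parse(cfg):
    """Extract the settings that must agree between the two IPsec peers."""
    find = lambda pat: re.search(pat, cfg, re.M)
    acl = find(r"^ permit ip (\S+) (\S+) (\S+) (\S+)$").groups()  # assumes one crypto ACL entry
    return {
        "phase1": re.findall(r"^ (encr \S+|authentication \S+|group \d+)$", cfg, re.M),
        "tset": find(r"^crypto ipsec transform-set \S+ (.+)$").group(1),
        "peer": find(r"^ set peer (\S+)$").group(1),
        "addr": find(r"^ ip address (\S+) \S+\n(?: .*\n)*? crypto map ").group(1),
        "local": ipaddress.ip_network(f"{acl[0]}/{acl[1]}"),   # wildcard mask is accepted
        "remote": ipaddress.ip_network(f"{acl[2]}/{acl[3]}"),
        "routes": [ipaddress.ip_network(f"{n}/{m}") for n, m in re.findall(r"^ip route (\S+) (\S+) ", cfg, re.M)],
    }

def check(a_cfg, b_cfg):
    """Return a list of findings; an empty list means the two sides agree."""
    a, b = parse(a_cfg), parse(b_cfg)
    out = []
    if a["phase1"] != b["phase1"] or a["tset"] != b["tset"]:
        out.append("ISAKMP policy or transform-set differs")
    if a["peer"] != b["addr"] or b["peer"] != a["addr"]:
        out.append("set peer does not match the other side's crypto-map interface")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("crypto ACLs are not mirror images")
    for name, side in (("A", a), ("B", b)):
        if not any(side["remote"].subnet_of(r) for r in side["routes"]):
            out.append(f"{name}: no static route covers {side['remote']}")
    return out
```

Run against the excerpts as posted, `check(REMOTE, LOCAL)` reports only the two missing routes; appending the `ip route` lines from the accepted answer, or a default route, clears them.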