Solved

Site to site vpn between two 1721

Posted on 2007-11-29
Last Modified: 2010-08-05
I need to set up a VPN link to a remote office at another site. As a first step I am setting up a lab with two 1721 routers. I have configured the two devices and they can ping each other's external interfaces. However, I cannot seem to get the VPN up.

Please help

How do I troubleshoot this? I can find good documentation out there.

The configs are below

router 1 config (remote)

show ru
Building configuration...

Current configuration : 1426 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname YAK-SPK-VPN
!
boot-start-marker
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.100
!
ip dhcp pool Yakima
   network 192.168.75.0 255.255.255.0
   default-router 192.168.75.1
   dns-server 10.20.1.50 10.10.1.58
   lease 7
!
ip audit po max-events 100

!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key y@k1ma$ec address 67.132.135.205
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 67.132.135.205
 set transform-set 3DES-SHA
 set pfs group2
 match address Crypto-list
!
!
!
interface Ethernet0
 ip address 67.132.135.206 255.255.255.224
 full-duplex
 crypto map VPN-Map-1
!
interface FastEthernet0
 ip address 192.168.75.1 255.255.255.0
 speed auto
 full-duplex
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
 permit ip 192.168.75.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended Internet-inbound-ACL
 permit udp host 67.132.135.205 any eq isakmp
 permit esp host 67.132.135.205 any
!
!
line con 0
line aux 0
line vty 0 4
!
end

YAK-SPK-VPN#

Router 2 config (local)
Current configuration : 1670 bytes
!
! Last configuration change at 21:03:57 UTC Thu Nov 29 2007
! NVRAM config last updated at 20:50:29 UTC Thu Nov 29 2007
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SPK-YAK-VPN
!
boot-start-marker
boot-end-marker

!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
no ip domain lookup
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key y@k1ma$ec address 67.132.135.206
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 67.132.135.206
 set transform-set 3DES-SHA
 set pfs group2
 match address Crypto-list
!
!
!
interface Loopback1
 ip address 10.22.0.31 255.255.255.0
!
interface Ethernet0
 ip address 67.132.135.205 255.255.255.224
 full-duplex
 crypto map VPN-Map-1
!
interface FastEthernet0
 ip address 10.22.1.31 255.255.255.0
 speed auto
 full-duplex
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
 permit ip 10.0.0.0 0.255.255.255 192.168.75.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
 permit udp host 67.132.135.206 any eq isakmp
 permit esp host 67.132.135.206 any
!

!
line con 0
line aux 0
line vty 0 4
Question by:omegamueller
Accepted Solution

by: wingatesl
ID: 20379687
You need to set default routes to push the encrypted traffic out the crypto maps.
on YAK-SPK-VPN
conf t
ip route 10.0.0.0 255.0.0.0 ethernet 0

on SPK-YAK-VPN
conf t
ip route 192.168.75.0 255.255.255.0 ethernet 0

I could not help but notice that these routers are on the same network (on the internet side) and do not have default routes. I will leave that alone as I am not sure if it is intentional or not. Are these devices in place right now?
Author Comment

by:omegamueller
ID: 20383505
Thanks for the advice. Both routers use a default route that I accidentally cut out of the posted code.
The problem ended up being a bad 1721 vpn module.
Thank you for your help.
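
Added example, not part of the original thread and not the posters' code: a Python check that compares the crypto-relevant lines of two IOS configs like the ones posted (matching ISAKMP policy, key and transform set, reciprocal peer addresses, mirrored crypto ACLs) and verifies that each side has a route covering the remote protected network, which is the point the accepted answer raises. The helper names `sample`, `facts`, `net` and `check_pair` are hypothetical, the pre-shared key is a placeholder, and a single-entry crypto ACL is assumed.

```python
import ipaddress
import re

# Constructed excerpt of the crypto-relevant lines in the posted configs (placeholder key).
def sample(outside, peer, src, dst, route="", key="EXAMPLE-PSK"):
    return f"""crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key {key} address {peer}
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer {peer}
interface Ethernet0
 ip address {outside} 255.255.255.224
 crypto map VPN-Map-1
ip access-list extended Crypto-list
 permit ip {src} {dst}
""" + route

def facts(cfg):
    one = lambda pat: (re.search(pat, cfg, re.M) or [None] * 2)[1]
    return {
        "policy": re.findall(r"^ (encr \S+|authentication \S+|group \d+)$", cfg, re.M),
        "key": one(r"^crypto isakmp key (\S+) address"),
        "key_peer": one(r"^crypto isakmp key \S+ address (\S+)"),
        "peer": one(r"^ set peer (\S+)"),
        "tset": one(r"^crypto ipsec transform-set \S+ (.+)$"),
        # address of the interface that carries the crypto map
        "outside": one(r"^ ip address (\S+) \S+\n(?: .*\n)*? crypto map "),
        # first "permit ip" entry only: assumes a single-entry crypto ACL
        "acl": re.search(r"^ permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M).groups(),
        "routes": re.findall(r"^ip route (\S+) (\S+)", cfg, re.M),
    }

def net(addr_mask):  # accepts "net mask" and ACL "net wildcard" forms
    return ipaddress.ip_network(addr_mask.replace(" ", "/"))

def check_pair(cfg_a, cfg_b):
    a, b = facts(cfg_a), facts(cfg_b)
    problems = [f"{k} differs between peers" for k in ("policy", "key", "tset") if a[k] != b[k]]
    if a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images")
    for me, other, tag in ((a, b, "A"), (b, a, "B")):
        if not (me["peer"] == me["key_peer"] == other["outside"]):
            problems.append(f"{tag}: peer/key address is not the other side's crypto-map interface")
        remote = net(me["acl"][1])
        if not any(remote.subnet_of(net(f"{n} {m}")) for n, m in me["routes"]):
            problems.append(f"{tag}: no route covers {remote}")
    return problems
```

Run against the configs as posted (no `ip route` lines), `check_pair` reports only the two missing routes; with the routes from the accepted answer added it returns an empty list.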