Solved

Site to site vpn between two 1721

Posted on 2007-11-29
2
374 Views
Last Modified: 2010-08-05
I need to set a vpn link to a remote office at another site. As a first step i am setting up a lab with two 1721 routers. I have configured the two devices and they can ping each other external interface. however i can not seem to get the vpn up.

Please help

How do i trouble shoot this. I can find good documentation out there.

The configs are below

router 1 config (remote)

show ru
Building configuration...

Current configuration : 1426 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname YAK-SPK-VPN
!
boot-start-marker
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.100
!
ip dhcp pool Yakima
   network 192.168.75.0 255.255.255.0
   default-router 192.168.75.1
   dns-server 10.20.1.50 10.10.1.58
   lease 7
!
ip audit po max-events 100

!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key y@k1ma$ec address 67.132.135.205
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 67.132.135.205
 set transform-set 3DES-SHA
 set pfs group2
 match address Crypto-list
!
!
!
interface Ethernet0
 ip address 67.132.135.206 255.255.255.224
 full-duplex
 crypto map VPN-Map-1
!
interface FastEthernet0
 ip address 192.168.75.1 255.255.255.0
 speed auto
 full-duplex
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
 permit ip 192.168.75.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended Internet-inbound-ACL
 permit udp host 67.132.135.205 any eq isakmp
 permit esp host 67.132.135.205 any
!
!
line con 0
line aux 0
line vty 0 4
!
end

YAK-SPK-VPN#

Router 2 config (local)
Current configuration : 1670 bytes
!
! Last configuration change at 21:03:57 UTC Thu Nov 29 2007
! NVRAM config last updated at 20:50:29 UTC Thu Nov 29 2007
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SPK-YAK-VPN
!
boot-start-marker
boot-end-marker

!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
no ip domain lookup
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key y@k1ma$ec address 67.132.135.206
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 67.132.135.206
 set transform-set 3DES-SHA
 set pfs group2
 match address Crypto-list
!
!
!
interface Loopback1
 ip address 10.22.0.31 255.255.255.0
!
interface Ethernet0
 ip address 67.132.135.205 255.255.255.224
 full-duplex
 crypto map VPN-Map-1
!
interface FastEthernet0
 ip address 10.22.1.31 255.255.255.0
 speed auto
 full-duplex
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
 permit ip 10.0.0.0 0.255.255.255 192.168.75.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
 permit udp host 67.132.135.206 any eq isakmp
 permit esp host 67.132.135.206 any
!

!
line con 0
line aux 0
line vty 0 4
0
Comment
Question by:omegamueller
2 Comments
 
LVL 15

Accepted Solution

by:
wingatesl earned 500 total points
ID: 20379687
you need to set default routes to push the encrypted taffic out the crypto maps
on YAK-SPK-VPN
conf t
ip route 10.0.0.0 255.0.0.0 ethernet 0

on SPK-YAK-VPN
conf t
ip route 192.168.75.0 255.255.255.0 ethernet 0

I could not help but notice that these routers are on the same network (on the internet side) and do not have default routes. I will leave that alone as I am not sure if it is intentional or not. Are these devices in place right now?
0
 
LVL 4

Author Comment

by:omegamueller
ID: 20383505
Thank for the advise. Both routers user a default route that i accidentally cut out of the posted code.
The problem ended up being a bad 1721 vpn module.
Thank you for your help.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now