
Cisco 2600 site to site vpn problem

Hi
I am trying to set up a site-to-site VPN with two 2600 routers. The router IOS is c2600-jk9o3s-mz.123-26.
I googled and found sample configurations, which I tried, but it did not work. My problem is that the VPN connection does not start; it does not trigger.
My configs are:

Site A:
Internet IP: 212.x.x.x
Local IP: 172.16.16.0/20

Site B:
Internet IP: 213.x.x.x
Local IP: 192.168.80.0/24


Site A config:
! Phase 1 (ISAKMP) policy and the pre-shared key for the Site B peer
crypto isakmp policy 10
 authentication pre-share
 group 2
 exit
crypto isakmp key vpnkey address 213.x.x.x
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set testvpn esp-des esp-sha-hmac
!
! Crypto map: peer, SA lifetime, transform set and the traffic to protect (ACL 100)
crypto map mVPN 1 ipsec-isakmp
 set peer 213.x.x.x
 set security-association lifetime seconds 86400
 set transform-set testvpn
 match address 100
!
! Crypto ACL: Site A LAN to Site B LAN
access-list 100 permit ip 172.16.16.0 0.0.15.255 192.168.80.0 0.0.0.255
!
interface serial 0/0
 ip address 212.x.x.x 255.255.255.0
 crypto map mVPN

Site B config:
! Phase 1 (ISAKMP) policy and the pre-shared key for the Site A peer
crypto isakmp policy 10
 authentication pre-share
 group 2
 exit
crypto isakmp key vpnkey address 212.x.x.x
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set testvpn esp-des esp-sha-hmac
!
! Crypto map: peer, SA lifetime, transform set and the traffic to protect (ACL 100)
crypto map mVPN 1 ipsec-isakmp
 set peer 212.x.x.x
 set security-association lifetime seconds 86400
 set transform-set testvpn
 match address 100
!
! Crypto ACL: Site B LAN to Site A LAN (mirror image of the Site A ACL)
access-list 100 permit ip 192.168.80.0 0.0.0.255 172.16.16.0 0.0.15.255
!
interface serial 0/0
 ip address 213.x.x.x 255.255.255.0
 crypto map mVPN
Asked by: esilma
JFrederick29 commented:
You don't have any routes on the router other than the default route, right?

Is the Ethernet interface on the router a 172.16.16.0/20 IP?  If so, from the router itself, try the following:

ping 192.168.80.x so <ethernet interface>

Where 192.168.80.x is the IP of the ethernet interface in SiteB.

This will source a ping from the router using a 172.16.16.0/20 IP address which will match the crypto and build up the tunnel.

After pinging (success or failure), do a "show cry isa sa" and "show cry ipsec sa".
 
esilma (author) commented:

Thanks for your comment.

Yes, there is a default route on the router and the Ethernet interface IP is in 172.16.16.0/20,
but I tried ping 192.168.80.x and it fails.

I checked "show cry isa sa" and "show cry ipsec sa" and there is nothing, and I also turned on debug commands for IPsec, but nothing is shown for either phase 1 or phase 2.

 
JFrederick29 commented:
You pinged using the ethernet as the source of the ping, right?

ping 192.168.80.x so fa0/1
walthy commented:
Some thoughts...

Your external interfaces, how are those connected? They are on different networks, there must be some kind of routing infrastructure in between the devices, right?

Then, on site A, do you have something like "ip route 0.0.0.0 0.0.0.0 212.x.x.x" in your config so that the traffic  to 213.x.x.x is routed to an access router for site A? Do you know that external address on 212.x.x.x can reach the 213.x.x.x gateway?

(If site A and B are connected directly, then they should have the same link network on each side.)

As others wrote, "ping 192.168.80.x so 172.16.16.x" should bring up the tunnel.

Enable logging with level debugging in your config (something like "logging buffered 32768 debugging").

Then run:
terminal monitor
debug crypto isakmp
debug crypto ipsec

Then run the ping with the "spoofed" source. Do you then see no ISAKMP messages? Nothing else interesting logged?

When done:
undebug all
terminal no monitor
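The two things JFrederick29 and walthy keep coming back to (the ping must be sourced from a LAN address so that it matches the crypto ACL, and the two ends must mirror each other) can be checked offline before touching the routers. The Python script below is an added example written for this thread; it is not part of the original posts and not Cisco tooling. It parses the crypto-relevant lines of two constructed configs modelled on the ones posted above (the masked 212.x.x.x and 213.x.x.x addresses are replaced with the documentation addresses 198.51.100.1 and 203.0.113.1), checks that peers, key bindings, transform sets and crypto ACLs mirror each other, flags the single-DES transform as weak, and shows which source addresses would actually match access-list 100. It assumes the first "ip address" line in a config is the outside interface.

```python
# Added example for this thread (not Cisco code, not the poster's tooling):
# parse the crypto-relevant lines of two IOS configs, check that the sides
# mirror each other, and test which src/dst pairs match the crypto ACL.
import ipaddress
import re

# Constructed sample configs modelled on the thread; the masked x.x.x public
# octets are replaced with documentation addresses (constructed values).
SITE_A = """
crypto isakmp key vpnkey address 203.0.113.1
crypto ipsec transform-set testvpn esp-des esp-sha-hmac
crypto map mVPN 1 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set testvpn
 match address 100
access-list 100 permit ip 172.16.16.0 0.0.15.255 192.168.80.0 0.0.0.255
interface Serial0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map mVPN
"""
SITE_B = """
crypto isakmp key vpnkey address 198.51.100.1
crypto ipsec transform-set testvpn esp-des esp-sha-hmac
crypto map mVPN 1 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set testvpn
 match address 100
access-list 100 permit ip 192.168.80.0 0.0.0.255 172.16.16.0 0.0.15.255
interface Serial0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map mVPN
"""

# Transforms worth flagging: single DES (56-bit key) and null encryption.
WEAK_TRANSFORMS = {"esp-des", "esp-null"}


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverse masks: 172.16.16.0 0.0.15.255 means 172.16.16.0/20."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse(cfg):
    """Extract peer, pre-shared key binding, transforms, crypto ACL and outside address."""
    site = {"local": None, "peer": None, "key": None, "key_peer": None,
            "transforms": set(), "acl": []}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            site["key"], site["key_peer"] = m.group(1), m.group(2)
        elif m := re.match(r"set peer (\S+)$", line):
            site["peer"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            site["transforms"] = set(m.group(1).split())
        elif m := re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            site["acl"].append((wildcard_to_network(m.group(1), m.group(2)),
                                wildcard_to_network(m.group(3), m.group(4))))
        elif m := re.match(r"ip address (\S+) \S+$", line):
            # Assumption: the first addressed interface is the outside one.
            site["local"] = site["local"] or m.group(1)
    return site


def matches_crypto_acl(site, src, dst):
    """Would a packet src -> dst match the crypto ACL and so kick off ISAKMP?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in site["acl"])


def check_pair(a, b):
    """Findings for two configs that should mirror each other (empty = consistent)."""
    findings = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        findings.append("set peer does not point at the other side's outside address")
    if a["key_peer"] != a["peer"] or b["key_peer"] != b["peer"]:
        findings.append("isakmp key is bound to an address other than set peer")
    if a["key"] != b["key"]:
        findings.append("pre-shared keys differ")
    if a["transforms"] != b["transforms"]:
        findings.append("transform sets differ")
    if set(a["acl"]) != {(dst, src) for src, dst in b["acl"]}:
        findings.append("crypto ACLs are not mirror images of each other")
    for t in sorted(a["transforms"] & WEAK_TRANSFORMS):
        findings.append(f"weak transform in use: {t}")
    return findings


if __name__ == "__main__":
    a, b = parse(SITE_A), parse(SITE_B)
    print(check_pair(a, b))  # ['weak transform in use: esp-des']
    # A ping sourced from the serial interface never matches the crypto ACL,
    # which is why the thread insists on sourcing it from the LAN interface.
    print(matches_crypto_acl(a, "198.51.100.1", "192.168.80.1"))  # False
    print(matches_crypto_acl(a, "172.16.16.1", "192.168.80.1"))   # True
```

Run against the configs in the thread, the only finding is the esp-des transform; the mirrored ACLs and peers are consistent, which points the troubleshooting toward what walthy asks about next (routing between the two outside addresses and the ISAKMP debugs) rather than toward the crypto configuration itself.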
 
walthy commented:
Hi, any progress?
 
esilma (author) commented:
Hi

I have changed my configuration and used a GRE over IPsec tunnel (http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html) and it worked.

Thanks for your comments.