Cisco 2600 site to site vpn problem

Hi
I am trying to make a site-to-site VPN with two 2600 routers. The routers' IOS is c2600-jk9o3s-mz.123-26.
I googled and found sample configurations, which I tried, but it did not work. My problem is that the VPN connection does not start; it does not trigger.
My configs are:

Site A:
Internet IP: 212.x.x.x
Local IP: 172.16.16.0/20

Site B:
Internet IP: 213.x.x.x
Local IP: 192.168.80.0/24


Site A config:
crypto isakmp policy 10
 authentication pre-share
 group 2
 exit
crypto isakmp key vpnkey address 213.x.x.x
!
crypto ipsec transform-set testvpn esp-des esp-sha-hmac
!
crypto map mVPN 1 ipsec-isakmp
 set peer 213.x.x.x
 set security-association lifetime seconds 86400
 set transform-set testvpn
 match address 100


access-list 100 permit ip  172.16.16.0 0.0.15.255 192.168.80.0 0.0.0.255

interface serial 0/0
 ip add 212.x.x.x 255.255.255.0
 crypto map mVPN

Site B config:

crypto isakmp policy 10
 authentication pre-share
 group 2
 exit
crypto isakmp key vpnkey address 212.x.x.x
!
crypto ipsec transform-set testvpn esp-des esp-sha-hmac
!
crypto map mVPN 1 ipsec-isakmp
 set peer 212.x.x.x
 set security-association lifetime seconds 86400
 set transform-set testvpn
 match address 100


access-list 100 permit ip   192.168.80.0 0.0.0.255 172.16.16.0 0.0.15.255

interface serial 0/0
 ip add 213.x.x.x 255.255.255.0
 crypto map mVPN
esilma Asked:
 
esilma (Author) Commented:
Hi

I have changed my configuration and used a GRE IPsec tunnel (http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html) and it worked.

Thanks for your comments.
0
 
JFrederick29 Commented:
You don't have any routes on the router other than the default route, right?

Is the Ethernet interface on the router a 172.16.16.0/20 IP?  If so, from the router itself, try the following:

ping 192.168.80.x so <ethernet interface>

Where 192.168.80.x is the IP of the ethernet interface in SiteB.

This will source a ping from the router using a 172.16.16.0/20 IP address which will match the crypto and build up the tunnel.

After pinging (success or failure), do a "show cry isa sa" and "show cry ipsec sa".
0
 
esilma (Author) Commented:

Thanks for your comment.

Yes, there is a default route on the router and the Ethernet interface IP is 172.16.16.0/20,
but I tried ping 192.168.80.x and it failed.

I checked "show cry isa sa" and "show cry ipsec sa" and there is nothing. I also enabled the debug commands for IPsec, but nothing is shown, neither phase 1 nor phase 2.

0
 
JFrederick29 Commented:
You pinged using the ethernet as the source of the ping, right?

ping 192.168.80.x so fa0/1
0
 
walthy Commented:
Some thoughts...

Your external interfaces, how are those connected? They are on different networks, there must be some kind of routing infrastructure in between the devices, right?

Then, on site A, do you have something like "ip route 0.0.0.0 0.0.0.0 212.x.x.x" in your config so that the traffic to 213.x.x.x is routed to an access router for site A? Do you know that the external address on 212.x.x.x can reach the 213.x.x.x gateway?

(If site A and B are connected directly, then they should have the same link network on each side.)

As others wrote, "ping 192.168.80.x so 172.16.16.x" should bring up the tunnel.

Enable logging with level debugging in your config (something like "logging buffered 32768 debugging").

Then run:
terminal monitor
debug crypto isakmp
debug crypto ipsec

Then run the ping with the "spoofed" source. Do you then see no ISAKMP messages? Nothing else interesting logged?

When done:
undebug all
terminal no monitor
0
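JFrederick29 and walthy both suggest sourcing the ping from the 172.16.16.0/20 side so that it matches the crypto ACL. The Python sketch below is an added example, not code from anyone in the thread: it evaluates the two access-list 100 lines from the question against constructed addresses (203.0.113.1 stands in for the elided 212.x.x.x serial address, the .1 LAN addresses are assumed) and assumes an unsourced ping leaves with the serial interface's address.

```python
import ipaddress

def parse_crypto_acl(line):
    """Parse 'access-list N permit ip SRC SRC_WILDCARD DST DST_WILDCARD'."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError("unsupported ACL line: " + line)
    return tuple(int(ipaddress.IPv4Address(t)) for t in tok[4:8])

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: a 1 bit means "don't care", a 0 bit must match.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def is_interesting(acl, src, dst):
    """True if a packet src -> dst matches the crypto ACL, so IKE is triggered."""
    s, sw, d, dw = acl
    return wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)

def is_mirror(acl_a, acl_b):
    """Peers must describe the same traffic with source and destination swapped."""
    return acl_a[:2] == acl_b[2:] and acl_a[2:] == acl_b[:2]

# ACL lines exactly as posted in the question.
SITE_A_ACL = parse_crypto_acl(
    "access-list 100 permit ip  172.16.16.0 0.0.15.255 192.168.80.0 0.0.0.255")
SITE_B_ACL = parse_crypto_acl(
    "access-list 100 permit ip   192.168.80.0 0.0.0.255 172.16.16.0 0.0.15.255")

# Constructed sample addresses (the thread elides the real ones).
WAN_A = "203.0.113.1"   # placeholder for site A's 212.x.x.x serial address
LAN_A = "172.16.16.1"   # assumed Ethernet address inside 172.16.16.0/20
LAN_B = "192.168.80.1"  # assumed Ethernet address at site B

def report():
    return {
        "mirror": is_mirror(SITE_A_ACL, SITE_B_ACL),
        "plain_ping": is_interesting(SITE_A_ACL, WAN_A, LAN_B),
        "sourced_ping": is_interesting(SITE_A_ACL, LAN_A, LAN_B),
        "reply_at_b": is_interesting(SITE_B_ACL, LAN_B, LAN_A),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Here plain_ping is False because the serial address lies outside 172.16.16.0/20, so that packet is never handed to IPsec, while the sourced ping matches the ACL on both peers.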
 
walthy Commented:
Hi, any progress?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.