Solved

Cisco 877 to 877 vpn will not connect

Posted on 2009-07-12
Last Modified: 2012-05-07
Hi Guys,

We have a Cisco 877 in our head office that has been set up for VPNs to our remote offices. One of our remote offices has recently upgraded to an 877W also (previously had a Netcomm NB5580W and the VPN worked fine). Our ISP has configured the 877 at the remote location for VPN, but it will not connect.

Thanks in advance,
Michael

Head Office config
 
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname seagrims
!
boot-start-marker
boot-end-marker
!
logging buffered 65535
logging console informational
enable xxx
!
no aaa new-model
clock timezone ACST 9 30
clock summer-time ACST recurring last Sun Oct 2:00 last Sun Mar 2:00
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.34 192.168.3.255
!
ip dhcp pool lan
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1 
   dns-server 192.168.3.40 192.231.203.2 
   netbios-name-server 192.168.3.50 192.168.3.40 
   lease infinite
!
!
ip domain name internode.on.net
ip name-server 192.231.203.132
ip name-server 192.231.203.3
!
multilink bundle-name authenticated
!
!
!
!
username xxx password xxx
!
! 
crypto keyring Seagrims 
  pre-shared-key address 150.101.23.142 key xxx
  pre-shared-key address 150.101.23.238 key xxx
  pre-shared-key address 203.122.249.152 key xxx
  pre-shared-key address 150.101.231.83 key xxx
  pre-shared-key address 203.122.227.174 key xxx
  pre-shared-key address 150.101.250.194 key xxx
  pre-shared-key address 202.6.150.185 key xxx
  pre-shared-key address 202.136.109.2 key xxx
  pre-shared-key address 202.138.33.55 key xxx
crypto keyring seagrims 
  pre-shared-key address 150.101.250.194 key xxx
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp profile SeagrimsPtLn
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile SeagrimsPtPirie
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile SeagrimsWhyalla
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile SeagrimsPtAug
   keyring Seagrims
   match identity address 203.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile SeagrimsAdelaide
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile SeagrimsKadina
   keyring Seagrims
   match identity address 203.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile Ottewill
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile Willoughbys
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile BScottMildura
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255 
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
!
crypto map ipsec-maps 10 ipsec-isakmp 
 set peer 150.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsPtLn
 match address SeagrimsPtLn
crypto map ipsec-maps 20 ipsec-isakmp 
 set peer 150.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsPtPirie
 match address SeagrimsPtPirie
crypto map ipsec-maps 30 ipsec-isakmp 
 set peer 150.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsWhyalla
 match address SeagrimsWhyalla
crypto map ipsec-maps 40 ipsec-isakmp 
 set peer 203.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsPtAug
 match address SeagrimsPtAug
crypto map ipsec-maps 50 ipsec-isakmp 
 set peer 150.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsAdelaide
 match address SeagrimsAdelaide
crypto map ipsec-maps 60 ipsec-isakmp 
 set peer 203.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsKadina
 match address SeagrimsKadina
crypto map ipsec-maps 70 ipsec-isakmp 
 set peer 202.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile Ottewill
 match address Ottewill
crypto map ipsec-maps 80 ipsec-isakmp 
 set peer 202.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile Willoughbys
 match address Willoughbys
crypto map ipsec-maps 90 ipsec-isakmp 
 set peer 202.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile BScottMildura
 match address BScottMildura
!
!
!
!
interface ATM0
 description --- ADSL to Internode ---
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5snap
  protocol ip inarp
  pppoe-client dial-pool-number 1
! dsl operating-mode auto 
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description --- Ethernet LAN ---
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxx@internode.on.net
 ppp chap password xxx
 crypto map ipsec-maps
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.3.40 25 interface Dialer0 25
ip nat inside source static tcp 192.168.3.40 80 interface Dialer0 80
ip nat inside source static tcp 192.168.3.40 443 interface Dialer0 443
ip nat inside source static tcp 192.168.3.40 4125 interface Dialer0 4125
ip nat inside source static tcp 192.168.3.40 3389 interface Dialer0 3389
!
ip access-list extended BScottMildura
 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended Ottewill
 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended SeagrimsAdelaide
 permit ip 192.168.3.0 0.0.0.255 192.168.8.0 0.0.0.255
ip access-list extended SeagrimsKadina
 permit ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255
ip access-list extended SeagrimsPtAug
 permit ip 192.168.3.0 0.0.0.255 192.168.7.0 0.0.0.255
ip access-list extended SeagrimsPtLn
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended SeagrimsPtPirie
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended SeagrimsWhyalla
 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended Willoughbys
 permit ip 192.168.3.0 0.0.0.255 192.168.32.0 0.0.0.255
!
access-list 1 permit 192.xxx.231.0 0.0.0.255
access-list 1 permit 203.xxx.95.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
snmp-server community public%d RO
!
!
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 login local
!
scheduler max-task-time 5000
sntp server 192.xxx.xxx.xxx
end
 
Remote Office config
 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Ottewill
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
enable password xxx
!
no aaa new-model
clock timezone ACST 9 30
clock summer-time ACDT recurring last Sun Oct 2:00 last Sun Mar 3:00
!
dot11 syslog
!
dot11 ssid seagrims-ottewill
   vlan 1
   authentication open 
   authentication key-management wpa
   wpa-psk ascii 7 07092D43590C0B1646
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.50 192.168.10.255
!
ip dhcp pool 0
   network 192.168.10.0 255.255.255.0
   dns-server 122.49.191.252 122.49.191.253 
   default-router 192.168.10.1 
!
!
no ip bootp server
ip name-server 122.49.191.252
ip name-server 122.49.191.253
!
!
!
username xxx password xxx
! 
crypto keyring Seagrims 
  pre-shared-key address 150.101.226.22 key xxx
  pre-shared-key address 150.101.23.142 key xxx
  pre-shared-key address 150.101.23.238 key xxx
  pre-shared-key address 203.122.227.174 key xxx
  pre-shared-key address 150.101.250.194 key xxx
  pre-shared-key address 202.136.109.2 key xxx
  pre-shared-key address 202.138.33.55 key xxx
crypto keyring seagrims 
  pre-shared-key address 202.6.150.185 key xxx
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp profile SeagrimsPtLn
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile SeagrimsPtPirie
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile SeagrimsWhyalla
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile SeagrimsPtAug
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile SeagrimsKadina
   keyring Seagrims
   match identity address 203.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile Willoughbys
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255 
crypto isakmp profile BScottMildura
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255 
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
!
crypto map ipsec-maps 10 ipsec-isakmp 
 set peer 150.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsPtLn
 match address SeagrimsPtLn
crypto map ipsec-maps 20 ipsec-isakmp 
 set peer 150.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsPtPirie
 match address SeagrimsPtPirie
crypto map ipsec-maps 30 ipsec-isakmp 
 set peer 150.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsWhyalla
 match address SeagrimsWhyalla
crypto map ipsec-maps 40 ipsec-isakmp 
 set peer 150.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsPtAug
 match address SeagrimsPtAug
crypto map ipsec-maps 60 ipsec-isakmp 
 set peer 203.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile SeagrimsKadina
 match address SeagrimsKadina
crypto map ipsec-maps 80 ipsec-isakmp 
 set peer 202.xxx.xxx.xxx
 set transform-set strong 
 set isakmp-profile Willoughbys
 match address Willoughbys
!
archive
 log config
  hidekeys
!
!
ip tcp mss 1420
ip tcp synwait-time 10
!
bridge irb
!
!
interface ATM0
 description ADSL Parent Interface
 no ip address
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 dsl operating-mode auto 
!
interface ATM0.835 point-to-point
 description Internet PVC, carrying PPPoE
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 pvc 8/35 
  oam-pvc manage cc segment direction sink
  pppoe-client dial-pool-number 1
 !
 bridge-group 1
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip 
 !
 ssid xxx-xxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Customer LAN
 no ip address
 ip verify unicast source reachable-via rx
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 bridge-group 1
 hold-queue 100 out
!
interface Dialer0
 description Internet connection via Adam Internet - MTU MUST BE <=1492
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx@adam.com.au
 ppp chap password xxx
 crypto map ipsec-maps
!
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 130 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list extended Mildura
 permit ip 192.168.10.0 0.0.0.255 192.168.33.0 0.0.0.255
ip access-list extended NO-NAT
 remark ****** NAT NAT ******
 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended SeagrimsKadina
 permit ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
ip access-list extended SeagrimsPtAug
 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended SeagrimsPtLn
 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended SeagrimsPtPirie
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended SeagrimsWhyalla
 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended Willoughbys
 permit ip 192.168.10.0 0.0.0.255 192.168.32.0 0.0.0.255
!
access-list 23 remark Permitted Telnet into the router
access-list 23 remark Customer Network
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 122.xx.xx.0 0.0.0.255
access-list 23 remark Adam NOC
access-list 23 permit 0.0.0.28 255.255.255.128
access-list 23 permit 203.xx.xx.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map nonat permit 10
 match ip address NO-NAT
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 transport preferred none
line aux 0
 exec-timeout 120 0
 login local
 transport preferred none
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 transport preferred none
!
scheduler max-task-time 5000
ntp source Dialer0
ntp access-group serve-only 1
end


Question by:havy
17 Comments
 
LVL 8

Accepted Solution

by:
pgolding00 earned 2000 total points
ID: 24837378
most likely nat is picking up the traffic you want in the vpn, from the first "ip nat inside source" statement at Ottewill. you need to remove the permit 192.168 to any nat statement from nat (acl 130). most likely you want to remove the first ip nat inside statement from Ottewill.
0
 

Author Comment

by:havy
ID: 24837462
Hi,

Thanks for the comments.

On the Ottewill 877 I have entered:
no access-list 130 permit ip 192.168.10.0 0.0.0.255 any
no ip nat inside source list 130 interface Dialer0 overload

Staff at the Ottewill site can now reach the terminal server at the Seagrims site (head office) using Remote Desktop Connection. However, the Seagrims site (192.168.3.x) cannot reach the terminal server at the Ottewill site (192.168.10.x).
0
 

Author Comment

by:havy
ID: 24837487
Hi,

I have tried to ping the Ottewill terminal server (192.168.10.66) and I get no response. However, I can ping other network devices (like printers) successfully.
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24837602
is the terminal server default gateway right?

if you clear acl counters at seagrims, then try again from central to remote site, do you see new matches against the acl for the remote site? this shows its trying to send the data. next "show cryp isa sa" and "show cryp ips sa" to see if the tunnel is coming up for that site (most likely is if its working 1 way).

i'm going with a bad default gateway if you can ping other things.
0
 

Author Comment

by:havy
ID: 24837781
Hi,

The default gateway was still set for the Netcomm. We have updated the default gateway on the Ottewill terminal server, however I still cannot reach it by Remote Desktop Connection. I can now ping the Ottewill server.

I have run 'show cryp isa sa' on both and their corresponding IPs do not appear:

Ottewill#show cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.(ottewill ip) 150.(whyalla ip)  QM_IDLE           2036    0 ACTIVE
202.(ottewill ip)   202.(willoughby ip)   QM_IDLE           2032    0 ACTIVE

seagrims#show cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
150.(adelaide ip)  150.(seagrims ip)  MM_NO_STATE          0    0 ACTIVE
150.(adelaide ip)  150.(seagrims ip) MM_NO_STATE          0    0 ACTIVE (deleted)
203.(kadina ip) 150.(seagrims ip)  MM_NO_STATE          0    0 ACTIVE
203.(accounting ip) 150.(seagrims ip)  MM_NO_STATE          0    0 ACTIVE (deleted)
150.(seagrims ip)  150.(ptpitie ip)QM_IDLE           2043    0 ACTIVE
150.(seagrims ip)  150.(ptln ip)  QM_IDLE           2046    0 ACTIVE
150.(seagrims ip)  150.(ptln ip)  QM_IDLE           2042    0 ACTIVE
150.(seagrims ip)  202.(willoughbys)  QM_IDLE           2044    0 ACTIVE
150.(seagrims ip) 150.(whyalla)  QM_IDLE           2045    0 ACTIVE
150.(seagrims ip)  150.(whyalla)  MM_NO_STATE       2041    0 ACTIVE (deleted)

When I do 'show cryp ips sa' on the seagrims 877 I receive:

local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 202.(ottewill ip) port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1685, #pkts encrypt: 1685, #pkts digest: 1685
    #pkts decaps: 1478, #pkts decrypt: 1478, #pkts verify: 1478
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 150.(seagrims IP), remote crypto endpt.: 202.(Ottewill ip)
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
     current outbound spi: 0x8CE83950(2364029264)

     inbound esp sas:
      spi: 0x5C7F57BC(1551849404)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 35, flow_id: Motorola SEC 1.0:35, crypto map: ipsec-maps
        sa timing: remaining key lifetime (k/sec): (4600711/524)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8CE83950(2364029264)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 36, flow_id: Motorola SEC 1.0:36, crypto map: ipsec-maps
        sa timing: remaining key lifetime (k/sec): (4600729/523)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I have cleared the ACL counters, but I am not sure how to check the ACL counters.
0
 

Author Comment

by:havy
ID: 24837983
Thank you,

All looks good, Remote Desktop Connection to the Ottewill site is now working.

Are you also able to help me with the VPN to the SeagrimsWhyalla location, or do I need to post another question?

Kind Regards,
Michael
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24838034
you can check acl counters from "show access-l <name>", the counters appear at the end of each line.

there are a few reasons that ottewill might not appear in the ipsec or isakmp lists on the central router: either its failing to set up, most likely due to mis-match in the isakmp or ipsec settings at each end, or there has been no interesting traffic to make it come up (or its timed out and been removed).

i thought you said you could ping other hosts through this tunnel, which means that it does come up some times. that rules out bad config in the isa or ipsec, if its really working when you have successful pings. try pinging again and then grab "show cry isa sa" as quickly as possible from both ends. you should see qm_idle at both ends, for the partners address for isakmp. if not, check the crypto isa profile xxx match identity address is correct at both ends.

note that isa could expire while ipsec keeps going, until the next rekey time.

clearing both isa and ipsec will force it all to start again (and interrupt traffic for a few seconds). "clear cry ipsec" and "clear cry isa" from memory, are the commands to do that. if you dont have out of band access to the remote end then do isakmp first, as when you clear ipsec your session will die if its working through the tunnel.

then kick off some pings and see if you get isakmp and ipsec sa's establish. the isakmp has to come first, when starting from scratch. if no isa, capture "debug cry isa". if the isa is ok but no working traffic, grab "debug cry ips". there should be some message giving a reason that its not working.

on second thoughts, it really does look like its working sometimes, given the show cry ipsec you have above. perhaps just try clearing everything first, then test with a ping and see what happens.
pg
0
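The expert's checklist above (QM_IDLE expected at both ends for the partner's address, MM_NO_STATE meaning phase 1 never completed, a peer missing from the list meaning no interesting traffic or an expired SA) can be applied mechanically. The following is an added triage helper, not code from the thread or from Cisco: it reads the `set peer` lines of a crypto map, parses `show crypto isakmp sa` output in the IOS 12.4 column layout pasted above (dst, src, state, conn-id, slot, status) and reports one verdict per expected peer. The sample config and output are constructed with TEST-NET addresses, not the thread's real peers.

```python
"""Added triage helper for 'show crypto isakmp sa' output (IOS 12.4 column
layout with dst/src/state/conn-id/slot/status, as pasted in the thread).
Peers come from the crypto map's 'set peer' lines. All addresses below are
constructed TEST-NET values, not the thread's real peers."""
import re
from collections import defaultdict
from typing import Dict, List


def peers_from_crypto_map(config_text: str) -> List[str]:
    """Collect every 'set peer X' under the crypto map entries."""
    return re.findall(r"^\s*set peer (\S+)", config_text, flags=re.MULTILINE)


def parse_isakmp_sa(show_output: str) -> List[dict]:
    """Turn each SA row into a dict; banner and header lines are skipped."""
    rows = []
    for line in show_output.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] in ("IPv4", "IPv6", "dst"):
            continue
        dst, src, state, conn_id, slot, status = tok[:6]
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "status": status,
                     "deleted": "(deleted)" in tok[6:]})
    return rows


def triage(expected_peers: List[str], rows: List[dict], local_ip: str) -> Dict[str, str]:
    """established: a live QM_IDLE SA with the peer (phase 1 complete);
    phase1-incomplete: only MM_* rows, so main mode never finishes (policy,
    key or identity mismatch to check); no-sa: nothing for that peer at all
    (no interesting traffic yet, or the SA timed out and was removed)."""
    by_peer = defaultdict(list)
    for r in rows:
        # The partner is whichever address is not ours; local_ip appears
        # as dst for SAs the peer initiated and as src for ones we initiated.
        peer = r["src"] if r["dst"] == local_ip else r["dst"]
        by_peer[peer].append(r)
    verdict = {}
    for peer in expected_peers:
        live = [r for r in by_peer[peer] if not r["deleted"]]
        if any(r["state"] == "QM_IDLE" for r in live):
            verdict[peer] = "established"
        elif live:
            verdict[peer] = "phase1-incomplete"
        else:
            verdict[peer] = "no-sa"
    return verdict


# Constructed sample input (TEST-NET addresses), shaped like the thread's paste.
LOCAL_IP = "203.0.113.10"
CRYPTO_MAP = """crypto map ipsec-maps 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set strong
crypto map ipsec-maps 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set strong
crypto map ipsec-maps 30 ipsec-isakmp
 set peer 198.51.100.3
 set transform-set strong"""
SHOW_ISAKMP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
203.0.113.10    198.51.100.1    QM_IDLE           2046    0 ACTIVE
198.51.100.2    203.0.113.10    MM_NO_STATE          0    0 ACTIVE
198.51.100.2    203.0.113.10    MM_NO_STATE          0    0 ACTIVE (deleted)"""


def sample_triage() -> Dict[str, str]:
    return triage(peers_from_crypto_map(CRYPTO_MAP), parse_isakmp_sa(SHOW_ISAKMP), LOCAL_IP)


if __name__ == "__main__":
    for peer, verdict in sample_triage().items():
        print(f"{peer:15} {verdict}")
```

Run it against a fresh capture taken right after a test ping, as suggested above; a peer that stays at no-sa while its crypto ACL counters climb points at traffic never reaching the crypto map, whereas phase1-incomplete points at the ISAKMP settings on one side.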
 
LVL 8

Expert Comment

by:pgolding00
ID: 24839229
i'm not sure if this site has rules about multiple topics in the same thread, but its all vpn related so i guess it should be ok to carry on here. happy to help if i can.
0
 

Author Comment

by:havy
ID: 24845161
Thank you pgolding00,

We would like to get the VPN working between Ottewill and SeagrimsWhyalla. We have a VPN from SeagrimsPtAug to SeagrimsWhyalla that works fine. I have checked the keys and crypto maps etc., and they all match. I have a feeling it could be the ACLs again, but I don't know where to start.

Regards,
Michael
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24846277
first step is to check the whyalla access list, it should be the exact reverse of the ottewill list, which looks like 192.168.10 to 192.168.4. so the other end should be 192.168.4 to 192.168.10. once you have verified that, clear crypto ipsec and isa - for the appropriate peer at both ends, then test with pings and see what ipsec and isa sa's get set up. can you post the relevant config parts and show command output here and we can have a look.
cheers, peter
0
 

Author Comment

by:havy
ID: 24846750
Hi,

At the Whyalla office we have a Pix 501 which was configured for VPN into the Netcomm. I have checked the whyalla access-list and it is as you have said.

I have also cleared crypto ipsec and isa on both devices and then pinged - attached are the results.

Regards,
Michael
Ottewill-Whyalla.txt
whyalla.txt
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24846837
michael,
at the time you captured this info, there had not been any interesting traffic to bring up the ipsec sa's, at least since the last clear was issued. the acl definitions look correct and they match at both ends, and the isa seems to be established. can you verify that you have default gateway settings correct on relevant hosts, as it seems that traffic might not be getting to the pix and router.

you might also add 'crypto isa ident address' on the pix as the ottewill local crypto endpoint is unknown.
peter
0
 

Author Comment

by:havy
ID: 24846884
Hi Peter,

To test the VPN we have tried to access the Ottewill Terminal server using remote desktop connection (from Whyalla), but the connection fails. I have also tried to ping printers from both ends, but I receive no response (from the SeagrimsPtAug 877 I can ping the printers in both locations). I don't think it is a default gateway problem because I can connect to the Ottewill server from SeagrimsPtAug.

Regards,
Michael
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24847029
Michael,

ok, given that, lets add the crypto ident address. if thats no go, clear all the sa's again, config debug logging to the buffer if you dont have it already and set the buffer size to 64k or more, then debug cry ips and debug cry isa on both ends, then initiate ping or telnet or something to trigger the tunnels. capture the relevant info from the buffers and post that back for us to look at. dont forget to undebug all when you are done.
peter
0
 

Author Comment

by:havy
ID: 24847046
Hi Peter,

I am not sure how to add the 'crypto isa ident address' on the pix. Could you please provide me with the lines to enter.

I have been comparing the Ottewill 877 config to the SeagrimsPtAug 877 config and I noticed that the deny statements are different.

Ottewill 877
ip access-list extended NO-NAT
deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255

SeagrimsPtAug 877
access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

The Ottewill statement seems to be limited to just 192.168.3.0. But my knowledge of this stuff is pretty limited and I am too scared to make a change that might affect the VPN to SeagrimsPtAug that is working.

Regards,
Michael
0
 

Author Comment

by:havy
ID: 24847833
Hi Peter,

VPNs to all offices are working now.

To get it working I modified the extended NO-NAT access-list by adding:
5 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

Thank you for your help in getting it all up and running.
Regards,
Michael
0
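Both fixes in this thread (removing the `access-list 130 permit ... any` NAT statement in the accepted answer, and widening the NO-NAT exemption here) come down to one IOS behaviour: on the inside-to-outside path NAT runs before the crypto map is consulted, so a private-to-private flow that the NAT ACL permits is translated to the public address and no longer matches the crypto ACL; it leaves the router in the clear and the tunnel never sees it. The following model is added here and is not code from the thread, Cisco, or the ISP: it parses the Ottewill ACLs quoted above in IOS syntax (named and numbered forms, wildcard masks, `any`) and walks a flow through NAT-then-crypto. The public Dialer0 address is a constructed stand-in, and the broader NO-NAT list is constructed in the style of the SeagrimsPtAug `access-list 101` quoted earlier (deny all 192.168.0.0/16 before the catch-all permit), not the exact line Michael added.

```python
"""Added model of IOS inside-to-outside order of operations on a crypto-map VPN:
NAT is applied before the crypto map check, so a flow the NAT ACLs permit
gets its source rewritten and can no longer match the crypto ACL.
ACL text is IOS syntax; addresses marked constructed are not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str   # IOS wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str

    @staticmethod
    def _hit(addr: str, net: str, wc: str) -> bool:
        care = ~_int(wc) & 0xFFFFFFFF
        return (_int(addr) ^ _int(net)) & care == 0

    def matches(self, src: str, dst: str) -> bool:
        return self._hit(src, self.src, self.src_wc) and self._hit(dst, self.dst, self.dst_wc)


def _addr_spec(tok: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse named or numbered IOS ACL text; only 'ip' ACEs are modelled."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "ip", "remark"):   # header / comment lines
            continue
        if tok[0] == "access-list":                        # numbered form
            tok = tok[2:]
        if tok and tok[0].isdigit():                       # optional sequence number
            tok = tok[1:]
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        src, src_wc, rest = _addr_spec(tok[2:])
        dst, dst_wc, _ = _addr_spec(rest)
        aces.append(Ace(tok[0], src, src_wc, dst, dst_wc))
    return aces


def acl_permits(aces: List[Ace], src: str, dst: str) -> bool:
    for ace in aces:          # first matching entry decides
        if ace.matches(src, dst):
            return ace.action == "permit"
    return False              # implicit deny at the end of every IOS ACL


def outbound_path(nat_acls, crypto_acls, src, dst, public_ip) -> str:
    """'encrypted' if the packet reaches the crypto map untranslated and matches
    a crypto ACL; 'translated-cleartext' if NAT rewrote it to public_ip first
    (it is sent unprotected); 'cleartext' if it was neither NATed nor encrypted."""
    translated = any(acl_permits(a, src, dst) for a in nat_acls)
    if translated:
        src = public_ip   # the crypto ACL now sees the public source address
    if any(acl_permits(a, src, dst) for a in crypto_acls):
        return "encrypted"
    return "translated-cleartext" if translated else "cleartext"


# ACLs as quoted from the Ottewill config in the thread.
ACL_130 = "access-list 130 permit ip 192.168.10.0 0.0.0.255 any"
NO_NAT_ORIGINAL = """ip access-list extended NO-NAT
 remark ****** NAT NAT ******
 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any"""
# Constructed: broader exemption in the style of the SeagrimsPtAug acl 101.
NO_NAT_ALL_PRIVATE = """ip access-list extended NO-NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any"""
CRYPTO_ACLS = [
    parse_acl("permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255"),  # SeagrimsPtAug
    parse_acl("permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255"),  # SeagrimsWhyalla
]
PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the negotiated Dialer0 address


def as_posted(src: str, dst: str) -> str:
    return outbound_path([parse_acl(ACL_130), parse_acl(NO_NAT_ORIGINAL)], CRYPTO_ACLS, src, dst, PUBLIC_IP)


def after_removing_acl130(src: str, dst: str) -> str:
    return outbound_path([parse_acl(NO_NAT_ORIGINAL)], CRYPTO_ACLS, src, dst, PUBLIC_IP)


def with_private_exemption(src: str, dst: str) -> str:
    return outbound_path([parse_acl(NO_NAT_ALL_PRIVATE)], CRYPTO_ACLS, src, dst, PUBLIC_IP)


if __name__ == "__main__":
    for label, fn in (("as posted", as_posted), ("acl 130 removed", after_removing_acl130),
                      ("/16 exemption", with_private_exemption)):
        for dst in ("192.168.3.40", "192.168.4.5", "198.51.100.7"):   # 198.51.100.7: constructed internet host
            print(f"{label:16} 192.168.10.20 -> {dst:14} {fn('192.168.10.20', dst)}")
```

The three scenarios reproduce the thread: with `access-list 130` in place every flow is translated, so nothing matches a crypto ACL; with only the original NO-NAT list, head office (192.168.3.0) is exempt and works while Whyalla (192.168.4.0) is still caught by the `permit ... any` and fails; with the exemption widened to cover every 192.168.0.0/16 destination, every tunnel destination stays untranslated and only genuine internet traffic is NATed.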
 
LVL 8

Expert Comment

by:pgolding00
ID: 24848561
no problem Michael, glad I could help.
0
