Solved

Cisco 1800 site-to-site VPN

Posted on 2009-07-16
6
Medium Priority
1,059 Views
Last Modified: 2012-08-14
I have been asked to set up 2 Cisco 1841 routers as a site-to-site VPN.

I have tried the SDM and CCP and it seems neither does a complete job,
so I have tried to do this in the command line.

I am a little out of my depth here, as Windows etc. is my ballpark.

I have head office
10.16.60.0 255.255.0.0

branch
10.16.250.0 255.255.255.0

In the long term we will have 3G cards in the remote office routers to act as failover for the ADSL lines, though I think I need an update for the IOS first for that.

So for now I want the VPN on my test bench.

I have pasted the configs of the 2 routers below.
config for router 10.16.60.13 head office

Current configuration : 3537 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname pbvpn1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$3qCy$csT6jlZlCLkVCYQj0dVsa.
enable password denyall
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1341063515
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1341063515
 revocation-check none
 rsakeypair TP-self-signed-1341063515
!
!
crypto pki certificate chain TP-self-signed-1341063515
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31333431 30363335 3135301E 170D3039 30373135 31343235
  32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343130
  36333531 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D3C9 1E54DE21 B8C5AAEA BF52780C 729E3887 9A288E10 82D9EA41 4C0EBF51
  BAF69DC3 D92FB399 0246B90B 300DBAEB EF64E9EF 0CD064A8 25348A19 AAEBC182
  374DA98D EA93A818 7CCCF907 2B1A051F A24CAC5B A6502131 BB05027F A2762B07
  673E1D7E 677D27EB EF130778 4DDAB18F FB28F729 326809DF 2D7614D0 488AB1F5
  C60B0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07706276 706E312E 301F0603 551D2304 18301680 1436B5DD
  3AB2DF5F F1DEDF19 BBBDB01A 7ADC9FEC 9D301D06 03551D0E 04160414 36B5DD3A
  B2DF5FF1 DEDF19BB BDB01A7A DC9FEC9D 300D0609 2A864886 F70D0101 04050003
  818100A3 E0467222 6136A95E E1D73A5F 95853C40 88B69700 213AB110 4BB88591
  2C573C30 638BA9DD 18351F3C 41A7EA60 4CDA946C 15B89B41 A1A3F2CE F3CF6677
  32742ED0 0F4C4C0F 8243D9FB ECD4447F 9CA972CD 1BAF54C3 FC072A64 6E37D235
  326375A0 C33DD049 56B058F7 616F6A71 B595199D 275A6AEB AB3D6BD7 08B64B4E 8414D7
  quit
username philby privilege 15 password 0 chu017
!
!
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key chu017 address 1.1.1.20
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set pbvpn esp-3des esp-md5-hmac
!
crypto map pbvpn 10 ipsec-isakmp
 set peer 1.1.1.20
 set transform-set pbvpn
 match address pbvpn
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 1.1.1.10 255.0.0.0
 ip access-group pbvpn in
 ip access-group pbvpn out
 speed auto
 full-duplex
 no mop enabled
 crypto map pbvpn
!
interface FastEthernet0/1
 ip address 10.16.60.13 255.0.0.0
 speed auto
 full-duplex
 no mop enabled
!
router rip
 redistribute connected
 network 1.0.0.0
 network 10.0.0.0
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended pbvpn
 remark CCP_ACL Category=21
 permit ahp host 1.1.1.10 host 1.1.1.20
 permit esp host 1.1.1.10 host 1.1.1.20
 permit udp host 1.1.1.10 eq isakmp host 1.1.1.20
 permit udp host 1.1.1.10 eq non500-isakmp host 1.1.1.20
 permit udp host 1.1.1.20 host 1.1.1.10 eq non500-isakmp
 permit udp host 1.1.1.20 host 1.1.1.10 eq isakmp
 permit esp host 1.1.1.20 host 1.1.1.10
 permit ahp host 1.1.1.20 host 1.1.1.10
!
access-list 2 permit 0.0.0.0 255.255.0.0
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password trustnoone
 login
!
end
 
 
 
config for remote router 10.16.250.1

Current configuration : 3957 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname pbvpn2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$E5BZ$QJcTW2ykKNVDKDHZd09I80
enable password denyall
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2708910118
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2708910118
 revocation-check none
 rsakeypair TP-self-signed-2708910118
!
!
crypto pki certificate chain TP-self-signed-2708910118
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32373038 39313031 3138301E 170D3039 30373136 30393234
  32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37303839
  31303131 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CC81 D925F52F 4EF20B1D 4FD51CCB FEA0708A 227F5098 EE6D5223 3AA20DE8
  54C49B91 F55CD5D9 19D358C3 6E7693D7 193BFD32 AFE2D40E 77FE26D8 17BBC56E
  83E5A665 07AC683C 79CB171E E8980CA3 57BA0DBC 1710BA46 7EF36E9F 2D4B3BE3
  E1D786D4 95F237DC D8C0EA2E DDE334C4 AC12A342 A854BE3F D4E15775 EAF477E0
  5ABD0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07706276 706E322E 301F0603 551D2304 18301680 14BBBF1F
  938F6C8F 5EEFD3C1 EA6271BC 434A9103 43301D06 03551D0E 04160414 BBBF1F93
  8F6C8F5E EFD3C1EA 6271BC43 4A910343 300D0609 2A864886 F70D0101 04050003
  8181008E 731C07D2 08A8DAC2 DC81B4D6 346A5A1F 2D4F3502 6B6AB9E4 3FCB6B45
  6E6354D1 F961405C 4C980761 2DC6FF3B DFE9A5BA 58429ECF ADF81C80 6A7FC7DB
  81A94D5B A37D67BC A00AD997 912D584B 79652F15 03940237 70E9EC86 9C25930A
  D7AAC4D7 03AE04F0 D63FF206 98EF8186 E5973C73 F908B747 D5EB5000 0D74528E EC95B9
  quit
username philby privilege 15 password 0 chu017
!
!
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key chu017 address 1.1.1.10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set pbvpn esp-3des esp-md5-hmac
!
crypto map pbvpn 10 ipsec-isakmp
 set peer 1.1.1.10
 set transform-set pbvpn
 match address SDM_1
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 1.1.1.20 255.0.0.0
 ip access-group pbvpn in
 ip access-group pbvpn out
 speed auto
 full-duplex
 no mop enabled
 crypto map pbvpn
!
interface FastEthernet0/1
 ip address 10.16.250.1 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
!
router rip
 redistribute connected
 network 1.0.0.0
 network 10.0.0.0
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended SDM_1
 remark CCP_ACL Category=21
 permit ahp host 1.1.1.20 host 1.1.1.10
 permit esp host 1.1.1.20 host 1.1.1.10
 permit udp host 1.1.1.20 host 1.1.1.10 eq isakmp
 permit udp host 1.1.1.20 host 1.1.1.10 eq non500-isakmp
 permit udp host 1.1.1.10 eq non500-isakmp host 1.1.1.20
 permit udp host 1.1.1.10 eq isakmp host 1.1.1.20
 permit esp host 1.1.1.10 host 1.1.1.20
 permit ahp host 1.1.1.10 host 1.1.1.20
ip access-list extended pbvpn
 remark CCP_ACL Category=21
 permit ahp host 1.1.1.20 host 1.1.1.10
 permit esp host 1.1.1.20 host 1.1.1.10
 permit udp host 1.1.1.20 eq isakmp host 1.1.1.10
 permit udp host 1.1.1.20 eq non500-isakmp host 1.1.1.10
 permit udp host 1.1.1.10 host 1.1.1.20 eq non500-isakmp
 permit udp host 1.1.1.10 host 1.1.1.20 eq isakmp
 permit esp host 1.1.1.10 host 1.1.1.20
 permit ahp host 1.1.1.10 host 1.1.1.20
!
access-list 2 permit 0.0.0.0 255.255.255.0
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password trustnoone
 login
!
end

Question by:chu017
6 Comments
 
LVL 16

Expert Comment

by:memo_tnt
ID: 24868054
0
 

Author Comment

by:chu017
ID: 24868328
I have been through a couple of examples like that; that is how I have got to where I am now.

I was hoping for something more specific than a pointer to another post.
0
 
LVL 7

Expert Comment

by:clonga13
ID: 24868520
Check your access-list pbvpn. It looks like you're only letting ESP and AH traffic through. Create a second list for VPN that allows traffic from one subnet to another:

access-list 101 permit ip 10.16.60.0 0.0.0.255 10.16.250.0 0.0.0.255

And another access list that's the inverse to prevent NATing from occurring:

access-list 102 deny ip 10.16.60.0 0.0.0.255 10.16.250.0 0.0.0.255
access-list 102 permit ip 10.16.60.0 0.0.0.255 any

Let me know if you need any more info.
0

Author Comment

by:chu017
ID: 24868603
I think I understand that.

I just ran the tunnel test from CCP; results below.

But it seems the routers can't ping each other on their 1.1.1.x interfaces (both connected to the same switch).

Am I missing something simple?
VPN Troubleshooting Report Details
 
 
 
Router Details 
 
Attribute	Value
Router Model	 1841
Image Name	 c1841-advsecurityk9-mz.124-3i.bin
IOS Version	 12.4(3i)
Hostname	 pbvpn1
 
 
Test Activity Summary 
 
Activity	Status
Checking the tunnel status...	 Down
Checking interface status...	 Successful
Checking the configuration...	 Successful
Checking Routing...	 Successful
Checking peer connectivity...	 Failed
Checking NAT...	 Successful
Checking Firewall...	 Successful
Debugging the VPN connection ...	 Completed
Checking the tunnel status...	 Down
 
 
Test Activity Details 
 
Activity	Status
Checking the tunnel status...	 Down
    Encapsulation :0	
    Decapsulation :0	
    Send Error :0	
    Received Error :0	
Checking interface status...	 Successful
    Interface :FastEthernet0/0	
    Interface physical status :Up	
    Line protocol status :Up	
Checking the configuration...	 Successful
    Checking IPSec	
    Crypto map name : pbvpn	
    Sequence number : 10	
    Crypto map type : Static	
    Peer : Configured	
    Transform set : Configured	
    Interesting traffic : Configured	
    IPSec configuration status : Valid	
    Checking IKE	
    IKE Policies : Configured	
    Policies with pre shared key authentication method : Configured	
    Global pre shared key with wild cards : Not configured	
    Pre-shared key for 1.1.1.20 Configured	
    IKE configuration status : Valid	
Checking Routing...	 Successful
    Peer :1.1.1.20:Valid(Routed through the crypto interface)	
    Traffic source :1.1.1.10:Invalid(Routed through the crypto interface)	
    Traffic destination :1.1.1.20:Valid(Routed through the crypto interface)	
    Traffic source :1.1.1.10:Invalid(Routed through the crypto interface)	
    Traffic destination :1.1.1.20:Valid(Routed through the crypto interface)	
    Traffic source :1.1.1.10:Invalid(Routed through the crypto interface)	
    Traffic destination :1.1.1.20:Valid(Routed through the crypto interface)	
    Traffic source :1.1.1.10:Invalid(Routed through the crypto interface)	
    Traffic destination :1.1.1.20:Valid(Routed through the crypto interface)	
    Traffic source :1.1.1.20:Invalid(Routed through the crypto interface)	
    Traffic destination :1.1.1.10:Valid(Routed through the crypto interface)	
    Traffic source :1.1.1.20:Invalid(Routed through the crypto interface)	
    Traffic destination :1.1.1.10:Valid(Routed through the crypto interface)	
    Traffic source :1.1.1.20:Invalid(Routed through the crypto interface)	
    Traffic destination :1.1.1.10:Valid(Routed through the crypto interface)	
    Traffic source :1.1.1.20:Invalid(Routed through the crypto interface)	
    Traffic destination :1.1.1.10:Valid(Routed through the crypto interface)	
    Traffic source :ANY:Valid(Route exists in routing table)	
    Traffic destination :ANY:Valid(Routed through the crypto interface)	
Checking peer connectivity...	 Failed
    Peer :1.1.1.20:Failed	
Checking NAT...	 Successful
Checking Firewall...	 Successful
Debugging the VPN connection ...	 Completed
    Peer :1.1.1.20	
Checking the tunnel status...	 Down
    Encapsulation :0	
    Decapsulation :0	
    Send Error :0	
    Received Error :0	
 
 
Troubleshooting Results 
Failure Reason(s)	Recommended Action(s)
There is no response from the peer 1.1.1.20	 
1) Ensure that the peer device is configured properly. Generate the mirror configuration from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer configuration. 
2) A firewall in the network or peer device may be blocking the VPN traffic. Contact the ISP or administrator to resolve this issue.
None of the peers passed the connectivity check. The check is performed by executing a ping to the peer. The connectivity check can fail due to the following reasons: 
1) The peer device is down. 
2) This router, or the public network, blocks ICMP echo packets. 
3) This router may not be connected to the public network.	 Contact your administrator/service provider to correct this problem.
The following source(s) are routed through the crypto map interface. 
1) 1.1.1.10 2) 1.1.1.10 3) 1.1.1.10 4) 1.1.1.10 5) 1.1.1.20 6) 1.1.1.20 7) 1.1.1.20 8) 1.1.1.20	 Go to 'Configure->Routing' and correct the routing table.

0
 
LVL 7

Accepted Solution

by:
clonga13 earned 750 total points
ID: 24870227
They can't ping each other because your access list pbvpn doesn't allow ICMP traffic to come across. You would need to add ICMP echo and echo-reply to the access-list for it to work.

In my opinion, you should write a separate access-list for each thing you want to do even if they look the same. One for the VPN traffic, one for the NATing, one for what traffic you want to allow into your network and one if you want to specify what you want to leave your network.

Let me know if you need any more info.
0
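As an added example (not code from the thread, from Cisco, or from any poster), here is a small Python model of IOS access-list matching, fed with the head-office `pbvpn` ACL exactly as posted in the question and with the two lists clonga13 proposed in the earlier comment. It shows why the peers cannot ping each other (no ICMP entry, so the implicit deny at the end of `pbvpn` drops the echo) while IKE on UDP/500 is permitted, how ACL 101 selects LAN-to-LAN traffic for the crypto map and ACL 102 exempts that same traffic from NAT, and it flags the underlying mistake the accepted answer is getting at: one ACL name used both as the crypto map's `match address` list and as the interface `ip access-group` filter. The sample flows, the documentation-range destination 198.51.100.9 and the `HEAD_OFFICE` snippet are constructed; the matcher models only `eq` ports and a trailing ICMP type, which is all these lists use.

```python
"""Model Cisco IOS ACL matching and spot an ACL doing double duty
(crypto-map 'match address' and interface 'ip access-group')."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # ip, icmp, udp, tcp, esp, ahp ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None      # "eq N" after the source address
    dport: Optional[int] = None      # "eq N" after the destination address
    icmp_type: Optional[str] = None  # trailing "echo" / "echo-reply"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; wildcard bits invert to a netmask."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))
    return ipaddress.IPv4Network(f"{tok[0]}/{mask}", strict=False), tok[2:]


def _port(tok):
    """Consume an optional 'eq PORT' qualifier (named or numeric)."""
    if len(tok) >= 2 and tok[0] == "eq":
        p = tok[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tok[2:]
    return None, tok


def parse_ace(line: str) -> Optional[Ace]:
    """Parse a named-ACL entry or a numbered 'access-list N ...' line; remarks give None."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    if tok[0] == "remark":
        return None
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    icmp_type = rest[0] if proto == "icmp" and rest else None
    return Ace(action, proto, src, dst, sport, dport, icmp_type)


def parse_acl(text: str) -> List[Ace]:
    return [a for a in (parse_ace(l) for l in text.splitlines() if l.strip()) if a]


def matches(ace: Ace, f: Flow) -> bool:
    return (ace.proto in ("ip", f.proto)
            and ipaddress.IPv4Address(f.src) in ace.src
            and ipaddress.IPv4Address(f.dst) in ace.dst
            and ace.sport in (None, f.sport)
            and ace.dport in (None, f.dport)
            and ace.icmp_type in (None, f.icmp_type))


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if matches(ace, f):
            return ace.action
    return "deny"


def acls_used_as_both(config: str) -> List[str]:
    """ACL names that are a crypto-map 'match address' AND an interface 'ip access-group'."""
    crypto = set(re.findall(r"^\s*match address (\S+)", config, re.M))
    iface = set(re.findall(r"^\s*ip access-group (\S+) (?:in|out)", config, re.M))
    return sorted(crypto & iface)


# The head-office 'pbvpn' ACL as posted in the question (remark line omitted).
PBVPN = parse_acl("""
 permit ahp host 1.1.1.10 host 1.1.1.20
 permit esp host 1.1.1.10 host 1.1.1.20
 permit udp host 1.1.1.10 eq isakmp host 1.1.1.20
 permit udp host 1.1.1.10 eq non500-isakmp host 1.1.1.20
 permit udp host 1.1.1.20 host 1.1.1.10 eq non500-isakmp
 permit udp host 1.1.1.20 host 1.1.1.10 eq isakmp
 permit esp host 1.1.1.20 host 1.1.1.10
 permit ahp host 1.1.1.20 host 1.1.1.10
""")
# clonga13's lists: 101 = interesting traffic for the crypto map, 102 = NAT exemption.
ACL_101 = parse_acl("access-list 101 permit ip 10.16.60.0 0.0.0.255 10.16.250.0 0.0.0.255")
ACL_102 = parse_acl("""
access-list 102 deny ip 10.16.60.0 0.0.0.255 10.16.250.0 0.0.0.255
access-list 102 permit ip 10.16.60.0 0.0.0.255 any
""")
# Constructed sample flows (198.51.100.9 is a documentation address, not a real target).
PEER_PING = Flow("icmp", "1.1.1.10", "1.1.1.20", icmp_type="echo")
IKE = Flow("udp", "1.1.1.20", "1.1.1.10", sport=500, dport=500)
LAN_TO_LAN = Flow("ip", "10.16.60.5", "10.16.250.7")
LAN_TO_INTERNET = Flow("ip", "10.16.60.5", "198.51.100.9")
# Constructed excerpt of the posted head-office config: same ACL in both roles.
HEAD_OFFICE = """
crypto map pbvpn 10 ipsec-isakmp
 match address pbvpn
interface FastEthernet0/0
 ip access-group pbvpn in
 ip access-group pbvpn out
 crypto map pbvpn
"""

if __name__ == "__main__":
    print("peer ping through pbvpn:", evaluate(PBVPN, PEER_PING))          # deny
    print("IKE through pbvpn:", evaluate(PBVPN, IKE))                      # permit
    print("LAN-to-LAN interesting (101):", evaluate(ACL_101, LAN_TO_LAN))  # permit
    print("LAN-to-LAN NAT-exempt (102):", evaluate(ACL_102, LAN_TO_LAN))   # deny
    print("internet traffic NATed (102):", evaluate(ACL_102, LAN_TO_INTERNET))  # permit
    print("ACLs doing double duty:", acls_used_as_both(HEAD_OFFICE))       # ['pbvpn']
```

Run against the posted config the checker reports `pbvpn` on the head-office router, which is the reason an interface filter written for the IKE/ESP control plane also decides what traffic the tunnel protects. The remote router avoids the name clash (its crypto map matches `SDM_1`), but that list has the same peer-to-peer contents, so neither router selects LAN-to-LAN traffic as interesting; clonga13's three-list split (101 for the crypto map, 102 for NAT exemption, a separate list for the interface) is what resolves both problems.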
 

Author Closing Comment

by:chu017
ID: 31604156
A very useful post that has taken me in the right direction.
Thank you.
0