Cisco L2L VPN problem

I am having a problem with a site-to-site VPN setup. I am receiving the following errors on the hub router:

000221: *Feb 26 16:38:49.341 EST: ISAKMP:(2031): IPSec policy invalidated proposal with error 256
000222: *Feb 26 16:38:49.341 EST: ISAKMP:(2031): phase 2 SA policy not acceptable! (local 216.222.165.72 remote 216.222.162.155)
000223: *Feb 26 16:38:49.341 EST: ISAKMP:(2031):deleting node -1773415254 error TRUE reason "QM rejected"

I receive the following error on the remote router:

ISAKMP:(2002):deleting node -1382141815 error TRUE reason "Delete Larval"

Here is the config for the main site:

Building configuration...

Current configuration : 9226 bytes
!
! Hub (main site) router, IOS 12.4. Public addresses and secrets are
! redacted in this paste (x.x.x.x / xxxxx).
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type 7 obfuscation for plain-text passwords in the config; it is
! reversible, not a hash, so config dumps still need to be protected.
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
! Login-failure rate limiting and minimum password length; the enable
! secret is stored as a type 5 (MD5) hash.
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxx
!
aaa new-model
!
!
! Local AAA method lists. clientauth and groupauthor are referenced by the
! ISAKMP client profiles further down; local_authen and local_author are
! not referenced anywhere in the part of the config shown here (the line
! vty section is not in the paste).
aaa authentication login local_authen local
aaa authentication login clientauth local
aaa authentication ppp default local
aaa authorization exec local_author local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
! Drop source-routed packets.
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
! LAN DHCP: the two exclusions leave 192.168.1.100-.200 for lease, gateway
! .1, external DNS servers.
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool POOL_LAN_DHCP
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 64.33.128.10 209.143.0.10
!
!
ip tcp synwait-time 10
ip tftp source-interface Vlan1
no ip bootp server
no ip domain lookup
ip domain name local
ip name-server 64.33.128.10
ip name-server 209.143.0.10
! SSH hardening: 60 s negotiation timeout, two authentication attempts.
ip ssh time-out 60
ip ssh authentication-retries 2
! CBAC stateful inspection rule set; applied outbound on Dialer1
! ("ip inspect CBACinspect out") so that return traffic for these
! protocols is admitted past ACL_outside_in.
ip inspect name CBACinspect cuseeme
ip inspect name CBACinspect ftp
ip inspect name CBACinspect h323
ip inspect name CBACinspect icmp
ip inspect name CBACinspect netshow
ip inspect name CBACinspect rcmd
ip inspect name CBACinspect realaudio
ip inspect name CBACinspect rtsp
ip inspect name CBACinspect esmtp
ip inspect name CBACinspect sqlnet
ip inspect name CBACinspect streamworks
ip inspect name CBACinspect tftp
ip inspect name CBACinspect tcp
ip inspect name CBACinspect udp
ip inspect name CBACinspect vdolive
vpdn enable
!
!
!
!

!
!
! ---- IKE/IPsec: one site-to-site peer plus two remote-access groups ----
! Keyring holding the pre-shared key for the L2L peer x.x.x.155; bound to
! isakmp profile L2L below.
crypto keyring L2L
  pre-shared-key address x.x.x.155 key xxxxxxx
!
! Phase 1 (ISAKMP) policy: 3DES, pre-shared key, DH group 2; hash and
! lifetime are left at the IOS defaults. The spoke's policy 10 has to
! match on every attribute. 3DES and group 2 are legacy strength — move
! both ends to AES and a larger DH group once the platforms allow it.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Remote-access client groups: group key, address pool and split-tunnel
! ACL for each.
crypto isakmp client configuration group RemoteAccessVPN
 key xxxxxxxxx
 pool Pool_RemoteAccessVPN
 acl ACL_VPN_RemoteAccess
!
crypto isakmp client configuration group watertower
 key xxxxxx
 pool watertower
 acl VPN_watertower
! ISAKMP profiles. VPNClient matches the RemoteAccessVPN group identity
! and uses the local AAA lists for user (xauth) and group authorization.
crypto isakmp profile VPNClient
   description VPN clients with access LAN
   match identity group RemoteAccessVPN
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
! NOTE(review): profile L2L matches the spoke by address and binds keyring
! L2L, but the static entry "crypto map VPNmap 40" below has no
! "set isakmp-profile L2L". Confirm whether the phase 2 entry is meant to
! be tied to this profile; a profile/map mismatch is one thing to rule out
! for the "phase 2 SA policy not acceptable" error.
crypto isakmp profile L2L
   keyring L2L
 match identity address x.x.x.155 255.255.255.255
! NOTE(review): "client authentication list local" names a login list
! called "local", but only local_authen and clientauth are defined above —
! verify this list exists.
crypto isakmp profile watertower
   match identity group watertower
   client authentication list local
   isakmp authorization list groupauthor
   client configuration address respond
!
!
! Phase 2 transform sets. Only ESP-AES256-SHA and newset are referenced by
! the crypto maps below; the other three are unused as pasted.
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set newset esp-3des esp-sha-hmac
!
! Dynamic map for remote-access peers. Entries 10 and 15 carry no
! isakmp-profile and no match address; entry 15 offers the same 3DES/SHA
! set as the L2L peer, so check which entry the spoke actually lands on.
crypto dynamic-map dynmap 5
 set transform-set ESP-AES256-SHA
 set isakmp-profile VPNClient
crypto dynamic-map dynmap 10
 set transform-set ESP-AES256-SHA
crypto dynamic-map dynmap 15
 set transform-set newset
!
!
! Crypto map applied to Dialer1. The dynamic entry (30) has a lower
! sequence number than the static L2L entry (40); Cisco's guidance is to
! give dynamic entries the highest sequence number so static peers are
! evaluated first — confirm this ordering is intended.
crypto map VPNmap 30 ipsec-isakmp dynamic dynmap
! Static L2L entry: peer x.x.x.155, 3DES/SHA, interesting traffic defined
! by ACL_L2L_watertower (192.168.1.0/24 <-> 192.168.13.0/24).
crypto map VPNmap 40 ipsec-isakmp
 set peer x.x.x.155
 set transform-set newset
 match address ACL_L2L_watertower
!
!
!
!
! ---- Interfaces ----
! Null0 is the blackhole target; suppress unreachables for discarded traffic.
interface Null0
 no ip unreachables
!
! 10.20.30.41, the next hop set by route-map RMAP_NO_STATIC_NAT, lies in
! this loopback's /24 — presumably the "not subject to NAT" path the
! description refers to; confirm against the route-map below.
interface Loopback0
 description Lo0 used for outbound traffic not subject to NAT
 ip address 10.20.30.40 255.255.255.0
!
! Physical WAN port (PPPoE client); the routed outside interface is
! Dialer1. uRPF plus no redirects/unreachables/proxy-arp/CDP on the
! Internet-facing side.
interface FastEthernet0
 description External - Internet - to DSL modem
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
! Only switch port placed in VLAN 12 (see interface Vlan12).
interface FastEthernet9
 switchport access vlan 12
!
! LAN SVI, 192.168.1.1/24, NAT inside. Policy routing via
! RMAP_NO_STATIC_NAT steers VPN-bound traffic (see the route-map below).
interface Vlan1
 description Internal LAN
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map RMAP_NO_STATIC_NAT
!
! Second inside VLAN with no address configured.
interface Vlan12
 no ip address
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
! Logical outside interface: inbound ACL, NAT outside, CBAC outbound, MSS
! clamp for PPPoE, and the crypto map. The PAP password is type 7
! (reversible), which PAP requires but means the config dump carries it.
interface Dialer1
 ip address negotiated
 ip access-group ACL_outside_in in
 ip nat outside
 ip inspect CBACinspect out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxx password 7 xxxxx
 ppp ipcp dns request
 ppp ipcp address accept
 crypto map VPNmap
!
! Address pools for the two remote-access groups; default route via PPPoE.
ip local pool Pool_RemoteAccessVPN 192.168.100.100 192.168.100.150
ip local pool watertower 192.168.9.50 192.168.9.60
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
! ---- NAT, access lists and policy routing ----
! HTTP and HTTPS servers are both disabled.
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
! Static port forward: outside TCP/1000 -> 192.168.1.41:23 (telnet).
! Together with "permit tcp any host x.x.x.72 eq 1000" in ACL_outside_in
! this exposes a clear-text telnet service to any Internet source;
! restrict the source or front it with SSH.
ip nat inside source static tcp 192.168.1.41 23 interface Dialer1 1000
! PAT for LAN traffic selected by NAT_RMAP (everything except VPN
! destinations).
ip nat inside source route-map NAT_RMAP interface Dialer1 overload
!
! Crypto ACL for the L2L tunnel; mirror image of the spoke's ACL 110.
ip access-list extended ACL_L2L_watertower
permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended ACL_NAT_RMAP
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
! PBR selector: LAN traffic to the three VPN networks is policy-routed to
! 10.20.30.41 (see RMAP_NO_STATIC_NAT); everything else is routed normally.
ip access-list extended ACL_RMAP_NO_STATIC
 permit ip 192.168.1.0 0.0.0.255 192.168.13.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 any
! Split-tunnel ACL for the RemoteAccessVPN group.
ip access-list extended ACL_VPN_RemoteAccess
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
! Inbound filter on Dialer1 (implicit deny at the end). IKE, NAT-T, ESP,
! AH and GRE are open from any source for the VPNs. SSH (22), telnet (23)
! and the port-1000 forward are also open from any source — telnet and
! the forward are clear-text management paths; prefer SSH only with a
! restricted source. The last two "permit ip" lines are redacted and, as
! written, the second token parses as a wildcard mask, so their intent
! cannot be read from the paste.
ip access-list extended ACL_outside_in
 permit udp any eq bootps any eq bootpc
 permit icmp any host x.x.x.72 echo-reply
 permit icmp any host x.x.x.72 time-exceeded
 permit icmp any host x.x.x.72 unreachable
 permit udp any host x.x.x.72 eq non500-isakmp
 permit udp any host x.x.x.72 eq isakmp
 permit esp any host x.x.x.72
 permit ahp any host x.x.x.72
 permit gre any host x.x.x.72
 permit tcp any host x.x.x.72 eq 22
 permit tcp any host x.x.x.72 eq telnet
 permit tcp any host x.x.x.72 eq 1000
 deny   tcp any host x.x.x.72 eq cmd
 deny   udp any host x.x.x.72 eq snmp
 permit ip x.x.x.x x.x.x.72 any
 permit ip x.x.x.x x.x.x.72 any
! Intended as the vty access-class (LAN and remote-access pool only). The
! line vty section is not in this paste, so whether it is applied cannot
! be confirmed here.
ip access-list extended ACL_vty_access_in
 remark VTY Access-class list
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 remark VTY Access-class list
 deny   ip any any
! Split-tunnel ACL for the watertower group; also pushes the spoke LAN
! (192.168.13.0/24) to those clients.
ip access-list extended VPN_watertower
 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 permit ip 192.168.13.0 0.0.0.255 192.168.9.0 0.0.0.255
!
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
!
!
!
! NAT selector (VPN destinations excluded by ACL_NAT_RMAP).
route-map NAT_RMAP permit 1
 match ip address ACL_NAT_RMAP
!

! PBR applied on Vlan1: VPN-bound LAN traffic gets next hop 10.20.30.41,
! an address in Loopback0's subnet, so it bypasses the NAT path.
route-map RMAP_NO_STATIC_NAT permit 1
 match ip address ACL_RMAP_NO_STATIC
 set ip next-hop 10.20.30.41
!
!
!
!
control-plane
!
!

This is the config for the remote site:

Building configuration...

Current configuration : 3863 bytes
!
! Spoke (remote site) router, first paste. The asker later says this paste
! was chopped up; the re-paste further down is the one to rely on.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

dot11 syslog
!
!
ip cef
no ip domain lookup
!
!
!

!
! Phase 1 policy as pasted has no "group" line, so IOS would fall back to
! its default DH group 1 and not match the hub's group 2. The asker's
! follow-up states group 2 is actually configured and this was a copy error.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
! Global pre-shared key for the hub x.x.x.72 (no keyring/profile here).
crypto isakmp key xxxxxx address x.x.x.72
!
!
! 3DES/SHA transform set; same algorithms as the hub's "newset".
crypto ipsec transform-set newest esp-3des esp-sha-hmac
!
! Single static crypto map entry toward the hub; interesting traffic is
! ACL 110 (192.168.13.0/24 -> 192.168.1.0/24), the mirror image of the
! hub's ACL_L2L_watertower.
crypto map newmap 10 ipsec-isakmp
 set peer x.x.x.72
 set transform-set newest
 match address 110
!
! Config-change archive with key material suppressed from the change log.
archive
 log config
  hidekeys
!
!
ip tcp mss 1452
!
bridge irb
!
!
! ATM/DSL uplink carrying the PPPoE session that Dialer1 terminates.
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Spoke LAN 192.168.13.1/24, NAT inside.
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no autostate
!
! Outside interface: NAT outside and the crypto map. No inbound
! access-group is applied on this interface in this paste. PAP password is
! type 7 (reversible).
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxx password 7 xxxxxx
 ppp ipcp dns request
 ppp ipcp address accept
 crypto map newmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! HTTP and HTTPS servers are disabled; access-class 23 only takes effect if
! one of them is re-enabled.
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! NOTE(review): "ip nat inside/outside" is set on the interfaces, but this
! paste contains no "ip nat inside source" rule and hence no NAT exemption
! for VPN traffic; the re-paste below shows list 102 providing that.
access-list 23 permit 10.10.10.0 0.0.0.7
! Crypto ACL; mirror of the hub's ACL_L2L_watertower.
access-list 110 permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!

Any help would be greatly appreciated.  Thanks!


Les Moore

! Phase 1 policy proposed for the spoke; every attribute (encryption,
! hash, authentication, DH group, lifetime) has to match the hub's policy
! 10 for IKE to complete.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2  <<<=== add this to the remote router. Your policies must be identical.



I mis-copied the config. On looking at the remote router, group 2 is in the policy.

! Spoke phase 1 policy as actually configured: 3DES, pre-shared key,
! DH group 2 — the same attributes as the hub's policy 10.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
I don't see the NAT policy at the remote site config
The spoke config got chopped up for some reason. I am going to re-paste it here. Sorry for the inconvenience.

Building configuration...

Current configuration : 4068 bytes
!
! Spoke (remote site) router, re-pasted in full. Differs from the first
! paste in "no ip cef", the transform-set name (newset) and the NAT rule.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type 7 obfuscation of plain-text passwords; reversible, not a hash.
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
! AAA disabled: "login local" on the lines uses the local username
! database. No username entries appear in this paste (possibly redacted).
no aaa new-model
!
dot11 syslog
!
!
no ip cef
no ip domain lookup
ip domain name menomonie.net
!
!
!
!
!
! Phase 1 policy: 3DES, pre-shared key, DH group 2, default hash and
! lifetime — matches the hub's policy 10 attribute for attribute.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Global pre-shared key for the hub x.x.x.72 (no keyring/profile here).
crypto isakmp key xxxxx address x.x.x.72
!
!
! 3DES/SHA transform set; same name and algorithms as the hub's "newset".
crypto ipsec transform-set newset esp-3des esp-sha-hmac
!
! Single static crypto map entry toward the hub; interesting traffic is
! ACL 110 (192.168.13.0/24 -> 192.168.1.0/24), the mirror image of the
! hub's ACL_L2L_watertower.
crypto map newmap 10 ipsec-isakmp
 set peer x.x.x.72
 set transform-set newset
 match address 110
!
! Config-change archive with key material suppressed from the change log.
archive
 log config
  hidekeys
!
!
ip tcp mss 1452
!
bridge irb
!
!
! Tunnel0 has no address and is not referenced elsewhere in the paste;
! it appears unused.
interface Tunnel0
 no ip address
!
! ATM/DSL uplink carrying the PPPoE session that Dialer1 terminates.
interface ATM0
 no ip address
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Spoke LAN 192.168.13.1/24, NAT inside.
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no autostate
!
! Outside interface: NAT outside and the crypto map. No inbound
! access-group is applied here, so only NAT and the crypto map act on
! inbound traffic from the Internet. PAP password is type 7 (reversible).
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxx password 7 xxxxx
 ppp ipcp dns request
 ppp ipcp address accept
 crypto map newmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! HTTP and HTTPS servers are disabled; access-class 23 only takes effect if
! one of them is re-enabled.
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT for LAN traffic selected by list 102.
ip nat inside source list 102 interface Dialer1 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
! NAT exemption: the deny for 192.168.13.0/24 -> 192.168.1.0/24 must stay
! ahead of the permit so VPN traffic is not translated and still matches
! crypto ACL 110.
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
! Crypto ACL; mirror of the hub's ACL_L2L_watertower.
access-list 110 permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
! vty: local login, every session starts at privilege 15, and telnet is
! accepted alongside SSH with no access-class shown on these lines. With
! no inbound ACL on Dialer1 either, prefer "transport input ssh" and an
! access-class limited to the management sources.
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
ASKER CERTIFIED SOLUTION
Hi Dear,

Can you explain why you used 1000 instead of 40, and how that eliminated the issue?
How was this solved?

We have the same issue.

Please help