Solved

HP 7102dl VPN Site to Site Tunnel

Posted on 2011-02-20
Last Modified: 2012-05-11
I am trying to create a site to site VPN tunnel between two HP 7102dl routers in the lab but cannot get the tunnel to come up.  I have tried both CLI and the wizard but neither works.

Please see the attached Connect.jpg file for a network diagram and the config files.  In the lab I have two, just to get it working, but ultimately I need to get 4 site to site links up.

What am I doing wrong?

   Network Diagram

Li Router

 
hostname "Li"
enable password encrypted "password"
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip routing
!
!
ip host "LiCont" 192.168.5.250
ip host "LiR" 192.168.5.254
ip host "LiS" 192.168.5.253
no ip domain-lookup
!
!
event-history on
no logging forwarding
no logging email
!
service password-encryption
!
username "admin_bmills" password encrypted "password"
!
banner motd %
***********************************************************
   WARNING TO UNAUTHORIZED USERS: This system is for the
use of authorized users only. Individuals using this
computer system without authority, or in excess of their
authority, are subject to having all of their activities
on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using
this system, or in the course of system maintenance, the
activities of authorized users may be monitored.  Anyone
using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
evidence of such monitoring to law enforcement officials.
***********************************************************
%
!
!
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
no autosynch-mode
no safe-mode
!
!
!
!
!
ip dhcp-server excluded-address 192.168.5.1 192.168.5.20
ip dhcp-server excluded-address 192.168.5.240 192.168.5.254
!
ip dhcp-server pool "Li"
  network 192.168.5.0 255.255.255.0
  domain-name "internet.com"
  dns-server 192.168.5.254
  default-router 192.168.5.254
!
!
!
ip crypto
!
crypto ike policy 100
  no initiate
  respond anymode
  local-id address 10.184.36.78
  peer 10.184.36.77
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.77
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.5.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.78  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.77
!
no ip tftp server
no ip tftp server overwrite
ip http server
no ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
no snmp-server enable traps
!
!
!
ip sip
no ip sip proxy transparent
!
!
!
!
line con 0
  no login
!
line telnet 0 4
  login
  password encrypted "Password"
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
!
!
!
!
end




La Router

 
hostname "La"
enable password encrypted "password"
!
clock timezone -5-Eastern-Time
!
ip subnet-zero
ip classless
ip routing
!
!
ip host "LaCont" 192.168.4.250
ip host "LaR" 192.168.4.254
ip host "LaS" 192.168.4.253
no ip domain-lookup
!
!
event-history on
no logging forwarding
no logging email
!
service password-encryption
!
username "admin_bmills" password encrypted "password"
!
banner motd %
***********************************************************
   WARNING TO UNAUTHORIZED USERS: This system is for the
use of authorized users only. Individuals using this
computer system without authority, or in excess of their
authority, are subject to having all of their activities
on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using
this system, or in the course of system maintenance, the
activities of authorized users may be monitored.  Anyone
using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
evidence of such monitoring to law enforcement officials.
***********************************************************
%
!
!
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
no autosynch-mode
no safe-mode
!
!
!
!
!
ip dhcp-server excluded-address 192.168.4.1 192.168.4.20
ip dhcp-server excluded-address 192.168.4.240 192.168.4.254
!
ip dhcp-server pool "La"
  network 192.168.4.0 255.255.255.0
  domain-name "internet.com"
  dns-server 192.168.4.254
  default-router 192.168.4.254
!
!
!
ip crypto
!
crypto ike policy 100
  no initiate
  respond anymode
  local-id address 10.184.36.77
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.4.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.77  255.255.255.0
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.78
!
no ip tftp server
no ip tftp server overwrite
ip http server
no ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
no snmp-server enable traps
!
!
!
ip sip
no ip sip proxy transparent
!
!
!
!
line con 0
  no login
!
line telnet 0 4
  login
  password encrypted "password"
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
!
!
!
!
end



Thanks!!
Question by:millsusaf
7 Comments
 

Expert Comment

by:Ernie Beek
ID: 34938928
On the La Router I miss 'crypto map VPN' on interface eth 0/2.

Author Comment

by:millsusaf
ID: 34938990
Thank you, it is now there but the tunnel still will not come up.

I have clients on both sides of the private network trying to ping (constant) the opposite network private router address but no joy.

Expert Comment

by:Ernie Beek
ID: 34939024
Ok,

I also have my doubts about the access-list.

Normally it should be:

ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255

For the Li router and

ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255

For the La router.

Furthermore, is anything showing up in the log which might give us an indication?

Author Comment

by:millsusaf
ID: 34939237
I've made that change as well but it's still not working.  Unfortunately the logs are not giving me much of anything.  Logging on this router leaves something to be desired.

Accepted Solution

by:Ernie Beek
ID: 34941124
After some more digging another thing shows up:
crypto ike policy 100
  no initiate

On both sides.

That should be
crypto ike policy 100
initiate main
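The three things Ernie Beek flagged in this thread (no `crypto map VPN` on La's outside interface, selector ACL entries that should only read local-to-remote, and `no initiate` on both ends so neither router ever starts IKE phase 1) can be checked mechanically before touching the routers. The Python below is an added example, not code from the thread or from HP/ADTRAN tooling; it assumes a simplified AOS-style layout (indented lines belong to the preceding unindented stanza) and uses constructed miniatures of the two posted configs with the same addresses.

```python
import ipaddress
def parse_vpn(config):
    """Pull the tunnel-relevant facts out of an AOS-style running-config dump (layout as posted in the thread)."""
    facts, block = {"initiate": False, "map_ifaces": [], "acl": [], "nets": []}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                     # unindented command opens a new stanza
            block = line
            if line.startswith("hostname"):
                facts["hostname"] = line.split('"')[1]
        elif block.startswith("crypto ike policy"):
            if line.startswith("initiate"):             # 'no initiate' deliberately does not match
                facts["initiate"] = True
            elif line.startswith(("local-id", "peer")):
                facts[line.split()[0]] = line.split()[-1]
        elif block.startswith("interface"):
            if line.startswith("crypto map"):
                facts["map_ifaces"].append(block)
            elif line.startswith("ip address"):         # "ip address A.B.C.D MASK" -> connected network
                facts["nets"].append(ipaddress.ip_network("/".join(line.split()[2:]), strict=False))
        elif block.startswith("ip access-list") and line.startswith("permit"):
            facts["acl"].append(tuple(line.split()[2::2]))   # (source net, destination net)
    return facts

def check_pair(a, b):
    """Return the reasons the two ends cannot bring the tunnel up; an empty list means they look consistent."""
    findings = []
    for side, other in ((a, b), (b, a)):
        name = side["hostname"]
        if not side["map_ifaces"]:
            findings.append(f"{name}: crypto map is not applied to any interface")
        if side.get("peer") != other.get("local-id"):
            findings.append(f"{name}: peer {side.get('peer')} != {other['hostname']} local-id {other.get('local-id')}")
        for src, dst in side["acl"]:                    # selectors must read local -> remote and be mirrored
            if not any(ipaddress.ip_address(src) in net for net in side["nets"]):
                findings.append(f"{name}: selector source {src} is not a network on this router")
            if (dst, src) not in other["acl"]:
                findings.append(f"{name}: selector {src}->{dst} has no mirror on {other['hostname']}")
    if not (a["initiate"] or b["initiate"]):
        findings.append("neither side initiates IKE ('no initiate' on both), so phase 1 never starts")
    return findings
# Constructed miniature of the thread's two configs: same addresses, only the tunnel-relevant lines kept.
TEMPLATE = ('hostname "{n}"\ncrypto ike policy 100\n  {ike}\n  local-id address {wan}\n  peer {peer}\n'
            'interface eth 0/1\n  ip address {lan} 255.255.255.0\ninterface eth 0/2\n  ip address {wan} '
            '255.255.255.0\n{map}ip access-list extended VPN-10-vpn-selectors\n{acl}')
BOTH_WAYS = "  permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255\n  permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255\n"
LI_AS_POSTED = TEMPLATE.format(n="Li", ike="no initiate", wan="10.184.36.78", peer="10.184.36.77",
                               lan="192.168.5.254", map="  crypto map VPN\n", acl=BOTH_WAYS)
LA_AS_POSTED = TEMPLATE.format(n="La", ike="no initiate", wan="10.184.36.77", peer="10.184.36.78",
                               lan="192.168.4.254", map="", acl=BOTH_WAYS)
```

Running `check_pair(parse_vpn(LI_AS_POSTED), parse_vpn(LA_AS_POSTED))` reports the missing crypto map on La, the reversed selector line on each side, and the missing initiator; with `initiate main` on both ends, the map applied, and one local-to-remote selector per side it returns an empty list.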

Author Closing Comment

by:millsusaf
ID: 34951480
Awesome!  Thank you very much.

Expert Comment

by:Ernie Beek
ID: 34951667
You're welcome and thank YOU for the points.