Sc0tte
asked on
CISCO IOS 3 way Lan-to-Lan VPN
I have 3 x Cisco 877 K9's in each of Brisbane, Sydney and Melbourne. The site to site VPN between SYD and BNE works fine. Just trying to add MEL into the picture.
Everything on the MEL router seems fine, except that it's not picking up the VPN connections.
I'm quite a novice with Cisco gear, so take it easy ;)
Here's a "show crypto map" from each router.
BRISBANE_VPN - 10.10.1.0/24 - BRISBANE
---------------------------------------------
Crypto Map "IPSEC-MAPS" 10 ipsec-isakmp
Peer = SYDNEY
Extended IP access list 101
access-list 101 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
Current peer: SYDNEY
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
3DESSHA,
}
Crypto Map "IPSEC-MAPS" 20 ipsec-isakmp
Peer = MELB
Extended IP access list 102
access-list 102 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
Current peer: MELBOURNE
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
3DESSHA,
}
Interfaces using crypto map IPSEC-MAPS:
Virtual-Access2
Dialer1
SYDNEY_VPN - 10.10.2.0/24 - SYDNEY
-----------------------------------
Sydney#show crypto map
Crypto Map "IPSEC-MAPS" 10 ipsec-isakmp
Peer = BRISBANE
Extended IP access list 101
access-list 101 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
Current peer: BRISBANE
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
3DESSHA,
}
Crypto Map "IPSEC-MAPS" 20 ipsec-isakmp
Peer = MELB
Extended IP access list 102
access-list 102 permit ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255
Current peer: MELB
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
3DESSHA,
}
Interfaces using crypto map IPSEC-MAPS:
Virtual-Access3
Dialer1
MELBOURNE_VPN - 10.10.3.0/24 - MELB
------------------------------------
MELB#show crypto map
Crypto Map "IPSEC-MAPS" 10 ipsec-isakmp
Peer = BRISBANE
Extended IP access list 101
access-list 101 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
Current peer: BRISBANE
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
3DESSHA,
}
Crypto Map "IPSEC-MAPS" 20 ipsec-isakmp
Peer = SYDNEY
Extended IP access list 102
access-list 102 permit ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
Current peer: SYDNEY
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
3DESSHA,
}
Interfaces using crypto map IPSEC-MAPS:
Dialer1
Virtual-Access2
I've cleared and re-entered the MELB router a few times, and done numerous reloads, etc.
Happy to post more data, but if anyone has any ideas of where I'm going wrong, I really need some help.
ASKER
Here's the "show crypto isakmp sa"
N.B I've substituted our actual IP's with just city names
Brisbane
BrisVPN#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
SYDNEY BRISBANE QM_IDLE 2001 0 ACTIVE
Sydney
Sydney#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
SYDNEY BRISBANE QM_IDLE 2488 0 ACTIVE
Melbourne (blank)
MELB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
And,,, the running configs. (altered only to protect the innocent) :)
Brisbane
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname BrisVPN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable password 7 <mysecret>
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password 7 <mysecret>
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <abc12345> address SYDNEY
crypto isakmp key <abc12345> address MELBOURNE
crypto isakmp key <abc12345> address OLD_MELBOURNE
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto map IPSEC-MAPS 10 ipsec-isakmp
set peer SYDNEY
set transform-set 3DESSHA
set pfs group2
match address 101
crypto map IPSEC-MAPS 20 ipsec-isakmp
set peer MELBOURNE
set transform-set 3DESSHA
set pfs group2
match address 102
!
archive
log config
hidekeys
!
!
!
class-map match-any PRIORITY-DATA
description Important traffic such as RDP, VNC and Citrix traffic
match access-group name ImportantTraffic
class-map match-any VOICE
match ip dscp ef
match ip dscp cs5
match ip dscp af41
class-map match-any CALL-SIGNALING
match ip dscp cs3
match ip dscp af31
!
!
policy-map QOS-policy-outside-outbound
class VOICE
priority 256
class CALL-SIGNALING
bandwidth percent 5
class PRIORITY-DATA
bandwidth percent 10
class class-default
fair-queue
queue-limit 30
!
!
!
!
interface ATM0
bandwidth 886
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 8/35
vbr-nrt 510 510 1
encapsulation aal5mux ppp dialer
dialer pool-member 1
service-policy output QOS-policy-outside-outbound
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
bandwidth 512
ip address 10.10.1.11 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
load-interval 30
!
interface Dialer1
bandwidth 512
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
ip route-cache flow
no ip mroute-cache
load-interval 30
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp chap hostname <myusername>
ppp chap password 7 <mysecret>
crypto map IPSEC-MAPS
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer1 overload
ip nat inside source static tcp 10.10.1.22 389 BRISBANE 389 extendable
ip nat inside source static tcp 10.10.1.22 1503 BRISBANE 1503 extendable
ip nat inside source static tcp 10.10.1.22 1718 BRISBANE 1718 extendable
ip nat inside source static udp 10.10.1.22 1718 BRISBANE 1718 extendable
ip nat inside source static tcp 10.10.1.22 1719 BRISBANE 1719 extendable
ip nat inside source static udp 10.10.1.22 1719 BRISBANE 1719 extendable
ip nat inside source static tcp 10.10.1.22 1720 BRISBANE 1720 extendable
ip nat inside source static tcp 10.10.1.22 1731 BRISBANE 1731 extendable
ip nat inside source static tcp 10.10.1.22 3230 BRISBANE 3230 extendable
ip nat inside source static udp 10.10.1.22 3230 BRISBANE 3230 extendable
ip nat inside source static tcp 10.10.1.22 3231 BRISBANE 3231 extendable
ip nat inside source static udp 10.10.1.22 3231 BRISBANE 3231 extendable
ip nat inside source static tcp 10.10.1.22 3232 BRISBANE 3232 extendable
ip nat inside source static udp 10.10.1.22 3232 BRISBANE 3232 extendable
ip nat inside source static tcp 10.10.1.22 3233 BRISBANE 3233 extendable
ip nat inside source static udp 10.10.1.22 3233 BRISBANE 3233 extendable
ip nat inside source static tcp 10.10.1.22 3234 BRISBANE 3234 extendable
ip nat inside source static udp 10.10.1.22 3234 BRISBANE 3234 extendable
ip nat inside source static tcp 10.10.1.22 3235 BRISBANE 3235 extendable
ip nat inside source static udp 10.10.1.22 3235 BRISBANE 3235 extendable
ip nat inside source static tcp 10.10.1.22 3236 BRISBANE 3236 extendable
ip nat inside source static udp 10.10.1.22 3236 BRISBANE 3236 extendable
ip nat inside source static tcp 10.10.1.22 3237 BRISBANE 3237 extendable
ip nat inside source static udp 10.10.1.22 3237 BRISBANE 3237 extendable
ip nat inside source static tcp 10.10.1.22 3603 BRISBANE 3603 extendable
!
ip access-list extended ImportantTraffic
permit tcp any any eq 3389
permit tcp any any eq 5900
permit tcp any any eq 5901
permit tcp any any eq 1494
ip access-list extended NAT
deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
deny ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 any
ip access-list extended POLYCOMPVX
permit tcp any any range 3230 3237
permit udp any any range 3230 3237
permit tcp any any eq 389
permit tcp any any eq 1503
permit udp any any eq 1718
permit udp any any eq 1719
permit tcp any any eq 1720
permit tcp any any eq 1731
ip access-list extended VoipTraffic
remark Traffic to and from VoIP PBX
permit ip host 10.10.1.5 any
permit ip any host 10.10.1.5
!
access-list 101 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 102 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 103 permit ip 10.10.1.0 0.0.0.255 10.10.1.0 0.0.0.255
no cdp run
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
exec-timeout 240 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Sydney
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname Sydney
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable password 7 <mysecret>
!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization network default group radius local
!
!
aaa session-id common
ip cef
!
!
!
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 1100
ip inspect one-minute high 1100
ip inspect one-minute low 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name FIRE tcp timeout 3600
ip inspect name FIRE udp timeout 15
ip inspect name FIRE ftp timeout 3600
ip inspect name FIRE rcmd timeout 3600
ip inspect name FIRE smtp timeout 3600
ip inspect name FIRE sqlnet timeout 3600
ip inspect name FIRE tftp timeout 30
ip inspect name FIRE icmp timeout 30
ip inspect name FIRE ssh timeout 3600
ip inspect name FIRE dns timeout 15
ip inspect name FIRE http timeout 3600
ip inspect name FIRE https timeout 3600
ip inspect name FIRE imap timeout 3600
ip inspect name FIRE imaps timeout 3600
ip inspect name FIRE rtsp timeout 3600
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel password 7
!
!
!
!
!
username admin privilege 15 password 7 <mysecret>
username tester password 7 <mysecret>
!
!
class-map match-any PRIORITY-DATA
description Important traffic such as RDP, VNC and Citrix traffic
match access-group name ImportantTraffic
class-map match-any VOICE
description VoIP call traffic to/from the VoIP PBX (non tagged)
match ip dscp ef
match access-group name VoipTraffic
match ip dscp cs5
match ip dscp af41
class-map match-any CALL-SIGNALING
description VoIP signaling traffic as tagged by the server
match ip dscp cs3
match ip dscp af31
!
!
policy-map QOS-policy-outside-outbound
class VOICE
priority percent 50
class CALL-SIGNALING
bandwidth percent 5
class PRIORITY-DATA
bandwidth percent 10
class class-default
fair-queue
queue-limit 30
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <abc12345> address BRISBANE
crypto isakmp key <abc12345> address UNKNOWN_ADDR
crypto isakmp key <abc12345> address MELBOURNE
crypto isakmp key <abc12345> address OLD_MELBOURNE
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto map IPSEC-MAPS 10 ipsec-isakmp
set peer BRISBANE
set transform-set 3DESSHA
set pfs group2
match address 101
crypto map IPSEC-MAPS 20 ipsec-isakmp
set peer MELBOURNE
set transform-set 3DESSHA
set pfs group2
match address 102
!
!
!
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 8/35
vbr-nrt 950 950 1
encapsulation aal5mux ppp dialer
dialer pool-member 1
service-policy output QOS-policy-outside-outbound
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool DIAL-IN
no keepalive
ppp mtu adaptive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
bandwidth 21000
bandwidth receive 950
ip address 10.10.2.10 255.255.255.0
ip mtu 1340
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
!
interface Dialer1
bandwidth 950
bandwidth receive 21000
ip address negotiated
ip access-group incoming in
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
ip route-cache flow
no ip mroute-cache
load-interval 30
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp chap hostname <myusername>
ppp chap password 7 <mypassword>
crypto map IPSEC-MAPS
!
ip local pool DIAL-IN 10.10.2.21 10.10.2.46
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source static udp 10.10.2.5 5060 interface Dialer1 5060
ip nat inside source static tcp 10.10.2.5 5060 interface Dialer1 5060
ip nat inside source static tcp 10.10.2.9 25 interface Dialer1 25
ip nat inside source static tcp 10.10.2.9 20 interface Dialer1 20
ip nat inside source static tcp 10.10.2.9 21 interface Dialer1 21
ip nat inside source static tcp 10.10.2.9 80 interface Dialer1 80
ip nat inside source static tcp 10.10.2.9 443 interface Dialer1 443
ip nat inside source static tcp 10.10.2.1 3784 interface Dialer1 3784
ip nat inside source static udp 10.10.2.1 3784 interface Dialer1 3784
ip nat inside source route-map nonat interface Dialer1 overload
!
ip access-list extended ImportantTraffic
permit tcp any any eq 3389
permit tcp any any eq 5900
permit tcp any any eq 5901
permit tcp any any eq 1494
permit tcp any any eq 3784
permit udp any any eq 3784
ip access-list extended VoipTraffic
remark Traffic to and from VoIP PBX
permit ip host 10.10.1.5 any
permit ip any host 10.10.1.5
ip access-list extended incoming
permit tcp any host SYDNEY eq smtp
permit tcp any host SYDNEY eq www
permit tcp any host SYDNEY eq 443
permit tcp any host SYDNEY eq ftp-data
permit tcp any host SYDNEY eq ftp
permit tcp any host SYDNEY eq 5060
permit udp any host SYDNEY eq 5060
permit ip host BRISBANE host SYDNEY
permit icmp any any
permit esp any any
permit gre any any
permit tcp any host SYDNEY eq 1723
permit tcp any host SYDNEY eq 1701
permit ip any any
permit tcp any host SYDNEY eq 3784
permit udp any host SYDNEY eq 3784
ip access-list extended nat-list
deny ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
deny ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255
permit tcp 10.10.2.0 0.0.0.255 any eq www
permit tcp 10.10.2.0 0.0.0.255 any eq 443
permit tcp 10.10.2.0 0.0.0.255 any eq ftp-data
permit tcp 10.10.2.0 0.0.0.255 any eq ftp
permit tcp 10.10.2.0 0.0.0.255 any eq domain
permit udp 10.10.2.0 0.0.0.255 any eq domain
permit tcp host 10.10.2.2 any eq smtp
permit ip host 10.10.1.5 any
permit ip host 10.10.1.9 any
permit icmp any any
permit tcp 10.10.2.0 0.0.0.255 any eq 3784
permit udp 10.10.2.0 0.0.0.255 any eq 3784
permit ip host 10.10.2.2 any
permit ip host 10.10.2.51 any
ip access-list extended outboundfilters
permit ip any any reflect iptraffic
permit icmp any any reflect icmptraffic
permit ip any any
permit ahp any any
permit esp any any
permit udp any any eq isakmp
!
access-list 101 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 102 permit ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255
!
!
!
route-map nonat permit 10
match ip address nat-list
!
radius-server host 10.10.1.7 auth-port 1645 acct-port 1646 key 7 <SECRET>
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 240 0
privilege level 15
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Melbourne
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname MELB
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable password 7 <SECRET>
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.3.1
ip dhcp excluded-address 10.10.3.1 10.10.3.20
!
ip dhcp pool MelbPool
network 10.10.3.0 255.255.255.0
default-router 10.10.3.10
dns-server 192.231.203.132 10.10.1.1
domain-name melb.tmchade.local
lease 7
!
!
ip name-server 10.10.1.7
ip name-server 10.10.1.1
ip name-server 10.10.2.1
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip name-server 198.142.0.51
!
!
!
username admin privilege 15 password 7 <secret>
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <abc12345> address BRISBANE
crypto isakmp key <abc12345> address SYDNEY
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto map IPSEC-MAPS 10 ipsec-isakmp
set peer BRISBANE
set transform-set 3DESSHA
set pfs group2
match address 101
crypto map IPSEC-MAPS 20 ipsec-isakmp
set peer SYDNEY
set transform-set 3DESSHA
set pfs group2
match address 102
!
!
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 8/35
vbr-nrt 510 510 1
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description --- Ethernet LAN ---
ip address 10.10.3.10 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
!
interface Dialer1
description --- Internode ADSL ---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp chap hostname <myusername>
ppp chap password 7 <mypassword>
crypto map IPSEC-MAPS
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.3.0 255.255.255.0 Vlan1
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer1 overload
!
ip access-list extended NAT
permit ip 10.10.3.0 0.0.0.255 any
deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
!
access-list 101 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 102 permit ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 240 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
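A check worth running on configs like the ones in the post above, as an added example that is not part of the original thread: extended ACLs are first-match, and on IOS inside-to-outside NAT is applied before the crypto map is consulted, so a flow that the NAT list permits ahead of its exemption `deny` leaves translated and no longer matches the crypto ACL. The function names are hypothetical, the samples are excerpts of the MELB and Brisbane configs above, and only plain `ip` entries with contiguous wildcards are handled.

```python
import ipaddress

# Constructed samples: the NAT and crypto ACL lines excerpted from the MELB and
# Brisbane running configs in the post above (indentation is absent there too).
MELB_ACLS = """\
ip access-list extended NAT
permit ip 10.10.3.0 0.0.0.255 any
deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
!
access-list 101 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 102 permit ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
"""
BRIS_ACLS = """\
ip access-list extended NAT
deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
deny ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 any
!
access-list 101 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 102 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
"""

def _take(tokens):
    """Consume one address spec (any | host A | A WILDCARD) as an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # Assumes a contiguous wildcard mask such as 0.0.0.255.
    return ipaddress.ip_network(f"{first}/{32 - wildcard.bit_length()}", strict=False)

def parse_acls(config):
    """Map ACL name/number -> ordered list of (action, src_net, dst_net)."""
    acls, current = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "access-list", "extended"] and len(tok) > 3:
            current = tok[3]
            continue
        if tok[0] == "access-list" and len(tok) > 2:
            name, tok, current = tok[1], tok[2:], None
        elif current and tok[0] in ("permit", "deny", "remark"):
            name = current
        else:
            current = None  # any other line ends the named ACL block
            continue
        if tok[0] in ("permit", "deny") and tok[1:2] == ["ip"]:
            rest = tok[2:]
            acls.setdefault(name, []).append((tok[0], _take(rest), _take(rest)))
    return acls

def natted_vpn_flows(config, nat_acl, crypto_acls):
    """Return crypto ACL flows whose first covering NAT ACL entry is a permit."""
    acls = parse_acls(config)
    findings = []
    for cname in crypto_acls:
        for action, src, dst in acls.get(cname, []):
            if action != "permit":
                continue
            for n_action, n_src, n_dst in acls.get(nat_acl, []):
                if src.subnet_of(n_src) and dst.subnet_of(n_dst):
                    if n_action == "permit":  # translated before the crypto check
                        findings.append((cname, str(src), str(dst)))
                    break  # first match wins; later entries are never reached
    return findings

if __name__ == "__main__":
    for site, cfg in (("MELB", MELB_ACLS), ("Brisbane", BRIS_ACLS)):
        print(site, natted_vpn_flows(cfg, "NAT", ["101", "102"]))
```

An empty list means every crypto ACL flow reaches a `deny` in the NAT list first and is exempt from translation.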
Config looks fine.
Do you have static IPs for all sites?
Please post the output of:
ter mon
deb cry ipsec error
ASKER
Yes, each site has static IP's
I can ping each site's external IP.
the debug command just gives me "Crypto IPSEC Error debugging is on"
Just tried to re-apply the map to dialer1... (to see if any errors occur).... nothing... :-(
MELB(config)#interface Dialer1
MELB(config-if)#no crypto map IPSEC-MAPS
MELB(config-if)#
000044: *Mar 17 05:58:24.834: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
MELB(config-if)#crypto map IPSEC-MAPS
MELB(config-if)#
000045: *Mar 17 05:58:51.742: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
MELB(config-if)#end
MELB#
I recommend you use DMVPN instead of LAN-to-LAN; it is a full mesh topology. I am also from Melbourne, and I am using DMVPN for 4 sites: Mel, Perth, Sydney & India.
ASKER
hrrm...
I had this working before. Then we closed our Melb office for a few years, and now it's back. I'm kicking myself now.
The DMVPN looks interesting, but I'm on a tight deadline... was hoping to just alter this config to get it working as is then deploy.
I'm currently in Brisbane, with a spare internet connection which I'm pretending is Melbourne.
Ok, NP
please post output of "deb cry ipsec error"
ASKER
For each router,
All I get is: Crypto IPSEC Error debugging is on.
I need it from Melbourne. Did you get any message or error on HyperTerminal?
ASKER
no,
I'm on the "Mel" router via a console cable anyway.
MELB>en
Password:
MELB#deb cry ipsec error
Crypto IPSEC Error debugging is on
MELB#
Also try this: isakmp policy 5 authentication pre-share
Are you sure you're able to ping the public IPs of the rest of the branches from Mel?
Bro, not sure. I just studied your whole config and I am not sure why it's not working. All the config looks good! We need to do more tests.
ASKER
Just checked, and yes, each router can ping each other using their external IPs.
Now that the Sydney guys have gone home, I might just try and remove/re-add the maps for BNE and MEL.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
It would be great if you would post sh run
Vikrant