Solved

CISCO IOS 3 way Lan-to-Lan VPN

Posted on 2011-03-16
468 Views
Last Modified: 2012-05-11
I have 3 x Cisco 877 K9s, one in each of Brisbane, Sydney and Melbourne.  The site-to-site VPN between SYD and BNE works fine.  Just trying to add MEL into the picture.

Everything on the MEL router seems fine, except that it's not picking up the VPN connections.
I'm quite a novice with Cisco gear, so take it easy ;)

Here's a "show crypto map" from each router.

 
BRISBANE_VPN - 10.10.1.0/24 - BRISBANE
---------------------------------------------
Crypto Map "IPSEC-MAPS" 10 ipsec-isakmp
        Peer = SYDNEY
        Extended IP access list 101
            access-list 101 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
        Current peer: SYDNEY
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                3DESSHA,
        }

Crypto Map "IPSEC-MAPS" 20 ipsec-isakmp
        Peer = MELB
        Extended IP access list 102
            access-list 102 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
        Current peer: MELBOURNE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                3DESSHA,
        }
        Interfaces using crypto map IPSEC-MAPS:
                Virtual-Access2

                Dialer1



 
SYDNEY_VPN - 10.10.2.0/24 - SYDNEY
-----------------------------------
Sydney#show crypto map
Crypto Map "IPSEC-MAPS" 10 ipsec-isakmp
        Peer = BRISBANE
        Extended IP access list 101
            access-list 101 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
        Current peer: BRISBANE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                3DESSHA,
        }

Crypto Map "IPSEC-MAPS" 20 ipsec-isakmp
        Peer = MELB
        Extended IP access list 102
            access-list 102 permit ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255
        Current peer: MELB
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                3DESSHA,
        }
        Interfaces using crypto map IPSEC-MAPS:
                Virtual-Access3

                Dialer1



 
MELBOURNE_VPN - 10.10.3.0/24 - MELB
------------------------------------
MELB#show crypto map
Crypto Map "IPSEC-MAPS" 10 ipsec-isakmp
        Peer = BRISBANE
        Extended IP access list 101
            access-list 101 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
        Current peer: BRISBANE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                3DESSHA,
        }

Crypto Map "IPSEC-MAPS" 20 ipsec-isakmp
        Peer = SYDNEY
        Extended IP access list 102
            access-list 102 permit ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
        Current peer: SYDNEY
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                3DESSHA,
        }
        Interfaces using crypto map IPSEC-MAPS:
                Dialer1

                Virtual-Access2



I've cleared and re-entered the MELB router config a few times, and done numerous reloads, etc.

Happy to post more data, but if anyone has any ideas of where I'm going wrong, I really need some help.

Question by:Sc0tte
17 Comments
 
LVL 6

Expert Comment

by:vikrantambhore
ID: 35153880
Can you please post "sh cry isa sa" from each router?
It would be great if you could also post "sh run".

Vikrant
 

Author Comment

by:Sc0tte
ID: 35153956
Here's the "show crypto isakmp sa"

N.B. I've substituted our actual IPs with just city names.

Brisbane
BrisVPN#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
SYDNEY  BRISBANE  QM_IDLE           2001    0 ACTIVE



Sydney
Sydney#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
SYDNEY       BRISBANE         QM_IDLE           2488    0   ACTIVE



Melbourne  (blank)
MELB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status



And... the running configs.  (altered only to protect the innocent)  :)

Brisbane
 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname BrisVPN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable password 7 <mysecret>
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password 7 <mysecret>
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <abc12345> address SYDNEY
crypto isakmp key <abc12345> address MELBOURNE
crypto isakmp key <abc12345> address OLD_MELBOURNE
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto map IPSEC-MAPS 10 ipsec-isakmp
 set peer SYDNEY
 set transform-set 3DESSHA
 set pfs group2
 match address 101
crypto map IPSEC-MAPS 20 ipsec-isakmp
 set peer MELBOURNE
 set transform-set 3DESSHA
 set pfs group2
 match address 102
!
archive
 log config
  hidekeys
!
!
!
class-map match-any PRIORITY-DATA
 description Important traffic such as RDP, VNC and Citrix traffic
 match access-group name ImportantTraffic
class-map match-any VOICE
 match ip dscp ef
 match ip dscp cs5
 match ip dscp af41
class-map match-any CALL-SIGNALING
 match ip dscp cs3
 match ip dscp af31
!
!
policy-map QOS-policy-outside-outbound
 class VOICE
  priority 256
 class CALL-SIGNALING
  bandwidth percent 5
 class PRIORITY-DATA
  bandwidth percent 10
 class class-default
  fair-queue
  queue-limit 30
!
!
!
!
interface ATM0
 bandwidth 886
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  vbr-nrt 510 510 1
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output QOS-policy-outside-outbound
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 bandwidth 512
 ip address 10.10.1.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1420
 load-interval 30
!
interface Dialer1
 bandwidth 512
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 ip route-cache flow
 no ip mroute-cache
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp chap hostname <myusername>
 ppp chap password 7 <mysecret>
 crypto map IPSEC-MAPS
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer1 overload
ip nat inside source static tcp 10.10.1.22 389 BRISBANE 389 extendable
ip nat inside source static tcp 10.10.1.22 1503 BRISBANE 1503 extendable
ip nat inside source static tcp 10.10.1.22 1718 BRISBANE 1718 extendable
ip nat inside source static udp 10.10.1.22 1718 BRISBANE 1718 extendable
ip nat inside source static tcp 10.10.1.22 1719 BRISBANE 1719 extendable
ip nat inside source static udp 10.10.1.22 1719 BRISBANE 1719 extendable
ip nat inside source static tcp 10.10.1.22 1720 BRISBANE 1720 extendable
ip nat inside source static tcp 10.10.1.22 1731 BRISBANE 1731 extendable
ip nat inside source static tcp 10.10.1.22 3230 BRISBANE 3230 extendable
ip nat inside source static udp 10.10.1.22 3230 BRISBANE 3230 extendable
ip nat inside source static tcp 10.10.1.22 3231 BRISBANE 3231 extendable
ip nat inside source static udp 10.10.1.22 3231 BRISBANE 3231 extendable
ip nat inside source static tcp 10.10.1.22 3232 BRISBANE 3232 extendable
ip nat inside source static udp 10.10.1.22 3232 BRISBANE 3232 extendable
ip nat inside source static tcp 10.10.1.22 3233 BRISBANE 3233 extendable
ip nat inside source static udp 10.10.1.22 3233 BRISBANE 3233 extendable
ip nat inside source static tcp 10.10.1.22 3234 BRISBANE 3234 extendable
ip nat inside source static udp 10.10.1.22 3234 BRISBANE 3234 extendable
ip nat inside source static tcp 10.10.1.22 3235 BRISBANE 3235 extendable
ip nat inside source static udp 10.10.1.22 3235 BRISBANE 3235 extendable
ip nat inside source static tcp 10.10.1.22 3236 BRISBANE 3236 extendable
ip nat inside source static udp 10.10.1.22 3236 BRISBANE 3236 extendable
ip nat inside source static tcp 10.10.1.22 3237 BRISBANE 3237 extendable
ip nat inside source static udp 10.10.1.22 3237 BRISBANE 3237 extendable
ip nat inside source static tcp 10.10.1.22 3603 BRISBANE 3603 extendable
!
ip access-list extended ImportantTraffic
 permit tcp any any eq 3389
 permit tcp any any eq 5900
 permit tcp any any eq 5901
 permit tcp any any eq 1494
ip access-list extended NAT
 deny   ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 deny   ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
 permit ip 10.10.1.0 0.0.0.255 any
ip access-list extended POLYCOMPVX
 permit tcp any any range 3230 3237
 permit udp any any range 3230 3237
 permit tcp any any eq 389
 permit tcp any any eq 1503
 permit udp any any eq 1718
 permit udp any any eq 1719
 permit tcp any any eq 1720
 permit tcp any any eq 1731
ip access-list extended VoipTraffic
 remark Traffic to and from VoIP PBX
 permit ip host 10.10.1.5 any
 permit ip any host 10.10.1.5
!
access-list 101 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 102 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 103 permit ip 10.10.1.0 0.0.0.255 10.10.1.0 0.0.0.255
no cdp run
!
!
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 240 0
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end



Sydney
 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname Sydney
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable password 7 <mysecret>
!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization network default group radius local
!
!
aaa session-id common
ip cef
!
!
!
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 1100
ip inspect one-minute high 1100
ip inspect one-minute low 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name FIRE tcp timeout 3600
ip inspect name FIRE udp timeout 15
ip inspect name FIRE ftp timeout 3600
ip inspect name FIRE rcmd timeout 3600
ip inspect name FIRE smtp timeout 3600
ip inspect name FIRE sqlnet timeout 3600
ip inspect name FIRE tftp timeout 30
ip inspect name FIRE icmp timeout 30
ip inspect name FIRE ssh timeout 3600
ip inspect name FIRE dns timeout 15
ip inspect name FIRE http timeout 3600
ip inspect name FIRE https timeout 3600
ip inspect name FIRE imap timeout 3600
ip inspect name FIRE imaps timeout 3600
ip inspect name FIRE rtsp timeout 3600
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel password 7
!
!
!
!
!
username admin privilege 15 password 7 <mysecret>
username tester password 7 <mysecret>
!
!
class-map match-any PRIORITY-DATA
 description Important traffic such as RDP, VNC and Citrix traffic
 match access-group name ImportantTraffic
class-map match-any VOICE
 description VoIP call traffic to/from the VoIP PBX (non tagged)
 match ip dscp ef
 match access-group name VoipTraffic
 match ip dscp cs5
 match ip dscp af41
class-map match-any CALL-SIGNALING
 description VoIP signaling traffic as tagged by the server
 match ip dscp cs3
 match ip dscp af31
!
!
policy-map QOS-policy-outside-outbound
 class VOICE
  priority percent 50
 class CALL-SIGNALING
  bandwidth percent 5
 class PRIORITY-DATA
  bandwidth percent 10
 class class-default
  fair-queue
  queue-limit 30
!
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <abc12345> address BRISBANE
crypto isakmp key <abc12345> address UNKNOWN_ADDR
crypto isakmp key <abc12345> address MELBOURNE
crypto isakmp key <abc12345> address OLD_MELBOURNE
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto map IPSEC-MAPS 10 ipsec-isakmp
 set peer BRISBANE
 set transform-set 3DESSHA
 set pfs group2
 match address 101
crypto map IPSEC-MAPS 20 ipsec-isakmp
 set peer MELBOURNE
 set transform-set 3DESSHA
 set pfs group2
 match address 102
!
!
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  vbr-nrt 950 950 1
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output QOS-policy-outside-outbound
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool DIAL-IN
 no keepalive
 ppp mtu adaptive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 bandwidth 21000
 bandwidth receive 950
 ip address 10.10.2.10 255.255.255.0
 ip mtu 1340
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
!
interface Dialer1
 bandwidth 950
 bandwidth receive 21000
 ip address negotiated
 ip access-group incoming in
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 ip route-cache flow
 no ip mroute-cache
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp chap hostname <myusername>
 ppp chap password 7 <mypassword>
 crypto map IPSEC-MAPS
!
ip local pool DIAL-IN 10.10.2.21 10.10.2.46
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source static udp 10.10.2.5 5060 interface Dialer1 5060
ip nat inside source static tcp 10.10.2.5 5060 interface Dialer1 5060
ip nat inside source static tcp 10.10.2.9 25 interface Dialer1 25
ip nat inside source static tcp 10.10.2.9 20 interface Dialer1 20
ip nat inside source static tcp 10.10.2.9 21 interface Dialer1 21
ip nat inside source static tcp 10.10.2.9 80 interface Dialer1 80
ip nat inside source static tcp 10.10.2.9 443 interface Dialer1 443
ip nat inside source static tcp 10.10.2.1 3784 interface Dialer1 3784
ip nat inside source static udp 10.10.2.1 3784 interface Dialer1 3784
ip nat inside source route-map nonat interface Dialer1 overload
!
ip access-list extended ImportantTraffic
 permit tcp any any eq 3389
 permit tcp any any eq 5900
 permit tcp any any eq 5901
 permit tcp any any eq 1494
 permit tcp any any eq 3784
 permit udp any any eq 3784
ip access-list extended VoipTraffic
 remark Traffic to and from VoIP PBX
 permit ip host 10.10.1.5 any
 permit ip any host 10.10.1.5
ip access-list extended incoming
 permit tcp any host SYDNEY eq smtp
 permit tcp any host SYDNEY eq www
 permit tcp any host SYDNEY eq 443
 permit tcp any host SYDNEY eq ftp-data
 permit tcp any host SYDNEY eq ftp
 permit tcp any host SYDNEY eq 5060
 permit udp any host SYDNEY eq 5060
 permit ip host BRISBANE host SYDNEY
 permit icmp any any
 permit esp any any
 permit gre any any
 permit tcp any host SYDNEY eq 1723
 permit tcp any host SYDNEY eq 1701
 permit ip any any
 permit tcp any host SYDNEY eq 3784
 permit udp any host SYDNEY eq 3784
ip access-list extended nat-list
 deny   ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
 deny   ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255
 permit tcp 10.10.2.0 0.0.0.255 any eq www
 permit tcp 10.10.2.0 0.0.0.255 any eq 443
 permit tcp 10.10.2.0 0.0.0.255 any eq ftp-data
 permit tcp 10.10.2.0 0.0.0.255 any eq ftp
 permit tcp 10.10.2.0 0.0.0.255 any eq domain
 permit udp 10.10.2.0 0.0.0.255 any eq domain
 permit tcp host 10.10.2.2 any eq smtp
 permit ip host 10.10.1.5 any
 permit ip host 10.10.1.9 any
 permit icmp any any
 permit tcp 10.10.2.0 0.0.0.255 any eq 3784
 permit udp 10.10.2.0 0.0.0.255 any eq 3784
 permit ip host 10.10.2.2 any
 permit ip host 10.10.2.51 any
ip access-list extended outboundfilters
 permit ip any any reflect iptraffic
 permit icmp any any reflect icmptraffic
 permit ip any any
 permit ahp any any
 permit esp any any
 permit udp any any eq isakmp
!
access-list 101 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 102 permit ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255
!
!
!
route-map nonat permit 10
 match ip address nat-list
!
radius-server host 10.10.1.7 auth-port 1645 acct-port 1646 key 7 <SECRET>
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 240 0
 privilege level 15
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end



Melbourne
 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname MELB
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable password 7 <SECRET>
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.3.1
ip dhcp excluded-address 10.10.3.1 10.10.3.20
!
ip dhcp pool MelbPool
   network 10.10.3.0 255.255.255.0
   default-router 10.10.3.10
   dns-server 192.231.203.132 10.10.1.1
   domain-name melb.tmchade.local
   lease 7
!
!
ip name-server 10.10.1.7
ip name-server 10.10.1.1
ip name-server 10.10.2.1
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip name-server 198.142.0.51
!
!
!
username admin privilege 15 password 7 <secret>
!
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <abc12345> address BRISBANE
crypto isakmp key <abc12345> address SYDNEY
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto map IPSEC-MAPS 10 ipsec-isakmp
 set peer BRISBANE
 set transform-set 3DESSHA
 set pfs group2
 match address 101
crypto map IPSEC-MAPS 20 ipsec-isakmp
 set peer SYDNEY
 set transform-set 3DESSHA
 set pfs group2
 match address 102
!
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  vbr-nrt 510 510 1
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description --- Ethernet LAN ---
 ip address 10.10.3.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
!
interface Dialer1
 description --- Internode ADSL ---
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp chap hostname <myusername>
 ppp chap password 7 <mypassword>
 crypto map IPSEC-MAPS
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.3.0 255.255.255.0 Vlan1
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer1 overload
!
ip access-list extended NAT
 permit ip 10.10.3.0 0.0.0.255 any
 deny   ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
 deny   ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
!
access-list 101 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 102 permit ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 240 0
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end


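A consistency check over the kind of configs posted above, added here as an example (it is not code from the thread, from the poster or from Cisco). It works on a constructed, abbreviated copy of the two MELB configs in this thread, with city names standing in for the public IPs exactly as the poster did, and it encodes two IOS facts: an access list is evaluated top-down with the first matching entry winning, and inside-to-outside NAT is applied before the crypto map is consulted, so LAN-to-LAN traffic has to hit a deny in the NAT access list or it is translated and never matches the crypto ACL. The first MELB config lists `permit ip 10.10.3.0 0.0.0.255 any` above the two deny entries, the rebuilt MEL config lists the denies first; the audit flags the former and passes the latter, whether or not that was what broke this particular router. It also checks that each crypto map peer has an ISAKMP key and that the crypto ACLs at both ends of a tunnel mirror each other.

```python
# Consistency checks for crypto-map LAN-to-LAN VPN configs like those in this thread.
# Added example, not code from the thread; the config text below is a constructed,
# abbreviated copy of the two MELB configs posted above (city names stand in for IPs).
import ipaddress
import re

# Constructed: crypto and NAT lines common to both MELB configs.
CRYPTO_SECTION = """\
crypto isakmp key <abc12345> address BRISBANE
crypto isakmp key <abc12345> address SYDNEY
crypto map IPSEC-MAPS 10 ipsec-isakmp
 set peer BRISBANE
 match address 101
crypto map IPSEC-MAPS 20 ipsec-isakmp
 set peer SYDNEY
 match address 102
ip nat inside source list NAT interface Dialer1 overload
access-list 101 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 102 permit ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
ip access-list extended NAT
"""
VPN_DENY = (" deny   ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255\n"
            " deny   ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255\n")
PERMIT_ANY = " permit ip 10.10.3.0 0.0.0.255 any\n"
MELB_ORIGINAL = CRYPTO_SECTION + PERMIT_ANY + VPN_DENY   # first MELB config: permit first
MELB_REBUILT = CRYPTO_SECTION + VPN_DENY + PERMIT_ANY    # rebuilt MEL config: denies first
# Constructed: Brisbane's crypto ACL towards Melbourne, for the mirror check.
BRIS_TO_MELB = "access-list 102 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255\n"
MAP_RE = re.compile(r"crypto map \S+ (\d+) ipsec-isakmp\n set peer (\S+)\n(?: .*\n)*? match address (\S+)")

def _addr(t, i):
    """Consume one ACL address spec (any | host A | NET WILDCARD) at t[i]."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _entry(t):
    # 'permit|deny PROTO SRC DST ...' tokens -> (action, proto, src, dst)
    src, i = _addr(t, 2)
    dst, _ = _addr(t, i)
    return t[0], t[1], src, dst

def parse_acls(config):
    """Collect named ('ip access-list extended NAME') and numbered ('access-list N') ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]
            acls.setdefault(current, [])
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(_entry(t[2:]))
        elif line.startswith(" ") and current:
            if t[0] in ("permit", "deny"):      # remarks are skipped
                acls[current].append(_entry(t))
        else:
            current = None                      # any other top-level line ends the block
    return acls

def _covers(spec, subnet):
    """True if ACL address spec (net, wildcard) contains every address of subnet."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    fixed = ~ip(spec[1]) & 0xFFFFFFFF           # bits the spec actually tests
    return (ip(subnet[1]) & fixed) == 0 and (ip(spec[0]) & fixed) == (ip(subnet[0]) & fixed)

def first_match(acl, src, dst):
    """IOS evaluates an ACL top-down, first match wins; None is the implicit deny."""
    for action, proto, s, d in acl:
        if proto == "ip" and _covers(s, src) and _covers(d, dst):
            return action
    return None

def mirrors(a, b):
    """Crypto ACLs at the two ends of a tunnel must be exact mirror images."""
    return ({(s, d) for act, _, s, d in a if act == "permit"}
            == {(d, s) for act, _, s, d in b if act == "permit"})

def audit(config):
    """Findings: peers without an ISAKMP key, and VPN traffic the NAT ACL would
    translate before the crypto map is consulted (NAT runs first on IOS)."""
    acls = parse_acls(config)
    keys = set(re.findall(r"crypto isakmp key \S+ address (\S+)", config))
    nat = re.search(r"ip nat inside source list (\S+) interface", config)
    nat_acl = acls.get(nat.group(1), []) if nat else []
    findings = []
    for seq, peer, acl_name in MAP_RE.findall(config):
        if peer not in keys:
            findings.append(f"map {seq}: no isakmp key for peer {peer}")
        for action, _, src, dst in acls.get(acl_name, []):
            if action == "permit" and first_match(nat_acl, src, dst) != "deny":
                findings.append(f"map {seq}: NAT ACL translates {src[0]} -> {dst[0]} "
                                "before the crypto map can match it")
    return findings

if __name__ == "__main__":
    for name, cfg in (("original MELB", MELB_ORIGINAL), ("rebuilt MEL", MELB_REBUILT)):
        print(name, audit(cfg) or "clean")
```

To run it against a real `show running-config`, paste the whole output into `audit()`; the parser only looks at the `crypto isakmp key`, `crypto map`, `ip nat inside source list` and access-list lines, and `mirrors()` takes one crypto ACL from each end of a tunnel. Only `ip` protocol entries are considered when deciding which NAT entry fires, which is all the posted NAT and crypto ACLs use.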
 
LVL 6

Expert Comment

by:vikrantambhore
ID: 35153998
Config looks fine.
Do you have a static IP for all sites?
Please post the output of:
ter mon
deb cry ipsec error
 

Author Comment

by:Sc0tte
ID: 35154036
Yes, each site has static IPs.

I can ping each site's external IP.

the debug command just gives me "Crypto IPSEC Error debugging is on"

Just tried to re-apply the map to dialer1...  (to see if any errors occur).... nothing... :-(

 
MELB(config)#interface Dialer1
MELB(config-if)#no crypto map IPSEC-MAPS
MELB(config-if)#
000044: *Mar 17 05:58:24.834: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
MELB(config-if)#crypto map IPSEC-MAPS
MELB(config-if)#
000045: *Mar 17 05:58:51.742: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
MELB(config-if)#end
MELB#


 
LVL 6

Expert Comment

by:vikrantambhore
ID: 35154063
I recommend you use DMVPN instead of LAN-to-LAN; it is a full mesh topology. I am also from Melbourne; I am using DMVPN for 4 sites: Mel, Perth, Sydney & India.
 

Author Comment

by:Sc0tte
ID: 35154110
hrrm...  

I had this working before.  Then we closed our Melb office for a few years, and now it's back.  I'm kicking myself now.

The DMVPN looks interesting, but I'm on a tight deadline... was hoping to just alter this config to get it working as is, then deploy.

I'm currently in Brisbane, with a spare internet connection which I'm pretending is Melbourne.
 
LVL 6

Expert Comment

by:vikrantambhore
ID: 35154117
Ok, NP

please post output of "deb cry ipsec error"
 

Author Comment

by:Sc0tte
ID: 35154123
For each router,

All i get is:  Crypto IPSEC Error debugging is on.

 
LVL 6

Expert Comment

by:vikrantambhore
ID: 35154127
I need it from Melbourne. Did you get any message or error on HyperTerminal?
 

Author Comment

by:Sc0tte
ID: 35154134
no,

I'm on the "Mel" router via a console cable anyway.


MELB>en
Password:
MELB#deb cry ipsec error
Crypto IPSEC Error debugging is on
MELB#
 
LVL 6

Expert Comment

by:vikrantambhore
ID: 35154136
Also try this: isakmp policy 5 authentication pre-share
 
LVL 6

Expert Comment

by:vikrantambhore
ID: 35154161
Are you sure you're able to ping the public IP of the other branches from Mel?
 
LVL 6

Expert Comment

by:vikrantambhore
ID: 35154211
Bro, not sure. I just studied your whole config, and I am not sure why it's not working. All config looks good! We need to do more tests.
 

Author Comment

by:Sc0tte
ID: 35154434
Just checked, and yes.  Each router can ping the others using their external IPs.

Now that the Sydney guys have gone home, I might just try and remove/re-add the maps for BNE and MEL.

 

Accepted Solution

by:Sc0tte (earned 0 total points)
ID: 35161845
So I've started from scratch on the MEL router... got another router, set it to factory defaults, and started again.

Works now... I've attached the new config... to me it looks predominantly the same.
Maybe that's what I get for buying an 877 off eBay :-P

I'll have another crack at this eBay router when I get time, and see if I can't get its VPN working...
(No changes to config on the BNE or SYD routers, just a reload.)


 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname MEL
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.3.1 10.10.3.20
!
ip dhcp pool MelPool
   network 10.10.3.0 255.255.255.0
   default-router 10.10.3.10
   dns-server 192.231.203.132 10.10.1.1
   lease 7
!
!
ip name-server 192.231.203.132
ip name-server 10.10.1.1
ip name-server 10.10.2.1
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 18800
crypto isakmp key <abc123> address BRISBANE
crypto isakmp key <abc123> address SYDNEY
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto map IPSEC-MAPS 10 ipsec-isakmp
 set peer BRISBANE
 set transform-set 3DESSHA
 set pfs group2
 match address 101
crypto map IPSEC-MAPS 20 ipsec-isakmp
 set peer SYDNEY
 set transform-set 3DESSHA
 set pfs group2
 match address 102
!
!
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  vbr-nrt 510 510 1
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description --- Ethernet LAN ---
 ip address 10.10.3.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1420
!
interface Dialer1
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 ip route-cache flow
 no ip mroute-cache
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp chap hostname <username>@internode.on.net
 ppp chap password 7 <password>
 crypto map IPSEC-MAPS
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer1 overload
!
ip access-list extended NAT
 deny   ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
 deny   ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit ip 10.10.3.0 0.0.0.255 any
!
access-list 101 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 102 permit ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
no cdp run
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end


 
LVL 68

Expert Comment

by:Qlemo
ID: 35390638
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
