jasonmichel
asked on
Site to Site VPN Cisco
Wondering if I could get someone to look over my configs for a site-to-site IPsec VPN between a Cisco 1841 and a 2821. I just want to make sure the security and ACLs are good. I appreciate it in advance.
agbuilding32711.txt
courthouse-scrub.txt
ASKER
Yeah, I changed the group to 2 looking back after I posted. The only thing the agbuilding needs from the main site is the 10.15.0.0 network. Oh yeah, for the NAT, I forgot the nat inside and nat outside. Thanks for catching that.
ASKER CERTIFIED SOLUTION
ASKER
OK, attached are the updated ones. Let me know if I fixed everything.
Thanks again!
agbuildingscrub.txt
courthouse-scrub.txt
VPN configs look good from here.
ASKER
Thanks for the assist, I'll try it out.
There are some mismatches that will stop it working.
1. There's no common pre-shared key IKE policy.
The two for the courthouse use DH group 2. For encryption, one is aes and the other aes 256.
The one for the agbuilding uses aes but is configured to use DH group 5.
Should the agbuilding be configured for group 2?
2. The traffic to encrypt lists do not match.
The courthouse list, ohagvpn, has sources 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 for destination 192.168.25.0/24.
The agbuilding list, 101, has source 192.168.25.0/25 for destination 10.15.0.0/16.
The addresses and the wildcard masks used must match to allow the security associations to be set up. Your agbuilding list 101 should use the same values as the courthouse list but with the source and destination entries reversed.
There's no NAT configuration in the agbuilding router. If it is used, don't forget to exclude the protected traffic from being address translated.
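As an added illustration of point 2 above (not part of the original thread or either router's config), this script parses the `permit ip` entries of two IOS crypto ACLs and reports where the second is not the exact source/destination mirror of the first. The sample ACL text is constructed from the addresses quoted in the answer; the ACL names and wildcard masks are assumptions based on those prefixes.

```python
import re
from typing import List, Set, Tuple

Entry = Tuple[str, str, str, str]  # (src, src_wildcard, dst, dst_wildcard)

# Matches 'permit ip SRC SRC_WC DST DST_WC' in numbered or named IOS ACL syntax.
_PERMIT = re.compile(
    r"^\s*(?:access-list\s+\S+\s+)?permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_crypto_acl(text: str) -> Set[Entry]:
    """Collect the permit entries of a crypto ACL as (src, swc, dst, dwc) tuples."""
    entries: Set[Entry] = set()
    for line in text.splitlines():
        m = _PERMIT.match(line)
        if m:
            entries.add(m.groups())  # type: ignore[arg-type]
    return entries


def mirror(entries: Set[Entry]) -> Set[Entry]:
    """Swap source and destination: this is what the peer's crypto ACL must contain."""
    return {(dst, dwc, src, swc) for src, swc, dst, dwc in entries}


def check_mirror(local: str, remote: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (entries missing from remote, non-mirrored entries present on remote)."""
    expected = mirror(parse_crypto_acl(local))
    actual = parse_crypto_acl(remote)
    return sorted(expected - actual), sorted(actual - expected)


# Constructed sample reproducing the mismatch described in the answer (assumed masks).
COURTHOUSE_OHAGVPN = """
ip access-list extended ohagvpn
 permit ip 10.0.0.0 0.255.255.255 192.168.25.0 0.0.0.255
 permit ip 172.16.0.0 0.15.255.255 192.168.25.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 192.168.25.0 0.0.0.255
"""
AGBUILDING_101 = "access-list 101 permit ip 192.168.25.0 0.0.0.127 10.15.0.0 0.0.255.255\n"

if __name__ == "__main__":
    missing, extra = check_mirror(COURTHOUSE_OHAGVPN, AGBUILDING_101)
    for e in missing:
        print("agbuilding 101 lacks:        permit ip %s %s %s %s" % e)
    for e in extra:
        print("agbuilding 101 not mirrored: permit ip %s %s %s %s" % e)
```

Each line the script prints as missing is a mirrored entry the peer list needs; once both lists are exact mirrors the SA proxy identities agree and the check returns two empty lists.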