site to site vpn on 2600 router

Asked by jskfan (Cyprus)

Any expert out there to tell me what's wrong with this site-to-site configuration? I cannot ping between the routers' Fa0/0 [10.100.100.14 and 10.100.100.15].

Router4#sh run
Building configuration...

Current configuration : 1205 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router4
!
boot system flash c2600-ik9s-mz.122-40a.bin
enable password cisco
!
username cisco privilege 15 password 0 cisco
ip subnet-zero
ip cef
!
!
!
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPNTEST esp-3des esp-md5-hmac
!
crypto map MAPNAME 10 ipsec-isakmp
 set peer 10.100.100.15
 set transform-set VPNTEST
 match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 crypto map MAPNAME
!
interface FastEthernet0/0
 ip address 10.100.100.14 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip http server
ip http authentication local
!
access-list 100 permit ip 10.100.100.0 0.0.0.255 any
!
dial-peer cor custom
!
!
!
!
!
line con 0
 login
line aux 0
line vty 0 4
 privilege level 0
 password cisco
 login
 transport input pad v120 telnet rlogin udptn ssh
!
end



Router6#sh run
Building configuration...

Current configuration : 3169 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router6
!
boot-start-marker
boot system flash:c2600-advipservicesk9-mz.124-18a.bin
boot-end-marker
!
!
aaa new-model
!
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2805531640
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2805531640
 revocation-check none
 rsakeypair TP-self-signed-2805531640
!
!
crypto pki certificate chain TP-self-signed-2805531640
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32383035 35333136 3430301E 170D3032 30333031 30303438
  30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38303535
  33313634 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009C0D 2E16FB38 A35002D9 B104DF33 AC5A8A72 6034EACF C682B27D 0DCF6A73
  B2C82DF2 EDB507D4 365AAEA8 34A0D543 B55A6E4F 241C3869 2F555E21 707657CF
  0780E6E8 B4238789 CF9F9D5E EB7857DA 421565D7 A1A3D40E 25A5E151 D2EFA801
  5E733520 6ED1CE82 82EB26B5 858230F5 4C4A5850 33B0254A CF15B8C6 27E9E56E
  85FF0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07526F75 74657236 301F0603 551D2304 18301680 142AECF6
  2AE2688B 1A61DC54 81623480 2CDB455B 35301D06 03551D0E 04160414 2AECF62A
  E2688B1A 61DC5481 6234802C DB455B35 300D0609 2A864886 F70D0101 04050003
  81810086 29AF2250 48BC78DF 04E8F2C0 B272A220 7FFE6AD1 D72FB5FE 18C2F2EB
  4487D0EF 98EF5326 5FB7417B EEE4A213 8FA34400 2ACAB2E3 B27EEDBE CF4773D0
  A8221BB6 9BE19C36 BE463194 D0AB95B0 BD5CF3BC 0B7210A0 25F094E4 C906D801
  70F7F87E F6047358 15226EDD 8CCA8AE9 58A37208 1A312211 1E06E3E9 C5672FA4 B893C3
  quit
username cisco1 privilege 15 secret 5 $1$V4kn$7BtRlK7FtSEsvyOA7mm3n.
username cisco privilege 15 password 0 cisco
!
!
!
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key VPNKEY address 10.100.100.14 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SETNAME esp-3des esp-md5-hmac
!
crypto map MAPNAME 10 ipsec-isakmp
 set peer 10.100.100.14
 set transform-set SETNAME
 match address 100
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 crypto map MAPNAME
!
interface FastEthernet0/0
 ip address 10.100.100.15 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 permit ip 10.100.100.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login ctrlc-disable
 transport input telnet
!
!
end
fgasimzade (Azerbaijan):

You cannot establish a VPN between subnets with the same IP address scheme. You will have either to change one subnet or to use NAT.
SOLUTION
Matt V (Canada):

[answer hidden behind the site's member wall; not included in this copy of the page]
fgasimzade (Azerbaijan):

Actually, access-list 100 permit ip 10.100.100.0 0.0.0.255 any is allowed; it will encrypt everything coming from 10.100.100.0. You can even use an any any statement in the access-list, in which case all traffic will be encrypted, however it is not recommended. But the problem here is routing: you cannot route VPN traffic properly with both sites having the same IP address scheme.
Matt V (Canada):

Yes, I suppose the access-list 100 permit ip 10.100.100.0 0.0.0.255 any is a case of CAN but SHOULDN'T :)

Soulja (United States):

How are these routers physically connected? Are you using a crossover cable? The router not being able to ping has nothing to do with the VPN. Being that they are on the same subnet, they should be able to ping.
jskfan (Cyprus, asker):

Soulja:

The routers are both connected to the switch; my laptop is connected to the same switch too, and I am able to ping both routers' interfaces.
I guess the tunnel configuration screwed it up:

 
Router4#sh run
Building configuration...

Current configuration : 1204 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router4
!
boot system flash c2600-ik9s-mz.122-40a.bin
enable password cisco
!
username cisco privilege 15 password 0 cisco
ip subnet-zero
ip cef
!
!
!
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPNTEST esp-3des esp-md5-hmac
!
crypto map MAPNAME 10 ipsec-isakmp
 set peer 192.168.2.15
 set transform-set VPNTEST
 match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 crypto map MAPNAME
!
interface FastEthernet0/0
 ip address 10.100.100.14 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip http server
ip http authentication local
!
access-list 100 permit ip 10.100.100.0 0.0.0.255 any
!
dial-peer cor custom
!
!
!
!
!
line con 0
 login
line aux 0
line vty 0 4
 privilege level 0
 password cisco
 login
 transport input pad v120 telnet rlogin udptn ssh
!
end

Router6#sh run
Building configuration...

Current configuration : 3167 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router6
!
boot-start-marker
boot system flash:c2600-advipservicesk9-mz.124-18a.bin
boot-end-marker
!
!
aaa new-model
!
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2805531640
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2805531640
 revocation-check none
 rsakeypair TP-self-signed-2805531640
!
!
 
  quit
username cisco1 privilege 15 secret 5 $1$V4kn$7BtRlK7FtSEsvyOA7mm3n.
username cisco privilege 15 password 0 cisco
!
!
!
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key VPNKEY address 10.100.100.14 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SETNAME esp-3des esp-md5-hmac
!
crypto map MAPNAME 10 ipsec-isakmp
 set peer 10.100.100.14
 set transform-set SETNAME
 match address 100
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 crypto map MAPNAME
!
interface FastEthernet0/0
 ip address 192.168.2.15 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login ctrlc-disable
 transport input telnet
!
!
end


Soulja (United States):

When you ping from the router are you using the fastethernet as the source?
jskfan (Cyprus, asker):

I meant from my laptop: when I reconfigure the laptop interface with an IP in the same subnet as 192.168.2.0, DG=192.168.2.15, then I am able to ping the router that has IP 192.168.2.15 (on Fa0/0).

When I reconfigure the laptop interface with an IP in the same subnet as 10.100.100.14, DG=100.100.100.14, then I am able to ping the router that has IP 10.100.100.14 (on Fa0/0).

But when I console into router4, I cannot ping router6, and vice versa.
I can ping from router4 to my laptop when they are on the same subnet.
I can ping from router6 to my laptop when they are on the same subnet too.

But as stated, I cannot ping between the routers.

fgasimzade (Azerbaijan):

Can you post the configuration of the switch and tell us which ports both routers' fa0/0 are connected to?
Matt V (Canada):

Do you have a default route in the routers? You need an ip route 0.0.0.0 out the .1 interface.
Soulja (United States):

Okay, your first config had the fast ethernet interfaces in the same subnet (10.100.100.x). This is the correct start for your test, because the routers will need to be able to communicate with one another in order to establish a VPN tunnel. Your current config with them on separate networks won't work, because since they are on different networks you won't be able to ping each other without a way of routing between the networks. So you either need to change the interfaces back to the same subnet so they can ping, or set up layer 3 SVIs for the two networks on the switch you have them connected to (provided the switch is layer 3).

I would put the configuration back the way you had it initially, then create tunnel interfaces on each router with the internal networks you want to communicate with each other. Then use the fast ethernet interfaces as the tunnel sources.
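The points raised above (the peers must be able to reach the address each one names in `set peer`, and a crypto ACL that matches `any` is allowed but not recommended) can be checked mechanically before anything is typed into a router. The Python below is an added example, not code from the thread or from Cisco: it pulls the few statements that matter out of each router's `show run` and then checks the pair against each other, reporting a crypto map bound to an interface whose address the far side does not peer with, a missing `crypto isakmp key ... address` entry for the peer, a crypto ACL that matches `any`, and crypto ACLs that are not mirror images. The sample configs are constructed abridgements of the pair first posted; the LAN subnets 192.168.4.0/24 and 192.168.6.0/24 used for the working pair are assumed, and only the `any` and `addr wildcard` ACL forms are handled.

```python
"""Lint two Cisco IOS site-to-site IPsec configs for the mismatches that keep a tunnel down.
Added example, not from the thread; the samples are constructed and the LAN subnets are assumed."""
import ipaddress


def parse_ios(text):
    """Minimal 'show run' parser covering only the statements the checks need."""
    cfg, sect = {"host": "", "keys": [], "maps": {}, "ifs": {}, "acls": {}}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if not raw.startswith(" "):              # a top-level statement opens a new section
            sect = None
            if tok[0] == "hostname":
                cfg["host"] = tok[1]
            elif tok[:3] == ["crypto", "isakmp", "key"] and len(tok) > 5 and tok[4] == "address":
                mask = tok[6] if len(tok) > 6 else "32"   # 'address A.B.C.D [subnet-mask]'
                cfg["keys"].append((ipaddress.ip_network(f"{tok[5]}/{mask}", strict=False), tok[3]))
            elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
                sect = cfg["maps"].setdefault(tok[2], {"peer": None, "acl": None})
            elif tok[0] == "interface":
                sect = cfg["ifs"].setdefault(tok[1], {"ip": None, "map": None})
            elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
                # normalise 'any' to address/wildcard form so every entry is (src, swc, dst, dwc)
                t = raw.replace(" any", " 0.0.0.0 255.255.255.255").split()
                cfg["acls"].setdefault(t[1], []).append(tuple(t[4:8]))
        elif sect is not None:                   # an indented line belongs to the open section
            if tok[:2] == ["set", "peer"]:
                sect["peer"] = tok[2]
            elif tok[:2] == ["match", "address"]:
                sect["acl"] = tok[2]
            elif tok[:2] == ["ip", "address"]:
                sect["ip"] = tok[2]
            elif tok[:2] == ["crypto", "map"]:
                sect["map"] = tok[2]
    return cfg


def _applied(cfg):
    """The crypto map actually bound to an interface: (map name, map, if name, if) or None."""
    for if_name, itf in cfg["ifs"].items():
        if itf["map"] in cfg["maps"]:
            return itf["map"], cfg["maps"][itf["map"]], if_name, itf
    return None


def _check_side(local, remote):
    """Findings for `local` given its peer `remote`, as (code, message) tuples."""
    host, side, rside = local["host"], _applied(local), _applied(remote)
    if side is None:
        return [("MAP_NOT_APPLIED", f"{host}: no interface carries a crypto map")]
    name, cmap, if_name, itf = side
    rpeer, out = (rside[1]["peer"] if rside else None), []
    # 1. The interface carrying the map must own the address the far side peers with.
    if rpeer != itf["ip"]:
        out.append(("MAP_ON_WRONG_INTERFACE",
                    f"{host}: {name} is on {if_name} ({itf['ip']}) but {remote['host']} peers with {rpeer}"))
    # 2. A 'crypto isakmp key ... address' entry must cover the peer address.
    peer = cmap["peer"]
    if not peer or not any(ipaddress.ip_address(peer) in net for net, _ in local["keys"]):
        out.append(("NO_ISAKMP_KEY", f"{host}: no pre-shared key entry covers peer {peer}"))
    # 3. Crypto ACL: avoid 'any', and each side must be the mirror image of the other.
    acl = local["acls"].get(cmap["acl"], [])
    racl = remote["acls"].get(rside[1]["acl"], []) if rside else []
    if any("255.255.255.255" in (e[1], e[3]) for e in acl):
        out.append(("ACL_ANY", f"{host}: crypto ACL {cmap['acl']} matches 'any'; scope it to the protected networks"))
    if set(acl) != {(d, dw, s, sw) for s, sw, d, dw in racl}:
        out.append(("ACL_NOT_MIRROR", f"{host}: crypto ACL {cmap['acl']} is not the mirror image of {remote['host']}'s"))
    return out


def check_pair(a, b):
    """Run both directions; an empty list means the two sides agree."""
    return _check_side(a, b) + _check_side(b, a)


def sample(host, my_ip, peer_ip, acl, key=True, map_on_loopback=False):
    """Constructed one-router config. Defaults give a working side; the flags reproduce the defects
    of the thread's first configs (map on Loopback0, crypto ACL to 'any', no key on Router4)."""
    lb, fa = (" crypto map MAPNAME", "") if map_on_loopback else ("", " crypto map MAPNAME")
    return "\n".join(filter(None, [
        f"hostname {host}",
        f"crypto isakmp key VPNKEY address {peer_ip}" if key else "",
        "crypto map MAPNAME 10 ipsec-isakmp", f" set peer {peer_ip}", " match address 100",
        "interface Loopback0", " ip address 1.1.1.1 255.255.255.255", lb,
        "interface FastEthernet0/0", f" ip address {my_ip} 255.255.255.0", fa,
        f"access-list 100 permit ip {acl}"]))


BROKEN = (sample("Router4", "10.100.100.14", "10.100.100.15", "10.100.100.0 0.0.0.255 any",
                 key=False, map_on_loopback=True),
          sample("Router6", "10.100.100.15", "10.100.100.14", "10.100.100.0 0.0.0.255 any",
                 map_on_loopback=True))
GOOD = (sample("Router4", "10.100.100.14", "10.100.100.15", "192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255"),
        sample("Router6", "10.100.100.15", "10.100.100.14", "192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255"))
```

Running `check_pair(parse_ios(BROKEN[0]), parse_ios(BROKEN[1]))` on the constructed first-posted pair reports the crypto map sitting on Loopback0 (1.1.1.1) while each side peers with the other's FastEthernet0/0 address, the missing key on Router4, and the `any` ACL on both sides; the `GOOD` pair, with the map on FastEthernet0/0 and mirrored LAN-to-LAN ACLs, comes back clean.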
Soulja (United States):

Additionally, my previous post is assuming the switch you have these connected to is configured with all ports on the same vlan.
jskfan (Cyprus, asker):

Soulja:
Initially both Fa0/0 of router4 and router6 were on the same subnet and connected to the same switch, until fgasimzade suggested having 2 different subnets for the VPN tunnel to work; see 07/11/11 02:38 PM, ID: 36168416.

What do you mean by this:
<<<I would put the configuration back the way you had it initially, then create tunnel interfaces on each router with the internal networks you want to communicate with each other. Then use the fast ethernet at the tunnel sources.>>

OK, I can revert to the previous IP subnets for the routers' Fa0/0 interfaces that are connected to the same switch. Then could you just paste the configuration of the site-to-site VPN, and I will go ahead and test it?

Soulja (United States):

Here is a link to what I am referring to, with sample configurations that you can build your config from. This way you can understand what I am talking about.

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

fgasimzade's suggestion would be correct if you were trying to create a VPN over the internet that requires NATting, but since you are testing this on a switch, that is why I suggested putting the fastethernet IPs back in the same subnet, so they can talk to one another.
jskfan (Cyprus, asker):

I followed the steps from this link:

http://www.routergeek.net/content/view/50/37/

Is it wrong?
Soulja (United States):

Yes, because you must have overlooked this:

Special Requirements: The routers used must support IPSec. Most of Cisco routers do. Another need is that both sides use a static public IP address to connect to the Internet.


Because you are testing this over a switch is why I suggested the tunnel interfaces.
Soulja (United States):

The assumption of the link is that you have these routers connecting to the internet.
jskfan (Cyprus, asker):

In my case I have just one interface from each router connected to the switch.

Router4: has int fa0/0 ip address 10.100.100.14
loopback 1.1.1.1
Router5: has int fa0/0 ip address 10.100.100.15
loopback 1.1.1.1

Both routers are connected to the same switch.

Could you just paste a config here that suits my case, instead of taking the config from the link that you mentioned above?

I would like to avoid making this thread longer.

ASKER CERTIFIED SOLUTION
Soulja (United States):

[answer hidden behind the site's member wall; not included in this copy of the page]
jskfan (Cyprus, asker):

Soulja:

I will fix the Octal Async issue, then try your config pasted above.

Thanks
jskfan (Cyprus, asker):

Soulja:

Sorry for the delay...

I have used your configuration above. Now how do I know that the site-to-site VPN is working properly?

thanks
Soulja (United States):

sh crypto isakmp sa
jskfan (Cyprus, asker):

sh crypto isakmp sa

It shows the other peer.
Does that mean it is working?
SOLUTION
fgasimzade (Azerbaijan):

[answer hidden behind the site's member wall; not included in this copy of the page]
Soulja (United States):

Yes, if the other peer shows with idle state, it is up.
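The answer above ties "idle state" to a working tunnel. As an added example that is not code from the thread, the Python below reads `show crypto isakmp sa` and `show crypto ipsec sa` output and turns them into a verdict: phase 1 counts as up only when the SA with the peer sits in QM_IDLE (and ACTIVE where IOS prints that column), a stall in one of the MM_ states is reported with what that stall usually means, and because an idle ISAKMP SA says nothing about data, the encaps/decaps counters from `show crypto ipsec sa` decide whether traffic actually flows in both directions. The sample outputs are constructed in the IOS 12.4 column layout, not captured from the routers in the thread; the state names follow Cisco's documented ISAKMP states.

```python
"""Interpret 'show crypto isakmp sa' and 'show crypto ipsec sa' output. Added example, not from
the thread; the sample outputs below are constructed in the IOS 12.4 column layout."""
import re

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# ISAKMP (phase 1) states as IOS prints them, with what a stall in each one usually means.
STATE_HINTS = {
    "QM_IDLE": "phase 1 complete; IPsec SAs can be negotiated in quick mode",
    "MM_NO_STATE": "ISAKMP SA created but nothing further; peer unreachable or phase 1 policy mismatch",
    "MM_SA_SETUP": "policy agreed, waiting on the key exchange",
    "MM_KEY_EXCH": "DH exchange done but peer not authenticated; a stall here commonly means the pre-shared keys differ",
    "MM_KEY_AUTH": "authenticated, finishing main mode",
}


def parse_isakmp_sa(text):
    """One dict per SA row: dst, src, state and status (12.4 prints a status column; 12.2 does not)."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and _IPV4.match(tok[0]) and _IPV4.match(tok[1]):
            rows.append({"dst": tok[0], "src": tok[1], "state": tok[2],
                         "status": tok[5] if len(tok) > 5 else None})
    return rows


def phase1_status(text, peer):
    """'up' when the SA with this peer is in QM_IDLE (and ACTIVE where that column exists)."""
    for sa in parse_isakmp_sa(text):
        if peer in (sa["dst"], sa["src"]):
            up = sa["state"] == "QM_IDLE" and sa["status"] in (None, "ACTIVE")
            return ("up" if up else "negotiating"), STATE_HINTS.get(sa["state"], "unknown state")
    return "absent", "no ISAKMP SA with this peer; nothing matching the crypto ACL has triggered IKE"


def phase2_counters(text):
    """(encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps: (\d+)", text)
    dec = re.search(r"#pkts decaps: (\d+)", text)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)


def tunnel_verdict(isakmp_text, ipsec_text, peer):
    """Combine both commands: an idle ISAKMP SA alone does not prove traffic is flowing."""
    state, hint = phase1_status(isakmp_text, peer)
    if state != "up":
        return f"phase 1 {state}: {hint}"
    enc, dec = phase2_counters(ipsec_text)
    if enc and dec:
        return f"tunnel passing traffic (encaps={enc}, decaps={dec})"
    if enc:
        return f"one-way: {enc} packets encrypted, none decrypted; check the far side's crypto ACL and routing"
    return "phase 1 up but no protected traffic yet; send traffic that matches the crypto ACL"


# Constructed sample outputs (IOS 12.4 layout), not captured from the routers in the thread.
ISAKMP_UP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.100.100.14   10.100.100.15   QM_IDLE           1001    0 ACTIVE
"""
ISAKMP_STUCK = ISAKMP_UP.replace("QM_IDLE", "MM_KEY_EXCH")
IPSEC_OK = ("   #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12\n"
            "   #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12\n")
IPSEC_ONE_WAY = IPSEC_OK.replace("#pkts decaps: 12", "#pkts decaps: 0")
```

`tunnel_verdict(ISAKMP_UP, IPSEC_OK, "10.100.100.14")` reports a tunnel passing traffic; with `IPSEC_ONE_WAY` it flags the encrypt-only case, which is the situation where the peer shows idle and yet pings still fail; with `ISAKMP_STUCK` it stops at phase 1 and prints the MM_KEY_EXCH hint.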
jskfan (Cyprus, asker):

Excellent work!!!