  • Status: Solved

Cisco IPSEC VPN Issue

I'm having trouble getting a VPN between a Cisco 1841 (Spoke) router and a Cisco 3825 (Hub) router working correctly. Everything (sh crypto sessions, sh crypto ipsec sa, sh crypto isakmp sa) indicates the VPN tunnel is established, but traffic refuses to pass. This leads me to think it's a routing or a NAT issue.

I'm trying to establish an IPSEC VPN between Site A (Spoke) and Site B (Hub). Site A must also have access to Site C where the servers are located.

Site A (10.1.20.X) is connected to the Internet via Comcast Broadband (int Fast0/0). Site B (10.1.0.X) is connected to the Internet via AT&T MLPPP T1s (int MULTI1). Site C (10.1.10.X, 10.1.11.x, 10.1.12.x) is connected via AT&T MPLS to Site B (int Gi0/0). Site C accesses the MLPPP T1s in site B for Internet access.

Router Configs are attached. Anyone have any ideas what I'm missing here? I'm desperate! The location is completely down - they moved before the MPLS circuits were ready and they still have a few weeks before those will go in. Site-A.txt Site-B.txt
Matt Walker
Asked:
 
Marius Gunnerud, Senior Systems Engineer, Commented:
At first glance, you are missing ppp multilink group 1 from the multilink1 interface.
 
adrianuta2004 Commented:
access-list 155 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 (in both sites you have subnet 10.1.0.0/16?)
 
Matt Walker (Author) Commented:
PPP Multilink group 1 is there - it might not have come out in the configuration I copied here - Internet access through this Interface works fine.

Site A (Spoke Site) is subnet 10.1.20.X and site B (Hub site) is subnet 10.1.0.X. Site C (Server Site) is subnets 10.1.10.X, 10.1.11.X, and 10.1.12.X.
 
adrianuta2004 Commented:

crypto map mymap 10 ipsec-isakmp
 set peer 12.94.195.170
 set transform-set myset
 match address 155
access-list 155 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255

This is your config for site A. For identifying traffic which must pass through the VPN you use access list 155, but in access list 155 you say that traffic originating from network 10.1.0.0/16 and that goes to network 10.1.0.0/16 must pass through the VPN. This statement is not correct.
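
An added example, not part of the original thread or of any poster's configuration: a small Python check for the overlap described in the comment above, flagging a crypto ACL whose source and destination networks overlap. The /24 site subnets are an assumption based on the "10.1.20.X" notation in the question, and the second ACL line is constructed only for comparison.

```python
import ipaddress

# Site subnets from the thread, assumed to be /24s ("10.1.20.X" notation).
SITES = {
    "Site A (spoke)": ["10.1.20.0/24"],
    "Site B (hub)": ["10.1.0.0/24"],
    "Site C (servers)": ["10.1.10.0/24", "10.1.11.0/24", "10.1.12.0/24"],
}

def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair into an ip_network.
    Only contiguous wildcards (inverse netmasks) are supported."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is a run of 0s followed by 1s
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_crypto_acl(line):
    """Parse 'access-list N permit ip SRC SRC_WC DST DST_WC' (this form only)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return wildcard_to_network(tok[4], tok[5]), wildcard_to_network(tok[6], tok[7])

def sites_in(net):
    """Names of sites that have at least one subnet inside net."""
    return sorted(name for name, subnets in SITES.items()
                  if any(ipaddress.ip_network(s).subnet_of(net) for s in subnets))

def audit(line):
    src, dst = parse_crypto_acl(line)
    return {
        "source": str(src),
        "destination": str(dst),
        "overlap": src.overlaps(dst),
        # Sites matched on both sides: the ACL cannot tell local from remote.
        "ambiguous_sites": sorted(set(sites_in(src)) & set(sites_in(dst))),
    }

if __name__ == "__main__":
    posted = "access-list 155 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255"
    # Constructed comparison entry (not from the thread): spoke LAN to hub LAN only.
    narrow = "access-list 155 permit ip 10.1.20.0 0.0.0.255 10.1.0.0 0.0.0.255"
    for acl in (posted, narrow):
        print(acl, "->", audit(acl))
```
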