Solved

Cisco Site to Site VPN Help

Posted on 2012-03-13
4
488 Views
Last Modified: 2012-03-15
We have two sites that we would like to connect via site to site vpn. I have configured as much as I can by tutorials but seem to be stuck. Can anyone please review my attached config files and tell me what i'm lacking? It would be great if you could give examples by command example.

Site 1 (T)  - Main site
Local: 10.8.40.x
External IP in config listed as: T.T.T.T for security purposes.

Site 2 (C)
Local: 10.8.50.x
External IP in config listed as: C.C.C.C for security purposes.


**These two sites were at once both using local ip scheme of 10.8.146.x and were connected via a T1 line. We split this up into the two new schemes of 10.8.40.x and 10.8.50.x but currently there is still needed vendor equipement at both sites with 10.8.146.x IP scheme and I would like to allow communication between 10.8.146.x at both sites open as well if possible.
site1-T-.txt
site2-C-.txt
0
Comment
Question by:considerscs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 37720047
Have you done any debugging yet?

Debug the isakmp and ipsec to see if you can get a clue to what is failing.
0
 
LVL 1

Author Comment

by:considerscs
ID: 37722554
If I run the debug crypto ipsec and debug crypto isakmp it says debugging is on but does not show any output. How do I get it to show output?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 450 total points
ID: 37722793
Your NAT acl is incorrect

ip access-list extended inside_to_outside
 deny   ip 10.8.30.0 0.0.0.255 10.8.146.0 0.0.0.255
 deny ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255  <-- add this new line to match the crypto  match acl
 permit ip 10.8.146.0 0.0.0.255 any
 permit ip 10.8.40.0 0.0.0.255 any
 deny   ip 10.8.30.0 0.0.0.255 10.8.40.0 0.0.0.255 <-- this line need to be line #2 ^


You cannot have same IP subnet on both sides of an IPSEC VPN tunnel
Mirror the above acl on site 2
0
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 50 total points
ID: 37722879
If you are ssh/telnet in, you need to issue terminal monitor command to see the output.

When you are done you can issue
terminal no montitor
un all (turns off all debugging)
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question