Solved

Cisco Site to Site VPN Help

Posted on 2012-03-13
4
483 Views
Last Modified: 2012-03-15
We have two sites that we would like to connect via site to site vpn. I have configured as much as I can by tutorials but seem to be stuck. Can anyone please review my attached config files and tell me what i'm lacking? It would be great if you could give examples by command example.

Site 1 (T)  - Main site
Local: 10.8.40.x
External IP in config listed as: T.T.T.T for security purposes.

Site 2 (C)
Local: 10.8.50.x
External IP in config listed as: C.C.C.C for security purposes.


**These two sites were at once both using local ip scheme of 10.8.146.x and were connected via a T1 line. We split this up into the two new schemes of 10.8.40.x and 10.8.50.x but currently there is still needed vendor equipement at both sites with 10.8.146.x IP scheme and I would like to allow communication between 10.8.146.x at both sites open as well if possible.
site1-T-.txt
site2-C-.txt
0
Comment
Question by:considerscs
  • 2
4 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 37720047
Have you done any debugging yet?

Debug the isakmp and ipsec to see if you can get a clue to what is failing.
0
 
LVL 1

Author Comment

by:considerscs
ID: 37722554
If I run the debug crypto ipsec and debug crypto isakmp it says debugging is on but does not show any output. How do I get it to show output?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 450 total points
ID: 37722793
Your NAT acl is incorrect

ip access-list extended inside_to_outside
 deny   ip 10.8.30.0 0.0.0.255 10.8.146.0 0.0.0.255
 deny ip 10.8.40.0 0.0.0.255 10.8.50.0 0.0.0.255  <-- add this new line to match the crypto  match acl
 permit ip 10.8.146.0 0.0.0.255 any
 permit ip 10.8.40.0 0.0.0.255 any
 deny   ip 10.8.30.0 0.0.0.255 10.8.40.0 0.0.0.255 <-- this line need to be line #2 ^


You cannot have same IP subnet on both sides of an IPSEC VPN tunnel
Mirror the above acl on site 2
0
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 50 total points
ID: 37722879
If you are ssh/telnet in, you need to issue terminal monitor command to see the output.

When you are done you can issue
terminal no montitor
un all (turns off all debugging)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now