[onlinegamesnz]

Hey guys im having some issues getting a cisco IPSec site to site vpn going. Ive got a config from the remote site and and sh run from the receiving router.

I cant get the IPSec tunnel up. Here are my configs.

Sh run on the local router. 192.168.2.0

Code:

Current configuration : 3892 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname REMOVED
!
boot-start-marker
boot-end-marker
!
enable secret 5 REMOVED
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.254
!
ip dhcp pool LAN-192.168.2.0
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.254 
   dns-server REMOVED 
   class 1
      address range 192.168.2.100 192.168.2.200
!
!
ip dhcp class 1
!
ip domain name REMOVED
ip name-server 8.8.8.8
ip ssh version 2
!
!
!
username admin privilege 15 secret 5 REMOVED
!
! 
crypto keyring XXXCampbellXXX
  pre-shared-key address 114.xxx.xxx.xxx key REMOVED
crypto logging session
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto isakmp profile XXXCampbellXXXX
   keyring XXXCampbellXXX
   match identity address 114.xxx.xxx.xxx 255.255.255.255 
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac 
!
crypto map IPSEC 10 ipsec-isakmp 
 description VPN Traffic REMOVED
 set peer 114.xxx.xxx.xxx
 set transform-set ESP-AES128-SHA1 
 set isakmp-profile XXXCampbellXXX
 match address ACL-XXXCampbellXXX
!
!         
!
interface ATM0
 description eex ppp dial operating-mode auto
 no ip address
 no atm ilmi-keepalive
 pvc INTERNET 0/100 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto 
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description WAN interface running at 800Kbps
 bandwidth 800
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username user@REMOVED password 0 password
 crypto map IPSEC
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer0 overload
!
ip access-list extended ACL-XXXCampbellXXX
 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line vty 0 2
 access-class aclTelnet in
 privilege level 15
 password REMOVED
 login local
 transport input telnet
line vty 3 4
 access-class aclQuietMode in
 privilege level 15
 password REMOVED
 login local
 transport input ssh
!
scheduler max-task-time 5000
end

And the existing config I copied and pasted. This is from a previous VPN that was running on this router, but not the above!

Code:

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto logging session
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 5  
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5-COMP esp-3des esp-md5-hmac comp-lzs 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES256-SHA-COMP esp-aes 256 esp-sha-hmac comp-lzs 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto keyring VPNXXXCampbellXXX
  pre-shared-key address 114.xx.xxx.xxx.xxx key REMOVED
!
crypto isakmp profile VPN-to-CampbellRoad
   keyring VPN-to-CampbellXXX
   match identity address 114.xxx.xxx.xxx
!
crypto map IPSEC 10 ipsec-isakmp 
 description VPN Traffic REMOVED
 set peer 114.xxx.xxx.xxx
 set transform-set ESP-AES128-SHA1
 set isakmp-profile XXXCampbellXXX
 match address ACL-XXXCampbellXXX
!
ip access-list extended ACL-XXXCampbellXXX
 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface dialer0
 crypto map IPSEC

To me it looks like the access lists are wrong, source and dst addresses consider the first config which is on 192.168.2.0 and the second config is on 10.0.0.0

Any ideas? sh crypto session says tunnels on both dialer0 and vlan1 are down.

Thanks guys

[onlinegamesnz]

Code:

l#sh crypto session 
Crypto session current status

Interface: Dialer0
Session status: DOWN
Peer: 114.xxx.xxx.xxx port 500 
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

Interface: Virtual-Access2
Session status: DOWN
Peer: 114.xxx.xxx.xxx port 500 
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

Im sure its routing, ACL or address between interfaces that is wrong!

[onlinegamesnz]

Originally Posted by onlinegamesnz

Code:

l#sh crypto session 
Crypto session current status

Interface: Dialer0
Session status: DOWN
Peer: 114.xxx.xxx.xxx port 500 
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

Interface: Virtual-Access2
Session status: DOWN
Peer: 114.xxx.xxx.xxx port 500 
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

Im sure its routing, ACL or address between interfaces that is wrong!

Had someone else check it out, apparently it was closing the tunnel but he couldnt figure out why. He enabled a keep alive or a automatic ping reuqest every 360 secs or something to keep the tunnel allive.

Thats over my head!