Hey guys, I'm having some issues getting a Cisco IPsec site-to-site VPN going. I've got a config from the remote site and a sh run from the receiving router.
I can't get the IPsec tunnel up. Here are my configs.
sh run on the local router (192.168.2.0):
Code:
Current configuration : 3892 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname REMOVED
!
boot-start-marker
boot-end-marker
!
enable secret 5 REMOVED
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.254
!
ip dhcp pool LAN-192.168.2.0
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server REMOVED
class 1
address range 192.168.2.100 192.168.2.200
!
!
ip dhcp class 1
!
ip domain name REMOVED
ip name-server 8.8.8.8
ip ssh version 2
!
!
!
username admin privilege 15 secret 5 REMOVED
!
!
crypto keyring XXXCampbellXXX
pre-shared-key address 114.xxx.xxx.xxx key REMOVED
crypto logging session
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 5
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 15
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto isakmp profile XXXCampbellXXXX
keyring XXXCampbellXXX
match identity address 114.xxx.xxx.xxx 255.255.255.255
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map IPSEC 10 ipsec-isakmp
description VPN Traffic REMOVED
set peer 114.xxx.xxx.xxx
set transform-set ESP-AES128-SHA1
set isakmp-profile XXXCampbellXXX
match address ACL-XXXCampbellXXX
!
!
!
interface ATM0
description eex ppp dial operating-mode auto
no ip address
no atm ilmi-keepalive
pvc INTERNET 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description WAN interface running at 800Kbps
bandwidth 800
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username user@REMOVED password 0 password
crypto map IPSEC
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer0 overload
!
ip access-list extended ACL-XXXCampbellXXX
permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 2
access-class aclTelnet in
privilege level 15
password REMOVED
login local
transport input telnet
line vty 3 4
access-class aclQuietMode in
privilege level 15
password REMOVED
login local
transport input ssh
!
scheduler max-task-time 5000
end
And here is the existing config I copied and pasted. This is from a previous VPN that was running on this router, but not the above!
Code:
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto logging session
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 5
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 15
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5-COMP esp-3des esp-md5-hmac comp-lzs
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA-COMP esp-aes 256 esp-sha-hmac comp-lzs
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto keyring VPNXXXCampbellXXX
pre-shared-key address 114.xx.xxx.xxx.xxx key REMOVED
!
crypto isakmp profile VPN-to-CampbellRoad
keyring VPN-to-CampbellXXX
match identity address 114.xxx.xxx.xxx
!
crypto map IPSEC 10 ipsec-isakmp
description VPN Traffic REMOVED
set peer 114.xxx.xxx.xxx
set transform-set ESP-AES128-SHA1
set isakmp-profile XXXCampbellXXX
match address ACL-XXXCampbellXXX
!
ip access-list extended ACL-XXXCampbellXXX
permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface dialer0
crypto map IPSEC
To me it looks like the access lists are wrong (source and dst addresses), considering the first config is on 192.168.2.0 and the second config is on 10.0.0.0.
Any ideas? sh crypto session says the tunnels on both Dialer0 and Vlan1 are down.
Thanks guys
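An added example, not part of the original post: a small Python checker for the three things a crypto-map tunnel like this one usually fails on, names that a crypto map or ISAKMP profile references but never defines (the second snippet's keyring `VPN-to-CampbellXXX` and profile `XXXCampbellXXX` are both undefined), crypto ACLs that are not exact mirrors of each other, and NAT overload catching the VPN traffic before the crypto map sees it. Both configs in it are constructed to resemble the post's snippets; the peer addresses 203.0.113.10 and 198.51.100.20 and the standard `access-list 10` are assumptions, since the sh run references list 10 without showing it and the real addresses are redacted.

```python
"""Cross-check two IOS crypto-map configs for dangling names and ACL mismatches. Added
example, not code from the post; both configs below are constructed (see the comments)."""
LOCAL_CFG = """\
crypto keyring XXXCampbellXXX
 pre-shared-key address 203.0.113.10 key REMOVED
crypto isakmp profile XXXCampbellXXX
 keyring XXXCampbellXXX
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
crypto map IPSEC 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES128-SHA1
 set isakmp-profile XXXCampbellXXX
 match address ACL-XXXCampbellXXX
ip nat inside source list 10 interface Dialer0 overload
access-list 10 permit 192.168.2.0 0.0.0.255
ip access-list extended ACL-XXXCampbellXXX
 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Constructed peer side (10.0.0.0/24), carrying the second snippet's keyring and profile name mismatches.
REMOTE_CFG = """\
crypto keyring VPNXXXCampbellXXX
 pre-shared-key address 198.51.100.20 key REMOVED
crypto isakmp profile VPN-to-CampbellRoad
 keyring VPN-to-CampbellXXX
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
crypto map IPSEC 10 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set ESP-AES128-SHA1
 set isakmp-profile XXXCampbellXXX
 match address ACL-XXXCampbellXXX
ip access-list extended ACL-XXXCampbellXXX
 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def sections(cfg):  # split a running-config into (header words, [child line words]) blocks
    blocks = []
    for raw in (ln for ln in cfg.splitlines() if ln.strip() and not ln.startswith("!")):
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.split())
        else:
            blocks.append((raw.split(), []))
    return blocks

def parse(cfg):
    """Collect the objects a crypto map ties together, keyed by name."""
    c = {"keyrings": set(), "profiles": {}, "maps": [], "ext": {}, "nat": []}
    for h, kids in sections(cfg):
        if h[:2] == ["crypto", "keyring"]:
            c["keyrings"].add(h[2])
        elif h[:3] == ["crypto", "isakmp", "profile"]:
            c["profiles"][h[3]] = {k[0]: k[1] for k in kids}        # e.g. {"keyring": name}
        elif h[:2] == ["crypto", "map"] and "ipsec-isakmp" in h:
            c["maps"].append((f"{h[2]} {h[3]}", {k[1]: k[2] for k in kids if k[0] in ("set", "match")}))
        elif h[:3] == ["ip", "access-list", "extended"]:
            # only the `permit|deny ip <src> <wc> <dst> <wc>` form used in the post is handled
            c["ext"][h[3]] = [(k[0], (k[2], k[3]), (k[4], k[5])) for k in kids if len(k) == 6 and k[1] == "ip"]
        elif h[:5] == ["ip", "nat", "inside", "source", "list"]:
            c["nat"].append(h[5])
    return c

def dangling_references(c):
    """Names a profile or crypto map points at that are never defined on this router."""
    out = [f"isakmp profile {n}: keyring {p.get('keyring')} is not defined"
           for n, p in c["profiles"].items() if p.get("keyring") not in c["keyrings"]]
    for m, s in c["maps"]:
        for label, ref, table in (("isakmp profile", "isakmp-profile", "profiles"), ("crypto ACL", "address", "ext")):
            if s.get(ref) not in c[table]:
                out.append(f"crypto map {m}: {label} {s.get(ref)} is not defined")
    return out

def fmt(s, d): return f"{' '.join(s)} -> {' '.join(d)}"   # (net, wildcard) pairs as "src -> dst"

def crypto_flows(c):
    """(src, dst) network pairs that the crypto ACLs bound to this router's maps will encrypt."""
    return {(s, d) for _, m in c["maps"] for a, s, d in c["ext"].get(m.get("address"), []) if a == "permit"}

def mirror_mismatches(local, remote):
    """A permit A->B on one side needs the exact mirror B->A on the other, or phase 2 never agrees."""
    lf, rf = crypto_flows(local), crypto_flows(remote)
    return ([f"local permits {fmt(s, d)} but remote has no {fmt(d, s)}" for s, d in sorted(lf) if (d, s) not in rf]
            + [f"remote permits {fmt(s, d)} but local has no {fmt(d, s)}" for s, d in sorted(rf) if (d, s) not in lf])

def nat_exemption_findings(c):
    """Inside-to-outside NAT runs before the crypto map is consulted, so the NAT ACL must deny
    every crypto flow first; a numbered standard ACL matches on source only and cannot."""
    out = []
    for acl in c["nat"]:
        if acl not in c["ext"]:
            out.append(f"NAT list {acl} is not an extended ACL, so it cannot exempt VPN traffic by destination")
            continue
        denies = {(s, d) for a, s, d in c["ext"][acl] if a == "deny"}
        out += [f"NAT list {acl} does not deny crypto flow {fmt(s, d)}" for s, d in sorted(crypto_flows(c)) if (s, d) not in denies]
    return out

if __name__ == "__main__":
    loc, rem = parse(LOCAL_CFG), parse(REMOTE_CFG)
    print(*dangling_references(loc), *dangling_references(rem), *mirror_mismatches(loc, rem), *nat_exemption_findings(loc), sep="\n")
```

Run as-is it reports the two undefined names on the peer side, the unmirrored `10.0.0.0 -> 192.168.2.0` line in the local crypto ACL, and the NAT list that cannot exempt the VPN traffic. To check real configs, paste the crypto, NAT and access-list sections into the two strings; the parser only understands the `permit ip <net> <wildcard> <net> <wildcard>` ACL form that appears in the post.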