
Cisco Site to Site help if possible


  • Cisco Site to Site help if possible

    Hello, I am having a problem with my VPN connection. I can see the problem but have no way to change this, which is the most annoying thing:

    (remote and local addresses have been changed to save people fiddling, the is the correct)

    crypto isakmp policy 11
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key ********* address
    crypto ipsec transform-set TSLVPN esp-3des esp-sha-hmac
    crypto map VPNMAP 11 ipsec-isakmp
     set peer
     set transform-set TSLVPN
     set pfs group2
     match address 101

    This is all correctly on the interface, and I had this double-checked, which looks correct to everyone else,

    but it is obviously not connecting.

    When I do 'show crypto session':

    Interface: FastEthernet0
    Session status: DOWN
    Peer: port 500
    IPSEC FLOW: permit ip
    Active SAs: 0, origin: crypto map

    Interface: FastEthernet0
    Session status: DOWN-NEGOTIATING
    Peer: port 500
    IKE SA: local remote Inactive
    IKE SA: local remote Inactive
    IKE SA: local remote Inactive
    IKE SA: local remote Inactive

    On the IKE SA, where is it getting that remote address from? It's completely wrong; the remote address should be the same as my set peer address.

    I have tried re-creating all the details on the router and still no joy.... The 146 cannot be pinged, so no idea where it is.

    Also, when doing a traceroute from both sites, the 146 address is not mentioned in either of the results.

    Really scratching my head on this one.... even more as it's my first solo VPN setup that I want to do with people checking, and now I have hit this problem.

    If you can help, could you please explain in detail, possibly with some command examples... thank you. Any help would be great, cheers.

    I have asked this question on a couple of other sites looking for some help, as I am getting will be connecting to a Juniper firewall, so I cannot test from another Cisco box and see my results.


  • #2
    Re: Cisco Site to Site help if possible

    worked it out

    The 146 address was spamming my address for some unknown reason....

    Have to create an ACL to deny inbound traffic from that address, then it all kicked in.
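
Added example, not part of the thread: a small check that compares the IKE SA remotes in `show crypto session` output against the `set peer` addresses in the crypto map, which is the mismatch the poster spotted by eye. All addresses are constructed from documentation ranges (203.0.113.146 stands in for the unknown ".146" host), and the function names are hypothetical.

```python
import re

# Constructed sample data: documentation-range addresses replace the values
# the poster removed; 203.0.113.146 plays the unknown ".146" host.
RUNNING_CONFIG = """\
crypto map VPNMAP 11 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TSLVPN
 match address 101
"""
SHOW_CRYPTO_SESSION = """\
Interface: FastEthernet0
Session status: DOWN
Peer: 198.51.100.20 port 500
  IPSEC FLOW: permit ip 10.1.0.0/255.255.255.0 10.2.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0
Session status: DOWN-NEGOTIATING
Peer: 203.0.113.146 port 500
  IKE SA: local 192.0.2.10/500 remote 203.0.113.146/500 Inactive
  IKE SA: local 192.0.2.10/500 remote 203.0.113.146/500 Inactive
"""

PEER_RE = re.compile(r"^\s*set peer (\S+)", re.M)
SESSION_PEER_RE = re.compile(r"^\s*Peer: (\S+) port \d+", re.M)
IKE_SA_RE = re.compile(r"^\s*IKE SA: local \S+?/\d+ remote (\S+?)/\d+ \w+", re.M)

def configured_peers(config):
    """Addresses the crypto map is allowed to negotiate with."""
    return set(PEER_RE.findall(config))

def unexpected_ike_peers(config, session_output):
    """Map each remote that is not a configured peer to its IKE SA row count."""
    allowed = configured_peers(config)
    counts = {}
    for remote in IKE_SA_RE.findall(session_output):
        if remote not in allowed:
            counts[remote] = counts.get(remote, 0) + 1
    # A session can list an unknown Peer before any IKE SA row appears.
    for peer in SESSION_PEER_RE.findall(session_output):
        if peer not in allowed:
            counts.setdefault(peer, 0)
    return counts

if __name__ == "__main__":
    found = unexpected_ike_peers(RUNNING_CONFIG, SHOW_CRYPTO_SESSION)
    for ip, rows in found.items():
        print(f"{ip}: {rows} IKE SA rows, not a 'set peer' address")
```

Any address it reports is a candidate for the inbound deny ACL described in the reply above.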