VPN Setup


  • VPN Setup

    I am trying to set up a site-to-site VPN. Site A router is 79.129.63.208, site B router is 213.249.2.6. The server 10.0.0.50 at site A should exchange data with network 10.10.33.0/24 at site B.

    The tunnel is not established. I get the state "MM_NO_STATE". Below is the configuration for site A (only important code). Is the deny ACL correct? Server and network to the other end belong to different subnets.
    Any suggestions?

    !
    !
    crypto isakmp policy 1
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key [email protected] address 213.249.2.6
    !
    !
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec df-bit clear
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to 213.249.2.6
    set peer 213.249.2.6
    set transform-set ESP-DES-MD5
    match address 104
    !
    !
    !
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    !
    interface ATM0
    no ip address
    no snmp trap link-status
    no atm ilmi-keepalive
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    description Connection to firewall
    ip address 10.0.0.100 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1352
    no ip mroute-cache
    !
    interface Dialer1
    mtu 1392
    bandwidth 1024
    ip address 79.129.63.208 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname [email protected]
    ppp chap password 0 p3668z1
    ppp pap sent-username [email protected] password 0 p3668z1
    crypto map SDM_CMAP_1
    !
    interface Dialer0
    ip address 194.219.211.144 255.255.255.0
    shutdown
    no cdp enable
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 10.0.0.50 3389 interface Dialer1 3389
    ip nat inside source static udp 10.0.0.50 1000 interface Dialer1 1000
    ip nat inside source static 192.168.0.10 interface Dialer1
    ip nat inside source static tcp 192.168.0.10 25 interface Dialer1 25
    ip nat inside source static tcp 192.168.0.10 110 interface Dialer1 110
    ip nat inside source static tcp 192.168.0.10 21 interface Dialer1 21
    ip nat inside source static tcp 192.168.0.10 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
    ip nat inside source static tcp 192.168.0.1 23 interface Dialer1 23
    ip nat inside source static tcp 10.0.0.50 3724 interface Dialer1 3724
    ip nat inside source static tcp 10.0.0.50 22001 interface Dialer1 22001
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    !
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    access-list 104 deny ip host 10.0.0.50 10.10.33.0 0.0.0.255
    access-list 104 permit ip 10.0.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 104
    set ip next-hop 213.249.2.6
    !

  • #2
    Re: VPN Setup

    Phase I is not coming up.
    Check whether your settings at both ends match.

    Otherwise try running debug crypto isakmp to see where it's going wrong.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: VPN Setup

      Dear Dumper,

      The other end had been set up by the ISP provider. They say all parameters are the same. I have already tried "debug crypto isakmp sa", this is how I found out the "MM_NO_STATE".

      Is "access-list 104 deny ip host 10.0.0.50 10.10.33.0 0.0.0.255" correct? Is the mask (0.0.0.255) correct?



      • #4
        Re: VPN Setup

        Dear Dumber,

        on top of that, I found out that if I ping my static IP (79.129.63.20 from outside I can't reach the router BUT if I tracert I reach the router...

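Posts #1 and #3 ask whether the deny entry in ACL 104 and its 0.0.0.255 wildcard match the flow from the server to the site B network. The Python sketch below is an added example, not code from any poster: it evaluates ACL 104 exactly as posted using IOS first-match and wildcard-mask semantics. The probe addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# ACL 104 exactly as posted in the thread.
ACL_104 = """\
access-list 104 deny ip host 10.0.0.50 10.10.33.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
"""

def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return (int(ipaddress.IPv4Address(first)),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+ip\s+(.*)", line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        src = _addr_spec(tokens)
        dst = _addr_spec(tokens)
        entries.append((m.group(1), src, dst))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(entries, src, dst):
    """Return (action, entry number) of the first match, like IOS does."""
    for number, (action, s, d) in enumerate(entries, 1):
        if _matches(src, s) and _matches(dst, d):
            return action, number
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_104)
    # Constructed probe flows: server to site B, another LAN host to site B,
    # and the server to an unrelated documentation address.
    for src, dst in [("10.0.0.50", "10.10.33.7"), ("10.0.0.51", "10.10.33.7"),
                     ("10.0.0.50", "198.51.100.9")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

The wildcard 0.0.0.255 does cover every host in 10.10.33.0/24, so the server-to-site-B flow hits the deny entry first. In an IOS crypto map ACL, permit entries select traffic for IPsec protection and deny entries exclude it, whereas in a NAT route-map a deny exempts traffic from translation; the posted configuration references ACL 104 from both.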