VPN Setup

  • VPN Setup

    I am trying to set up a site-to-site VPN. Site A router is, site B router is The server to site A should exchange data with network to site B.

    The tunnel is not established. I get the state "MM_NO_STATE". Below is the configuration for site A (only important code). Is the deny ACL correct? Server and network to the other end belong to different subnets.
    Any suggestions?

    crypto isakmp policy 1
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key [email protected] address
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec df-bit clear
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to
    set peer
    set transform-set ESP-DES-MD5
    match address 104
    interface BRI0
    no ip address
    encapsulation hdlc
    interface ATM0
    no ip address
    no snmp trap link-status
    no atm ilmi-keepalive
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    description Connection to firewall
    ip address
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1352
    no ip mroute-cache
    interface Dialer1
    mtu 1392
    bandwidth 1024
    ip address
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname [email protected]
    ppp chap password 0 p3668z1
    ppp pap sent-username [email protected] password 0 p3668z1
    crypto map SDM_CMAP_1
    interface Dialer0
    ip address
    no cdp enable
    ip classless
    ip route Dialer1
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 3389 interface Dialer1 3389
    ip nat inside source static udp 1000 interface Dialer1 1000
    ip nat inside source static interface Dialer1
    ip nat inside source static tcp 25 interface Dialer1 25
    ip nat inside source static tcp 110 interface Dialer1 110
    ip nat inside source static tcp 21 interface Dialer1 21
    ip nat inside source static tcp 80 interface Dialer1 80
    ip nat inside source static tcp 1723 interface Dialer1 1723
    ip nat inside source static tcp 23 interface Dialer1 23
    ip nat inside source static tcp 3724 interface Dialer1 3724
    ip nat inside source static tcp 22001 interface Dialer1 22001
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    access-list 101 permit ip any
    access-list 104 deny ip host
    access-list 104 permit ip any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 104
    set ip next-hop

  • #2
    Re: VPN Setup

    Phase I is not coming up.
    Check your settings at both ends to see if they match.

    Otherwise try running debug crypto isakmp to see where it's going wrong.
    Technical Consultant

    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"


    • #3
      Re: VPN Setup

      Dear Dumper,

      The other end had been set up by the ISP provider. They say all parameters are the same. I have already tried "debug crypto isakmp sa", this is how I found out the "MM_NO_STATE".

      Is "access-list 104 deny ip host" correct? Is the mask ( correct?


      • #4
        Re: VPN Setup

        Dear Dumber,

        On top of that, I found out that if I ping my static IP ( from outside I can't reach the router, BUT if I tracert I reach the router...
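
The config in the first post uses access list 104 both as the crypto map's `match address` and as the match in the NAT route-map, and it selects DES, MD5 and DH group 2. The Python check below is an added example, not part of the original thread or of any Cisco tool, and flags those points in an IOS-style config. The sample config, its addresses and the finding strings are constructed for illustration, and it assumes sub-commands are indented as in `show running-config` output.

```python
import re

# Constructed sample shaped like the posted config; addresses are placeholders.
SAMPLE = """\
crypto isakmp policy 1
 hash md5
 group 2
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 104
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
access-list 104 deny ip host 10.1.1.10 10.2.2.0 0.0.0.255
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 104
"""
WEAK = re.compile(r"\b(esp-des|esp-md5-hmac|hash md5|group [12])\b")

def audit(config):
    """Return sorted findings for an IOS-style config with indented sub-commands."""
    crypto_acls, rmap_acls, nat_rmaps, first = set(), {}, set(), {}
    findings, section = set(), ""
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():
            section = line  # an unindented command opens a new section
        if section.startswith("crypto "):
            findings.update("weak: " + t for t in WEAK.findall(line))
        if m := re.match(r"access-list (\d+) (permit|deny)\b", line):
            first.setdefault(m[1], m[2])  # remember each ACL's first action
        if m := re.match(r"ip nat inside source route-map (\S+)", line):
            nat_rmaps.add(m[1])
        if m := re.match(r"match (?:ip )?address (\S+)", line):
            if section.startswith("crypto map"):
                crypto_acls.add(m[1])
            elif section.startswith("route-map"):
                rmap_acls.setdefault(section.split()[1], set()).add(m[1])
    nat_acls = set().union(*(rmap_acls.get(r, set()) for r in nat_rmaps))
    for acl in crypto_acls:
        # VPN traffic needs permit in the crypto ACL (protect it) but deny in
        # the NAT ACL (exempt it from translation), so one ACL cannot do both.
        if acl in nat_acls:
            findings.add(f"acl {acl}: shared by crypto map and NAT route-map")
        if first.get(acl) == "deny":
            findings.add(f"acl {acl}: crypto ACL starts with deny")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Pointing the crypto map at a separate access list that permits only the server-to-remote-network traffic clears both ACL findings; the weak-algorithm findings remain until both peers agree on stronger proposals.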