VPN doesn't turn to state up.

  • VPN doesn't turn to state up.

    Hi everybody!

    I'm trying to set up a site-to-site VPN between 2 Cisco 851W. This is my configuration:

    LAN ---- 192.168.1.0 ---- 192.168.1.254 | cisco 851W (Lievin) | ip negotiated -------- modem D-Link (bridged)
                                                        |
                                                     Internet
                                                        |
    modem D-Link (bridged) --------- ip negotiated | cisco 851W (Lens) | 192.168.2.254 ---- 192.168.2.0 ---- LAN



    From each side, I can access the Internet and ping the remote router. I think I've correctly configured my VPN access, but it definitely remains in the down state....

    Here are my 2 configs. If someone can see if something is missing, it would be a great help.

    Thanks a lot

    Lievin:

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Lievin
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    clock timezone Paris 1
    !
    crypto pki trustpoint TP-self-signed-1955653872
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1955653872
    revocation-check none
    rsakeypair TP-self-signed-1955653872
    !
    !
    crypto pki certificate chain TP-self-signed-1955653872
    certificate self-signed 01
    30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    -------------------------------------------------------------
    D71A4111 82E83B6B 447C3530 91EED074 47F339DE BECD
    quit
    dot11 syslog
    !
    dot11 ssid Lievin
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii 0 xxxxxxx
    !
    no ip source-route
    !
    !
    ip cef
    no ip domain lookup
    ip domain name xxxxxx
    ip name-server 192.168.1.x
    ip name-server 80.10.246.2
    !
    !
    !
    username aramys privilege 15 secret 5 $1$Lv3Y$6DXkmcQpaFjqv.IwmMWLy.
    !
    !
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 5
    lifetime 28800
    crypto isakmp key xxxxxx address 80.x.x.x
    crypto isakmp fragmentation
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 20 periodic
    crypto isakmp nat keepalive 20
    !
    crypto ipsec security-association idle-time 86400
    !
    crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description tunnel vers Lens
    set peer 80.x.x.x
    set transform-set esp-aes-sha
    match address 101
    !
    archive
    log config
    hidekeys
    !
    !
    !
    bridge irb
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    !
    interface Dot11Radio0
    no ip address
    !
    encryption vlan 1 mode ciphers tkip
    !
    broadcast-key vlan 1 change 30
    !
    !
    ssid Lievin
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    no ip address
    ip tcp adjust-mss 1452
    bridge-group 1
    !
    interface Dialer0
    ip address negotiated
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname fti/xxxxx
    ppp chap password 0 xxxxx
    ppp pap sent-username fti/xxxxx password 0 xxxxx
    crypto map SDM_CMAP_1
    !
    interface BVI1
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1412
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 193.253.160.3
    ip route 0.0.0.0 0.0.0.0 80.x.x.x
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat source static tcp 192.168.1.254 25 interface Dialer0 25
    ip nat source static tcp 192.168.1.254 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.x.x 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.x.x 3389 interface Dialer0 3389
    ip nat inside source static tcp 192.168.x.x 25 interface Dialer0 25
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 100
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
    login local
    no modem enable
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000

    Lens:

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Lens
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 52000
    !
    no aaa new-model
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    !
    crypto pki trustpoint TP-self-signed-2475623011
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2475623011
    revocation-check none
    rsakeypair TP-self-signed-2475623011
    !
    !
    crypto pki certificate chain TP-self-signed-2475623011
    certificate self-signed 01
    30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    ---------------------------------------------------------------------
    B4E6B3BF DF300723 86EF1441 4293FC38 67D76938
    quit
    dot11 syslog
    !
    dot11 ssid AllianceLens
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii 0 xxxxx
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.2.1 192.168.2.9
    ip dhcp excluded-address 192.168.2.51 192.168.2.254
    !
    ip dhcp pool sdm-pool
    import all
    network 192.168.2.0 255.255.255.0
    dns-server 192.168.1.x 80.10.246.2
    default-router 192.168.2.254
    !
    !
    ip cef
    ip domain name xxxxxx
    ip name-server 192.168.1.x
    ip name-server 80.10.246.2
    !
    !
    !
    username aramys privilege 15 secret 5 $1$Y5y3$WE37AMPgScQ354Mdq3BQY.
    !
    !
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 5
    lifetime 28800
    crypto isakmp key xxxxxx address 80.x.x.x
    crypto isakmp fragmentation
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 20 periodic
    crypto isakmp nat keepalive 20
    !
    crypto ipsec security-association idle-time 86400
    !
    crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    set peer 80.x.x.x
    set transform-set esp-aes-sha
    match address 101
    !
    archive
    log config
    hidekeys
    !
    !
    !
    bridge irb
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    description $ETH-WAN$
    no ip address
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    !
    interface Dot11Radio0
    no ip address
    !
    encryption vlan 1 mode ciphers tkip
    !
    broadcast-key vlan 1 change 30
    !
    !
    ssid AllianceLens
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    no ip address
    ip tcp adjust-mss 1452
    bridge-group 1
    !
    interface Dialer0
    ip address negotiated
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname fti/xxxxxx
    ppp chap password 0 xxxxxx
    ppp pap sent-username fti/xxxxx password 0 xxxxx
    crypto map SDM_CMAP_1
    !
    interface BVI1
    ip address 192.168.2.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1412
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 193.253.160.3
    ip route 0.0.0.0 0.0.0.0 80.x.x.x
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat source static tcp 192.168.2.254 443 interface Dialer0 443
    ip nat source static tcp 192.168.2.254 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.2.254 80 interface Dialer0 80
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.2.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=18
    access-list 100 permit ip 192.168.2.0 0.0.0.255 any
    access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.2.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 100
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
    login local
    no modem enable
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
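
An added example (not from the thread, and not code from either poster): a small Python checker that parses the crypto-relevant lines of both configs and tests the things that keep a site-to-site IPsec tunnel down even when both routers reach the Internet. It checks that the two crypto ACLs are mirror images, that the transform sets and ISAKMP proposals agree, and that the NAT overload ACL does not catch the LAN-to-LAN traffic first. That last check matters here: IOS applies inside-to-outside NAT before it consults the crypto map, so a flow permitted by ACL 100 leaves with a translated source, never matches crypto ACL 101 and never triggers IKE; the standard remedy is a deny for the remote LAN at the top of the NAT ACL, which the script also demonstrates. The configs inside the script are constructed, abridged copies of the posted ones with the subcommand indentation restored; 203.0.113.1 and 203.0.113.2 are placeholders for the masked 80.x.x.x peer addresses.

```python
import ipaddress

# Constructed, abridged from the two posted configs; 203.0.113.x are placeholder peer addresses.
LIEVIN = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set esp-aes-sha
 match address 101
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""
# Lens is the mirror image: peer address and the two LAN prefixes swapped.
LENS = (LIEVIN.replace("203.0.113.2", "203.0.113.1").replace("192.168.1.", "192.168.9.")
        .replace("192.168.2.", "192.168.1.").replace("192.168.9.", "192.168.2."))

def to_net(tok):
    """Consume one ACL address ('any' or 'ADDR WILDCARD', contiguous wildcard assumed)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    ones = bin(int(ipaddress.ip_address(tok[1]))).count("1")
    return ipaddress.ip_network((tok[0], 32 - ones)), tok[2:]

def parse(text):
    """Pull the crypto-relevant pieces out of an IOS config (subcommands indented one space)."""
    cfg = {"isakmp": {}, "tsets": {}, "cmap": {}, "acls": {}, "rmaps": {}, "nat_acl": None}
    block = None
    for raw in text.splitlines():
        p = raw.split()
        if not p or p[0] == "!":
            continue
        if raw[0] != " ":                               # top-level line ends any open block
            block = None
            if p[:3] == ["crypto", "isakmp", "policy"]:
                block = cfg["isakmp"].setdefault(p[3], {"hash": "sha"})   # IOS default hash
            elif p[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][p[3]] = frozenset(p[4:])
            elif p[:2] == ["crypto", "map"] and "ipsec-isakmp" in p and not cfg["cmap"]:
                block = cfg["cmap"]                     # first ipsec-isakmp entry only
            elif p[0] == "access-list" and p[3:4] == ["ip"]:   # extended 'permit|deny ip SRC DST'
                src, rest = to_net(p[4:])
                cfg["acls"].setdefault(p[1], []).append((p[2], src, to_net(rest)[0]))
            elif p[0] == "route-map":
                block = cfg["rmaps"].setdefault(p[1], [])
            elif p[:4] == ["ip", "nat", "inside", "source"] and p[4] in ("route-map", "list"):
                cfg["nat_acl"] = (p[4], p[5])
        elif isinstance(block, dict):                   # isakmp policy or crypto map subcommand
            block[p[1] if p[0] in ("set", "match") else p[0]] = p[-1]
        elif isinstance(block, list) and p[:3] == ["match", "ip", "address"]:
            block.append(p[3])
    return cfg

def vpn_flows(cfg):
    """(src, dst) networks the crypto ACL marks as interesting traffic."""
    return [(s, d) for a, s, d in cfg["acls"][cfg["cmap"]["address"]] if a == "permit"]

def crypto_acls_mirrored(a, b):
    return {(d, s) for s, d in vpn_flows(a)} == set(vpn_flows(b))

def transform_sets_match(a, b):
    return a["tsets"][a["cmap"]["transform-set"]] == b["tsets"][b["cmap"]["transform-set"]]

def isakmp_policies_match(a, b):
    # Fill in the IOS defaults for lines a policy omits, then look for any common proposal.
    key = lambda pol: (pol.get("encr", "des"), pol["hash"], pol.get("authentication", "rsa-sig"), pol.get("group", "1"))
    return any(key(x) == key(y) for x in a["isakmp"].values() for y in b["isakmp"].values())

def nat_translated_vpn_flows(cfg):
    """VPN flows whose first match in the NAT overload ACL is a permit: IOS translates them
    before it consults the crypto map, so they never match the crypto ACL or trigger IKE."""
    kind, name = cfg["nat_acl"]
    acl = name if kind == "list" else cfg["rmaps"][name][0]
    hits = []
    for src, dst in vpn_flows(cfg):
        for action, asrc, adst in cfg["acls"].get(acl, []):
            if src.subnet_of(asrc) and dst.subnet_of(adst):
                if action == "permit":
                    hits.append(f"{src} -> {dst}")
                break
    return hits

def add_nat_exemption(text, acl, src, dst):
    """Insert the usual NAT-exemption deny ahead of the overload ACL's first permit."""
    marker = f"access-list {acl} permit"
    return text.replace(marker, f"access-list {acl} deny ip {src} {dst}\n{marker}", 1)

if __name__ == "__main__":
    a, b = parse(LIEVIN), parse(LENS)
    print("mirrored:", crypto_acls_mirrored(a, b), "tsets:", transform_sets_match(a, b), "isakmp:", isakmp_policies_match(a, b))
    print("Lievin VPN flows translated by NAT:", nat_translated_vpn_flows(a))
    fixed = add_nat_exemption(LIEVIN, "100", "192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255")
    print("after NAT exemption:", nat_translated_vpn_flows(parse(fixed)))
```

Run as-is, the first three checks pass for the posted pair and the NAT check flags 192.168.1.0/24 -> 192.168.2.0/24 on Lievin (and the reverse flow on Lens); after the deny is inserted the list is empty. On the routers themselves, `show crypto isakmp sa` and `show crypto ipsec sa` confirm whether phase 1 completes and whether the encaps/decaps counters move once LAN-to-LAN traffic is sent.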

  • #2
    Re: VPN doesn't turn to state up.

    It looks like there's no traffic going through...
    In the upper network asset,
    please copy-paste

    conf t
    int Di0
    ip access-group 100 in

    This allows traffic from the B-end network over to the A-end network.

    And on the lower config (other ACL number):

    conf t
    int Di0
    ip access-group 101 in

    That should do the trick.
