site to site VPN

I can't make this work. I have no idea why.

I have configured a couple of site-to-site VPNs, but this one I can't get working.

 

R8

Router#show run
Building configuration...

Current configuration : 1296 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
boot system c2600-advipservicesk9-mz.124-15.T1.bin
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key battlefieldjenej address 50.50.50.1
!
!
!
crypto ipsec transform-set FILIP esp-3des esp-md5-hmac
!
crypto map PETR 1 ipsec-isakmp
 set peer 50.50.50.1
 set transform-set FILIP
 match address R1_TO_R3
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 60.60.60.2 255.0.0.0
 ip nat outside
 duplex auto
 speed auto
 crypto map PETR
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 50.0.0.0 255.0.0.0 60.60.60.1
!
ip flow-export version 9
!
!
ip access-list extended R1_TO_R3
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end


R7

Router#show run
Building configuration...

Current configuration : 1286 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
boot system c2600-advipservicesk9-mz.124-15.T1.bin
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key battlefieldjenej address 60.60.60.2
!
!
!
crypto ipsec transform-set FILIP esp-3des esp-md5-hmac
!
crypto map PETR 1 ipsec-isakmp
 set peer 60.60.60.2
 set transform-set FILIP
 match address R1_TO_R3
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 50.50.50.1 255.0.0.0
 ip nat outside
 duplex auto
 speed auto
 crypto map PETR
!
interface FastEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 60.0.0.0 255.0.0.0 50.50.50.2
!
ip flow-export version 9
!
!
ip access-list extended R1_TO_R3
 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Comments

  • On a fast look, the crypto configuration looks correct, and the traffic to be IPsec protected is also excluded from the NAT process; if the attached config also outlines your routing, the problem is that crypto does not even kick in, as you don't have routing for the VPN-protected subnets 192.168.100.0/24 and 192.168.200.0/24. If routing is being done by other means, check whether it fails on Phase 1 or Phase 2.

  • I agree with Cristian. What's triggering the site-to-site traffic to route to each other? Replace your statics with default routes and this should be fine. What's the outcome of sh crypto isakmp sa? If there's nothing there then it's not even trying. You can confirm that with a debug on crypto isakmp. Or create tunnels and route over those and use the GRE traffic as the trigger for the VPN creation.

  • Yes guys, you're right. I was missing a default route. I can't believe I made this mistake. Thank you.
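The two replies above come down to one check: a crypto map only fires when a packet for the remote LAN is actually routed out the interface the map is bound to, so with no route to 192.168.100.0/24 on R8 (and none to 192.168.200.0/24 on R7) the packets are dropped before crypto ever sees them and sh crypto isakmp sa stays empty. The Python script below is an added example, not code from the thread or from Cisco: it parses a constructed, abridged copy of the two posted configs, reports every crypto-ACL destination (and the peer address) that no connected network or static route covers, shows the report clearing once the default route the thread settled on is added, and cross-checks the PSK, peer addresses and crypto ACLs between the two ends. The function names (parse_config, unroutable_crypto_destinations, peer_mismatches) and the SITE template are my own; the addresses, ACL and key string are the ones in the post.

```python
"""Lint a pair of IOS site-to-site IPsec configs for the failure in this thread:
PSK, crypto map and NAT exemption look right, but nothing ever matches the
crypto ACL because the router has no route toward the remote LAN."""
import ipaddress
import re

def _wild_to_net(addr, wildcard):
    """IOS ACLs use wildcard masks (inverted netmasks)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Pull out the pieces that decide whether a site-to-site tunnel can form."""
    cfg = {"connected": [], "routes": [], "acls": {}, "crypto_maps": [], "keys": {}}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if re.match(r"interface \S+", line):
            section = "iface"
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and section == "iface":
            cfg["connected"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
        elif m := re.match(r"ip access-list extended (\S+)", line):
            section, current = "acl", cfg["acls"].setdefault(m[1], [])
        elif (m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)) and section == "acl":
            current.append((_wild_to_net(m[1], m[2]), _wild_to_net(m[3], m[4])))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            section, current = "cmap", {"name": m[1]}
            cfg["crypto_maps"].append(current)
        elif (m := re.match(r"(set peer|match address) (\S+)", line)) and section == "cmap":
            current["peer" if m[1] == "set peer" else "acl"] = m[2]
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m[2]] = m[1]
    return cfg

def _reachable(dest, cfg):
    """True if a connected network or static route covers dest (a default route covers all)."""
    return any(dest.subnet_of(n) for n in cfg["connected"] + [r for r, _ in cfg["routes"]])

def unroutable_crypto_destinations(cfg):
    """Remote networks the crypto map should protect (plus the peer itself) that no
    route covers. Packets for these never reach the crypto map, so ISAKMP is never
    attempted and 'show crypto isakmp sa' stays empty."""
    missing = []
    for cmap in cfg["crypto_maps"]:
        targets = [dst for _src, dst in cfg["acls"].get(cmap["acl"], [])]
        targets.append(ipaddress.ip_network(cmap["peer"]))
        for net in targets:
            if not _reachable(net, cfg) and net not in missing:
                missing.append(net)
    return missing

def peer_mismatches(cfg_a, addr_a, cfg_b, addr_b):
    """Cross-check both ends: same PSK keyed on each other's WAN address, crypto
    maps pointing at each other, and crypto ACLs that are exact mirror images."""
    problems = []
    if cfg_a["keys"].get(addr_b) is None or cfg_a["keys"].get(addr_b) != cfg_b["keys"].get(addr_a):
        problems.append("pre-shared key missing or differs")
    map_a, map_b = cfg_a["crypto_maps"][0], cfg_b["crypto_maps"][0]
    if map_a["peer"] != addr_b or map_b["peer"] != addr_a:
        problems.append("crypto map peers do not point at each other")
    mirrored = sorted((dst, src) for src, dst in cfg_b["acls"][map_b["acl"]])
    if sorted(cfg_a["acls"][map_a["acl"]]) != mirrored:
        problems.append("crypto ACLs are not mirror images")
    return problems

# Constructed, abridged form of the two configs in the post: one template, two sites.
SITE = """
crypto isakmp key battlefieldjenej address {peer}
crypto map PETR 1 ipsec-isakmp
 set peer {peer}
 match address R1_TO_R3
interface FastEthernet0/0
 ip address {wan} 255.0.0.0
 crypto map PETR
interface FastEthernet0/1
 ip address {lan}.1 255.255.255.0
ip route {peer_block} 255.0.0.0 {nexthop}
ip access-list extended R1_TO_R3
 permit ip {lan}.0 0.0.0.255 {remote_lan}.0 0.0.0.255
"""
R8 = SITE.format(peer="50.50.50.1", wan="60.60.60.2", lan="192.168.200",
                 remote_lan="192.168.100", peer_block="50.0.0.0", nexthop="60.60.60.1")
R7 = SITE.format(peer="60.60.60.2", wan="50.50.50.1", lan="192.168.100",
                 remote_lan="192.168.200", peer_block="60.0.0.0", nexthop="50.50.50.2")
# The fix the thread converged on: a default route makes the remote LAN routable.
R8_FIXED = R8 + "ip route 0.0.0.0 0.0.0.0 60.60.60.1\n"

if __name__ == "__main__":
    r8, r7 = parse_config(R8), parse_config(R7)
    print("R8 cannot route to:", unroutable_crypto_destinations(r8))  # [192.168.100.0/24]
    print("R8 with default route:", unroutable_crypto_destinations(parse_config(R8_FIXED)))  # []
    print("cross-check:", peer_mismatches(r8, "60.60.60.2", r7, "50.50.50.1"))  # []
```

The route check treats a specific static (ip route 192.168.100.0 255.255.255.0 60.60.60.1) the same as the default route, so either fix clears the report; the default route is simply what the thread settled on. The script checks reachability and symmetry only, not cipher strength: the posted policy (3DES, MD5, DH group 2) is fine for a lab, but for production those algorithms are deprecated and AES with a SHA-2 HMAC and a larger DH group should be used on both ends.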
