Channel: Comments on: Lan-to-Lan IPSEC VPN Between Cisco Routers – Configuration Example

By: Steve

Thanks for the reply.

First of all, the static route can be removed, that I know, but it should not interfere with the config, right?

The tunnel does not come up; it stays down.
And I get the error which I can’t find the answer to:
“No peer struct to get peer description”

So there is not even a chance to check traffic or ping because the tunnel stays down.
It only works for me when I put in permit ip any any.

So that is what I can’t figure out: why it only works with the permit ip any any and not with the rule intended for this ACL.

regards,

Steve


By: BlogAdmin

Can you send us a debug output? Use “debug crypto isakmp” and then clear the VPN tunnel using: “clear crypto isakmp sa” and “clear crypto ipsec sa”. Then send over the debug output.

By: Steve

Ok Blogadmin thanks very much for the time and support.

I figured out what the problem was. When configured as it should be, with the correct ACL for the crypto map, the VPN stayed down until I generated traffic from the source behind the VPN router. In my case the VPN came up without errors when I generated traffic from 172.16.10.2. So all along the reason my VPN stayed down was that there was no traffic.

thanks again,

Steve

By: Aline

I would like to know if someone has already configured a VPN with two balanced links. How can I configure it if the interfaces are FastEthernet? I can't configure multilink, so I'll have two IP addresses, but I need one IP address to configure the VPN peer.

By: Dave

There should not be any problem configuring the VPN if the two interfaces are FastEthernet.

By: Kunal

I have followed this guide as well as several others and set up both my routers according to them, but for some reason I cannot see any connection when I do show crypto isakmp sa. I have tried sending traffic from PCs connected to the LAN interfaces but nothing ever comes up. I have the map set on the correct interface and do get the message that ISAKMP is on, but neither side shows anything.

By: Kunal

This is the config for the above mentioned question:

version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router_A
!
boot-start-marker
boot-end-marker
!
memory-size iomem 10
no aaa new-model
ip subnet-zero
ip cef
!
ip dhcp pool LANClients
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip audit po max-events 100
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key cisco123 address aaa.bbb.ccc.ddd
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer aaa.bbb.ccc.ddd
set transform-set aes-sha-transform
match address acl_vpn
!
interface Ethernet0/0
description connected to Internet
ip address ddd.ccc.bbb.aaa 255.255.255.224
ip nat outside
half-duplex
crypto map aesmap
!
interface Ethernet0/1
description connected to EthernetLAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
half-duplex
!
router rip
version 2
passive-interface Ethernet0/0
network 192.168.2.0
no auto-summary
!
ip nat pool POOL1 ddd.ccc.bbb.aaa ddd.ccc.bbb.aaa prefix-length 30
ip nat inside source list 1 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
ip access-list extended acl_nat
deny ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.141.0.0 0.0.255.255

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_B
!
boot-start-marker
boot-end-marker
!
memory-size iomem 10
no aaa new-model
ip subnet-zero
ip cef
!
ip dhcp excluded-address 10.141.185.1 10.141.185.99
ip dhcp excluded-address 10.141.185.150 10.141.185.255
!
ip dhcp pool Clients
network 10.141.185.0 255.255.255.0
default-router 10.141.185.1
!
ip audit po max-events 100
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key cisco123 address ddd.ccc.bbb.aaa
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer ddd.ccc.bbb.aaa
set transform-set aes-sha-transform
match address acl_vpn
!
interface Ethernet0/0
description connected to Internet
ip address aaa.bbb.ccc.ddd 255.255.255.192
ip nat outside
half-duplex
crypto map aesmap
!
interface Ethernet0/1
description connected to EthernetLAN
ip address 10.141.185.1 255.255.255.0
ip nat inside
half-duplex
!
ip nat pool POOL1 aaa.bbb.ccc.ddd aaa.bbb.ccc.ddd prefix-length 30
ip nat inside source list 1 interface Ethernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
ip access-list extended acl_nat
deny ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 10.141.185.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 1 permit 10.141.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
!

By: Blog Admin

My friend, you have not followed exactly the configuration as shown in my post. You must exclude the VPN traffic from NAT:

ip nat inside source list acl_nat interface Ethernet0/0 overload


By: Kunal

Admin,

Thanks for the quick reply.

I would like to say I am brand new to Cisco IOS so please forgive my stupidity (past or future).

I added the entry on both routers and still have no activity.
The command show crypto isakmp sa still shows nothing. I’ve tried sending ping packets to initiate traffic but no luck. Is there anything else I have to do on the routers themselves?

By: SamAwatif

Man, many many thanks. I was confused as to how to go about allowing an IPsec tunnel while using NAT, since IPsec traffic can’t be NATed. I’ve read other blogs but couldn’t get my head around it :-( but your description & config made it a breeze.. GOD BLESS :-)

By: BlogAdmin

You must have identical but mirrored access lists on the two end IPsec routers. If on the first router you have “permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255” then on the second router you must have “permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255”.

Make sure also that you reference the correct acl name inside your crypto map.
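The two points the admin raises in this thread, excluding the VPN traffic from NAT (the ip nat inside source list acl_nat correction a few replies up) and keeping the crypto ACLs on the two sites exact mirrors of each other, can both be checked mechanically before the tunnel is brought up. The script below is an added example written for this page; it is not code from the blog, from the commenters or from Cisco. It parses the relevant lines of an IOS config snippet (named extended ACLs with ip entries, numbered standard ACLs, the NAT source list and the crypto map's match address), flags crypto-ACL traffic that the NAT ACL would still translate, and verifies that the two sites' crypto ACLs are reverses of each other. The sample snippets are constructed: they reuse the subnets and ACL names from the Router_A/Router_B configs posted earlier in the thread, with everything not needed for the check stripped out.

```python
import ipaddress
import re
from collections import namedtuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
AclEntry = namedtuple("AclEntry", "action src dst")  # action is "permit" or "deny"


def _parse_addr(tokens, i):
    """IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'
    (wildcard mask). Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[i]}/{mask}", strict=False), i + 2


def parse_config(text):
    """Collect named extended ACLs (ip entries only), numbered standard ACLs, the
    NAT source list and the crypto map's 'match address' ACL from a config snippet."""
    cfg = {"acls": {}, "nat_list": None, "crypto_acl": None}
    current = None  # name of the named ACL whose entries we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list extended (\S+)$", line):
            current = m.group(1)
            cfg["acls"].setdefault(current, [])
            continue
        if m := re.match(r"access-list (\d+) (permit|deny) (.+)$", line):
            src, _ = _parse_addr(m.group(3).split(), 0)  # standard ACL: source only
            cfg["acls"].setdefault(m.group(1), []).append(AclEntry(m.group(2), src, ANY))
            continue
        if current and (m := re.match(r"(permit|deny) ip (.+)$", line)):
            toks = m.group(2).split()
            src, i = _parse_addr(toks, 0)
            dst, _ = _parse_addr(toks, i)
            cfg["acls"][current].append(AclEntry(m.group(1), src, dst))
            continue
        if m := re.match(r"ip nat inside source list (\S+) ", line):
            cfg["nat_list"] = m.group(1)
        if m := re.match(r"match address (\S+)", line):
            cfg["crypto_acl"] = m.group(1)
        if not line.startswith(("permit", "deny")):
            current = None  # any other line ends the named-ACL block
    return cfg


def first_match(acl, src, dst):
    """IOS evaluates ACLs top-down and the first match wins; None if nothing matches."""
    return next((e for e in acl if src.subnet_of(e.src) and dst.subnet_of(e.dst)), None)


def check_nat_exemption(cfg):
    """Crypto-ACL permit pairs that the NAT ACL would translate instead of exempting,
    which is the mistake the admin points out in this thread."""
    nat = cfg["acls"].get(cfg["nat_list"], [])
    findings = []
    for e in cfg["acls"].get(cfg["crypto_acl"], []):
        hit = first_match(nat, e.src, e.dst)
        if e.action == "permit" and hit is not None and hit.action == "permit":
            findings.append(f"{e.src} -> {e.dst} is translated by NAT list {cfg['nat_list']}")
    return findings


def check_mirrored(cfg_a, cfg_b):
    """True when the permits in A's crypto ACL are exactly the reverse of B's."""
    a = cfg_a["acls"].get(cfg_a["crypto_acl"], [])
    b = cfg_b["acls"].get(cfg_b["crypto_acl"], [])
    return ({(e.src, e.dst) for e in a if e.action == "permit"}
            == {(e.dst, e.src) for e in b if e.action == "permit"})


# Constructed samples shaped like the Router_A / Router_B snippets posted in this
# thread (subnets and ACL names kept, everything else reduced); not real configs.
ROUTER_A_BROKEN = """
crypto map aesmap 10 ipsec-isakmp
 match address acl_vpn
ip nat inside source list 1 interface Ethernet0/0 overload
ip access-list extended acl_nat
 deny ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
"""
ROUTER_A_FIXED = ROUTER_A_BROKEN.replace("source list 1 ", "source list acl_nat ")
ROUTER_B = """
crypto map aesmap 10 ipsec-isakmp
 match address acl_vpn
ip nat inside source list acl_nat interface Ethernet0/0 overload
ip access-list extended acl_nat
 deny ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.141.185.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
```

Run check_nat_exemption(parse_config(ROUTER_A_BROKEN)) and it reports the 192.168.2.0/24 to 10.141.185.0/24 pair as translated by list 1, because the numbered list only has permits; the same call on ROUTER_A_FIXED returns nothing, since the deny in acl_nat is the first entry that matches the VPN pair. Ordering matters: first_match stops at the first entry covering both addresses, so a deny placed after a broader permit would not exempt anything. The mirror check compares structure only: two sites that both carry permit ip any any (Steve's workaround further down the thread) pass it, so it confirms that the ACLs agree, not that they are as narrow as they should be.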

By: Steve

Hi, thanks for the response. I have the correct ACL in the crypto map and they are mirrored, but I still get the error “No peer struct to get peer description”. It only works when I set the ACL to permit ip any any; it works fine then, but it should work with the ACL as in the example and it doesn’t.
Don’t know what I’m missing.

regards,

steve

By: BlogAdmin

Steve,

Can you please post the part of your configuration related to the IPsec VPN? I need to see it in order to help you.

Thanks

By: Steve

Router-A

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router A
!
boot-start-marker
boot-end-marker
resource policy
!
no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
no ip dhcp use vrf connected
ip vrf vpn
ip cef
no ip ips deny-action ips-interface
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address 80.x.x.x
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 80.x.x.x
set transform-set 3DES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
!
interface FastEthernet0/0
description connected to Internet
ip address 81.x.x.x 255.255.255.248
duplex auto
speed auto
crypto map VPN-Map-1
!
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
ip default-gateway 81.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 81.x.x.x
!
!
ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
WITH THIS LINE IT DOES NOT WORK
permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
WITH THIS LINE IT WORKS
permit ip any any

ip access-list extended Internet-inbound-ACL
permit udp host 80.x.x.x any eq isakmp
permit esp host 80.x.x.x any
permit udp host 80.x.x.x any eq non500-isakmp
permit ahp host 80.x.x.x any
!
control-plane
!

Router-B

version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router B
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
ip tcp synwait-time 10
no ip ips deny-action ips-interface
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 81.x.x.x
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 81.x.x.x
set transform-set 3DES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
interface FastEthernet0/0
description connected to Internet
ip address 80.x.x.x 255.255.255.224
ip virtual-reassembly
speed auto
full-duplex
crypto map VPN-Map-1
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 172.16.10.1 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
!
ip default-gateway 80.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 80.x.x.x
ip route 172.16.10.2 255.255.255.255 FastEthernet0/1
!
ip http server
no ip http secure-server
!
ip access-list extended Crypto-list

WITH THIS LINE IT DOES NOT WORK
permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255

WITH THIS LINE IT WORKS
permit ip any any

ip access-list extended Internet-inbound-ACL
permit udp host 81.x.x.x any eq isakmp
permit esp host 81.x.x.x any
permit udp host 81.x.x.x any eq non500-isakmp
permit ahp host 81.x.x.x any
!
logging trap debugging

control-plane

!
scheduler allocate 4000 1000
end

By: BlogAdmin

The only strange thing in your configuration is the static route on Router B which points to an internal host:
ip route 172.16.10.2 255.255.255.255 FastEthernet0/1
The above is not required. Other than that, everything else looks OK. When you say it does not work, what do you mean? The tunnel does not come up? The traffic does not pass through the tunnel? How do you test whether it works or not? Using just ping? Try to send actual traffic from one subnet to the other and not just pinging. Let me know how it goes.


By: Gagan

I'm very new to Cisco. Can you help me with this? I have to configure a site-to-site VPN with 2 Cisco routers. Router A uses an ADSL internet connection (dynamic IP address, ADSL modem LAN port connected to fe0 in bridge mode). Router A's internal subnet 172.16.1.0/24 is connected on fe1. Router B uses a broadband (RJ45) internet connection (dynamic IP address) connected on fe0. Router B's internal subnet 192.168.1.0/24 is connected on fe1. Both routers have NAT overload enabled.
Thanks

By: Blog Admin

By: Tim

Hi, I followed the instructions. Once I got UP-Idle; once I cleared the session, the status went from negotiating to DOWN, and I keep getting: No peer struct to get peer description

can you please shed some light?

By: Blog Admin

Tim,
This might have to do with your VPN ACL which is applied in the crypto map. The two VPN ACLs on the two sites must be exact mirrors of each other.

Post the config here to take a look.

Harris

By: Tim

Hi Harris,

Thanks for the quick reply; even Cisco TAC wouldn’t have responded so fast :)
I’m sure your way works well, but after going back and forth all day, I chose a different path and it does not require a NAT/ACL..

Created a tunnel interface and defined a static route using tunnel0 int.

I’ll try your method on my other two routers in my lab, so I can get both methods working for my own knowledge..

Based on this Cisco doc:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl.html#wp1110852
