Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

2621xm vpn help

Status
Not open for further replies.
tom11011

tom11011

MIS
Oct 12, 2001
537
US
Hi, I simply can't get my vpn working with the remote site. I'll post their requirements and then my config for troubleshooting. Doing a 'show crypto ipsec sa' and 'show crypto isakmp sa' show nothing, I believe there is no tunnel at all.

Requirements:

Authentication Method Pre-shared Key
Encryption Scheme IKE
Diffie-Hellman Group Group 2
Encryption Algorithm 3DES
Hashing Algorithm SHA-1
Main or Aggressive Mode Main
Lifetime (for renegotiation) 28800 sec
Encapsulation (ESP or AH) ESP
Encryption Algorithm 3DES
Authentication Algorithm SHA-1
Perfect Forward Secrecy NO PFS
Lifetime (for renegotiation) 3600 sec
Lifesize in KB (for renegotiation) N/A
Key Exchange For Subnets? Yes

My config
---------

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
enable secret 5 $1$//Q3$
!
username north password 1E1801387A
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key KEYXXX address 12.xx.xx.9
!
!
crypto ipsec transform-set Netd-policy esp-3des esp-sha-hmac
!
crypto map netd 10 ipsec-isakmp
set peer 12.xx.xx.9
set transform-set Netd-policy
match address 100
!
call rsvp-sync
!
!
!
!
!
!

interface FastEthernet0/0
ip address 66.xx.25.193 255.255.255.224
duplex auto
speed auto
crypto map netd
!
interface Serial0/0
ip address 66.xx.24.90 255.255.255.252
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 66.xx.xx.89
ip http server
!
access-list 100 permit ip host 66.xx.xx.193 host 12.xx.xx.151
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 02140B4E1
login
!
ntp server 198.30.92.2
end
 
Sort by date Sort by votes
Here is an added thought.

The vpn terminates at the router. The resource the other party needs to get to is on the aux port.

So, essentially, they peer to our ethernet interface on the router, but also use that same address for the resources of the aux port (port 2065).

Is this allowed? Does this have anything to do with setting a loopback address?

Basically, there is nothing behind the router the other party is accessing.
 
Upvote 0 Downvote
Just a guess but it could be to do with where you have the tunnel terminated on FastEthernet0 since your default is on Serial0.
So basically any traffic being originated is going out the serial and not passing through the ethernet therefore not setting the tunnel up.

Try setting the crypto map netd on Serial0 vs the FastEthernet
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Jared R
  • Locked
  • Question
Cisco UC320W Paging Help
Replies
0
Views
206
Jared R
Jared R
quazimotto
  • Locked
  • Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
66
quazimotto
quazimotto
WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat
Replies
1
Views
148
BIS
BIS
bfordz
  • Locked
  • Question
new help on setting up third party VoIP phones through Catalyst 2960x switch
Replies
0
Views
101
bfordz
bfordz
DigiByte34
  • Locked
  • Question
Need Help Cisco AAA to any RADIUS Software
Replies
9
Views
202
DigiByte34
DigiByte34

Part and Inventory Search

Sponsor

Back
Top