
Configuring ipsec vpn


paybar

Technical User
Jul 15, 2006
I have some problems with the configuration of an IPsec VPN between a Cisco 827 router and a Sonicwall 4060.
The status of the tunnels is OK (IKE and IPsec), but the hosts don't communicate.
The problem is probably the NAT or an access list; could someone help me?

Regards

This is the configuration:

---------------------------------------------------------------------------------------------------------------
Current configuration : 1762 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname testing
!
enable secret 5 $1$tCeE$HbJVPnsXI0t5yO/BzN.Zu/
!
no aaa new-model
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 0 password address 83.97.195.248
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
!
crypto map tosonicwall 15 ipsec-isakmp
set peer 83.97.195.248
set transform-set strongsha
match address 115
!
!
!
!
interface Ethernet0
ip address 192.168.2.1 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 217.127.73.218 255.255.255.192
ip nat outside
pvc 8/32
encapsulation aal5snap
!
crypto map tosonicwall
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet3
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
ip nat inside source list 101 interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 115 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255
no cdp run
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ---------
login
!
scheduler max-task-time 5000
!
end
 
Are you sure you're supposed to be using group 2? I've only seen this in VPN client setups; usually it's group 1 for IPsec VPN connections. Check the Sonicwall for the DH type it is using. Also make sure the keys are correct on both ends, as they are case sensitive.
 
Did you check the Sonicwall firewall log to see if it is an issue? Maybe it is killing the traffic.
 
Thanks Joamon, the tunnel appears fine; the problem could be with the ACLs over the NAT. I have to check this.

Thanks

Regards
 
Try this. You need to deny NAT to the remote subnet.

access-list 101 deny ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
 
Thanks Joamon. Another thing: then I have to route the traffic without NAT, don't I? With a crypto map or something like this. Tomorrow I will try this.

Thanks mate

regards
 
No. You only have the one path to the internet, so everything goes that way.
What this does:
access-list 101 deny ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
is: the first line denies NAT to the remote subnet, and access-list 115 sends it over the VPN.
The second line then allows NAT to everywhere else.
Remember that the access list is order specific, so your deny in this case must be before the permit.
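To show why the deny line has to come first, here is an added Python model (not from the thread) of first-match ACL evaluation combined with the router's inside-to-outside order of operations, in which inside source NAT is applied before the crypto map checks access-list 115. The outside address comes from the posted config; the 198.51.100.7 test destination is a constructed value.

```python
import ipaddress

OUTSIDE_ADDR = "217.127.73.218"  # ATM0.1 address used by 'ip nat ... overload'

def _matches(addr, base, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sbase, swild, dbase, dwild in acl:
        if _matches(src, sbase, swild) and _matches(dst, dbase, dwild):
            return action == "permit"
    return False

# Entries are (action, src, src-wildcard, dst, dst-wildcard); "any" is 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
# The poster's original NAT list: everything leaving the LAN is translated.
ACL_101_ORIGINAL = [("permit", "192.168.2.0", "0.0.0.255", *ANY)]
# Joamon's fix: exempt the remote subnet first, then translate the rest.
ACL_101_FIXED = [
    ("deny", "192.168.2.0", "0.0.0.255", "172.16.0.0", "0.0.0.255"),
    ("permit", "192.168.2.0", "0.0.0.255", *ANY),
]
# The same two lines reversed: the permit shadows the deny, so the fix does nothing.
ACL_101_WRONG_ORDER = list(reversed(ACL_101_FIXED))
# Crypto ACL 115: the traffic the crypto map is allowed to send through the tunnel.
ACL_115 = [("permit", "192.168.2.0", "0.0.0.255", "172.16.0.0", "0.0.0.255")]

def forward(nat_acl, src, dst):
    """Model the inside-to-outside path: inside source NAT runs before the
    crypto map evaluates access-list 115, so a packet that was translated no
    longer matches the crypto ACL and leaves in the clear instead of through
    the tunnel.  Returns (nat_decision, path)."""
    translated = acl_permits(nat_acl, src, dst)
    if translated:
        src = OUTSIDE_ADDR
    path = "vpn" if acl_permits(ACL_115, src, dst) else "clear"
    return ("nat" if translated else "no-nat", path)

if __name__ == "__main__":
    for name, acl in [("original", ACL_101_ORIGINAL), ("fixed", ACL_101_FIXED),
                      ("wrong order", ACL_101_WRONG_ORDER)]:
        print(f"{name:12} LAN->172.16.0.5: {forward(acl, '192.168.2.10', '172.16.0.5')}")
    print(f"{'fixed':12} LAN->198.51.100.7: {forward(ACL_101_FIXED, '192.168.2.10', '198.51.100.7')}")
```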
 
Thanks Joamon,

The routers finally linked fine.

Regards
 