I have 2 1811 routers on 2 different ISPs that I am trying to get a test site-to-site VPN set up on. I have tried the SDM/CCP wizard and also followed a few different sites, the last one being this one:
The 2 routers can't ping each other. The main router is on a 172.27.0.0 network, while the remote router is going to be on a 10.0.0.0 network.
RPUBLICIP is the public IP of the router below, MPUBLICIP is the main site's public IP.
Here is the remote router:
Building configuration...
Current configuration : 5431 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1811East
!
boot-start-marker
warm-reboot
boot-end-marker
!
no logging buffered
enable secret 5 ***************
enable password ***********
!
no aaa new-model
!
resource policy
!
memory-size iomem 20
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.1.255
ip dhcp excluded-address 10.0.3.255 10.0.255.254
!
ip dhcp pool Eastside10
network 10.0.0.0 255.255.0.0
dns-server 10.0.0.1
default-router 10.0.0.1
domain-name dw.local
lease 7
!
!
ip domain name dw.local
ip name-server 4.2.2.1
ip inspect name SDM_Low tcp
ip inspect name SDM_Low udp
ip inspect name SDM_Low http
ip address-pool dhcp-pool
!
!
crypto pki trustpoint TP-self-signed-975937829
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-975937829
revocation-check none
rsakeypair TP-self-signed-975937829
!
!
crypto pki certificate chain TP-self-signed-975937829
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39373539 33373832 39301E17 0D313030 36313431 33353734
335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3937 35393337
38323930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BF517672 2F294F99 A4011D7E 5A5A79E8 81060533 839F479D CFAF3D8A 3174F1AB
22D9B365 4D1B9399 430F3C5D 9C4FCE6D E4C18BC0 2C06E716 792FAE4F 6EAD063E
E47F68B3 42E676C5 E6F94E1D F16C9ACA 495921DD 34F7F3E0 EF293F34 B39D5D03
51DCE7B8 DF46896E 0A2527F7 45780136 C2CD4CCB 41B04EE9 214B75C3 3416C393
02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
11041A30 18821643 6973636F 31383131 45617374 2E64772E 6C6F6361 6C301F06
03551D23 04183016 8014576B 8CFADD07 96165FCD 07DB6502 690282DB 3FFF301D
0603551D 0E041604 14576B8C FADD0796 165FCD07 DB650269 0282DB3F FF300D06
092A8648 86F70D01 01040500 03818100 8F364314 727B8E4D C3491574 493988B5
CF5A2DE1 874981B7 FBF902B0 BB098D03 407C2538 227053B5 2CC21693 7DA7E081
BDDD2526 9F8A2C7A 8DB396C0 2BFFB6A7 134150A2 472097DE 10A87CE6 5549C4B6
54CC5C9C F0ED4398 D9EA4BA4 2A632ABF C4B765A4 6283BAA0 23E6AA93 C93B5BCC
AEB2ADE2 61DEA44D 140B030A FE4C0878
quit
username admin privilege 15 password 0 **********
!
!
!
crypto isakmp policy 9
hash md5
authentication pre-share
crypto isakmp key ********* address MPUBLICIP
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer MPUBLICIP
set transform-set TSET
match address 111
!
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address RPUBLICIP 255.255.255.248
ip access-group 101 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_Low out
ip virtual-reassembly
duplex auto
speed auto
crypto map CRYPTOMAP
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 10.0.0.1 255.255.0.0
ip access-group sdm_vlan1_in in
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 RPUBLICIP
!
ip dns server
ip dns primary dw.local soa ns.dw.local helpdesk.domain.com 21600 900 7776000 86400
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool ISP1 172.27.0.0 172.27.255.255 netmask 255.255.0.0
ip nat pool ISP11 RPUBLICIP RPUBLICIP netmask 255.255.255.255
ip nat inside source list 101 interface FastEthernet0 overload
!
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
!
access-list 101 remark CCP_ACL Category=19
access-list 101 permit ahp host MPUBLICIP host RPUBLICIP
access-list 101 permit esp host MPUBLICIP host RPUBLICIP
access-list 101 permit udp host MPUBLICIP host RPUBLICIP eq isakmp
access-list 101 permit udp host MPUBLICIP host RPUBLICIP eq non500-isakmp
access-list 101 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.0.0.0
access-list 101 permit tcp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any host RPUBLICIP eq www
access-list 101 permit udp host 4.2.2.1 eq domain any
access-list 101 permit icmp any host RPUBLICIP
access-list 101 permit udp any eq domain host RPUBLICIP
access-list 101 permit ip any host RPUBLICIP
access-list 101 deny tcp any any
access-list 111 permit ip 0.0.0.0 255.0.0.0 0.0.0.0 255.255.0.0
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password **********
login local
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
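Added example, not the poster's config and not CCP wizard output: the corrected fragments for the remote router above. Two defects in the posted config are enough on their own to stop the tunnel from ever forming, and both are visible in the ACLs. First, `access-list 111 permit ip 0.0.0.0 255.0.0.0 0.0.0.0 255.255.0.0` is what IOS stores when subnet masks are typed where wildcard masks belong (IOS zeroes every address bit the wildcard marks as "don't care"), so the crypto ACL matches sources of the form x.0.0.0 and destinations x.y.0.0, i.e. no real host; the `permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.0.0.0` line in ACL 101 has the same mistake. Second, `ip nat inside source list 101` reuses the WAN ingress ACL (which contains `permit tcp any any`) as the NAT list, and NAT runs before the crypto map on the inside-to-outside path, so LAN-to-LAN TCP is translated to RPUBLICIP before the crypto ACL is consulted. The main router's config is not shown, so the mirror-image entries it needs are stated as an assumption in the comments, and `ISP_GW` is a placeholder for the remote ISP's gateway address.

```cisco
! Remote router, 10.0.0.0/16 side. Added example; assumes the main site LAN is
! 172.27.0.0/16 as stated in the post and that the peer is at MPUBLICIP.
!
! 1. Crypto ACL with wildcard masks (the inverse of the subnet mask).
!    The main router needs the mirror image (assumed, its config is not shown):
!      access-list 111 permit ip 172.27.0.0 0.0.255.255 10.0.0.0 0.0.255.255
no access-list 111
access-list 111 permit ip 10.0.0.0 0.0.255.255 172.27.0.0 0.0.255.255
!
! 2. NAT exemption: deny the VPN traffic from translation, translate only the
!    local LAN. Do not reuse the WAN ingress ACL as the NAT list.
ip access-list extended NAT_INSIDE
 deny   ip 10.0.0.0 0.0.255.255 172.27.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.255.255 any
no ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source list NAT_INSIDE interface FastEthernet0 overload
!
! 3. WAN ingress ACL. Keep the IKE/ESP/AH permits for the peer only. The
!    172.27/16 -> 10/16 entry is what lets decrypted main-site traffic pass the
!    inbound check. The posted "permit tcp any any" and "permit ip any host
!    RPUBLICIP" expose telnet/HTTP/HTTPS on the router to every Internet host
!    and are dropped here; CBAC (ip inspect SDM_Low out) opens return traffic
!    for inside-originated TCP/UDP. SDM_Low does not inspect ICMP, hence the
!    explicit echo-reply/unreachable/time-exceeded permits for outbound pings.
!    The router's own DNS queries to 4.2.2.1 are not inspected either, so that
!    permit stays.
ip access-list extended WAN_IN
 permit udp host MPUBLICIP host RPUBLICIP eq isakmp
 permit udp host MPUBLICIP host RPUBLICIP eq non500-isakmp
 permit esp host MPUBLICIP host RPUBLICIP
 permit ahp host MPUBLICIP host RPUBLICIP
 permit ip 172.27.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit udp host 4.2.2.1 eq domain host RPUBLICIP
 permit icmp any host RPUBLICIP echo-reply
 permit icmp any host RPUBLICIP unreachable
 permit icmp any host RPUBLICIP time-exceeded
 deny   ip any any log
interface FastEthernet0
 ip access-group WAN_IN in
!
! 4. Phase 1 hardening. Policy 9 as posted sets only hash and authentication,
!    so it inherits the IOS 12.4 defaults: DES encryption and DH group 1.
!    Pin both explicitly; the main router must carry a matching policy and
!    transform set (assumed, its config is not shown).
crypto isakmp policy 9
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
!
! 5. Default route. The posted next hop is the router's own WAN address.
!    Unless that is an artifact of obfuscating the post, point it at the ISP
!    gateway (ISP_GW is a placeholder).
no ip route 0.0.0.0 0.0.0.0 RPUBLICIP
ip route 0.0.0.0 0.0.0.0 ISP_GW
```

Two checks before concluding the tunnel is still broken. Pinging one public IP from the other is not "interesting traffic": the crypto ACL only matches 10.0.0.0/16 to 172.27.0.0/16, so trigger the tunnel from a LAN host, or from the router with `ping 172.27.0.1 source 10.0.0.1`. Then `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show non-zero encaps/decaps counters; `show ip nat translations` must not contain any 10.x to 172.27.x entries, and if phase 1 never completes, `debug crypto isakmp` on both ends will name the mismatched attribute (policy, pre-shared key, or peer address). Separately from the VPN, the posted config has `no service password-encryption` with a clear-text `enable password`, a privilege-15 local user with a type 0 password, and telnet allowed on the VTY lines; those are worth fixing in the same session.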