
IPSEC Between Two Routers


vtgman
Sep 30, 2004
I need some assistance. My router lost its configuration and I cannot get the tunnel to come back up. I have attached the configuration of router A and router B. Anyone's help would be much appreciated.

Router A
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption

hostname router A

memory-size iomem 15
ip subnet-zero

ip name-server 206.X.X.X

ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key beep1 address 216.X.X.23

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map router B ipsec-isakmp
set peer 216.X.X.23
set transform-set myset
match address 115


interface ethernet0
ip address 68.X.X.114 255.255.X.X
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
crypto map router B

interface fastethernet0
ip address 10.33.0.200 255.255.240.0
ip helper-address 10.33.16.0
ip helper-address 10.33.16.2
ip helper-address 10.33.16.3
ip helper-address 10.33.16.4
ip nat inside
speed auto

ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 68.X.X.113
no ip http server
ip pim bidir-enable

logging history debugging
logging trap debugging
logging source-interface Ethernet0
access-list 110 deny ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255
access-list 110 permit ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255
access-list 115 permit ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255

route-map nonat permit 10
match ip address 110

line con 0
exec-timeout 0 0

Router B
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption

hostname router B

boot-start-marker
boot-end-marker

no ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write enable

crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key beep1 address 68.X.X.114

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map router A ipsec-isakmp
set peer 68.X.X.114
set transform-set myset
match address 115


interface ethernet0
ip address 216.X.X.23 255.255.X.X
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
crypto map router A

interface fastethernet0
ip address 10.33.16.1 255.255.40.0
ip helper-address 10.33.0.0
ip helper-address 10.33.0.254
ip nat inside
speed auto

ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
ip pim bidir-enable

logging history debugging
logging trap debugging
logging source-interface Ethernet0
access-list 110 deny ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255
access-list 110 permit ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255
access-list 115 permit ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255

route-map nonat permit 10
match ip address 110

line con 0
exec-timeout 0 0
 
Please, could you provide more details about the underlying problem?
Do the routers work fine for internet browsing but not for the VPN traffic, or neither?

Do you need all the traffic going over the VPN tunnel?

I can see a couple of points that could be preventing you from reaching the internet from those devices. Please update.

Regards.

Samuel Bonete.
 
Router B can get to the internet. Router A is just for a VPN back to the main office. I just need traffic (work traffic) to get back on router A.
 
What is the output from the "show crypto isakmp sa" and "show crypto ipsec sa" from both routers?
 
There was no output; they just do not connect at all.
 
Hello...

Looks pretty good... one thing caught my eye.

Look at crypto isakmp policy 1 on both routers.

Router A has the default: Diffie-Hellman group #1 (768 bit)

Router B has: Diffie-Hellman group #2 (1024 bit)

Hope this is useful.
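The mismatch this reply points out can be checked mechanically. The following is an added example, not part of the thread and not Cisco code: a small Python model of how IOS compares IKEv1 phase 1 policies (the documented rule: encryption, hash, authentication and Diffie-Hellman group must be identical on both peers, while lifetime may differ and the shorter value is used). The two policy blocks are transcribed from the posts with the IOS 12.x defaults filled in for attributes the posts do not set; ROUTER_A_FIXED, which adds "group 2" on router A, is one of the two possible fixes and is constructed here.

```python
"""Model of how IOS matches IKEv1 (ISAKMP) phase 1 policies between peers.

Added example for this thread; not thread content and not Cisco code.
Rule modelled (from the IOS documentation): encryption, hash, authentication
and Diffie-Hellman group must be identical on both peers; lifetime may differ,
the shorter value being used. Configs below are transcribed from the posts,
with the IOS 12.x defaults filled in for attributes the posts do not set.
"""
from dataclasses import dataclass

# IOS 12.x defaults for attributes a policy does not set explicitly.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}
HARD_ATTRS = ("encryption", "hash", "authentication", "group")

# Transcribed from the posts (peer addresses anonymised as in the thread).
ROUTER_A = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key beep1 address 216.X.X.23
"""
ROUTER_B = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key beep1 address 68.X.X.114
"""
# Constructed: router A with its DH group aligned to router B's.
ROUTER_A_FIXED = ROUTER_A.replace(" authentication pre-share\n",
                                  " authentication pre-share\n group 2\n")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int


def parse_policies(config):
    """Extract 'crypto isakmp policy N' blocks from running-config text."""
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            if current:
                policies.append(IsakmpPolicy(**current))
            current = dict(DEFAULTS, priority=int(line.split()[-1]))
        elif current and line:
            key, _, value = line.partition(" ")
            if key in ("group", "lifetime"):
                current[key] = int(value)
            elif key in DEFAULTS:
                current[key] = value
            else:                       # any other command ends the block
                policies.append(IsakmpPolicy(**current))
                current = None
    if current:
        policies.append(IsakmpPolicy(**current))
    return sorted(policies, key=lambda p: p.priority)


def mismatches(local, remote):
    """Attributes that prevent two policies from matching (lifetime excluded)."""
    return {a: (getattr(local, a), getattr(remote, a))
            for a in HARD_ATTRS if getattr(local, a) != getattr(remote, a)}


def negotiate(initiator, responder):
    """First acceptable pair in priority order, as IOS tries them, or None."""
    for ip in initiator:
        for rp in responder:
            if not mismatches(ip, rp):
                return ip, rp, min(ip.lifetime, rp.lifetime)
    return None


def diagnose(config_a, config_b):
    """Whether phase 1 can agree and, if not, why, per policy pair."""
    a, b = parse_policies(config_a), parse_policies(config_b)
    agreed = negotiate(a, b)
    if agreed:
        return {"ok": True, "lifetime": agreed[2]}
    return {"ok": False,
            "why": {f"A{pa.priority}/B{pb.priority}": mismatches(pa, pb)
                    for pa in a for pb in b}}


if __name__ == "__main__":
    print(diagnose(ROUTER_A, ROUTER_B))        # {'ok': False, 'why': {'A1/B1': {'group': (1, 2)}}}
    print(diagnose(ROUTER_A_FIXED, ROUTER_B))  # {'ok': True, 'lifetime': 3600}
```

On the real routers the equivalent check is "show crypto isakmp policy" on both peers, reading the default policy line by line against the configured one; the point of the model is that a single differing hard attribute (here the DH group) is enough for phase 1 to fail with no SA shown at all, which matches the empty "show crypto isakmp sa" output reported above.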
 
Don't know if you got this working yet, but your access-list 115 is symmetric, so you'll only be encrypting traffic one way, not bidirectionally.

saint
 
Also take a look at access-list 110...

Reads:

access-list 110 deny ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255
access-list 110 permit ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255

The mask should be:
10.33.0.0 0.0.255.255 10.33.16.0 0.0.0.255

The way it is now, it will look only for network 10.33.0.xxx when it should look for 10.33.xxx.xxx. It is ignoring your network because it does not match.
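The two ACL points raised in the last replies (the crypto ACL being the same on both peers rather than mirrored, and the 0.0.0.255 wildcard matching only 10.33.0.x) can be tested against the posted lines. The following is an added example, not part of the thread and not Cisco code: a Python implementation of the IOS wildcard-mask rule, first-match evaluation with the implicit deny, a mirror test between the two peers' crypto ACLs, and a check for NAT ACL entries that can never be reached. The ACLs are transcribed from the posts; the probe hosts and the "fixed" ACLs are constructed here, with the 0.0.15.255 wildcard derived from the 255.255.240.0 mask on router A's fastethernet0 (the reply's 0.0.255.255 is checked as well and also matches the probe host).

```python
"""Checks on the crypto and NAT-exemption ACLs posted in this thread.

Added example; not thread content and not Cisco code. Implements the IOS
wildcard-mask rule (0 bit = must match, 1 bit = don't care), first-match
evaluation with the implicit deny, and the mirror test that a crypto ACL on
one peer must pass against the other peer's. The ACLs are transcribed from
the posts; probe hosts and the "fixed" ACLs are constructed, with the
0.0.15.255 wildcard derived from the posted fastethernet0 mask 255.255.240.0.
"""
import ipaddress

# Transcribed from the posts; both routers carry the same three lines.
ROUTER_A = """\
access-list 110 deny ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255
access-list 110 permit ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255
access-list 115 permit ip 10.33.0.0 0.0.0.255 10.33.16.0 0.0.0.255
"""
ROUTER_B = ROUTER_A

# Constructed corrected pair: A's LAN as /20, NAT exemption only for the VPN
# traffic, and B's crypto ACL as the exact mirror of A's.
ROUTER_A_FIXED = """\
access-list 110 deny ip 10.33.0.0 0.0.15.255 10.33.16.0 0.0.0.255
access-list 110 permit ip 10.33.0.0 0.0.15.255 any
access-list 115 permit ip 10.33.0.0 0.0.15.255 10.33.16.0 0.0.0.255
"""
ROUTER_B_FIXED = """\
access-list 110 deny ip 10.33.16.0 0.0.0.255 10.33.0.0 0.0.15.255
access-list 110 permit ip 10.33.16.0 0.0.0.255 any
access-list 115 permit ip 10.33.16.0 0.0.0.255 10.33.0.0 0.0.15.255
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'NET WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(config, number):
    """ACEs of extended ACL `number` as (action, src, src_wc, dst, dst_wc)."""
    aces = []
    for raw in config.splitlines():
        p = raw.split()
        if p[:2] == ["access-list", str(number)] and p[3] == "ip":
            (s, sw), rest = _addr_spec(p[4:])
            (d, dw), _ = _addr_spec(rest)
            aces.append((p[2], s, sw, d, dw))
    return aces


def wildcard_match(addr, network, wildcard):
    care = 0xFFFFFFFF ^ _ip(wildcard)          # bits the ACL actually compares
    return _ip(addr) & care == _ip(network) & care


def wildcard_from_mask(mask):
    """255.255.240.0 -> 0.0.15.255: wildcard covering an interface's subnet."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _ip(mask)))


def acl_action(aces, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, s, sw, d, dw in aces:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def mirror(aces):
    """What the far peer's crypto ACL must be: source and destination swapped."""
    return [(a, d, dw, s, sw) for a, s, sw, d, dw in aces]


def unreachable(aces):
    """Entries whose address fields repeat an earlier entry; never evaluated."""
    seen, dead = set(), []
    for ace in aces:
        if ace[1:] in seen:
            dead.append(ace)
        seen.add(ace[1:])
    return dead


def audit(config_a, config_b, probe=("10.33.5.7", "10.33.16.20")):
    """Findings for one peer pair; `probe` is one constructed host per LAN."""
    a115, b115 = parse_acl(config_a, 115), parse_acl(config_b, 115)
    return {
        "crypto_mirrored": mirror(a115) == b115,
        "b_crypto_should_be": mirror(a115),
        "probe_encrypted_by_a": acl_action(a115, *probe) == "permit",
        "probe_encrypted_by_b": acl_action(b115, probe[1], probe[0]) == "permit",
        "nat_dead_entries": unreachable(parse_acl(config_a, 110)),
    }


if __name__ == "__main__":
    print(audit(ROUTER_A, ROUTER_B))
    print(audit(ROUTER_A_FIXED, ROUTER_B_FIXED))
```

Run on the posted lines, the audit shows that a host such as 10.33.5.7 behind router A is never selected for encryption, that router B's 115 is a copy of router A's rather than its mirror, and that the second line of access-list 110 can never be evaluated because the first line already covers the same addresses. The constructed fixed pair passes all three checks; on the routers themselves, "show crypto ipsec sa" should then show matching local and remote identities on both sides.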
 