We currently have one tunnel up and running and need to bring up another tunnel. I keep getting this error: Tunnel Rejected: IKE peer does not match remote peer as defined in L2L policy
IKE peer address: 12.x.x.182, Remote peer address: 172.x.x.251. The 12.x.x.182 is the public and 172.x.x.251 is the other tunnel. I don't have a full config because when it didn't work I reloaded, but here is what I want to add.
config t
int vlan 1201
ip address 12.x.x.182 255.255.255.252
end
Make sure this takes before moving on.
Create access-list for new tunnel
*************************************************************
access-list crypto12 line 1 extended permit ip object-group YOUNLocal any
access-list nonatInet extended permit ip 172.x.x.0 255.255.255.0 any
access-list extended permit icmp any any
access-list extended permit tcp host 69.x.x.7 any eq 50 log informational interval 300
access-list extended permit tcp host 69.x.x.7 any eq 51 log informational interval 300
access-list extended permit udp host 69.x.x.7 any eq isakmp log informational interval 300
access-list extended permit ip host 172.x.x.0 any log informational interval 300
access-list extended permit icmp 172.x.x.0 255.255.0.0 any
access-list extended deny ip 14.2.6.0 255.255.255.0 any log informational interval 300
access-list extended deny ip 127.0.0.0 255.255.255.0 any log informational interval 300
access-list extended deny ip 10.0.0.0 255.255.255.0 any log informational interval 300
access-list extended deny ip 0.0.0.0 255.0.0.0 any log informational interval 300
access-list extended deny ip 192.168.0.0 255.255.0.0 any log informational interval 300
access-list extended deny ip 192.0.2.0 255.255.255.0 any log informational interval 300
access-list extended deny ip 169.254.0.0 255.255.0.0 any log informational interval 300
access-list extended deny ip 224.0.0.0 224.0.0.0 any log informational interval 300
access-list extended deny ip host 255.255.255.255 any log informational interval 300
access-list extended deny icmp any any echo log informational interval 300
access-list extended deny icmp any any redirect log informational interval 300
access-list extended deny icmp any any mask-request log informational interval 300
access-list extended permit ip host 172.x.x.0 interface YOUNNetwork log informational interval 300
Make sure these rules take before moving on.
access-group in interface Internet
nat (YOUNNetwork) 1 access-list nonatInet
************************************************************
Create the new routes and the new tunnel with the commands below:
no route YIII 0.0.0.0 0.0.0.0 172.x.x.251 1
route YIII 0.0.0.0 0.0.0.0 172.x.x.251 1 track 1
route Internet 0.0.0.0 0.0.0.0 12.x.x.181 254
sla monitor 123
type echo protocol ipIcmpEcho 12.x.x.181 interface Internet
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
crypto ipsec transform-set esp-3des esp-md5-hmac
crypto map Inet 12 match address crypto12
crypto map Inet 12 set peer 69.x.x.7
crypto map Inet 12 set transform-set
crypto map Inet interface Internet
crypto isakmp enable Internet
crypto isakmp policy 12
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 69.x.x.7 type ipsec-l2l
tunnel-group 69.x.x.7 ipsec-attributes
pre-shared-key *
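The error in the post comes up when the crypto map entry that matches the traffic does not line up with the peer that actually negotiates IKE, and the partial config above also references an ACL and a transform-set by name without defining them. Below is an added consistency check (not from the poster or from Cisco) that parses ASA-style crypto map, access-list, transform-set and tunnel-group lines and reports every crypto map entry that cannot form an L2L tunnel as written; the sample config, its addresses and the names crypto10 and TS-3DES-MD5 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample config modelled on the post. Addresses come from the
# documentation ranges and the ACL/transform-set names are assumptions,
# not the poster's values. Sequence 10 stands in for the existing tunnel.
SAMPLE_CONFIG = """\
access-list crypto12 extended permit ip 10.10.0.0 255.255.255.0 any
crypto ipsec transform-set TS-3DES-MD5 esp-3des esp-md5-hmac
crypto map Inet 10 match address crypto10
crypto map Inet 10 set peer 198.51.100.251
crypto map Inet 10 set transform-set TS-3DES-MD5
crypto map Inet 12 match address crypto12
crypto map Inet 12 set peer 192.0.2.7
crypto map Inet 12 set transform-set TS-3DES-MD5
crypto map Inet interface Internet
tunnel-group 198.51.100.251 type ipsec-l2l
"""

def check_crypto_map(config: str) -> list:
    """Return findings for crypto map entries whose ACL, transform-set or
    L2L tunnel-group is missing, i.e. entries that cannot bring a tunnel up."""
    acls, transform_sets, l2l_groups = set(), set(), set()
    entries = defaultdict(dict)  # (map name, seq) -> {"acl", "peer", "ts"}
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            l2l_groups.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            entries[(m.group(1), int(m.group(2)))]["acl"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            entries[(m.group(1), int(m.group(2)))]["peer"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (\S+)", line):
            entries[(m.group(1), int(m.group(2)))]["ts"] = m.group(3)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        for key, label in (("peer", "set peer"), ("acl", "match address"),
                           ("ts", "set transform-set")):
            if key not in e:
                findings.append(f"{tag}: missing '{label}'")
        if "acl" in e and e["acl"] not in acls:
            findings.append(f"{tag}: ACL {e['acl']} is not defined")
        if "ts" in e and e["ts"] not in transform_sets:
            findings.append(f"{tag}: transform-set {e['ts']} is not defined")
        if "peer" in e and e["peer"] not in l2l_groups:
            # Without an ipsec-l2l tunnel-group for the peer the ASA has no
            # L2L policy for it and rejects the IKE negotiation.
            findings.append(f"{tag}: no 'tunnel-group {e['peer']} type ipsec-l2l' for the peer")
    return findings

if __name__ == "__main__":
    for finding in check_crypto_map(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` before committing the new crypto map sequence; each finding names the crypto map entry and the missing piece.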