
VPN and Leased Line


araitsar

IS-IT--Management
Sep 30, 2010
Hi,

I am unable to establish a VPN connection over a Leased line internet connection.
Please check the following configuration.

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 ****** address 212.xx.xx.xx
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set um_vpn esp-3des esp-md5-hmac
!
crypto map um_vpn 10 ipsec-isakmp
set peer 212.xx.xx.xx
set transform-set um_vpn
match address 110
!
!
!
interface FastEthernet0/0 (Public IP)
ip address 213.YY.YY.Y1 255.255.255.248
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1 (Local Network IP)
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0 (Local Leased Line IP)
ip address 192.168.ZZ.ZZ2 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map um_vpn
!
ip route 0.0.0.0 0.0.0.0 192.168.ZZ.ZZ1
ip route 10.XX.XX.XX 255.255.255.255 212.XX.XX.XX
!
ip http server
no ip http secure-server
!
access-list 110 permit ip host 213.YY.YY.Y2 host 10.XX.XX.XX
!
-----
Router#sh crypto isa sa
dst src state conn-id slot status
212.35.66.55 192.168.ZZ.ZZ2 MM_NO_STATE 0 0 ACTIVE
-----

Thanks in Advance
 
your crypto acl needs to contain the source and destination networks behind the vpn devices. in this case 192.168.10/24 is on one side and it looks like the other side is a 10. network. your acl should be something like:
Code:
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
the 10. network in the code above may not necessarily be what your remote subnet is, so you'll need to change it. the remote vpn device needs to have a crypto acl that is a mirror opposite of this one.

also, your peer configuration can't be right. your s0/0/0 address is 192.168.x.x, which is a private ip address. you'll never establish an SA.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
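As an added example (not code from the thread), the following Python script checks the three points raised in the reply: it parses IOS-style `access-list N permit ip ...` crypto ACL entries (wildcard masks included), tests whether the local entries cover the LAN behind the router, reports entries that have no mirrored counterpart on the remote side, and flags an IKE peer address that falls in RFC 1918 space. The address values used with it are constructed from documentation ranges, not the masked addresses in the post.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly: ipaddress's is_private() would also flag
# documentation ranges such as 203.0.113.0/24 used in constructed samples.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _parse_addr(tok, i):
    """Parse one IOS address spec at tok[i]: 'host A', 'any', or 'A WILDCARD'."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # IOS wildcard = inverted netmask; derive the prefix length and require contiguity.
    mask = int(ipaddress.IPv4Address(tok[i + 1])) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]}")
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2


def parse_crypto_acl(lines):
    """Return (src_net, dst_net) pairs from 'access-list N permit ip ...' lines."""
    pairs = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        pairs.append((src, dst))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Entries on each side with no mirrored (dst, src) counterpart on the other side."""
    local_only = [p for p in local_pairs if (p[1], p[0]) not in remote_pairs]
    remote_only = [p for p in remote_pairs if (p[1], p[0]) not in local_pairs]
    return local_only, remote_only


def lan_covered(pairs, lan):
    """True if some entry's source network contains the LAN behind this router."""
    lan = ipaddress.ip_network(lan)
    return any(lan.subnet_of(src) for src, _ in pairs)


def is_rfc1918(addr):
    """True if an IKE peer address is RFC 1918 space, which is not reachable across the Internet."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)
```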
 