877 VPN problem to 837

Hi

I am pulling my hair out here :)

I have two Cisco small office ADSL routers, an 837 and an 877. The Cisco 837 router has been tested and works well with site-to-site IPsec VPN to other routers, but not the new 877 router I got.

Problem: the Cisco 877 is also able to establish IKE negotiation and successfully initiate IPsec, however there is no data going through it. It seems like some problem with an ACL and I desperately need help. Config for both routers is below. It definitely works for 827 and 837 routers, but I think I may be missing something because the IOS in the 877 router is new.

837 configuration
----------------------------------------
version: 12.3(2)XC2

crypto isakmp policy 140
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key 0 mysecretkey address 165.228.212.18
!
crypto ipsec transform-set allsites esp-des esp-md5-hmac
!
crypto map vpnmap 140 ipsec-isakmp
 set peer 165.228.212.18
 set security-association lifetime seconds 28800
 set transform-set allsites
 set pfs group1
 match address 140
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Dialer1
 ip address 203.142.244.16 255.255.255.0
 crypto map vpnmap
!
ip nat inside source list 102 interface Dialer1 overload
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.190.0 0.0.0.255 log
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 140 permit ip 192.168.3.0 0.0.0.255 192.168.190.0 0.0.0.255
dialer-list 1 protocol ip permit

877 configuration
----------------------------------------
version: 12.3(8r)YI2

crypto isakmp policy 140
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key 0 mysecretkey address 203.142.244.16
!
crypto ipsec transform-set allsites esp-des esp-md5-hmac
!
crypto map vpnmap 140 ipsec-isakmp
 set peer 203.142.244.16
 set security-association lifetime seconds 28800
 set transform-set allsites
 set pfs group1
 match address 140
!
interface Vlan1
 ip address 192.168.190.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Dialer1
 ip address 165.228.212.18 255.255.255.0
 crypto map vpnmap
!
ip nat inside source list 102 interface Dialer1 overload
access-list 102 deny ip 192.168.190.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 102 permit ip 192.168.190.0 0.0.0.255 any
access-list 140 permit ip 192.168.190.0 0.0.0.255 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit

Igor
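The symptom in the post above (IKE and IPsec come up, no data passes) is usually one of a handful of configuration mismatches: crypto ACLs on the two sides that are not mirror images, a NAT statement that translates the LAN traffic before the crypto map can match it, a peer address that is not the other side's WAN address, or a missing ISAKMP key for that peer. The following checker is an added example, not Cisco code and not anything from the thread; it parses the crypto and NAT statements of the two posted configs (copied inline as constructed samples, trimmed to the relevant lines) and reports any of those mismatches. It handles only the statement forms used here (numbered ACLs with contiguous wildcard masks, one crypto map, one `ip nat inside source list` line), so treat it as a starting point rather than a general IOS parser.

```python
"""Added example (not Cisco code): cross-check two IOS site-to-site IPsec configs
for the mistakes that leave IKE/IPsec up with no traffic passing."""
from ipaddress import ip_address, ip_network

# Constructed from the configs posted above, trimmed to the crypto/NAT statements.
CFG_837 = """\
crypto isakmp key 0 mysecretkey address 165.228.212.18
crypto map vpnmap 140 ipsec-isakmp
 set peer 165.228.212.18
 match address 140
interface Dialer1
 ip address 203.142.244.16 255.255.255.0
 crypto map vpnmap
ip nat inside source list 102 interface Dialer1 overload
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.190.0 0.0.0.255 log
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 140 permit ip 192.168.3.0 0.0.0.255 192.168.190.0 0.0.0.255
"""
CFG_877 = """\
crypto isakmp key 0 mysecretkey address 203.142.244.16
crypto map vpnmap 140 ipsec-isakmp
 set peer 203.142.244.16
 match address 140
interface Dialer1
 ip address 165.228.212.18 255.255.255.0
 crypto map vpnmap
ip nat inside source list 102 interface Dialer1 overload
access-list 102 deny ip 192.168.190.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 102 permit ip 192.168.190.0 0.0.0.255 any
access-list 140 permit ip 192.168.190.0 0.0.0.255 192.168.3.0 0.0.0.255
"""

# Sub-commands of an interface or crypto-map block that the checker cares about.
BLOCK_KEYS = {("ip", "address"): "ip", ("crypto", "map"): "cmap",
              ("set", "peer"): "peer", ("match", "address"): "acl"}


def take_net(t, i):
    """Consume one ACL address spec (any | ADDR WILDCARD) at t[i]; returns (network, next index)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    wildcard = int(ip_address(t[i + 1]))  # only contiguous wildcard masks are handled
    return ip_network(f"{t[i]}/{32 - bin(wildcard).count('1')}", strict=False), i + 2


def parse(cfg):
    """Collect ACLs, interfaces, crypto map entries, ISAKMP key addresses and the NAT statement."""
    p = {"acls": {}, "ifaces": {}, "cmaps": {}, "keys": [], "nat": None}
    cur = None  # the interface or crypto-map block currently being filled
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "interface":
            cur = p["ifaces"].setdefault(t[1], {})
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:  # crypto map NAME SEQ ipsec-isakmp
            cur = p["cmaps"].setdefault((t[2], int(t[3])), {})
        elif t[:3] == ["crypto", "isakmp", "key"]:
            p["keys"].append(ip_network(t[t.index("address") + 1] + "/32"))
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            p["nat"] = {"list": t[5], "interface": t[7]}
        elif t[0] == "access-list":  # access-list N ACTION ip SRC DST [log]
            src, i = take_net(t, 4)
            dst, _ = take_net(t, i)
            p["acls"].setdefault(t[1], []).append((t[2], src, dst))
        elif cur is not None and tuple(t[:2]) in BLOCK_KEYS:
            cur[BLOCK_KEYS[tuple(t[:2])]] = t[2]
    return p


def selectors(p):
    """(src, dst) pairs that the crypto ACLs say must be encrypted."""
    return {(s, d) for e in p["cmaps"].values()
            for act, s, d in p["acls"].get(e.get("acl"), []) if act == "permit"}


def audit(local_cfg, remote_cfg):
    """Findings for the local side, checked against the remote side's config."""
    a, b, findings = parse(local_cfg), parse(remote_cfg), []
    remote_wan = [i["ip"] for i in b["ifaces"].values() if "cmap" in i]
    for (name, _seq), e in a["cmaps"].items():
        if not any(i.get("cmap") == name for i in a["ifaces"].values()):
            findings.append(f"crypto map {name} is not applied to any interface")
        if e.get("peer") not in remote_wan:
            findings.append(f"peer {e.get('peer')} is not the remote's crypto-map interface address {remote_wan}")
        elif not any(ip_address(e["peer"]) in k for k in a["keys"]):
            findings.append(f"no crypto isakmp key configured for peer {e['peer']}")
    mine, theirs = selectors(a), {(d, s) for s, d in selectors(b)}
    if mine != theirs:
        findings.append(f"crypto ACLs are not mirror images: local {mine} vs mirrored remote {theirs}")
    nat_acl = a["acls"].get(a["nat"]["list"], []) if a["nat"] else []
    for s, d in mine:
        first = next(((act, ns, nd) for act, ns, nd in nat_acl
                      if s.subnet_of(ns) and d.subnet_of(nd)), None)
        if first is None or first[0] != "deny":
            findings.append(f"NAT list translates {s} -> {d} before the crypto map sees it; "
                            "a deny for that pair must precede the overload permit")
    return findings
```

Run `audit(CFG_837, CFG_877)` and `audit(CFG_877, CFG_837)`; both return an empty list for the configs as posted, which agrees with the later replies that the configuration itself looks fine. Deleting the `access-list 102 deny` line from either side makes the NAT finding appear, which is the single most common cause of this exact "tunnel up, no data" symptom on IOS.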

Hi Igor,

You may wish to investigate the Cisco 800 Router Documentation, as well as the Cisco 877 Config Wizard.

Hope this helps.

Brad Reese BradReese.Com - Cisco Repair

Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA & Canada: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 AIM: R2MGrant BradReese.Com - Cisco Power Supply Headquarters

www.BradReese.Com

On both routers use:

debug crypto isakmp
debug crypto ipsec

then

clear crypto sa

to make sure all the VPN state is cleared, and do a ping or whatever is appropriate to bring up the VPN. The routers will spit out several thousand lines of debug to the console, and a close inspection of this should show where the problem lies.

JR

John Rennie

I agree.

As a confidence booster, I use 837 and 877 and have no issue with crypto.

The config that you have posted looks OK. I use different parameters:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 8.....
crypto isakmp key xxx address 8.....
!
!
crypto ipsec transform-set Home esp-3des esp-md5-hmac
!
crypto map Home 2 ipsec-isakmp
 set peer 8.......
 set transform-set Home
 match address 110

This works.

I do notice that you have pretty old 877 software. Much as I hate the idea of "blind" upgrades, I do get the idea that there have been some issues with 870 software. So, why not try a re-grade.

12.4(9)T1 is the latest.

You might add to the debugs:

debug crypto isakmp error
debug crypto ipsec error

If you can possibly compare a working crypto set with a broken one then you might get an idea of what is wrong.

sh cry ip sa

WHAT YOU ARE ENCRYPTING:

local ident (addr/mask/prot/port): (8...9/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (8...4/255.255.255.255/47/0)

When the tunnel is UP you get something like this FOR EACH DIRECTION:

inbound esp sas:
 spi: 0x9163F57(152452951)
  transform: esp-3des esp-md5-hmac ,
  in use settings ={Tunnel, }
  conn id: 2006, flow_id: C83X_MBRD:6, crypto map: Home
  sa timing: remaining key lifetime (k/sec): (4424389/509)
  IV size: 8 bytes
  replay detection support: Y
  Status: ACTIVE

Also check that your NAT is OK (your config looks OK):

sh ip nat tr

Bod43
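Bod43's suggestion to compare `sh cry ip sa` output between a working and a broken tunnel can be made mechanical: the same command also prints per-flow `#pkts encaps` / `#pkts decaps` counters (not shown in the excerpt above, but part of the standard output), and the question that matters is whether those counters move when you send test traffic, and in which direction. The script below is an added example, not Cisco code and not from the thread; it parses two snapshots of `show crypto ipsec sa` taken before and after a ping and classifies each flow. The snapshots are constructed in the IOS layout for the 877 side of this thread (addresses taken from the posted configs, SPIs invented); the second one shows the classic "we encrypt but nothing ever comes back" pattern.

```python
"""Added example (not Cisco code): compare two 'show crypto ipsec sa' snapshots
taken before and after sending test traffic and say which tunnel direction moves packets."""
import re
from dataclasses import dataclass


@dataclass
class Flow:
    local: str = ""            # local ident (addr/mask/prot/port)
    remote: str = ""           # remote ident
    peer: str = ""             # current_peer
    encaps: int = 0            # packets we encrypted and sent
    decaps: int = 0            # packets we received and decrypted
    inbound_active: bool = False
    outbound_active: bool = False


# Constructed snapshot for the 877 side: both SAs ACTIVE, nothing encrypted yet.
SNAP_BEFORE = """\
interface: Dialer1
    Crypto map tag: vpnmap, local addr 165.228.212.18

   local  ident (addr/mask/prot/port): (192.168.190.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 203.142.244.16 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 165.228.212.18, remote crypto endpt.: 203.142.244.16

     inbound esp sas:
      spi: 0x9163F57(152452951)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE

     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE
"""
# Same box after five pings: our side encrypts, but nothing ever comes back.
SNAP_AFTER = SNAP_BEFORE.replace("#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
                                 "#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5")

PATTERNS = {
    "local": re.compile(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
    "peer": re.compile(r"current_peer (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}


def parse_ipsec_sa(text):
    """One Flow per 'local ident' block, with its counters and SA status per direction."""
    flows, direction = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PATTERNS["local"].match(line)
        if m:
            flows.append(Flow(local=m.group(1)))
            direction = None
            continue
        if not flows:
            continue
        cur = flows[-1]
        for key in ("remote", "peer", "encaps", "decaps"):
            m = PATTERNS[key].match(line)
            if m:
                setattr(cur, key, int(m.group(1)) if key in ("encaps", "decaps") else m.group(1))
        if line.startswith("inbound esp sas"):
            direction = "in"
        elif line.startswith("outbound esp sas"):
            direction = "out"
        elif line.startswith("Status: ACTIVE") and direction:
            setattr(cur, f"{direction}bound_active", True)
    return flows


def diagnose(before, after):
    """Per flow: (description, encaps delta, decaps delta, verdict) between the two snapshots."""
    prev = {(f.local, f.remote): f for f in parse_ipsec_sa(before)}
    results = []
    for f in parse_ipsec_sa(after):
        p = prev.get((f.local, f.remote), Flow())
        d_enc, d_dec = f.encaps - p.encaps, f.decaps - p.decaps
        if not (f.inbound_active and f.outbound_active):
            verdict = "no ACTIVE SA pair: phase 2 is not complete"
        elif d_enc == 0 and d_dec == 0:
            verdict = "nothing matched the crypto ACL: check routing, match address ACL and NAT deny"
        elif d_dec == 0:
            verdict = "we encrypt but never receive: check the peer's crypto ACL / NAT exemption"
        elif d_enc == 0:
            verdict = "we receive but never reply: check local NAT exemption and return route"
        else:
            verdict = "both directions moving"
        results.append((f"{f.local} -> {f.remote} via {f.peer}", d_enc, d_dec, verdict))
    return results


if __name__ == "__main__":
    for r in diagnose(SNAP_BEFORE, SNAP_AFTER):
        print(*r, sep=" | ")
```

Capture the two snapshots on the router that initiates the ping; if encaps rises and decaps stays at zero, the fault is on the far side (or ESP is being dropped in transit), whereas if neither counter moves the traffic never reached the crypto map and the NAT deny and crypto ACL on the local box are the first things to re-read.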

I enabled debug.

But the strange thing is that on either router it does not show any debugging for IPsec.

Igor

You do need to know how to drive debug; it is not entirely obvious until you know :-)

Debug output goes to the logging "system", let's call it.

The logging system then sends it to whatever places are configured and you then can view it there.

To see logging on a telnet session (strictly, any vty session) you have to have:

conf t
logg monitor debug   ! this is the ("not configured") default
end

Then you need to enter the

terminal monitor

command on the session that you want to have the logging output sent to.

Alternatively:

conf t
logg buffered 60000 debug
end

and then

sh log

Or both.

Read the cisco debugging advice regarding CPU. It is possible to stop a router from functioning such that it requires a power cycle if you turn on debugging.

I know 'cos I have done it.

BTW, "term no mon" turns it off, and not, as might be expected, "no term mon".

Bod43
