Cisco 1700 Site-Site VPN

Hello,
I'm trying to set up a site-to-site VPN with two Cisco 1700 routers, but
I couldn't get it to fly. When the tunnel is set up, the routing doesn't
work, among other things.
Here is what I want to do:
192.168.4.0/24 -- RouterA --- INTERNET --- RouterB -- 192.168.6.0/24
Router A and Router B have static IPs. Let's say IPA and IPB.
Here is my config of RouterB. RouterA looks mostly the same, except it
does dial-up, so the outside interface is Dialer0.
I can't find the failure. Can someone please help me out?
Router config from Router B
============================
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterB
!
boot system flash c1700-k9o3sy7-mz.122-11.t11.bin
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
enable secret 5 SECPASSWORD
!
username USER password 0 PASSWORD
memory-size iomem 25
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.6.1 192.168.6.20
!
ip dhcp pool dhcpKoeln
network 192.168.6.0 255.255.255.0
default-router 192.168.6.1
!
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 4
!
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key KEY123 address IPA
!
!
crypto ipsec transform-set mine esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer IPA
set transform-set mine
match address 102
!
interface Ethernet0
description ContactLAN-Koeln
ip address 192.168.6.1 255.255.255.0
half-duplex
no cdp enable
!
interface FastEthernet0
ip address IPB 255.255.252.0
speed auto
no cdp enable
crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 IPB-Gateway
ip route 192.168.4.0 255.255.255.0 IPA
no ip http server
ip pim bidir-enable
!
!
access-list 102 permit ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
no cdp run
!
!
end
Reply to
Alexander Grümmer
Alexander Grümmer wrote:
Most probably you have private LAN IP addresses on both sides and NAT/PAT to the public interface's IP address. Then you'll need to exclude the traffic for the tunnel to the remote side from NAT.
Reply to
Uli Link
Uli Link wrote:
I have NAT on one side only. I have the following NAT configuration:
interface Dialer0
 ip nat outside
interface FastEthernet0
 description CONTACT-AC
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.4.0 0.0.0.255
Is that right so far?
I have now changed my config to match the "Site-to-Site VPN Business Scenarios" from the Cisco IOS Enterprise VPN Configuration Guide.
I can now ping from 192.168.4.111 to 192.168.6.1:
traceroute
When I want to ping from 192.168.6.1 to 192.168.4.111
RouterK#ping 192.168.6.111
the trace looks like this:
In router A I only have this NAT translation:
It appears when I do the ping from 192.168.4.111 to 192.168.6.1;
a ping in the other direction stops. ;(
SETUP
======
192.168.4.0 -|RouterAC|- IPB --INTERNET-- IPA -|RouterK|- 192.168.6.0
I post again the complete config of my routers:
RouterAC
========
RouterAC#show run
Building configuration...

Current configuration : 2330 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterAC
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
enable secret 5
!
username password 0
memory-size iomem 20
ip subnet-zero
!
!
ip domain-name
ip name-server 194.8.194.60
ip name-server 213.168.112.60
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 4
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address IPA
!
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
crypto map s1first local-address Dialer0
crypto map s1first 1 ipsec-isakmp
 set peer IPA
 set transform-set proposal1
 match address 101
!
!
!
!
interface Tunnel0
 bandwidth 180
 ip address 172.17.3.3 255.255.255.0
 tunnel source IPB
 tunnel destination IPA
 crypto map s1first
!
interface Ethernet0
 description DSL-AC
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0
 description CONTACT-AC
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 no keepalive
 speed auto
 full-duplex
 no cdp enable
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username @netcologne.de password 7
!
ip nat inside source list 1 interface Dialer0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.6.0 255.255.255.0 Tunnel0
no ip http server
no ip pim bidir-enable
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 101 permit gre host IPB host IPA
no cdp run
!
banner login ^C
Dies ist der Router der Firma Contact Personal Service in AACHEN
^C
!
line con 0
line aux 0
line vty 0 4
 login authentication local_auth
 transport input ssh
!
end
RouterK
=======
RouterK#show run
Building configuration...

Current configuration : 1695 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterK
!
boot system flash c1700-k9o3sy7-mz.122-11.t11.bin
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login SSH local
aaa session-id common
enable secret 5 $1$jdEd$JQFMcFNXV/8IhxCZ9O/3s1
!
username ice password 0 alex123
memory-size iomem 25
ip subnet-zero
!
!
ip domain name contactpersonal.de
ip dhcp excluded-address 192.168.6.1 192.168.6.20
!
ip dhcp pool dhcpKoeln
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
!
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 4
!
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address IPB
!
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
crypto map s1first local-address FastEthernet0
crypto map s1first 1 ipsec-isakmp
 set peer 87.78.66.88
 set transform-set proposal1
 match address 101
!
!
!
!
interface Tunnel1
 bandwidth 180
 ip address 172.17.3.6 255.255.255.0
 tunnel source IPA
 tunnel destination IPB
 crypto map s1first
!
interface Ethernet0
 ip address 192.168.6.1 255.255.255.0
 no keepalive
 full-duplex
 no cdp enable
!
interface FastEthernet0
 ip address IPA 255.255.252.0
 no ip mroute-cache
 no keepalive
 speed auto
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 137.226.28.1
ip route 192.168.4.0 255.255.255.0 Tunnel1
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit gre host IPA host IPB
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
!
end
Reply to
Alexander Grümmer
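The two points raised in this thread, Uli Link's advice to exclude the tunnel traffic from NAT and the question whether the posted NAT fragment ("ip nat inside source list 1 ..." with "access-list 1 permit 192.168.4.0 0.0.0.255") is right, can be checked mechanically from the config text. On IOS, inside-to-outside traffic is translated by NAT before the crypto map is consulted, so a LAN-to-LAN packet that matches the NAT ACL leaves with the Dialer0 address as source and no longer matches the crypto ACL. The script below is an added example, not code from this thread or from Cisco: it parses numbered IOS access-lists, "ip nat inside source list" and "match address" lines and reports (1) crypto-ACL flows whose first overlapping NAT-ACL entry is a permit and (2) crypto-ACL entries on one peer that the other peer does not mirror. The embedded configs are constructed for the example; 192.0.2.1 and 198.51.100.1 stand in for the real peer addresses, and ROUTER_A_NAT_EXEMPT shows the usual fix, a deny for the LAN-to-LAN traffic placed in the NAT ACL ahead of the overload permit.

```python
"""Check two site-to-site IPsec pitfalls from IOS config text (added example).

1. NAT ACL translates a crypto-ACL flow before the crypto map sees it.
2. Peer crypto ACLs are not mirror images of each other.
"""
import ipaddress
import re
from collections import namedtuple

Entry = namedtuple("Entry", "action proto src dst")
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def acl_network(addr, wildcard="0.0.0.0"):
    """IOS address + wildcard mask -> IPv4Network (non-contiguous masks raise ValueError)."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_addr(tokens, i):
    """Parse one address spec ('any', 'host X' or 'X WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return acl_network(tokens[i + 1]), i + 2
    return acl_network(tokens[i], tokens[i + 1]), i + 2


def parse_acls(config):
    """Return {number: [Entry, ...]} for numbered access-lists, in config order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        num, action = int(t[1]), t[2]
        if num < 100 or 1300 <= num <= 1999:     # standard ACL: source only
            if t[3] == "any":
                src = ANY
            else:
                src = acl_network(t[3], t[4] if len(t) > 4 else "0.0.0.0")
            acls.setdefault(num, []).append(Entry(action, "ip", src, ANY))
        else:                                     # extended ACL: proto src dst
            src, i = parse_addr(t, 4)
            dst, _ = parse_addr(t, i)
            acls.setdefault(num, []).append(Entry(action, t[3], src, dst))
    return acls


def crypto_acl(config):
    """Entries of the ACL named by the first 'match address' in the crypto map."""
    m = re.search(r"^\s*match address (\d+)", config, re.M)
    return parse_acls(config).get(int(m.group(1)), []) if m else []


def nat_leaks(config):
    """Crypto-ACL flows whose first overlapping NAT-ACL entry is a permit."""
    m = re.search(r"^\s*ip nat inside source list (\d+)", config, re.M)
    if not m:
        return []
    nat_rules = parse_acls(config).get(int(m.group(1)), [])
    leaks = []
    for flow in crypto_acl(config):
        if flow.action != "permit":
            continue
        for rule in nat_rules:       # ACL entries are evaluated top-down, first match wins
            if rule.src.overlaps(flow.src) and rule.dst.overlaps(flow.dst):
                if rule.action == "permit":
                    leaks.append(f"{flow.src} -> {flow.dst} is translated by ACL {m.group(1)}")
                break
    return leaks


def mirror_mismatches(cfg_a, cfg_b):
    """Permit entries of A's crypto ACL that B does not mirror (src/dst swapped)."""
    mirrored = {(e.proto, e.dst, e.src) for e in crypto_acl(cfg_b) if e.action == "permit"}
    return [e for e in crypto_acl(cfg_a)
            if e.action == "permit" and (e.proto, e.src, e.dst) not in mirrored]


# Constructed configs (not from the thread); 198.51.100.1 / 192.0.2.1 stand in for the peers.
ROUTER_A_NAT_ALL = """\
crypto map mymap 10 ipsec-isakmp
 set peer 198.51.100.1
 match address 102
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
"""

# Same router, with the LAN-to-LAN traffic denied in the NAT ACL before the overload permit.
ROUTER_A_NAT_EXEMPT = """\
crypto map mymap 10 ipsec-isakmp
 set peer 198.51.100.1
 match address 102
ip nat inside source list 110 interface Dialer0 overload
access-list 110 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
"""

ROUTER_B = """\
crypto map mymap 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 102
access-list 102 permit ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
```

nat_leaks(ROUTER_A_NAT_ALL) flags 192.168.4.0/24 -> 192.168.6.0/24 as translated by ACL 1, while nat_leaks(ROUTER_A_NAT_EXEMPT) returns nothing because the deny entry is hit first; mirror_mismatches(ROUTER_A_NAT_EXEMPT, ROUTER_B) is empty because the two crypto ACLs are exact mirrors, which they must be for the IPsec SAs to negotiate. The parser covers numbered standard and extended ACLs with the any, host and wildcard forms only; named ACLs and port qualifiers are out of scope.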

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.