Hello all,
I am trying to learn a little more about IPsec VPNs using Cisco equipment. I am using a 2651 and a 1751, both with a VPN accelerator card. The 2600 is using c2600-ik9o3s-mz.122-15.T2 and the 1700 is using c1700-k9o3sy7-mz.122-15.T17. Using the Cisco SDM configurator tool I set up a site-to-site VPN using a pre-shared key on the central end, as well as an Easy VPN server so clients could connect. On the remote end I set up the same site-to-site connection. After all of this the clients are able to connect and ping various addresses without a problem, but the site-to-site connection is still having problems. I have been through it several times, both in the CLI and in SDM, and cannot see what is probably obviously wrong. What am I missing? The configs are as follows.
(I have the two routers connected together in my lab with a Cisco 3550 switch and separated by VLANs. VLAN 1 is my central internal VLAN, VLAN 2 is the 'Internet' VLAN, and VLAN 3 is the remote internal VLAN.)
-----------------------------------------------------Start Central Config
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Central_Router
!
logging queue-limit 100
enable password cisco
!
username ***** privilege 15 password 0 *****
aaa new-model
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address 38.116.128.50
crypto isakmp client configuration address-pool local VPNClient-Pool
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group VPNClients
 key ********* (different from other PSK)
 pool VPNClient-Pool
 acl 100
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 match address 101
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65534 ipsec-isakmp dynamic SDM_DYNMAP_2
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface FastEthernet0/0
 description Central Internal
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Central External
 ip address 38.116.128.49 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip local pool VPNClient-Pool 192.168.1.1 192.168.1.254
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 remark SDM_ACL Category=18
access-list 110 remark IPSec Rule
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 remark SDM_ACL Category=16
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 110
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
!
end
------------------------------------------------------------------------Start Remote Config
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Remote-Router
!
logging queue-limit 100
!
username ***** privilege 15 password 0 *****
memory-size iomem 25
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address 38.116.128.49
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 38.116.128.49
 set peer 38.116.128.49
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/0
 no ip address
 speed auto
!
interface FastEthernet0/0.2
 description Remote External
 encapsulation dot1Q 2
 ip address 38.116.128.50 255.255.255.240
 ip nat outside
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0.3
 description Remote Internal
 encapsulation dot1Q 3
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map nonat interface FastEthernet0/0.2 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.2 permanent
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 remark SDM_ACL Category=18
access-list 110 remark IPSec Rule
access-list 110 deny ip 192.168.6.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.6.0 0.0.0.255 any
access-list 115 remark SDM_ACL Category=16
access-list 115 permit ip 192.168.6.0 0.0.0.255 192.168.100.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 110
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 logging synchronous
 login local
!
end
Your input is greatly appreciated, Jim
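Added example, not part of Jim's post: a small Python lint over two IOS configs that runs the two checks an administrator would make first on a pair like this: that the crypto ACLs each side's crypto map matches on are exact mirrors of each other, and whether a router peer's pre-shared key sits on a crypto map that also enforces xauth for Easy VPN clients without the `no-xauth` keyword (IOS then prompts the router peer for a username it cannot supply). The embedded excerpts are constructed abbreviations of the posted configs with the keys replaced by a placeholder.

```python
import re

# Constructed, abbreviated excerpts of the two posted configs (keys replaced).
CENTRAL = """
crypto isakmp key EXAMPLEKEY address 38.116.128.50
crypto dynamic-map SDM_DYNMAP_2 1
 match address 101
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 65534 ipsec-isakmp dynamic SDM_DYNMAP_2
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
"""
REMOTE = """
crypto isakmp key EXAMPLEKEY address 38.116.128.49
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 38.116.128.49
 match address 100
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 deny ip 192.168.6.0 0.0.0.255 192.168.100.0 0.0.0.255
"""

# Only network/wildcard pairs on both sides; "... any" lines are not proxy identities.
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)$", re.M)


def crypto_acl_entries(cfg):
    """Return the (src, dst) proxy identities of every ACL a crypto map matches on."""
    referenced = set(re.findall(r"^\s*match address (\d+)", cfg, re.M))
    return {(src, dst) for num, src, dst in ACL_RE.findall(cfg) if num in referenced}


def acls_mirror(cfg_a, cfg_b):
    """True when each side's crypto ACL is exactly the other side's, reversed."""
    a = crypto_acl_entries(cfg_a)
    b = {(dst, src) for src, dst in crypto_acl_entries(cfg_b)}
    return bool(a) and a == b


def xauth_findings(cfg, peer):
    """Flag a router peer whose pre-shared key will be subjected to xauth.

    `client authentication list` on a crypto map applies xauth to every IKE
    peer using that map unless the peer's key carries the `no-xauth` keyword.
    """
    enforces_xauth = re.search(r"^crypto map \S+ client authentication list ", cfg, re.M)
    key = re.search(rf"^crypto isakmp key \S+ address {re.escape(peer)}\b(.*)$", cfg, re.M)
    if enforces_xauth and key and "no-xauth" not in key.group(1):
        return [f"ISAKMP key for {peer} lacks no-xauth while the crypto map enforces xauth"]
    return []


if __name__ == "__main__":
    print("crypto ACLs mirror:", acls_mirror(CENTRAL, REMOTE))
    for f in xauth_findings(CENTRAL, "38.116.128.50") + xauth_findings(REMOTE, "38.116.128.49"):
        print("finding:", f)
```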