Interesting about the IOS version. When I looked at your configs what jumped out was that the transform name was "vpn" and the crypto map was named "ramco-vpn" yet the crypto map name applied to the outside interfaces was "vpn". I'd expect "ramco-vpn". Also on RouterHQ Fa0 I didn't understand why the line "ip policy route-map nonat" was there. Glad that you got it working.
> -----Original Message-----
> From: Mark Odette II [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 22, 2002 2:58 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Router to Router VPNs- Longish [7:42245]
>
> I was using 12.2.8T, and then tried 12.2.8T1 on the 1720, with 12.2.6c on the other end.
>
> I decided that maybe I should try making both ends run the same version of IOS as much as possible, so I roll back the 1720 to 12.1.5YB5, and planned to roll back the other end too to 12.1.5.
> Just for grins, I try my extended ping again to see if the tunnel will come up and allow successful traffic back-n-forth.
> Wouldn't you know it, the silly thing works now!
>
> So, a word to the wise for those wanting to do a VPN between a 1700 series router and anything else.... Stay away from 12.2.8 code!!
>
> Now to "burn-test" the config and see how stable the VPN stays. :)
>
> -----Original Message-----
> From: Mark Odette II [mailto:[EMAIL PROTECTED]]
> Sent: April 22, 2002 10:52
> To: [EMAIL PROTECTED]
> Subject: Router to Router VPNs- Longish [7:42245]
>
> Hey folks, I am in a quandary, and am wondering if someone on the list has done this and figured out a working config.
>
> I've been challenged with putting a VPN together between two sites, and it shouldn't be a problem, as it seems to be a straightforward config, and I've used the example off of CCO.
>
> The problem is, I can't seem to pass traffic successfully across the VPN. :(
>
> Attached is the config for both ends of the network setup. As far as I know, as long as I've met the following criteria, this should work:
>
> 1. Both ends have to have a public static address for at least the Router.
> 2. Either end can have a static NAT for an extra inside host, such as a WWW server.
> 3. The VPN tunnel should work, no matter what type of "outside" interface the Crypto map is applied to; if regular private to public net connectivity works using NAT Overload, then End to End Tunnel termination should work so long as the access-lists are done right.
>
> And... this is what I've done for my Routers:
>
> RouterHQ#
>
> version 12.2
> !
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key vpn address yy.yy.yy.220
> !
> !
> crypto ipsec transform-set vpn esp-des esp-md5-hmac
> !
> crypto map ramco-vpn 10 ipsec-isakmp
>  set peer yy.yy.yy.220
>  set transform-set vpn
>  match address 101
> !
> !
> bridge irb
> !
> !
> !
> interface FastEthernet0
>  description connected to Private LAN Block
>  ip address 192.168.10.1 255.255.255.0
>  ip directed-broadcast
>  ip nat inside
>  ip policy route-map nonat
>  no ip mroute-cache
>  no keepalive
>  speed auto
>  full-duplex
> !
> interface BVI1
>  mtu 1492
>  ip address xx.xx.xx.121 255.255.255.248
>  ip nat outside
>  crypto map vpn
> !
> ip nat inside source route-map nonat interface BVI1 overload
> ip nat inside source static 192.168.10.122 xx.xx.xx.122 extendable
> ip nat inside source static 192.168.10.6 xx.xx.xx.124 extendable
> ip classless
> ip route 0.0.0.0 0.0.0.0 xx.xx.xx.126 (ISP END of circuit)
> no ip http server
> !
> !
> logging history debugging
> logging trap debugging
> access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 123 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 123 permit ip 192.168.10.0 0.0.0.255 any
> !
> route-map nonat permit 10
>  match ip address 123
>
> and the other end of the tunnel.....
>
> RouterBO#
> version 12.2
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key vpn address xx.xx.xx.121
> !
> !
> crypto ipsec transform-set vpn esp-des esp-md5-hmac
> !
> crypto map ramco-vpn 10 ipsec-isakmp
>  set peer xx.xx.xx.121
>  set transform-set vpn
>  match address 110
> !
> !
> !
> !
> interface Ethernet0
>  ip address yy.yy.yy.220 255.255.252.0
>  ip nat outside
>  ip route-cache same-interface
>  crypto map vpn
> !
> interface Ethernet1
>  description connected to LAN
>  ip address 192.168.1.1 255.255.255.0
>  ip nat inside
> !
> router rip
>  version 2
>  passive-interface Ethernet0
>  network 192.168.1.0
>  no auto-summary
> !
> ip nat pool 2514-nat-pool yy.yy.yy.220 yy.yy.yy.220 netmask 255.255.252.0
> ip nat inside source route-map nonat pool 2514-nat-pool overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Ethernet0
> no ip http server
> !
> logging history debugging
> logging trap debugging
> logging source-interface Ethernet0
> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
> access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
> access-list 150 permit ip 192.168.1.0 0.0.0.255 any
> route-map nonat permit 10
>  match ip address 150
>
> Any insight/help you can provide would be greatly appreciated.
>
> Thanks,
> Mark

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42271&t=42245
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
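A small consistency check for the two points raised in the reply above, added here as an example and not part of the thread or of any Cisco tool: an interface that applies a crypto map under a name that was never defined (both routers define "ramco-vpn" but apply "vpn"), and crypto-ACL traffic that the NAT route-map ACL fails to deny. The embedded config is a constructed excerpt modelled on the quoted RouterHQ config, and the regexes assume the usual one-space-indented IOS block layout rather than being a full parser.

```python
import re

# Constructed excerpt modelled on the RouterHQ config quoted in the thread (not the
# poster's full config): the map is defined as "ramco-vpn" but BVI1 applies "vpn".
ROUTER_HQ = """\
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto map ramco-vpn 10 ipsec-isakmp
 set peer yy.yy.yy.220
 set transform-set vpn
 match address 101
interface BVI1
 ip nat outside
 crypto map vpn
ip nat inside source route-map nonat interface BVI1 overload
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit ip 192.168.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 123
"""

# Assumed IOS layout: one-space-indented sub-commands below a top-level block line.
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+) (\S+ \S+|any)$", re.M)
BLOCK = r"\n(?: .*\n)*?"  # zero or more indented lines, non-greedy

def acl_entries(config, number):
    # Return {(action, src, dst)} for one numbered extended access-list.
    return {(a, s, d) for n, a, s, d in ACL_RE.findall(config) if n == number}

def audit(config):
    """Report an interface applying an undefined crypto map name, and crypto-ACL
    traffic that the NAT route-map ACL does not deny (IOS translates inside-to-outside
    before encryption, so such traffic never matches the crypto ACL)."""
    findings = []
    maps = dict(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp" + BLOCK + r" match address (\d+)", config, re.M))
    for iface, name in re.findall(r"^interface (\S+)" + BLOCK + r" crypto map (\S+)", config, re.M):
        if name not in maps:
            findings.append(f"{iface}: crypto map '{name}' applied but only {sorted(maps)} defined")
    exempt = set()  # entries of the ACL referenced by the NAT route-map
    nat = re.search(r"^ip nat inside source route-map (\S+)", config, re.M)
    rm = nat and re.search(r"^route-map %s permit \d+\n match ip address (\d+)" % re.escape(nat.group(1)), config, re.M)
    if rm:
        exempt = acl_entries(config, rm.group(1))
    for name, crypto_acl in maps.items():
        for action, src, dst in acl_entries(config, crypto_acl):
            if action == "permit" and ("deny", src, dst) not in exempt:
                findings.append(f"crypto map '{name}': {src} -> {dst} will be NATed before encryption")
    return findings

print("\n".join(audit(ROUTER_HQ)))
```

Run against the excerpt it reports only the BVI1 name mismatch; renaming the interface binding to ramco-vpn clears it, and removing the deny line from access-list 123 produces the NAT finding instead.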

