I'm trying to create a VPN on two Cisco 3825s, on the same ISP, in order to have access to each other's network.

On each side, I have them built as follows:

Site WTC: inside networks 192.168.1.0/24 and 192.168.2.0/24
Site RPA: inside networks 192.168.3.0/24 and 192.168.4.0/24

WTC:

crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 description Connection to WTC
 set peer 208.123.206.17
 set transform-set MYSET
 match address 110
 reverse-route static

interface GigabitEthernet0/0
 crypto map VPNMAP

ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 120

RPA:

crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 description Connection to WTC
 set peer 66.135.65.98
 set transform-set MYSET
 match address 110
 reverse-route static
!
!
interface GigabitEthernet0/0
 crypto map VPNMAP

ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0

access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 120

The tunnel will not establish ... Yesterday it did come up, but would not pass traffic. Today, it's showing down on both sides:

cpe-rpa-kal-gw-01#show crypto ses
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: (gi0/0 of WTC) port 500
  IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map

cpe-rpa-kal-gw-01#

Logs for RPA show when I remove 'crypto map VPNMAP' from gi0/0 and put it back:

*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May 1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 1 15:20:34.539: No peer struct to get peer description
*May 1 15:20:34.539: No peer struct to get peer description
*May 1 15:20:34.539: No peer struct to get peer description
*May 1 15:20:34.539: No peer struct to get peer description
cpe-rpa-kal-gw-01#
cpe-rpa-kal-gw-01#show cry ses
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 66.135.65.98 port 500
  IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map

cpe-rpa-kal-gw-01#

Anyone see what I might be doing wrong?

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
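Added check, not part of the post: the crypto ACLs that two IPsec peers match on must be mirror images of each other, because each side proposes its phase 2 proxy identities from its own ACL. This script parses the two ACL 110 definitions quoted in the post (embedded here as constructed input) and lists every entry whose mirror (destination, source) is missing on the other peer.

```python
import ipaddress
import re

# Crypto ACLs as posted above, embedded as constructed input for this script.
WTC_ACL = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
RPA_ACL = """
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# Only the "permit ip SRC WILD DST WILD" form is handled (all ACL 110 lines use it).
ACE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def to_net(addr, wildcard):
    """Convert a Cisco address + wildcard mask to an IPv4Network (contiguous masks only)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_crypto_acl(text, number):
    """Return the set of (src_net, dst_net) flows permitted by ACL `number`."""
    flows = set()
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == number:
            flows.add((to_net(m.group(2), m.group(3)), to_net(m.group(4), m.group(5))))
    return flows


def mirror_gaps(local, remote):
    """Flows in `local` whose mirror image (dst -> src) is not present in `remote`."""
    return sorted(f for f in local if (f[1], f[0]) not in remote)


def check_pair(acl_a, acl_b, number="110"):
    """Return (entries of A unmirrored on B, entries of B unmirrored on A)."""
    a, b = parse_crypto_acl(acl_a, number), parse_crypto_acl(acl_b, number)
    return mirror_gaps(a, b), mirror_gaps(b, a)


if __name__ == "__main__":
    for side, gaps in zip(("WTC", "RPA"), check_pair(WTC_ACL, RPA_ACL)):
        for src, dst in gaps:
            print(f"{side}: {src} -> {dst} has no {dst} -> {src} entry on the other peer")
```

Run against the two ACLs above, it reports the four WTC entries whose source is an RPA network (192.168.3.0 and 192.168.4.0 to 192.168.1.0/192.168.2.0), which have no 192.168.1.0/192.168.2.0 to 192.168.3.0/192.168.4.0 counterpart on RPA; the four RPA entries are all mirrored on WTC.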