01-07-2022 09:43 AM
Hello, I am writing on behalf of a friend and myself, as we have been having trouble establishing a site-to-site VPN between our two servers. Hoping someone can shine a light on something we are missing.
We have the VPN up, but our server hosts are not communicating with each other.
When he sends a ping to me, I do see my decap traffic increment, but nothing on my end increments when I try to send a ping in his direction.
We are both using 2901 routers running version 15.7 for this task, and my half of the config is below. Our configs are mirrored exactly.
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 lifetime 10800
crypto isakmp key g3tc0nn3ct3d address [his wan ip]
crypto ipsec transform-set vpn esp-aes esp-sha-hmac
 mode tunnel
crypto map vpn 10 ipsec-isakmp
 set peer [his wan ip]
 set transform-set vpn
 match address vpn
Extended IP access list vpn
    10 permit ip host 192.168.1.252 host 192.168.254.52 log
interface GigabitEthernet0/0
 description To Comcast
 ip address [my wan]
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn
ip route 192.168.254.52 255.255.255.255 g0/0
Thank you for any tips provided
01-07-2022 09:48 AM
@comenyi1 I can see you've got NAT enabled; ensure traffic between the two hosts/networks 192.168.1.252 and 192.168.254.52 is not translated. Modify the NAT ACL to deny this traffic, and ensure this is above the networks you do want to be translated.
Why have a specific static route to the /32? Surely the default route goes out g0/0 anyway. If so, you can remove it.
Also remove "log" from the crypto ACL "vpn".
01-07-2022 10:55 AM
Hi Rob, so for NAT, I had just a single permit statement for my private network. Did you mean for me to specify the two hosts in this NAT ACL, like I have expressed below?
5 deny ip host 192.168.1.252 host 192.168.254.52
10 permit ip 192.168.1.0 0.0.0.255 any
Regarding the static route, I threw that in there while troubleshooting, along with the log on the ACL vpn.
Thanks
01-07-2022 10:59 AM
@comenyi1 yes, that NAT rule statement should suffice; just mirror the crypto ACL.
01-07-2022 12:58 PM
Thank you, this worked! We never thought of NAT or saw anything in our debug to point us in that direction. Much appreciated!