Microsoft
Software
Hardware
Network
Question : Cisco - Site to Site VPN - IPSEC
Hi All,
I am trying to create a Cisco Site to Site VPN using IPSEC. I have setup our HQ router but cannot get it to answer the IPSEC request. Im pretty sure is something to do with the Access-List but just dont know what.
The remote router is a Netgear DG834G and when connecting says:
Sun, 2010-06-20 14:27:03 - [HeadOffice] initiating Main Mode
Sun, 2010-06-20 14:27:13 - [HeadOffice] STATE_MAIN_I1: retransmission; will wait 20s for response
Sun, 2010-06-20 14:27:33 - [HeadOffice] STATE_MAIN_I1: retransmission; will wait 40s for response
Sun, 2010-06-20 14:28:13 - [HeadOffice] max number of retransmissions reached STATE_MAIN_I1. No acceptable response to our first IKE message
Netgear are telling us this is because of an issue at the remote end.
Someone said I need to add an extended list of (Or similar)
permit udp host 87.102.119.130 any eq isakmp
permit esp host 87.102.119.130 any
I just dont know where:(
Here is the Cisco Router Config
Building configuration...
Current configuration : 6907 bytes
!
! Last configuration change at 00:24:24 UTC Mon Mar 1 1993 by cisc0adm1n
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NDB-GW1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 **************************
******
!
username cisc0adm1n privilege 15 password 7 **********************
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
ip tcp synwait-time 10
!
!
ip inspect name ndbfw cuseeme timeout 3600
ip inspect name ndbfw rcmd timeout 3600
ip inspect name ndbfw realaudio timeout 3600
ip inspect name ndbfw udp timeout 15
ip inspect name ndbfw tcp timeout 3600
ip inspect name ndbfw h323 timeout 3600
ip inspect name ndbfw ftp timeout 3600
ip inspect name ndbfw icmp timeout 3600
ip inspect name ndbfw sip timeout 3600
ip inspect name ndbfw rtsp timeout 3600
!
ip audit po max-events 100
no ip bootp server
ip domain name ndb-europe.local
ip name-server 212.50.160.100
ip name-server 213.249.130.100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ************* address 87.122.112.130
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 87.122.112.130
set transform-set AES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 1/50
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0
description Inside Ethernet LAN
ip address 10.10.1.1 255.255.0.0 secondary
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
load-interval 30
full-duplex
no cdp enable
hold-queue 100 out
!
interface TokenRing0/0
no ip address
shutdown
ring-speed 16
no cdp enable
!
interface Serial1/0
no ip address
shutdown
no cdp enable
!
interface Serial1/1
no ip address
shutdown
no cdp enable
!
interface Serial1/2
no ip address
shutdown
no cdp enable
!
interface Serial1/3
no ip address
shutdown
no cdp enable
!
interface Dialer0
description Outside Connection to Internet
bandwidth 960
ip address 77.122.112.81 255.255.255.248
ip access-group 110 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ndbfw out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname USER
ppp chap password 7 *******************
crypto map VPN-Map-1
!
ip nat inside source list 4 interface Dialer0 overload
ip nat inside source static udp 192.168.0.12 2727 77.122.112.81 2727 extendable
ip nat inside source static udp 192.168.0.12 5082 77.122.112.81 5082 extendable
ip nat inside source static tcp 192.168.0.15 80 77.122.112.81 80 extendable
ip nat inside source static tcp 192.168.0.15 8088 77.122.112.81 8088 extendable
ip nat inside source static 192.168.0.10 77.122.112.82
ip nat inside source static tcp 192.168.0.17 8080 77.122.112.81 8080 extendable
ip nat inside source static udp 192.168.0.17 514 77.122.112.81 514 extendable
ip nat inside source static udp 192.168.0.17 162 77.122.112.81 162 extendable
ip nat inside source static 192.168.0.12 77.122.112.83
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
!
ip access-list extended Crypto-list
permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
ip access-list extended Ipsec-Crypto-List
permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
!
logging trap debugging
logging 192.168.0.17
access-list 4 remark NAT-ACL
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 10.10.0.0 0.0.255.255
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit tcp any host 77.122.112.81 eq www
access-list 110 permit tcp any host 77.122.112.81 eq 8088
access-list 110 permit tcp any host 77.122.112.81 eq 443
access-list 110 permit tcp any host 77.122.112.81 eq 8080
access-list 110 permit udp any host 77.122.112.81 eq syslog
access-list 110 permit udp any host 77.122.112.81 eq snmptrap
access-list 110 permit tcp any host 77.122.112.82 eq 1723
access-list 110 permit tcp any host 77.122.112.82 eq 4125
access-list 110 permit tcp any host 77.122.112.82 eq 443
access-list 110 permit tcp any host 77.122.112.82 eq 444
access-list 110 permit tcp any host 77.122.112.82 eq 993
access-list 110 permit tcp any host 77.122.112.82 eq smtp
access-list 110 permit tcp any host 77.122.112.82 eq 8019
access-list 110 permit udp any host 77.122.112.82 eq 8019
access-list 110 permit gre any host 77.122.112.82
access-list 110 permit tcp any host 77.122.112.83 eq 2727
access-list 110 permit tcp any host 77.122.112.83 eq 5082
access-list 110 permit udp any host 77.122.112.83 range 5060 5062
access-list 110 permit udp any host 77.122.112.83 range 10000 20000
access-list 110 permit gre any any
access-list 110 deny ip any any log
no cdp run
!
snmp-server community ndbsnmp RO
snmp-server location Comms Rack - Suite 29
snmp-server contact NDB Support
snmp-server chassis-id Cisco 2600 Router
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 192.168.0.17 version 2c ndbsnmp
!
banner motd ^CC
**************************
**
* WARNING BANNER *
**************************
**
WARNING - Authorized Access only
The owner and any subsidiary companies, has proprietary rights
over this system and data. Unauthorized access is unlawful and may
result in legal proceedings.
All access to this system is monitored.
^C
!
line con 0
privilege level 15
transport preferred all
transport output all
line aux 0
transport input telnet ssh
transport output all
line vty 0 4
privilege level 15
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
ntp master
!
end
Wonder if somebody could point me in the right direction?
Cheers
Si
Answer : Cisco - Site to Site VPN - IPSEC
on the remote end (Non cisco)
enable PFS
or on the Cisco side:
crypto map VPN-Map-1 10 ipsec-isakmp
no set pfs group2
Billy
Random Solutions
Connecting Outlook 2007 to Exchange 2010 a Password is required each time outlook is opened
PHP Frameworks: is there a way to document class information?
Using the Plugin More Fields and having trouble with Post Types
C++ Assigne multi word input into single string fiield
SharePoint-sending email
Network problem
A vbs script help
Windows VPN through Cisco 1721
DFS Replication Configuration Sources
need script to run as administrator ipconfig release/renew and flushdns with password encrypted