Question : Cisco - Site to Site VPN - IPSEC

Hi All,

I am trying to create a Cisco Site to Site VPN using IPSEC. I have set up our HQ router but cannot get it to answer the IPSEC request. I'm pretty sure it's something to do with the Access-List but just don't know what.

The remote router is a Netgear DG834G and when connecting says:

Sun, 2010-06-20 14:27:03 - [HeadOffice] initiating Main Mode
Sun, 2010-06-20 14:27:13 - [HeadOffice] STATE_MAIN_I1: retransmission; will wait 20s for response
Sun, 2010-06-20 14:27:33 - [HeadOffice] STATE_MAIN_I1: retransmission; will wait 40s for response
Sun, 2010-06-20 14:28:13 - [HeadOffice] max number of retransmissions reached STATE_MAIN_I1.  No acceptable response to our first IKE message

Netgear are telling us this is because of an issue at the remote end.

Someone said I need to add an extended list of (or similar):
 permit udp host 87.102.119.130 any eq isakmp
 permit esp host 87.102.119.130 any

I just don't know where :(

Here is the Cisco Router Config

Building configuration...

Current configuration : 6907 bytes
!
! Last configuration change at 00:24:24 UTC Mon Mar 1 1993 by cisc0adm1n
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NDB-GW1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ********************************
!
username cisc0adm1n privilege 15 password 7 **********************
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
ip tcp synwait-time 10
!
!
ip inspect name ndbfw cuseeme timeout 3600
ip inspect name ndbfw rcmd timeout 3600
ip inspect name ndbfw realaudio timeout 3600
ip inspect name ndbfw udp timeout 15
ip inspect name ndbfw tcp timeout 3600
ip inspect name ndbfw h323 timeout 3600
ip inspect name ndbfw ftp timeout 3600
ip inspect name ndbfw icmp timeout 3600
ip inspect name ndbfw sip timeout 3600
ip inspect name ndbfw rtsp timeout 3600
!
ip audit po max-events 100
no ip bootp server
ip domain name ndb-europe.local
ip name-server 212.50.160.100
ip name-server 213.249.130.100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ************* address 87.122.112.130
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 87.122.112.130
 set transform-set AES-SHA-compression
 set pfs group2
 match address Crypto-list
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 1/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0/0
 description Inside Ethernet LAN
 ip address 10.10.1.1 255.255.0.0 secondary
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 load-interval 30
 full-duplex
 no cdp enable
 hold-queue 100 out
!
interface TokenRing0/0
 no ip address
 shutdown
 ring-speed 16
 no cdp enable
!
interface Serial1/0
 no ip address
 shutdown
 no cdp enable
!
interface Serial1/1
 no ip address
 shutdown
 no cdp enable
!
interface Serial1/2
 no ip address
 shutdown
 no cdp enable
!
interface Serial1/3
 no ip address
 shutdown
 no cdp enable
!
interface Dialer0
 description Outside Connection to Internet
 bandwidth 960
 ip address 77.122.112.81 255.255.255.248
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect ndbfw out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname USER
 ppp chap password 7 *******************
 crypto map VPN-Map-1
!
ip nat inside source list 4 interface Dialer0 overload
ip nat inside source static udp 192.168.0.12 2727 77.122.112.81 2727 extendable
ip nat inside source static udp 192.168.0.12 5082 77.122.112.81 5082 extendable
ip nat inside source static tcp 192.168.0.15 80 77.122.112.81 80 extendable
ip nat inside source static tcp 192.168.0.15 8088 77.122.112.81 8088 extendable
ip nat inside source static 192.168.0.10 77.122.112.82
ip nat inside source static tcp 192.168.0.17 8080 77.122.112.81 8080 extendable
ip nat inside source static udp 192.168.0.17 514 77.122.112.81 514 extendable
ip nat inside source static udp 192.168.0.17 162 77.122.112.81 162 extendable
ip nat inside source static 192.168.0.12 77.122.112.83
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
!
ip access-list extended Crypto-list
 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
ip access-list extended Ipsec-Crypto-List
 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
!
logging trap debugging
logging 192.168.0.17
access-list 4 remark NAT-ACL
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 10.10.0.0 0.0.255.255
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit tcp any host 77.122.112.81 eq www
access-list 110 permit tcp any host 77.122.112.81 eq 8088
access-list 110 permit tcp any host 77.122.112.81 eq 443
access-list 110 permit tcp any host 77.122.112.81 eq 8080
access-list 110 permit udp any host 77.122.112.81 eq syslog
access-list 110 permit udp any host 77.122.112.81 eq snmptrap
access-list 110 permit tcp any host 77.122.112.82 eq 1723
access-list 110 permit tcp any host 77.122.112.82 eq 4125
access-list 110 permit tcp any host 77.122.112.82 eq 443
access-list 110 permit tcp any host 77.122.112.82 eq 444
access-list 110 permit tcp any host 77.122.112.82 eq 993
access-list 110 permit tcp any host 77.122.112.82 eq smtp
access-list 110 permit tcp any host 77.122.112.82 eq 8019
access-list 110 permit udp any host 77.122.112.82 eq 8019
access-list 110 permit gre any host 77.122.112.82
access-list 110 permit tcp any host 77.122.112.83 eq 2727
access-list 110 permit tcp any host 77.122.112.83 eq 5082
access-list 110 permit udp any host 77.122.112.83 range 5060 5062
access-list 110 permit udp any host 77.122.112.83 range 10000 20000
access-list 110 permit gre any any
access-list 110 deny   ip any any log
no cdp run
!
snmp-server community ndbsnmp RO
snmp-server location Comms Rack - Suite 29
snmp-server contact NDB Support
snmp-server chassis-id Cisco 2600 Router
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 192.168.0.17 version 2c ndbsnmp
!
banner motd ^CC

****************************
*      WARNING BANNER      *
****************************

WARNING - Authorized Access only

The owner and any subsidiary companies, has proprietary rights
over this system and data. Unauthorized access is unlawful and may
result in legal proceedings.

All access to this system is monitored.
^C
!
line con 0
 privilege level 15
 transport preferred all
 transport output all
line aux 0
 transport input telnet ssh
 transport output all
line vty 0 4
 privilege level 15
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
ntp master
!
end

Wonder if somebody could point me in the right direction?

Cheers
Si

Answer : Cisco - Site to Site VPN - IPSEC

On the remote end (non-Cisco), enable PFS.

Or, on the Cisco side:
crypto map VPN-Map-1 10 ipsec-isakmp
 no set pfs group2

Billy
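As an added, hypothetical check (not from this thread, and not a Cisco tool): a small Python script that parses an IOS-style config and reports the two things the thread turns on, whether the inbound ACL on the interface carrying the crypto map admits IKE (UDP/500) and ESP from the peer, and what PFS the crypto map requires, plus whether the ISAKMP key address matches the crypto map peer. The sample config is constructed and modelled on the posted one, with RFC 5737 placeholder addresses; the parser covers only the handful of statements the check needs (numbered ACLs, `crypto map`, `interface`, `crypto isakmp key`), and `range` port qualifiers are treated as matching any port.

```python
"""Audit an IOS-style config for why a site-to-site IPsec peer gets no reply
to its first IKE Main Mode message: does the inbound ACL on the crypto-map
interface admit IKE (UDP/500) and ESP from the peer, does the ISAKMP key
address match the crypto map peer, and what PFS does the map require?
Hypothetical helper written for this thread, not a Cisco tool."""
import ipaddress
import re

# Constructed sample modelled on the posted config (RFC 5737 placeholder
# addresses, not the poster's): inbound ACL 110 ends in an explicit deny and
# has no ISAKMP/ESP entries, so the router never answers the peer.
SAMPLE_CONFIG = """\
crypto isakmp key ***** address 198.51.100.30
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 198.51.100.30
 set transform-set AES-SHA-compression
 set pfs group2
 match address Crypto-list
interface Dialer0
 ip address 203.0.113.81 255.255.255.248
 ip access-group 110 in
 crypto map VPN-Map-1
access-list 110 permit tcp any any eq domain
access-list 110 permit tcp any host 203.0.113.81 eq www
access-list 110 deny   ip any any log
"""

PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500", "domain": "53", "www": "80"}


def _addr_spec(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) -> ((net, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]


def _covers(spec, ip):
    """Wildcard-mask match; an unknown address (None) is treated as covered."""
    net, wild = spec
    return ip is None or (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)


def parse_acl_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] ...'; 'range' is ignored (= any port)."""
    m = re.match(r"access-list (\d+) (permit|deny)\s+(\S+)\s+(.*)", line)
    if not m:
        return None
    src, rest = _addr_spec(m.group(4).split())
    dst, rest = _addr_spec(rest)
    port = PORT_NAMES.get(rest[1], rest[1]) if rest[:1] == ["eq"] else None
    return m.group(1), {"action": m.group(2), "proto": m.group(3), "src": src, "dst": dst, "port": port}


def parse_config(text):
    """Collect just the statements the audit needs from an IOS running-config."""
    cfg = {"key_peer": None, "map": None, "map_peer": None, "pfs": None, "interfaces": {}, "acls": {}}
    block = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # a top-level statement ends the current block
            block = None
            if (m := re.match(r"crypto isakmp key \S+ address (\S+)", line)):
                cfg["key_peer"] = m.group(1)
            elif (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line)):
                block, cfg["map"] = ("map", m.group(1)), m.group(1)
            elif (m := re.match(r"interface (\S+)", line)):
                block = ("if", m.group(1))
                cfg["interfaces"][m.group(1)] = {}
            elif (entry := parse_acl_entry(line)):
                cfg["acls"].setdefault(entry[0], []).append(entry[1])
            continue
        w = line.split()
        if block and block[0] == "map":
            if w[:2] == ["set", "peer"]:
                cfg["map_peer"] = w[2]
            elif w[:2] == ["set", "pfs"]:
                cfg["pfs"] = w[2]
        elif block and block[0] == "if":
            intf = cfg["interfaces"][block[1]]
            if w[:2] == ["ip", "address"] and re.match(r"\d+\.", w[2]):
                intf.setdefault("ip", w[2])   # keep the primary address, skip 'negotiated'
            elif w[:2] == ["ip", "access-group"] and w[3] == "in":
                intf["acl_in"] = w[2]
            elif w[:2] == ["crypto", "map"]:
                intf["crypto_map"] = w[2]
    return cfg


def acl_verdict(entries, proto, src_ip, dst_ip, port=None):
    """First-match evaluation, as IOS does; an unmatched packet hits the implicit deny."""
    port = PORT_NAMES.get(port, port)
    for e in entries:
        if (e["proto"] in (proto, "ip") and _covers(e["src"], src_ip)
                and _covers(e["dst"], dst_ip) and (e["port"] is None or e["port"] == port)):
            return e["action"]
    return "deny (implicit)"


def audit(cfg):
    """Return findings as strings; an empty list means nothing in the config obviously blocks the peer."""
    findings, peer = [], cfg["map_peer"]
    if peer is None:
        return ["no 'set peer' found in any crypto map"]
    if cfg["key_peer"] != peer:
        findings.append(f"ISAKMP key is bound to {cfg['key_peer']} but the crypto map peer is {peer}")
    outside = [(n, i) for n, i in cfg["interfaces"].items() if i.get("crypto_map") == cfg["map"]]
    if not outside:
        return findings + [f"crypto map {cfg['map']} is not applied to any interface"]
    name, intf = outside[0]
    if intf.get("acl_in"):
        for proto, port, label in (("udp", "isakmp", "IKE (UDP/500)"), ("esp", None, "ESP")):
            verdict = acl_verdict(cfg["acls"].get(intf["acl_in"], []), proto, peer, intf.get("ip"), port)
            if verdict != "permit":
                findings.append(f"{name}: inbound ACL {intf['acl_in']} returns '{verdict}' for {label} from {peer}")
    if cfg["pfs"]:
        findings.append(f"note: crypto map requires PFS {cfg['pfs']}; the peer must be set to match")
    return findings


def suggested_acl_lines(cfg):
    """The two entries the thread suggests, tightened to the router's own outside address."""
    peer = cfg["map_peer"]
    intf = next(i for i in cfg["interfaces"].values() if i.get("crypto_map") == cfg["map"])
    dst = f"host {intf['ip']}" if intf.get("ip") else "any"
    return [f"access-list {intf['acl_in']} permit udp host {peer} {dst} eq isakmp",
            f"access-list {intf['acl_in']} permit esp host {peer} {dst}"]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("\n".join(audit(cfg)))
    print("\n".join(suggested_acl_lines(cfg)))
```

Run it as-is to see the findings for the sample; for a real router, paste the `show running-config` output into `SAMPLE_CONFIG`. Because IOS evaluates an access list top to bottom and stops at the first match, the two permit entries only help if they sit above `deny ip any any log`; a numbered access-list line typed at the CLI is appended at the end, so the list has to be rebuilt, or edited with sequence numbers under `ip access-list extended 110`, for the new entries ever to be reached. If a NAT device sits between the peers, IKE also moves to UDP/4500 (NAT-T), which would need its own entry.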