BobSutan
I cannot get a VPN tunnel interface to come up on two Cisco devices. One is a 6509 using a SPA card and VRF mode, the other is a 3825 with nothing special going on. I'm trying to establish a Virtual Tunnel Interface on the 6509 utilizing VRF and the SPA, but I'm at my wits' end on this one. Google has failed. Cisco has failed. Cisco's rep I spoke with said it's possible, but I can't make it work. If I can't get this operational by the end of the week I need to find another job because I don't need this kind of frustration in my life.
Oh, and this is just a simple peer to peer VPN. The devices are directly connected as follows:
Loop1 - 6509 - FA1/0 ---[Tunnel]--- FA 1/0 - 3825 - Loop 1
FA1/0 on 6509: 192.168.1.1 /24
FA1/0 on 3825: 192.168.1.2 /24
Loop1 on 6509: 10.1.0.1/32
Loop1 on 3825: 10.2.0.1/32
Tunnel0 on 6509: 192.168.2.1/31
Tunnel0 on 3825: 192.168.2.2/31
Here is what I remember of the config off the top of my head:
6509
Code:
! Traffic between the two loopbacks
access-list 110 permit ip host 10.2.0.1 host 10.1.0.1
access-list 110 permit ip host 10.1.0.1 host 10.2.0.1
access-list 110 permit icmp host 10.2.0.1 host 10.1.0.1
access-list 110 permit icmp host 10.1.0.1 host 10.2.0.1
! IKE phase 1 policy
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
! Pre-shared key, any peer address
crypto isakmp key vpntunnelkey address 0.0.0.0
! IPsec phase 2 transform set
crypto ipsec transform-set VPNTFSET esp-3des esp-sha-hmac
! Crypto map entry; 10 is an arbitrary sequence number
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set VPNTFSET
 match address 110
! Apply the crypto map to the physical interface
interface Fa1/0
 crypto map VPNMAP
3825
Code:
! Traffic between the two loopbacks
access-list 110 permit ip host 10.2.0.1 host 10.1.0.1
access-list 110 permit ip host 10.1.0.1 host 10.2.0.1
access-list 110 permit icmp host 10.2.0.1 host 10.1.0.1
access-list 110 permit icmp host 10.1.0.1 host 10.2.0.1
! IKE phase 1 policy
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
! Pre-shared key, any peer address
crypto isakmp key vpntunnelkey address 0.0.0.0
! IPsec phase 2 transform set
crypto ipsec transform-set VPNTFSET esp-3des esp-sha-hmac
! Crypto map entry; 10 is an arbitrary sequence number
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set VPNTFSET
 match address 110
! Apply the crypto map to the physical interface
interface Fa1/0
 crypto map VPNMAP
**Edit**
Ignore these configs since I'm no longer using crypto maps at all since VTIs don't implement them.
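An added example, not part of the original post and not Cisco tooling: a small Python audit run over the crypto lines and the Tunnel0 addressing quoted above, flagging the settings a reviewer would question before the tunnel goes into service. The rule table and function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: crypto lines and tunnel addresses copied from the post above.
CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key vpntunnelkey address 0.0.0.0
crypto ipsec transform-set VPNTFSET esp-3des esp-sha-hmac
"""
TUNNEL_ENDS = {"6509": "192.168.2.1/31", "3825": "192.168.2.2/31"}

# Hypothetical rule table: (regex, finding text). Captured groups fill {0}.
RULES = [
    (r"^\s*group\s+(1|2|5)\s*$", "weak Diffie-Hellman group {0}"),
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0",
     "pre-shared key accepted from any peer"),
    (r"transform-set\s+\S+.*\besp-(3des|des)\b", "legacy ESP cipher {0}"),
]


def audit_crypto(config):
    """Return (line number, finding) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        for pattern, message in RULES:
            m = re.search(pattern, line, re.IGNORECASE)
            if m:
                findings.append((lineno, message.format(*m.groups())))
    return findings


def tunnel_networks(ends):
    """Return the distinct networks the tunnel endpoints sit in.

    More than one entry means the two ends do not share a subnet, so
    neither router sees the other's tunnel address as directly connected.
    """
    nets = {ipaddress.ip_interface(addr).network for addr in ends.values()}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    for lineno, finding in audit_crypto(CONFIG):
        print(f"line {lineno}: {finding}")
    print("tunnel networks:", tunnel_networks(TUNNEL_ENDS))
```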