VPN between Cisco 837 and cisco 837 with IP static and ip di
lyvicro@hotmail.com
Guest





Posted: Thu Dec 15, 2005 12:01 am    Post subject: VPN between Cisco 837 and cisco 837 with IP static and ip di

I have two Cisco 837 routers (Router A and Router B).
Router A has an ADSL line without a static public IP, and
Router B has a static public IP.

Router B is not connected to ADSL; I pass the public IP through a
Cisco 7204 router with a point-to-point line.

The IPsec error I get on the connection from Router A to
Router B is:


Mar 1 01:02:38.031: CryptoEngine0: validate proposal request
*Mar 1 01:02:38.031: IPSEC(validate_transform_proposal): invalid local address xx.xx.xx.xx
*Mar 1 01:02:38.031: ISAKMP (0:1): IPSec policy invalidated proposal
*Mar 1 01:02:38.031: ISAKMP (0:1): phase 2 SA policy not acceptable!

The configuration of the routers is

Router A

Current configuration : 2826 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RTP0987
!
memory-size iomem 5
logging buffered 32768 debugging
!
ip subnet-zero
no ip source-route
no ip bootp server
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address ip_public_router B
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer ip_public router B
set transform-set rtpset
match address 115
!
!
!
!
interface Ethernet0
ip address 10.19.87.201 255.255.255.0
ip nat inside
no cdp enable
standby 1 ip 10.19.87.2
standby 1 priority 110
standby 1 preempt
standby 1 track ATM0
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip proxy-arp
load-interval 30
no atm ilmi-keepalive
bundle-enable
dsl operating-mode ansi-dmt
dsl power-cutback 0
hold-queue 224 in
!
interface ATM0.1 point-to-point
ip address ip_public
ip nat outside
pvc 0/33
vbr-nrt 320 320 1
inarp 1
no ilmi manage
oam-pvc manage
encapsulation aal5snap
!
crypto map rtp
!
ip nat inside source route-map nonat interface ATM0.1 overload
ip nat inside source static tcp 10.19.87.201 23 interface ATM0.1 23
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
!
!
access-list 115 permit ip 10.19.87.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 115 deny ip 10.19.87.0 0.0.0.255 any
access-list 120 deny ip 10.19.87.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 120 permit ip 10.19.87.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
match ip address 120
!




ROUTER B


!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VPN_CISCO837
!
!
no aaa new-model
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
set transform-set rtpset
match address 115
!
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
crypto map rtpmap local-address Loopback0
!
!
!
!
interface Loopback0
ip address ip_publica
ip nat inside
!
interface Ethernet0
ip address 192.168.201.8 255.255.255.0
no ip redirects
ip nat outside
ip route-cache same-interface
ip policy route-map nat
crypto map rtptrans
hold-queue 100 out
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
dsl power-cutback 0
!
ip nat inside source route-map nonat interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.201.2
ip route 10.200.0.0 255.255.0.0 192.168.201.1
ip route ip_publica 255.255.255.255 192.168.201.2 -> I pass the public IP to the other router
no ip http server
no ip http secure-server
!
access-list 115 permit ip 192.168.201.0 0.0.0.255 10.19.87.0 0.0.0.255
access-list 115 deny ip 192.168.201.0 0.0.0.255 any
access-list 120 deny ip 192.168.201.0 0.0.0.255 10.19.87.0 0.0.0.255
access-list 120 permit ip 192.168.201.0 0.0.0.255 any
dialer-list 1 protocol ip permit
arp 192.168.201.1 0102.0304.0511 ARPA
route-map nonat permit 10
match ip address 120
!
route-map nat permit 10
match ip address 115
set interface Loopback0
!




It only works with two static public IPs, if I put this in Router B:

crypto map rtpset local-address Loopback0
crypto map rtpset 20 ipsec-isakmp
set peer ip_public router A
set transform-set rtpset
match address 115


That works, but I need it to work with a dynamic IP on Router A.
It also works if Router B is connected to an ADSL line, but that is not my case.
On Router B I use the same interface for IPsec and the LAN.

Can anybody help me?

Thank you
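
Added example, not part of the original thread or either poster's code: a small Python check run over an excerpt of the Router B configuration posted above (indentation added). It reports that `local-address Loopback0` is configured for a crypto map named `rtpmap` while the map applied to Ethernet0 is `rtptrans`, and flags the DES, MD5 and wildcard pre-shared key settings; the function name `audit` and the finding texts are assumptions of this example.

```python
import re

# Excerpt of the Router B configuration posted in the thread (indentation added).
ROUTER_B = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 match address 115
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
crypto map rtpmap local-address Loopback0
interface Ethernet0
 crypto map rtptrans
"""

def audit(config):
    """Return a sorted list of findings for an IOS crypto configuration."""
    entries, local_addr, applied, findings = set(), {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            entries.add(m.group(1))            # crypto map set that has entries
        elif m := re.match(r"crypto map (\S+) local-address (\S+)", line):
            local_addr[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"crypto map (\S+)", line):
            applied.add(m.group(1))            # map applied under an interface
        elif re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", line):
            findings.add("wildcard pre-shared key (matches any peer)")
        elif line.startswith("crypto ipsec transform-set"):
            if "esp-des" in line.split():
                findings.add("transform-set uses single DES")
            if "esp-md5-hmac" in line.split():
                findings.add("transform-set uses HMAC-MD5")
        elif line == "hash md5":
            findings.add("ISAKMP policy uses MD5")
    for name, iface in local_addr.items():
        if name not in entries:                # local-address on a map with no entries
            findings.add(f"local-address {iface} set on '{name}', which has no crypto map entries")
    for name in applied - set(local_addr):     # applied map falls back to interface IP
        findings.add(f"applied crypto map '{name}' uses its interface address (no local-address)")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(ROUTER_B)))
```

Rewriting the statement as `crypto map rtptrans local-address Loopback0` in the sample clears both local-address findings of this check; the cipher and pre-shared key findings remain.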
AM
Guest





Posted: Thu Dec 15, 2005 12:06 am    Post subject: Re: VPN between Cisco 837 and cisco 837 with IP static and i

lyvicro@hotmail.com wrote:

Quote:
I have two Cisco 837 routers (Router A and Router B).
Router A has an ADSL line without a static public IP, and
Router B has a static public IP.

Router B is not connected to ADSL; I pass the public IP through a
Cisco 7204 router with a point-to-point line.

The IPsec error I get on the connection from Router A to
Router B is:


Mar 1 01:02:38.031: CryptoEngine0: validate proposal request
*Mar 1 01:02:38.031: IPSEC(validate_transform_proposal): invalid local address xx.xx.xx.xx
*Mar 1 01:02:38.031: ISAKMP (0:1): IPSec policy invalidated proposal
*Mar 1 01:02:38.031: ISAKMP (0:1): phase 2 SA policy not acceptable!



Try to use the same ACL 115 (only the first statement, not both).

Alex
lyvicro@hotmail.com
Guest





Posted: Thu Dec 15, 2005 12:12 am    Post subject: Re: VPN between Cisco 837 and cisco 837 with IP static and i

Which router, A or B?

Do you mean this one?

access-list 115 permit ip 192.168.201.0 0.0.0.255 10.19.87.0 0.0.0.255
AM
Guest





Posted: Thu Dec 15, 2005 4:06 pm    Post subject: Re: VPN between Cisco 837 and cisco 837 with IP static and i

lyvicro@hotmail.com wrote:
Quote:
Which router, A or B?

Do you mean this one?

access-list 115 permit ip 192.168.201.0 0.0.0.255 10.19.87.0 0.0.0.255

Yes, try to use that one on both A and B.

Alex.
lyvicro@hotmail.com
Guest





Posted: Fri Dec 16, 2005 3:10 am    Post subject: Re: VPN between Cisco 837 and cisco 837 with IP static and i

Hi Alex,

I tried it but it doesn't work.

All times are GMT