topbanana, 2014-07-03 09:26:44

Why doesn't the tunnel between Cisco RV320 and Cisco 871 come up?

Hello!
I'm trying to set up a site-to-site VPN tunnel between a Cisco RV320 and a Cisco 871 using several manuals, and something doesn't work.
The network layout is as follows: DynDNS is configured on the Cisco 871, and that is where I am trying to connect. Settings on the RV320: On the 871 I enter this:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 28800
crypto isakmp key preshared-key address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac 
!
crypto dynamic-map hq-vpn 10
 set security-association lifetime seconds 28800
 set transform-set MYSET 
 match address 100
!
crypto map VPNMAP 1 ipsec-isakmp dynamic hq-vpn 
!
interface FastEthernet4
 crypto map VPNMAP
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

When trying to ping 871 from a computer connected to the RV320, the tunnel fails.
What am I doing wrong?


1 answer(s)
topbanana, 2014-07-04

I enabled deb crypto ipsec and deb crypto isakmp, and enabled the general log on the RV320 for IPSec & PPTP VPN and for SSL VPN.
The RV320 writes only this in the logs:
The 871 writes this:

Jul  4 14:38:08.250: ISAKMP:(1012):atts are acceptable.
Jul  4 14:38:08.250: IPSEC(validate_proposal_request): proposal part #1
Jul  4 14:38:08.250: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 93.190.176.206, remote= 93.190.178.205, 
    local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jul  4 14:38:08.250: IPSEC(validate_proposal_request): proposal part #2
Jul  4 14:38:08.254: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 93.190.176.206, remote= 93.190.178.205, 
    local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Jul  4 14:38:08.254: IPSEC(crypto_ipsec_process_proposal): invalid local address 93.190.176.206
Jul  4 14:38:08.254: ISAKMP:(1012): IPSec policy invalidated proposal
Jul  4 14:38:08.254: ISAKMP:(1012): phase 2 SA policy not acceptable! (local 93.190.176.206 remote 93.190.178.205)
Jul  4 14:38:08.254: ISAKMP: set new node 680991999 to QM_IDLE      
Jul  4 14:38:08.254: ISAKMP:(1012):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
  spi 2204243888, message ID = 680991999

The 320 is connected via a TP-Link, because the provider delivers the Internet via PPTP, and the 320 is not able to connect like that.
UPD.
I moved the crypto map from FE4 to Dialer0, and debug gave me another error:
Jul  4 15:08:33.746: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity: 
    {ah-sha-hmac esp-aes 256 esp-sha-hmac }

Then I changed the transform-set to what is written in the debug, and the tunnel seems to have come up.
But the ping doesn't work.
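
The two phase 2 rejections in the debug output above can be read mechanically. The following is an added example, not code from the post: `normalize` and `diagnose` are hypothetical helper names, the input is an excerpt of the posted debug lines, and it assumes that all proposal parts in the excerpt belong to one offer and that `esp-aes` without a key size means 128-bit on IOS.

```python
import re

# Excerpt of the 871's debug output quoted in the post (whitespace trimmed).
DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
    protocol= AH, transform= ah-sha-hmac  (Tunnel),
IPSEC(validate_proposal_request): proposal part #2,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
IPSEC(crypto_ipsec_process_proposal): invalid local address 93.190.176.206
ISAKMP:(1012): phase 2 SA policy not acceptable! (local 93.190.176.206 remote 93.190.178.205)
"""

def normalize(transforms):
    """Tokenize a transform list, making the AES key size explicit.
    Assumption: on IOS, esp-aes with no size means 128-bit."""
    text = " ".join(transforms.split())
    text = re.sub(r"esp-aes(?! \d)", "esp-aes 128", text)
    return frozenset(re.findall(r"esp-aes \d+|\S+", text))

def diagnose(debug, configured):
    """Return findings explaining why phase 2 was rejected.
    Assumption: every proposal part in `debug` belongs to one offer."""
    offered = set()
    for m in re.finditer(r"transform= (.+?)\s+\((?:Tunnel|Transport)\)", debug):
        offered |= normalize(m.group(1))
    findings = []
    wanted = normalize(configured)
    if offered and offered != wanted:
        findings.append(("transform-mismatch", sorted(offered), sorted(wanted)))
    # IOS logs this when the negotiated local address is not on an
    # interface that carries the crypto map (FastEthernet4 vs Dialer0 here).
    m = re.search(r"invalid local address (\S+)", debug)
    if m:
        findings.append(("crypto-map-interface", m.group(1)))
    return findings

if __name__ == "__main__":
    # Transform-set MYSET as configured in the question.
    for finding in diagnose(DEBUG, "esp-aes esp-sha-hmac"):
        print(finding)
```

Run against the question's `MYSET`, it reports both the transform mismatch (the peer offers AH plus 256-bit AES, the 871 expects ESP with 128-bit AES only) and the local address that has no crypto map on its interface.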
