VPN between Cisco 837 and Cisco 837 with static IP and dynamic IP

Discussion in 'Cisco' started by lyvicro@hotmail.com, Dec 14, 2005.

  1. Guest

    I have two Cisco 837 routers (Router A and Router B).
    On router A I have an ADSL line without a static public IP, and
    router B has a static public IP.

    Router B is not connected to ADSL; I pass the public IP with a Cisco
    7204 router over a point-to-point line.

    The error in IPsec that I get on the connection from router A to
    router B is:


    Mar 1 01:02:38.031: CryptoEngine0: validate proposal request
    *Mar 1 01:02:38.031: IPSEC(validate_transform_proposal): invalid local
    address xx.xx.xx.xx
    *Mar 1 01:02:38.031: ISAKMP (0:1): IPSec policy invalidated proposal
    *Mar 1 01:02:38.031: ISAKMP (0:1): phase 2 SA policy not acceptable!

    The configuration of the routers is

    Router A

    Current configuration : 2826 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    hostname RTP0987
    !
    memory-size iomem 5
    logging buffered 32768 debugging
    !
    ip subnet-zero
    no ip source-route
    no ip bootp server
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key cisco123 address ip_public_router B
    !
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    !
    crypto map rtp 1 ipsec-isakmp
    set peer ip_public router B
    set transform-set rtpset
    match address 115
    !
    !
    !
    !
    interface Ethernet0
    ip address 10.19.87.201 255.255.255.0
    ip nat inside
    no cdp enable
    standby 1 ip 10.19.87.2
    standby 1 priority 110
    standby 1 preempt
    standby 1 track ATM0
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip proxy-arp
    load-interval 30
    no atm ilmi-keepalive
    bundle-enable
    dsl operating-mode ansi-dmt
    dsl power-cutback 0
    hold-queue 224 in
    !
    interface ATM0.1 point-to-point
    ip address ip_public
    ip nat outside
    pvc 0/33
    vbr-nrt 320 320 1
    inarp 1
    no ilmi manage
    oam-pvc manage
    encapsulation aal5snap
    !
    crypto map rtp
    !
    ip nat inside source route-map nonat interface ATM0.1 overload
    ip nat inside source static tcp 10.19.87.201 23 interface ATM0.1 23
    ip classless
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    no ip http server
    !
    !
    access-list 115 permit ip 10.19.87.0 0.0.0.255 192.168.201.0 0.0.0.255
    access-list 115 deny ip 10.19.87.0 0.0.0.255 any
    access-list 120 deny ip 10.19.87.0 0.0.0.255 192.168.201.0 0.0.0.255
    access-list 120 permit ip 10.19.87.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map nonat permit 10
    match ip address 120
    !




    ROUTER B


    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname VPN_CISCO837
    !
    !
    no aaa new-model
    ip subnet-zero
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh break-string
    no ftp-server write-enable
    !
    !
    !
    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    !
    crypto dynamic-map rtpmap 10
    set transform-set rtpset
    match address 115
    !
    !
    crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
    !
    crypto map rtpmap local-address Loopback0
    !
    !
    !
    !
    interface Loopback0
    ip address ip_publica
    ip nat inside
    !
    interface Ethernet0
    ip address 192.168.201.8 255.255.255.0
    no ip redirects
    ip nat outside
    ip route-cache same-interface
    ip policy route-map nat
    crypto map rtptrans
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    shutdown
    no atm ilmi-keepalive
    dsl operating-mode auto
    dsl power-cutback 0
    !
    ip nat inside source route-map nonat interface Loopback0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.201.2
    ip route 10.200.0.0 255.255.0.0 192.168.201.1
    ip route ip_publica 255.255.255.255 192.168.201.2 -> I pass the public
    IP to the other router
    no ip http server
    no ip http secure-server
    !
    access-list 115 permit ip 192.168.201.0 0.0.0.255 10.19.87.0 0.0.0.255
    access-list 115 deny ip 192.168.201.0 0.0.0.255 any
    access-list 120 deny ip 192.168.201.0 0.0.0.255 10.19.87.0 0.0.0.255
    access-list 120 permit ip 192.168.201.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    arp 192.168.201.1 0102.0304.0511 ARPA
    route-map nonat permit 10
    match ip address 120
    !
    route-map nat permit 10
    match ip address 115
    set interface Loopback0
    !




    It only works with two static public IPs if I put this on router B:

    crypto map rtpset local-address Loopback0
    crypto map rtpset 20 ipsec-isakmp
    set peer ip_public router A
    set transform-set rtpset
    match address 115


    That works, but I need it to work with a dynamic IP on router A.
    It also works if router B is connected to an ADSL line, but that is not my case.
    On router B I use the same interface for IPsec and the LAN.

    Can anybody help me?

    Thank you
     
    , Dec 14, 2005
    #1

  2. AM Guest

    wrote:

    > I have two Cisco 837 routers (Router A and Router B).
    > On router A I have an ADSL line without a static public IP, and
    > router B has a static public IP.
    >
    > Router B is not connected to ADSL; I pass the public IP with a Cisco
    > 7204 router over a point-to-point line.
    >
    > The error in IPsec that I get on the connection from router A to
    > router B is:
    >
    >
    > Mar 1 01:02:38.031: CryptoEngine0: validate proposal request
    > *Mar 1 01:02:38.031: IPSEC(validate_transform_proposal): invalid local
    > address xx.xx.xx.xx
    > *Mar 1 01:02:38.031: ISAKMP (0:1): IPSec policy invalidated proposal
    > *Mar 1 01:02:38.031: ISAKMP (0:1): phase 2 SA policy not acceptable!
    >



    Try to use the same ACL 115 (only the first statement, not both).

    Alex
     
    AM, Dec 14, 2005
    #2

  3. Guest

    Which router, A or B?

    Do you mean this one?

    access-list 115 permit ip 192.168.201.0 0.0.0.255 10.19.87.0 0.0.0.255
     
    , Dec 14, 2005
    #3
  4. AM Guest

    wrote:
    > Which router, A or B?
    >
    > Do you mean this one?
    >
    > access-list 115 permit ip 192.168.201.0 0.0.0.255 10.19.87.0 0.0.0.255


    Yes, try to use that one on both A and B.

    Alex.
     
    AM, Dec 15, 2005
    #4
  5. Guest

    Hi Alex,

    I tried it but it doesn't work.
     
    , Dec 15, 2005
    #5
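
Added example, not part of the thread: a small Python check over constructed excerpts of the two configurations in post #1. It cross-checks which crypto map name `local-address` is bound to against the map applied to the interface (on Router B the binding names `rtpmap`, while `rtptrans` is the set applied to Ethernet0), and whether the `permit` lines of ACL 115 on the two peers mirror each other. The function names and the excerpt layout are assumptions of this example.

```python
import re

# Constructed excerpts: only the crypto-relevant lines of the two configs in post #1.
ROUTER_A = """\
crypto map rtp 1 ipsec-isakmp
 match address 115
interface ATM0.1 point-to-point
 crypto map rtp
access-list 115 permit ip 10.19.87.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 115 deny ip 10.19.87.0 0.0.0.255 any
"""
ROUTER_B = """\
crypto dynamic-map rtpmap 10
 match address 115
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
crypto map rtpmap local-address Loopback0
interface Ethernet0
 crypto map rtptrans
access-list 115 permit ip 192.168.201.0 0.0.0.255 10.19.87.0 0.0.0.255
access-list 115 deny ip 192.168.201.0 0.0.0.255 any
"""

def crypto_map_names(cfg):
    """Cross-check the names used by crypto map entries, local-address and interfaces."""
    defined = set(re.findall(r"^[ \t]*crypto map (\S+) \d+ ipsec-isakmp", cfg, re.M))
    bound = set(re.findall(r"^[ \t]*crypto map (\S+) local-address \S+", cfg, re.M))
    # The bare form "crypto map NAME" only occurs under an interface.
    applied = set(re.findall(r"^[ \t]*crypto map (\S+)[ \t]*$", cfg, re.M))
    return {
        "dangling_local_address": sorted(bound - defined),  # names no defined map set
        "applied_without_local_address": sorted(applied - bound),  # uses interface IP
        "applied_but_undefined": sorted(applied - defined),
    }

def permits(cfg, acl):
    """(src, src_wildcard, dst, dst_wildcard) for each 'permit ip' line of an ACL."""
    pat = rf"^[ \t]*access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)[ \t]*$"
    return set(re.findall(pat, cfg, re.M))

def acls_mirror(cfg_a, cfg_b, acl="115"):
    """True when peer B permits exactly peer A's flows with source/destination swapped."""
    swapped = {(d, dw, s, sw) for s, sw, d, dw in permits(cfg_a, acl)}
    return bool(swapped) and swapped == permits(cfg_b, acl)

if __name__ == "__main__":
    print("Router A:", crypto_map_names(ROUTER_A))
    print("Router B:", crypto_map_names(ROUTER_B))
    print("ACL 115 mirrored:", acls_mirror(ROUTER_A, ROUTER_B))
```

A map reported under `applied_without_local_address` sources IPsec from the address of the interface it is applied to, which is the value to compare against the address the remote peer is configured to reach.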