IPSec Site2Site VPN Using Cisco C2800/C2900 and SG115 can't communicate with each other.

Hi

I set up a site-to-site VPN by IPsec using a C2821 and an SG115.
It looks like it is connected, judging from the Site-to-site VPN Tunnel Status,
but the two sides can't respond to each other's pings.
And this situation is reproduced when using a C2921 instead of the C2821.

Do you have any ideas about what I should do to solve this trouble, please?


[Base information: IP address]
  Cisco's connected Global IP address : 10.10.10.10
  Cisco side's Local IP address       : 192.168.14.0/24
  SG115's connected Global IP address : 20.20.20.20
  SG115 side's Local IP address       : 192.168.3.0/24

[config of C2800]
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 7800
crypto isakmp key pre-share-Key address 20.20.20.20 no-xauth
!
!
crypto ipsec transform-set TUNNEL1 esp-aes 256 esp-md5-hmac
!
crypto map TUNNEL 10 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set TUNNEL1
 set pfs group5
 match address 102
!
interface GigabitEthernet0/0
 no ip address
 ip nbar protocol-discovery
 ip virtual-reassembly max-reassemblies 128
 duplex auto
 speed 100
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
 ip address 192.168.14.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly max-reassemblies 1024
 encapsulation ppp
 ip tcp adjust-mss 1398
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ************.net
 ppp chap password 0 ***********
 crypto map TUNNEL
!
access-list 102 permit ip 192.168.14.0 0.0.0.255 192.168.3.0 0.0.0.255

[SG115 Setting]

Using the default policy [AES 256 PFS] and setting the Remote Gateway like this.

[Live Log of SG115]

2017:04:09-12:16:05 kpr002 pluto[2976]: "S_CiscoVPNConnection" #305: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2017:04:09-12:17:15 kpr002 pluto[2976]: "S_CiscoVPNConnection" #341: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2017:04:09-12:17:15 kpr002 pluto[2976]: "S_CiscoVPNConnection" #341: starting keying attempt 338 of an unlimited number
2017:04:09-12:17:15 kpr002 pluto[2976]: "S_CiscoVPNConnection" #342: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #341 {using isakmp#305}
2017:04:09-12:17:16 kpr002 pluto[2976]: "S_CiscoVPNConnection" #342: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2017:04:09-12:17:16 kpr002 pluto[2976]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="CiscoVPNConnection" address="116.58.175.67" local_net="192.168.3.0/24" remote_net="192.168.14.0/24"
2017:04:09-12:17:16 kpr002 pluto[2976]: "S_CiscoVPNConnection" #342: sent QI2, IPsec SA established {ESP=>0xe6dadc37 <0x2215776e DPD}
2017:04:09-13:03:17 kpr002 pluto[2976]: "S_CiscoVPNConnection" #343: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #342 {using isakmp#305}
2017:04:09-13:03:18 kpr002 pluto[2976]: "S_CiscoVPNConnection" #343: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2017:04:09-13:03:18 kpr002 pluto[2976]: "S_CiscoVPNConnection" #343: sent QI2, IPsec SA established {ESP=>0xf4695a03 <0x22294345 DPD}
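
To read a log like the one above state by state, here is an added example (not part of the original post, and not Sophos or Cisco code) that groups pluto lines by their #NNN state number and reports which negotiations failed and which reached an established IPsec SA. The sample lines, the host name gw, the connection name S_Example and the SPI values are constructed; triage and current_sa are hypothetical helper names.

```python
import re

# Constructed sample in the format of the SG115 live log above (names and SPIs are made up).
SAMPLE_LOG = '''\
2017:04:09-12:16:05 gw pluto[2976]: "S_Example" #305: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2017:04:09-12:17:15 gw pluto[2976]: "S_Example" #341: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2017:04:09-12:17:15 gw pluto[2976]: "S_Example" #342: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #341 {using isakmp#305}
2017:04:09-12:17:16 gw pluto[2976]: id="2203" severity="info" sub="vpn" event="Site-to-site VPN up"
2017:04:09-12:17:16 gw pluto[2976]: "S_Example" #342: sent QI2, IPsec SA established {ESP=>0x11111111 <0x22222222 DPD}
'''

LINE = re.compile(r'^\S+ \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
SPIS = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')
REPLACES = re.compile(r'to replace #(\d+)')

def triage(log_text):
    """Map each pluto state number (#NNN) to what the log says happened to it."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a "#NNN:" prefix, e.g. the id="2203" event
        sa = sas.setdefault(int(m['sa']), {'conn': m['conn'], 'state': 'seen', 'notes': []})
        msg = m['msg']
        if 'NO_PROPOSAL_CHOSEN' in msg:
            sa['notes'].append('peer sent NO_PROPOSAL_CHOSEN')
        elif 'max number of retransmissions' in msg:
            sa['state'] = 'failed'
        elif 'initiating Quick Mode' in msg:
            sa['state'] = 'negotiating'
            old = REPLACES.search(msg)
            if old:
                sa['replaces'] = int(old.group(1))
        elif 'IPsec SA established' in msg:
            sa['state'] = 'established'
            spis = SPIS.search(msg)
            if spis:
                sa['spis'] = spis.groups()  # the two values printed after "=>" and "<"
    return sas

def current_sa(sas):
    """Newest state number with an established IPsec SA, or None."""
    up = [n for n, s in sas.items() if s['state'] == 'established']
    return max(up) if up else None

if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for number, info in result.items():
        print(f"#{number} {info['conn']}: {info['state']} {info['notes']}")
    print('current IPsec SA:', current_sa(result))
```

An established state here only shows that Quick Mode completed; it does not show whether traffic is being forwarded through the tunnel.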


This thread was automatically locked due to age.
  • Thank you for your response.

    Louis-M said:

    Have you created a firewall rule on the UTM to allow traffic?

    Actually, no.

    I haven't set up any particular firewall rule, but I checked the [Automatic firewall rules] checkbox.

    Now, the automatic firewall rule is like that.

    Regards.
