Recently I setup 3 or 4 site to site ipsec vpn’s on some cisco ISR routers (887’s and 1921’s) and while I have done this a few times before and I know the fundamental steps for the configuration I was caught out a few times not being able to bring the tunnel up on the first attempt. I found that when I was interrupted in the middle of the config, I forgot where I was up to or I started to jump around config tasks instead of going back and taking a logical approach.
In the most recent instance I decided to make a few notes of basic troubleshooting steps I took to resolve the issue and so I didn’t forget I decided to blog them for next time and here they are:
Phase 1 Tunnel
- Check that both routers can ping the peers public IP address
- Check the policy encryption type is the same on both routers
- Check the transform set is using the same encryption type on both routers
- Check the crypto map peer ip addresses are the same
- Check the crypto map on each router is referencing the correct ACL
- Check each ACL to confirm that it is correctly matching the interesting traffic
Just a basic checklist for the next time your tunnel wont come up.