VPN help please (almost got it)

I have a lab VPN set up like this:


(e0) NY-Router (s0)-------------------  (s0) SanFran-Router (e0)

Configuration as follows:

NY-ROUTER:
e0: 10.10.3.1 /8
s0: 192.168.3.1 /16

SanFran-Router:
e0: 10.10.1.1 /8
s0: 192.168.1.1 /16


Notes:
-The two routers can ping each other just fine, so connectivity is there
-The NY-ROUTER clients can ping the NY-ROUTER
-The SanFran-ROUTER clients can ping the SanFran-Router
-None of the NY-ROUTER clients can ping the SanFran-Router clients, and vice versa

I will post some sh crypto commands soon
dissolved asked:
lrmoore commented:
Assuming that these are back-to-back in a lab, do you have routes set up?

TOP_NY
 ip route 10.10.3.0 255.255.255.0 192.168.1.1

BOTTOM_SANFRAN
 ip route 10.10.1.0 255.255.255.0 192.168.1.2

>e0: 10.10.3.1 /8
>s0  192.168.3.1 /16

You can't have a /8 mask on E0 and expect to route somewhere else
Use a /24 mask on both E0's
Use a /30 mask on both S0's

NY
 e0: 10.10.1.1 255.255.255.0
 S0:192.168.1.1 255.255.255.252

SANFRAN
e0: 10.10.3.0 255.255.255.0
S0: 192.168.1.2 255.255.255.252
dissolved (author) commented:
NY SHOW COMMANDS:

TOP_NY# sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac  }
   will negotiate = { Tunnel,  },


TOP_NY#sh crypto isakmp policy
Protection suite of priority 100
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit



TOP_NY#sh cryp map
Crypto Map "SanFran" 120 ipsec-isakmp
        Peer = 192.168.1.1
        Extended IP access list 105
            access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
         Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={ 20, }
        Interfaces using crypto map SanFran:
                Serial0
        Interfaces using crypto map sanFran:




TOP_NY#sh crypto ipsec sa

interface: Serial0
    Crypto map tag: SanFran, local addr. 192.168.3.1

   local  ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   current_peer: 192.168.1.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


   local  ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   current_peer: 192.168.1.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

dissolved (author) commented:
SHOW COMMANDS FROM SANFRAN ROUTER

BOTTOM_SANFRAN#sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac  }
   will negotiate = { Tunnel,  },



BOTTOM_SANFRAN#sh crypto isakmp policy
Protection suite of priority 100
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               3600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
BOTTOM_SANFRAN#



BOTTOM_SANFRAN#sh crypto map
Crypto Map "NY" 120 ipsec-isakmp
        Peer = 192.168.3.1
        Extended IP access list 105
            access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
            access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.3.0 0.0.0.255
        Current peer: 192.168.3.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={ 20, }
        Interfaces using crypto map NY:
                Serial0




BOTTOM_SANFRAN#sh crypto ipsec sa

interface: Serial0
    Crypto map tag: NY, local addr. 192.168.1.1

   local  ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   current_peer: 192.168.3.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


   local  ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   current_peer: 192.168.3.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


BOTTOM_SANFRAN#


calvinetter commented:
Yep, classic IP overlap situation: as long as both remote LANs are using a /8 netmask (or even a /16 netmask in this case) you'll hit a routing loop.
  e.g.: a PC at the NY side tries to send traffic to _any IP_ in the 10.x.x.x range; the NY router looks at the destination IP and sends it back out e0, right back to the same LAN, since the router treats it as local traffic.
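One check worth running on the two `sh crypto map` outputs above, as an added example (not code from the thread or from Cisco): IOS derives the Phase 2 proxy identities from the crypto map's ACL, so the two peers' crypto ACLs have to be mirror images of each other. The script below parses the access-list lines exactly as posted and reports any entry whose reversed counterpart is missing on the other router, plus any entry whose source and destination overlap (that kind of line selects local-to-local traffic rather than traffic for the far LAN). The thread never says whether SanFran's second ACL line mattered; the author fixed the problem by re-addressing, and the `#pkts encaps: 0` counters on both sides are consistent with traffic never reaching Serial0 at all. It is still the kind of mismatch you would want flagged before looking anywhere else. (The esp-des transform set and the DES / group 1 default ISAKMP policy shown are fine for a lab but not for anything in production.)

```python
"""Added example (not from the thread): crypto ACL mirror check.

Cisco IOS negotiates the IPsec proxy identities from the crypto map's ACL, so
the two peers' ACLs must be mirror images of each other. This parses the
access-list lines shown in the two `sh crypto map` outputs and reports any
entry whose reversed counterpart is missing on the other router.
"""
import re
from ipaddress import ip_network

# Copied from the thread's sh crypto map output on each router.
NY_ACL = """
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
"""
SANFRAN_ACL = """
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.3.0 0.0.0.255
"""

# One "permit ip <src> <wildcard> <dst> <wildcard>" entry per line.
ACE_RE = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{addr}/{netmask}", strict=False)


def parse_crypto_acl(text):
    """Return the set of (src_net, dst_net) pairs a crypto ACL selects for encryption."""
    pairs = set()
    for m in ACE_RE.finditer(text):
        src = wildcard_to_network(m.group(1), m.group(2))
        dst = wildcard_to_network(m.group(3), m.group(4))
        pairs.add((src, dst))
    return pairs


def unmirrored(local, remote):
    """Entries of `local` with no (dst, src) counterpart in `remote`, as 'src -> dst' strings."""
    return sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote)


def self_matching(acl):
    """Entries whose source and destination overlap; these select local-to-local traffic."""
    return sorted(f"{s} -> {d}" for s, d in acl if s.overlaps(d))


def audit(ny_text, sanfran_text):
    """Run both checks in each direction and return the findings by name."""
    ny, sf = parse_crypto_acl(ny_text), parse_crypto_acl(sanfran_text)
    return {
        "ny_without_mirror": unmirrored(ny, sf),
        "sanfran_without_mirror": unmirrored(sf, ny),
        "ny_self_matching": self_matching(ny),
        "sanfran_self_matching": self_matching(sf),
    }


if __name__ == "__main__":
    for name, findings in audit(NY_ACL, SANFRAN_ACL).items():
        print(f"{name}: {findings or 'none'}")
```

Run against the posted ACLs, the only findings are SanFran's `10.10.3.0/24 -> 10.10.3.0/24` line: it has no mirror on NY and it matches traffic that never leaves the SanFran LAN. NY's single entry is mirrored correctly by SanFran's first line.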

cheers
calvinetter commented:
>eg: PC at NY side tries to send traffic to _any IP_ in the 10.x.x.x range
   Sorry, to clarify:  "any IP in the 10.x.x.x range with a /8 netmask, or any IP in the 10.10.x.x range with a /16 netmask".

cheers
dissolved (author) commented:
Thanks, I changed the internal IPs on both sides. That seemed to do the trick.
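To make lrmoore's mask advice and calvinetter's overlap explanation concrete, here is an added example (not from the thread, and not Cisco code) that models the forwarding lookup an IOS router performs: connected networks from the interface masks plus any static routes, with the longest matching prefix winning. The interface addresses are the thread's; the /24 and /30 masks follow lrmoore's suggestion, and the static-route next hops (the far end of the /30, and 192.168.1.1 for the original /16 serial addressing) are my assumption for the example. With a /8 on e0 and no more specific route, a packet for 10.10.1.5 is "connected" and goes back out e0, so it never reaches Serial0 where the crypto map sits, which is consistent with the zero SA counters posted above. The example also shows that a /24 static route to the far LAN beats the /8 connected route under longest-prefix match, so either tightening the masks or adding the route changes the decision.

```python
"""Added example (not from the thread): longest-prefix-match routing decision.

Models a Cisco-style forwarding lookup to show what a /8 LAN mask does to a
packet for the far LAN, and what the /24 + /30 masks and a static route change.
Addresses are the thread's; static-route next hops are assumed for the example.
"""
from ipaddress import ip_address, ip_interface, ip_network


def build_rib(interfaces, static_routes):
    """Routing table from connected interfaces plus static routes.

    interfaces:    {name: 'address/prefix'}   (connected routes)
    static_routes: [('prefix', 'next-hop')]    (ip route ... commands)
    Returns [(network, via)] where via is an interface name or a next-hop IP.
    """
    rib = [(ip_interface(cidr).network, name) for name, cidr in interfaces.items()]
    rib += [(ip_network(prefix), nh) for prefix, nh in static_routes]
    return rib


def lookup(rib, dst):
    """Most specific match wins (longest prefix), as on IOS; None if no route."""
    dst = ip_address(dst)
    matches = [(net, via) for net, via in rib if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def egress(interfaces, rib, dst):
    """Return (matched prefix, egress interface) for dst, resolving a next hop recursively.

    A static route's next hop must itself fall in a connected network; if it
    does not, the route is unusable and the interface comes back as None.
    """
    hit = lookup(rib, dst)
    if hit is None:
        return None
    net, via = hit
    if via in interfaces:                      # connected: ARP for dst on that interface
        return str(net), via
    hop = lookup(rib, via)                     # static: find how to reach the next hop
    if hop is None or hop[1] not in interfaces:
        return str(net), None
    return str(net), hop[1]


def where_does_it_go(interfaces, static_routes, dst):
    """Convenience wrapper: build the table and resolve one destination."""
    return egress(interfaces, build_rib(interfaces, static_routes), dst)


# NY router as posted: /8 on e0, /16 on s0, no route for the SanFran LAN.
NY_ORIGINAL = {"e0": "10.10.3.1/8", "s0": "192.168.3.1/16"}

# NY router with /24 on e0 and /30 on s0, plus a static route to the SanFran
# LAN via the far end of the /30 (assumed addressing for this example).
NY_FIXED = {"e0": "10.10.3.1/24", "s0": "192.168.1.1/30"}
NY_FIXED_ROUTES = [("10.10.1.0/24", "192.168.1.2")]


if __name__ == "__main__":
    # /8 on e0: 10.10.1.5 looks connected, so the packet goes back out e0 and
    # never hits Serial0, where the crypto map is applied.
    print(where_does_it_go(NY_ORIGINAL, [], "10.10.1.5"))
    # /24 masks plus a static route: the packet exits s0 toward the peer.
    print(where_does_it_go(NY_FIXED, NY_FIXED_ROUTES, "10.10.1.5"))
    # A /24 static route also beats the /8 connected route with the original masks.
    print(where_does_it_go(NY_ORIGINAL, [("10.10.1.0/24", "192.168.1.1")], "10.10.1.5"))
```

The same function applied to the SanFran side (e0 10.10.1.1/8, destination in 10.10.3.0/24) gives the mirror-image result, which is why both directions failed in the thread.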