Solved

VPN help please (almost got it)

Posted on 2006-10-31

Routers

2 solutions

Medium Priority

270 Views

Last Modified: 2010-04-17

I have a lab VPN setup like this

(e0) NY-Router (s0)------------------- (s0) SanFran-Router (e0)

Configuration as follows:

NY-ROUTER:
e0: 10.10.3.1 /8
s0 192.168.3.1 /16

SanFran-Router:
e0: 10.10.1.1 /8
s0: 192.168.1.1 /16

Notes:
-The two routers can ping each other just fine, so connectivity is there
-The NY-ROUTER clients can ping the NY-ROUTER
-The SanFran-ROUTER clients can ping the SanFran-Router
-None of the NY-ROUTER clients can ping the SanFran-Router clients, vice versa

I will post some sh crypto commands soon

Comment

Question by:dissolved

[X]

Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

Help others & share knowledge
Earn cash & points
Learn & ask questions

Join The Community

6 Comments

Author Comment

by:dissolved

ID: 178442252006-10-31

NY SHOW COMMANDS:

TOP_NY# sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac }
will negotiate = { Tunnel, },

TOP_NY#sh crypto isakmp policy
Protection suite of priority 100
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

TOP_NY#sh cryp map
Crypto Map "SanFran" 120 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list 105
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ 20, }
Interfaces using crypto map SanFran:
Serial0
Interfaces using crypto map sanFran:

TOP_NY#sh crypto ipsec sa

interface: Serial0
Crypto map tag: SanFran, local addr. 192.168.3.1

local ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
current_peer: 192.168.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
current_peer: 192.168.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Author Comment

by:dissolved

ID: 178442452006-10-31

SHOW COMMANDS FROM SANFRAN ROUTER

BOTTOM_SANFRAN#sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac }
will negotiate = { Tunnel, },

BOTTOM_SANFRAN#sh crypto isakmp policy
Protection suite of priority 100
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
BOTTOM_SANFRAN#

BOTTOM_SANFRAN#sh crypto map
Crypto Map "NY" 120 ipsec-isakmp
Peer = 192.168.3.1
Extended IP access list 105
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.3.0 0.0.0.255
Current peer: 192.168.3.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ 20, }
Interfaces using crypto map NY:
Serial0

BOTTOM_SANFRAN#sh crypto ipsec sa

interface: Serial0
Crypto map tag: NY, local addr. 192.168.1.1

local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
current_peer: 192.168.3.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
current_peer: 192.168.3.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

BOTTOM_SANFRAN#

LVL 79

Accepted Solution

by:lrmoore

lrmoore earned 1600 total points

ID: 178469742006-10-31

Assuming that these are back-to-back in a lab
Do you have routes set up?

TOP_NY
ip route 10.10.3.0 255.255.255.0 192.168.1.1

BOTTOM_SANFRAN
ip route 10.10.1.0 255.255.255.0 192.168.1.2

>e0: 10.10.3.1 /8
>s0 192.168.3.1 /16

You can't have a /8 mask on E0 and expect to route somewhere else
Use a /24 mask on both E0's
Use a /30 mask on both S0's

NY
e0: 10.10.1.1 255.255.255.0
S0:192.168.1.1 255.255.255.252

SANFRAN
e0: 10.10.3.0 255.255.255.0
S0: 192.168.1.2 255.255.255.252

LVL 20

Assisted Solution

by:calvinetter

calvinetter earned 400 total points

ID: 178475182006-10-31

Yep, classic IP overlap situation - as long as both remote LANs are using a /8 netmask (or even a /16 netmask in this case) you'll hit a routing loop.
eg: PC at NY side tries to send traffic to _any IP_ in the 10.x.x.x range, the NY router looks at the destination IP & sends it back out e0, right back to the same LAN, since the router treats it as local traffic.

cheers

LVL 20

Expert Comment

by:calvinetter

ID: 178475242006-10-31

>eg: PC at NY side tries to send traffic to _any IP_ in the 10.x.x.x range
Sorry, to clarify: "any IP in the 10.x.x.x range with a /8 netmask, or any IP in the 10.10.x.x range with a /16 netmask".

cheers

Author Comment

by:dissolved

ID: 178697162006-11-03

thanks, I changed the internal IPs on both sides. Seemed to do the trick

Featured Post

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

L2 WAN Routing Design for QoS- Hub and Spoke Using EIGRP Distribute-list with Route-map

Article by: rauenpc

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.

How To Establish a Dial Out IPSec VPN from a Draytek Vigor Router to a Cyberoam UTM

Article by: John

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices

Setup Mikrotik routers with OSPF… Part 1

Video by: Dirk

After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…