Solved

VPN help please (almost got it)

Posted on 2006-10-31
Last Modified: 2010-04-17
I have a lab VPN setup like this


(e0) NY-Router (s0)-------------------  (s0) SanFran-Router (e0)

Configuration as follows:

NY-ROUTER:
e0: 10.10.3.1 /8
s0  192.168.3.1 /16

SanFran-Router:
e0:  10.10.1.1 /8
s0:  192.168.1.1 /16


Notes:
-The two routers can ping each other just fine, so connectivity is there
-The NY-ROUTER clients can ping the NY-ROUTER
-The SanFran-ROUTER clients can ping the SanFran-Router
-None of the NY-ROUTER clients can ping the SanFran-Router clients, vice versa

I will post some sh crypto commands soon
Question by:dissolved

Author Comment

by:dissolved
ID: 17844225
NY SHOW COMMANDS:




TOP_NY# sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac  }
   will negotiate = { Tunnel,  },


TOP_NY#sh crypto isakmp policy
Protection suite of priority 100
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit



TOP_NY#sh cryp map
Crypto Map "SanFran" 120 ipsec-isakmp
        Peer = 192.168.1.1
        Extended IP access list 105
            access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
         Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={ 20, }
        Interfaces using crypto map SanFran:
                Serial0
        Interfaces using crypto map sanFran:




TOP_NY#sh crypto ipsec sa

interface: Serial0
    Crypto map tag: SanFran, local addr. 192.168.3.1

   local  ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   current_peer: 192.168.1.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


   local  ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   current_peer: 192.168.1.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

 

Author Comment

by:dissolved
ID: 17844245
SHOW COMMANDS FROM SANFRAN ROUTER




BOTTOM_SANFRAN#sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac  }
   will negotiate = { Tunnel,  },



BOTTOM_SANFRAN#sh crypto isakmp policy
Protection suite of priority 100
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               3600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
BOTTOM_SANFRAN#



BOTTOM_SANFRAN#sh crypto map
Crypto Map "NY" 120 ipsec-isakmp
        Peer = 192.168.3.1
        Extended IP access list 105
            access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
            access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.3.0 0.0.0.255
        Current peer: 192.168.3.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={ 20, }
        Interfaces using crypto map NY:
                Serial0




BOTTOM_SANFRAN#sh crypto ipsec sa

interface: Serial0
    Crypto map tag: NY, local addr. 192.168.1.1

   local  ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   current_peer: 192.168.3.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


   local  ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   current_peer: 192.168.3.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


BOTTOM_SANFRAN#


 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 17846974
Assuming that these are back-to-back in a lab
Do you have routes set up?

TOP_NY
 ip route 10.10.3.0 255.255.255.0 192.168.1.1

BOTTOM_SANFRAN
 ip route 10.10.1.0 255.255.255.0 192.168.1.2

>e0: 10.10.3.1 /8
>s0  192.168.3.1 /16

You can't have a /8 mask on E0 and expect to route somewhere else
Use a /24 mask on both E0's
Use a /30 mask on both S0's

NY
 e0: 10.10.1.1 255.255.255.0
 S0:192.168.1.1 255.255.255.252

SANFRAN
e0: 10.10.3.0 255.255.255.0
S0: 192.168.1.2 255.255.255.252
 
LVL 20

Assisted Solution

by:calvinetter
calvinetter earned 100 total points
ID: 17847518
Yep, classic IP overlap situation - as long as both remote LANs are using a /8 netmask (or even a /16 netmask in this case) you'll hit a routing loop.  
  eg: PC at NY side tries to send traffic to _any IP_ in the 10.x.x.x range, the NY router looks at the destination IP & sends it back out e0, right back to the same LAN, since the router treats it as local traffic.

cheers
 
LVL 20

Expert Comment

by:calvinetter
ID: 17847524
>eg: PC at NY side tries to send traffic to _any IP_ in the 10.x.x.x range
   Sorry, to clarify:  "any IP in the 10.x.x.x range with a /8 netmask, or any IP in the 10.10.x.x range with a /16 netmask".

cheers
0
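
The overlap described in the two answers above, worked through with the NY router's posted addresses and crypto ACL 105 (an added example, not part of the original thread). The client addresses, the static route keyed by exit interface, and keeping 10.10.3.1 on NY's Ethernet0 under the suggested /24 mask are assumptions made for illustration.

```python
import ipaddress as ip

# Crypto ACL 105 from the NY router's "sh cryp map" output (source, destination wildcards).
ACL_105 = [("10.10.3.0/0.0.0.255", "10.10.1.0/0.0.0.255")]

def egress(ifaces, static, dst):
    """Longest-prefix match over connected and static routes; exit interface or None."""
    routes = [(ip.ip_interface(addr).network, name) for name, addr in ifaces.items()]
    routes += [(ip.ip_network(prefix), name) for prefix, name in static]
    hits = [(net.prefixlen, name) for net, name in routes if ip.ip_address(dst) in net]
    return max(hits)[1] if hits else None

def crypto_match(acl, src, dst):
    """True if src/dst match a permit entry of the crypto ACL (wildcard-mask notation)."""
    return any(ip.ip_address(src) in ip.ip_network(s) and
               ip.ip_address(dst) in ip.ip_network(d) for s, d in acl)

def fate(ifaces, static, src, dst, crypto_if="Serial0", acl=ACL_105):
    """What the router does with a packet from src to dst."""
    out = egress(ifaces, static, dst)
    if out is None:
        return "dropped: no route"
    if out != crypto_if:
        # The crypto map is bound to Serial0, so traffic leaving elsewhere is never checked.
        return f"sent out {out}: crypto map never consulted"
    if crypto_match(acl, src, dst):
        return "encrypted on " + out
    return "sent in clear on " + out

# NY router exactly as posted in the question.
NY_POSTED = {"Ethernet0": "10.10.3.1/8", "Serial0": "192.168.3.1/16"}
# NY router with the /24 and /30 masks from the accepted answer (addresses assumed).
NY_FIXED = {"Ethernet0": "10.10.3.1/24", "Serial0": "192.168.1.1/30"}
# Simplification: the static route is keyed by exit interface, not next-hop address.
NY_STATIC = [("10.10.1.0/24", "Serial0")]

if __name__ == "__main__":
    src, dst = "10.10.3.10", "10.10.1.10"  # constructed client addresses
    print("posted:", fate(NY_POSTED, [], src, dst))
    print("fixed: ", fate(NY_FIXED, NY_STATIC, src, dst))
```

With the posted /8 mask the destination falls inside the connected 10.0.0.0/8 network on Ethernet0, which is consistent with the `#pkts encaps: 0` counters in the `sh crypto ipsec sa` output.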
 

Author Comment

by:dissolved
ID: 17869716
Thanks, I changed the internal IPs on both sides. Seemed to do the trick.