VPN help please (almost got it)
I have a lab VPN setup like this
(e0) NY-Router (s0)------------------- (s0) SanFran-Router (e0)
Configuration as follows:
NY-ROUTER:
e0: 10.10.3.1 /8
s0 192.168.3.1 /16
SanFran-Router:
e0: 10.10.1.1 /8
s0: 192.168.1.1 /16
Notes:
-The two routers can ping each other just fine, so connectivity is there
-The NY-ROUTER clients can ping the NY-ROUTER
-The SanFran-ROUTER clients can ping the SanFran-Router
-None of the NY-ROUTER clients can ping the SanFran-Router clients, vice versa
I will post some sh crypto commands soon
(e0) NY-Router (s0)------------------- (s0) SanFran-Router (e0)
Configuration as follows:
NY-ROUTER:
e0: 10.10.3.1 /8
s0 192.168.3.1 /16
SanFran-Router:
e0: 10.10.1.1 /8
s0: 192.168.1.1 /16
Notes:
-The two routers can ping each other just fine, so connectivity is there
-The NY-ROUTER clients can ping the NY-ROUTER
-The SanFran-ROUTER clients can ping the SanFran-Router
-None of the NY-ROUTER clients can ping the SanFran-Router clients, vice versa
I will post some sh crypto commands soon
NY SHOW COMMANDS:
TOP_NY# sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac }
will negotiate = { Tunnel, },
TOP_NY#sh crypto isakmp policy
Protection suite of priority 100
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
TOP_NY#sh cryp map
Crypto Map "SanFran" 120 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list 105
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ 20, }
Interfaces using crypto map SanFran:
Serial0
Interfaces using crypto map sanFran:
TOP_NY#sh crypto ipsec sa
interface: Serial0
Crypto map tag: SanFran, local addr. 192.168.3.1
local ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0
current_peer: 192.168.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
current_peer: 192.168.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
TOP_NY# sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac }
will negotiate = { Tunnel, },
TOP_NY#sh crypto isakmp policy
Protection suite of priority 100
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
TOP_NY#sh cryp map
Crypto Map "SanFran" 120 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list 105
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ 20, }
Interfaces using crypto map SanFran:
Serial0
Interfaces using crypto map sanFran:
TOP_NY#sh crypto ipsec sa
interface: Serial0
Crypto map tag: SanFran, local addr. 192.168.3.1
local ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0
current_peer: 192.168.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
current_peer: 192.168.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
SHOW COMMANDS FROM SANFRAN ROUTER
BOTTOM_SANFRAN#sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac }
will negotiate = { Tunnel, },
BOTTOM_SANFRAN#sh crypto isakmp policy
Protection suite of priority 100
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
BOTTOM_SANFRAN#
BOTTOM_SANFRAN#sh crypto map
Crypto Map "NY" 120 ipsec-isakmp
Peer = 192.168.3.1
Extended IP access list 105
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.3.0 0.0.0.255
Current peer: 192.168.3.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ 20, }
Interfaces using crypto map NY:
Serial0
BOTTOM_SANFRAN#sh crypto ipsec sa
interface: Serial0
Crypto map tag: NY, local addr. 192.168.1.1
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
current_peer: 192.168.3.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
current_peer: 192.168.3.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
BOTTOM_SANFRAN#
BOTTOM_SANFRAN#sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac }
will negotiate = { Tunnel, },
BOTTOM_SANFRAN#sh crypto isakmp policy
Protection suite of priority 100
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
BOTTOM_SANFRAN#
BOTTOM_SANFRAN#sh crypto map
Crypto Map "NY" 120 ipsec-isakmp
Peer = 192.168.3.1
Extended IP access list 105
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.3.0 0.0.0.255
Current peer: 192.168.3.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ 20, }
Interfaces using crypto map NY:
Serial0
BOTTOM_SANFRAN#sh crypto ipsec sa
interface: Serial0
Crypto map tag: NY, local addr. 192.168.1.1
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
current_peer: 192.168.3.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
current_peer: 192.168.3.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
BOTTOM_SANFRAN#
Assuming that these are back-to-back in a lab
Do you have routes set up?
TOP_NY
ip route 10.10.3.0 255.255.255.0 192.168.1.1
BOTTOM_SANFRAN
ip route 10.10.1.0 255.255.255.0 192.168.1.2
>e0: 10.10.3.1 /8
>s0 192.168.3.1 /16
You can't have a /8 mask on E0 and expect to route somewhere else
Use a /24 mask on both E0's
Use a /30 mask on both S0's
NY
e0: 10.10.1.1 255.255.255.0
S0:192.168.1.1 255.255.255.252
SANFRAN
e0: 10.10.3.0 255.255.255.0
S0: 192.168.1.2 255.255.255.252
Do you have routes set up?
TOP_NY
ip route 10.10.3.0 255.255.255.0 192.168.1.1
BOTTOM_SANFRAN
ip route 10.10.1.0 255.255.255.0 192.168.1.2
>e0: 10.10.3.1 /8
>s0 192.168.3.1 /16
You can't have a /8 mask on E0 and expect to route somewhere else
Use a /24 mask on both E0's
Use a /30 mask on both S0's
NY
e0: 10.10.1.1 255.255.255.0
S0:192.168.1.1 255.255.255.252
SANFRAN
e0: 10.10.3.0 255.255.255.0
S0: 192.168.1.2 255.255.255.252
Not the solution you were looking for? Getting a personalized solution is easy.
Ask the Experts
Yep, classic IP overlap situation - as long as both remote LANs are using a /8 netmask (or even a /16 netmask in this case) you'll hit a routing loop.
eg: PC at NY side tries to send traffic to _any IP_ in the 10.x.x.x range, the NY router looks at the destination IP & sends it back out e0, right back to the same LAN, since the router treats it as local traffic.
cheers
eg: PC at NY side tries to send traffic to _any IP_ in the 10.x.x.x range, the NY router looks at the destination IP & sends it back out e0, right back to the same LAN, since the router treats it as local traffic.
cheers
Thanks for using Experts Exchange.
Create a free account to continue.
Limited access with a free account allows you to:
- View three pieces of content (articles, solutions, posts, and videos)
- Ask the experts questions (counted toward content limit)
- Customize your dashboard and profile
*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.