VPN help please (almost got it)
I have a lab VPN setup like this
(e0) NY-Router (s0)------------------- (s0) SanFran-Router (e0)
Configuration as follows:
NY-ROUTER:
e0: 10.10.3.1 /8
s0 192.168.3.1 /16
SanFran-Router:
e0: 10.10.1.1 /8
s0: 192.168.1.1 /16
Notes:
-The two routers can ping each other just fine, so connectivity is there
-The NY-ROUTER clients can ping the NY-ROUTER
-The SanFran-ROUTER clients can ping the SanFran-Router
-None of the NY-ROUTER clients can ping the SanFran-Router clients, and vice versa
I will post some sh crypto commands soon
ASKER
SHOW COMMANDS FROM SANFRAN ROUTER
BOTTOM_SANFRAN#sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac }
will negotiate = { Tunnel, },
BOTTOM_SANFRAN#sh crypto isakmp policy
Protection suite of priority 100
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
BOTTOM_SANFRAN#
BOTTOM_SANFRAN#sh crypto map
Crypto Map "NY" 120 ipsec-isakmp
Peer = 192.168.3.1
Extended IP access list 105
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.3.0 0.0.0.255
Current peer: 192.168.3.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ 20, }
Interfaces using crypto map NY:
Serial0
BOTTOM_SANFRAN#sh crypto ipsec sa
interface: Serial0
Crypto map tag: NY, local addr. 192.168.1.1
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0 /0)
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0 /0)
current_peer: 192.168.3.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0 /0)
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0 /0)
current_peer: 192.168.3.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
BOTTOM_SANFRAN#
ASKER CERTIFIED SOLUTION
SOLUTION
>eg: PC at NY side tries to send traffic to _any IP_ in the 10.x.x.x range
Sorry, to clarify: "any IP in the 10.x.x.x range with a /8 netmask, or any IP in the 10.10.x.x range with a /16 netmask".
cheers
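The reply above points at why the SA counters on both routers stay at zero: a PC configured with a /8 mask believes every 10.x.x.x address is on its own LAN, so it ARPs for the remote host instead of sending the packet to its router, and the crypto map on Serial0 never sees traffic to classify. The following is an added example (not code from the thread) that checks the two conditions a packet must meet to enter the tunnel, using the crypto ACL lines posted above and constructed sample hosts; it also flags the un-mirrored second line in SanFran's access-list 105.

```python
import ipaddress

# Crypto ACL lines from the thread, as (src, src_wildcard, dst, dst_wildcard),
# taken from the "access-list 105 permit ip ..." output of each router.
SANFRAN_ACL = [
    ("10.10.1.0", "0.0.0.255", "10.10.3.0", "0.0.0.255"),
    ("10.10.3.0", "0.0.0.255", "10.10.3.0", "0.0.0.255"),  # has no mirror on NY
]
NY_ACL = [
    ("10.10.3.0", "0.0.0.255", "10.10.1.0", "0.0.0.255"),
]


def on_link(host_cidr: str, dst: str) -> bool:
    """True if a host with this address/mask treats dst as directly connected:
    it ARPs for dst instead of forwarding to its default gateway, so the router
    (and the crypto map on its serial interface) never sees the packet."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_cidr).network


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are 'don't care' bits."""
    a, n = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (n & care)


def acl_selects(acl, src: str, dst: str) -> bool:
    """Would any line of the crypto ACL classify src->dst as interesting traffic?"""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)


def unmirrored_lines(local_acl, peer_acl):
    """Crypto ACLs must be mirror images; return local lines whose reversed
    form (src and dst swapped) is absent from the peer's ACL."""
    reversed_peer = {(d, dw, s, sw) for s, sw, d, dw in peer_acl}
    return [line for line in local_acl if line not in reversed_peer]


def reaches_tunnel(host_cidr: str, dst: str, acl) -> bool:
    """A packet enters the tunnel only if it leaves the LAN via the gateway
    AND the crypto ACL selects it once it arrives at the router."""
    src = str(ipaddress.ip_interface(host_cidr).ip)
    return not on_link(host_cidr, dst) and acl_selects(acl, src, dst)


if __name__ == "__main__":
    # Constructed sample NY host, first with the lab's /8 mask, then with /24.
    for cidr in ("10.10.3.10/8", "10.10.3.10/24"):
        print(cidr, "->", reaches_tunnel(cidr, "10.10.1.10", NY_ACL))
    print("SanFran lines with no NY mirror:", unmirrored_lines(SANFRAN_ACL, NY_ACL))
```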
ASKER
Thanks, I changed the internal IPs on both sides. That seemed to do the trick.
ASKER
TOP_NY# sh crypto ipsec transform-set
Transform set 20: { esp-des esp-sha-hmac }
will negotiate = { Tunnel, },
TOP_NY#sh crypto isakmp policy
Protection suite of priority 100
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
TOP_NY#sh cryp map
Crypto Map "SanFran" 120 ipsec-isakmp
Peer = 192.168.1.1
Extended IP access list 105
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ 20, }
Interfaces using crypto map SanFran:
Serial0
Interfaces using crypto map sanFran:
TOP_NY#sh crypto ipsec sa
interface: Serial0
Crypto map tag: SanFran, local addr. 192.168.3.1
local ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0
current_peer: 192.168.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0
remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0
current_peer: 192.168.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas: