Solved

Can't get IPSEC to work

Posted on 2006-10-31
Last Modified: 2011-09-20
I have a VPN set up between two Cisco routers. I'm using a pre-shared key and I have defined the interesting traffic with an ACL on each respective router.

The routers can ping each other, however, the clients from one side cannot ping the clients on the other side. It looks like IPSEC is not working.


Diagram is something like this:

NY 192.168.3.1-------------------------------------192.168.1.1  SanFran
Question by: dissolved

5 Comments

Author Comment

by: dissolved
Sh run for New York


NY#sh run
Building configuration...

Current configuration : 1216 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NY
!
logging rate-limit console 10 except errors
enable secret 5 $1$kprY$RN4NWD24I3TSc0qTVz3oo0
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map SanFran 120 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.3.1 255.0.0.0
!
interface Serial0
 description Connected to 2500B
 ip address 192.168.3.1 255.255.0.0
 encapsulation ppp
 crypto map SanFran
!
interface Serial1
 ip address 68.34.76.5 255.255.0.0
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 log
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxxxx
 login
!
end

NY#

Author Comment

by: dissolved
Sh run for San Francisco

SanFran#sh run
Building configuration...

Current configuration : 1298 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SanFran
!
logging rate-limit console 10 except errors
enable secret 5 $1$A9jO$0STiEhn2rxouPfSLSX7c01
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map NY 120 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.1.1 255.0.0.0
!
interface Serial0
 description Connected to Router A
 ip address 192.168.1.1 255.255.0.0
 encapsulation ppp
 no fair-queue
 clockrate 2000000
 crypto map NY
!
interface Serial1
 description Connected_to_firewall
 ip address 68.34.76.6 255.255.0.0
 shutdown
 clockrate 2000000
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip http server
!
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxx
 login
!
end

SanFran#

Accepted Solution

by: lrmoore (earned 450 total points)
Duplicate post...
http://www.experts-exchange.com/Hardware/Routers/Q_22044141.html

You have to change the subnet masks on the E0 interfaces, else both ends are in the same 10.0.0.0/8 network.

Assisted Solution

by: nitadmin (earned 50 total points)
lrmoore is right. You can't have the same network address on both sides of your VPN tunnel.
You have to put them into different subnets.

Cheers,
NITADMIN
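As an added example, not part of the original thread or the posted configs: a small Python model of the forwarding decision NY makes, showing why the 255.0.0.0 mask on Ethernet0 keeps LAN-to-LAN traffic off the crypto map. The interface addresses, default route and crypto ACL 105 are taken from the posted NY config; the host addresses 10.10.3.5 (NY side) and 10.10.1.5 (SanFran side) are assumed. A crypto map is only consulted on the interface it is applied to (Serial0 here), so a packet that the routing table sends out Ethernet0 is never compared against ACL 105 at all.

```python
"""Added example, not from the original thread.

Models the forwarding decision NY makes for a LAN-to-LAN packet, using the
interface addresses, default route and crypto ACL 105 from the posted config.
The host addresses 10.10.3.5 (NY) and 10.10.1.5 (SanFran) are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional


@dataclass
class Interface:
    name: str
    addr: IPv4Interface
    # (source net, destination net) pairs from the crypto map's "match address"
    # ACL; None means no crypto map is applied to this interface.
    crypto_acl: Optional[list[tuple[IPv4Network, IPv4Network]]] = None


@dataclass
class Router:
    name: str
    interfaces: list[Interface]
    default_gw: IPv4Address

    def routing_table(self) -> list[tuple[IPv4Network, Interface]]:
        """Connected routes for every interface plus the posted default route."""
        routes = [(i.addr.network, i) for i in self.interfaces]
        # "ip route 0.0.0.0 0.0.0.0 <gw>" is usable via whichever interface
        # is connected to the gateway address.
        gw_if = next(i for i in self.interfaces if self.default_gw in i.addr.network)
        routes.append((IPv4Network("0.0.0.0/0"), gw_if))
        return routes

    def egress(self, dst: IPv4Address) -> Interface:
        """Longest-prefix match: a connected /8 always beats the /0 default."""
        candidates = [(net, i) for net, i in self.routing_table() if dst in net]
        return max(candidates, key=lambda c: c[0].prefixlen)[1]

    def forward(self, src: IPv4Address, dst: IPv4Address) -> tuple[str, str]:
        """Return (egress interface, 'ipsec' or 'plaintext').

        The crypto map is evaluated only on the interface it is applied to,
        so a packet leaving via Ethernet0 is never matched against ACL 105.
        """
        out = self.egress(dst)
        if out.crypto_acl and any(src in s and dst in d for s, d in out.crypto_acl):
            return out.name, "ipsec"
        return out.name, "plaintext"


# access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
# (wildcard 0.0.0.255 is a /24)
ACL_105_NY = [(IPv4Network("10.10.3.0/24"), IPv4Network("10.10.1.0/24"))]


def build_ny(e0_prefixlen: int) -> Router:
    """NY as posted (Ethernet0 255.0.0.0 -> 8) or corrected (255.255.255.0 -> 24)."""
    return Router(
        name="NY",
        interfaces=[
            Interface("Ethernet0", IPv4Interface(f"10.10.3.1/{e0_prefixlen}")),
            Interface("Serial0", IPv4Interface("192.168.3.1/16"), crypto_acl=ACL_105_NY),
        ],
        default_gw=IPv4Address("192.168.1.1"),
    )


def lan_to_lan(e0_prefixlen: int) -> tuple[str, str]:
    """A NY host (10.10.3.5, assumed) pinging a SanFran host (10.10.1.5, assumed)."""
    return build_ny(e0_prefixlen).forward(IPv4Address("10.10.3.5"), IPv4Address("10.10.1.5"))


def router_to_router() -> tuple[str, str]:
    """NY pinging SanFran's Serial0: not covered by ACL 105, so it says nothing about IPsec."""
    return build_ny(8).forward(IPv4Address("192.168.3.1"), IPv4Address("192.168.1.1"))


if __name__ == "__main__":
    print("E0 as posted  (/8):", lan_to_lan(8))       # ('Ethernet0', 'plaintext')
    print("E0 corrected (/24):", lan_to_lan(24))      # ('Serial0', 'ipsec')
    print("router to router  :", router_to_router())  # ('Serial0', 'plaintext')
```

With the posted /8 mask the connected route 10.0.0.0/8 is the longest match for 10.10.1.5, so NY tries to ARP for the SanFran host on its own Ethernet0 and the default route toward Serial0 is never used; with a /24 mask the default route wins, the packet leaves Serial0 and matches ACL 105, and only then does IPsec get a chance to negotiate. The model also shows why the successful router-to-router ping was misleading: 192.168.3.1 to 192.168.1.1 is outside the crypto ACL, so it is sent in the clear and proves nothing about the tunnel. After changing the masks, `show crypto isakmp sa` and `show crypto ipsec sa` on either router should show an established ISAKMP SA and incrementing encaps/decaps counters once a host on one LAN pings the other.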
Author Comment

by: dissolved
Got it to work. Just for future reference:
The way I have it set up is IPSEC in tunnel mode. How would I specify transport mode? At what point of the configuration can you choose this?

Thanks