Solved

Can't get IPSEC to work

Posted on 2006-10-31
5
210 Views
Last Modified: 2011-09-20
Have a VPN setup between 2 Cisco routers. I'm using a pre-shared key and I have defined the interesting traffic with an ACL on each respective router.

The routers can ping each other, however, the clients from one side cannot ping the clients on the other side. It looks like IPSEC is not working.


Diagram is something like this:

NY 192.168.3.1-------------------------------------192.168.1.1  SanFran
0
Question by:dissolved
5 Comments
 

Author Comment

by:dissolved
ID: 17844509
Sh run for New York


NY#sh run
Building configuration...

Current configuration : 1216 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NY
!
logging rate-limit console 10 except errors
enable secret 5 $1$kprY$RN4NWD24I3TSc0qTVz3oo0
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map SanFran 120 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.3.1 255.0.0.0
!
interface Serial0
 description Connected to 2500B
 ip address 192.168.3.1 255.255.0.0
 encapsulation ppp
 crypto map SanFran
!
interface Serial1
 ip address 68.34.76.5 255.255.0.0
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 log
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxxxx
 login
!
end

NY#
0
 

Author Comment

by:dissolved
ID: 17844516
Sh run for San Francisco

SanFran#sh run
Building configuration...

Current configuration : 1298 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SanFran
!
logging rate-limit console 10 except errors
enable secret 5 $1$A9jO$0STiEhn2rxouPfSLSX7c01
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map NY 120 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.1.1 255.0.0.0
!
interface Serial0
 description Connected to Router A
 ip address 192.168.1.1 255.255.0.0
 encapsulation ppp
 no fair-queue
 clockrate 2000000
 crypto map NY
!
interface Serial1
 description Connected_to_firewall
 ip address 68.34.76.6 255.255.0.0
 shutdown
 clockrate 2000000
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip http server
!
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxx
 login
!
end

SanFran#
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 450 total points
ID: 17847066
Duplicate post...
http://www.experts-exchange.com/Hardware/Routers/Q_22044141.html

You have to change the subnet masks on the E0 interfaces else both ends are in the same 10.0/8 network
0
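As an added illustration (not code from the thread), a small Python check that reads excerpts of the two configs posted above and flags a crypto-ACL destination that a local interface's mask claims as directly connected, which is exactly the /8 overlap lrmoore points at; the config excerpts are copied from the posts, the helper names are mine.

```python
import ipaddress
import re

# Excerpts of the NY and SanFran configs posted in this thread (constructed input).
NY_CFG = """
interface Ethernet0
 ip address 10.10.3.1 255.0.0.0
interface Serial0
 ip address 192.168.3.1 255.255.0.0
 crypto map SanFran
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 log
"""
SF_CFG = """
interface Ethernet0
 ip address 10.10.1.1 255.0.0.0
interface Serial0
 ip address 192.168.1.1 255.255.0.0
 crypto map NY
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
"""

IFACE_RE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", re.M)

def connected_networks(cfg):
    """Directly connected networks implied by every 'ip address <ip> <mask>' line."""
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in IFACE_RE.findall(cfg)]

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def shadowed_destinations(cfg):
    """Crypto-ACL destinations that fall inside a connected network: the router
    treats them as local, so packets are never routed out the crypto-mapped
    Serial0 and IPsec never triggers. Returns (destination, connected net) pairs."""
    connected = connected_networks(cfg)
    return [(str(wildcard_to_network(d, dw)), str(net))
            for _s, _sw, d, dw in ACL_RE.findall(cfg)
            for net in connected
            if wildcard_to_network(d, dw).subnet_of(net)]

def acls_mirror(cfg_a, cfg_b):
    """Crypto ACLs must be mirror images: A's (src, dst) == B's (dst, src)."""
    def pairs(cfg, flip):
        out = set()
        for s, sw, d, dw in ACL_RE.findall(cfg):
            src, dst = str(wildcard_to_network(s, sw)), str(wildcard_to_network(d, dw))
            out.add((dst, src) if flip else (src, dst))
        return out
    return pairs(cfg_a, False) == pairs(cfg_b, True)
```

Running `shadowed_destinations` on either excerpt reports the far-side /24 as sitting inside the local 10.0.0.0/8; changing the Ethernet0 masks to 255.255.255.0 makes the list empty while `acls_mirror` stays true.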
 
LVL 8

Assisted Solution

by:nitadmin
nitadmin earned 50 total points
ID: 17847639
lrmoore is right. You can't have the same network address on both sides of your VPN tunnel.
You have to put them into different subnets.

Cheers,
NITADMIN
0
 

Author Comment

by:dissolved
ID: 17869732
Got it to work. Just for future reference:  
The way I have it set up is IPSEC in tunnel mode. How would I specify transport mode? At what point of the configuration can you choose this?

Thanks
0
