• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 229
  • Last Modified:

Cant get IPSEC to work

Have a VPN setup between 2 cisco routers. I'm using a pre-shared key and i have defined the interesting traffic with an ACL on each respective router.

The routers can ping each other, however, the clients from one side cannot ping the clients on the other side. It looks like IPSEC is not working.


Diagram is something like this:

NY 192.168.3.1-------------------------------------192.168.1.1  SanFran
0
dissolved
Asked:
dissolved
  • 3
2 Solutions
 
dissolvedAuthor Commented:
Sh run for New York


NY#sh run
Building configuration...

Current configuration : 1216 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NY
!
logging rate-limit console 10 except errors
enable secret 5 $1$kprY$RN4NWD24I3TSc0qTVz3oo0
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map SanFran 120 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.3.1 255.0.0.0
!
interface Serial0
 description Connected to 2500B
 ip address 192.168.3.1 255.255.0.0
 encapsulation ppp
 crypto map SanFran
!
interface Serial1
 ip address 68.34.76.5 255.255.0.0
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 log
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxxxx
 login
!
end

NY#
0
 
dissolvedAuthor Commented:
Sh run for San Francisco

SanFran#sh run
Building configuration...

Current configuration : 1298 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SanFran
!
logging rate-limit console 10 except errors
enable secret 5 $1$A9jO$0STiEhn2rxouPfSLSX7c01
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map NY 120 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.1.1 255.0.0.0
!
interface Serial0
 description Connected to Router A
 ip address 192.168.1.1 255.255.0.0
 encapsulation ppp
 no fair-queue
 clockrate 2000000
 crypto map NY
!
interface Serial1
 description Connected_to_firewall
 ip address 68.34.76.6 255.255.0.0
 shutdown
 clockrate 2000000
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip http server
!
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxx
 login
!
end

SanFran#
0
 
lrmooreCommented:
Duplicate post...
http://www.experts-exchange.com/Hardware/Routers/Q_22044141.html

You have to change the subnet masks on the E0 interfaces else both ends are in the same 10.0/8 network
0
 
nitadminCommented:
lrmore is right. You can't have the same network address on both sides of your vpn tunnel.
You have to put them into different subnets.

Cheers,
NITADMIN
0
 
dissolvedAuthor Commented:
Got it to work. Just for future reference:  
The way I have it setup is IPSEC in tunnel mode. How would I specficy transport mode? At what point of the configuration can you choose this??

Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now