Solved

Cant get IPSEC to work

Posted on 2006-10-31
Last Modified: 2011-09-20
Have a VPN setup between 2 Cisco routers. I'm using a pre-shared key and I have defined the interesting traffic with an ACL on each respective router.

The routers can ping each other, however, the clients from one side cannot ping the clients on the other side. It looks like IPSEC is not working.


Diagram is something like this:

NY 192.168.3.1-------------------------------------192.168.1.1  SanFran
Question by:dissolved


Author Comment

by:dissolved
ID: 17844509
Sh run for New York


NY#sh run
Building configuration...

Current configuration : 1216 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NY
!
logging rate-limit console 10 except errors
enable secret 5 $1$kprY$RN4NWD24I3TSc0qTVz3oo0
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map SanFran 120 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.3.1 255.0.0.0
!
interface Serial0
 description Connected to 2500B
 ip address 192.168.3.1 255.255.0.0
 encapsulation ppp
 crypto map SanFran
!
interface Serial1
 ip address 68.34.76.5 255.255.0.0
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 log
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxxxx
 login
!
end

NY#

Author Comment

by:dissolved
ID: 17844516
Sh run for San Francisco

SanFran#sh run
Building configuration...

Current configuration : 1298 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SanFran
!
logging rate-limit console 10 except errors
enable secret 5 $1$A9jO$0STiEhn2rxouPfSLSX7c01
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map NY 120 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.1.1 255.0.0.0
!
interface Serial0
 description Connected to Router A
 ip address 192.168.1.1 255.255.0.0
 encapsulation ppp
 no fair-queue
 clockrate 2000000
 crypto map NY
!
interface Serial1
 description Connected_to_firewall
 ip address 68.34.76.6 255.255.0.0
 shutdown
 clockrate 2000000
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip http server
!
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxx
 login
!
end

SanFran#
LVL 79

Accepted Solution

by: lrmoore (earned 1800 total points)
ID: 17847066
Duplicate post...
http://www.experts-exchange.com/Hardware/Routers/Q_22044141.html

You have to change the subnet masks on the E0 interfaces else both ends are in the same 10.0/8 network
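To make the accepted answer concrete, here is an added example (not part of the original thread, and not Cisco's or the poster's code) that models the two posted configs with Python's ipaddress module. It does a simplified IOS-style lookup, directly connected subnets first, then the default route resolved to a connected interface, and reports whether a LAN-to-LAN packet ever reaches the interface carrying the crypto map. With the 255.0.0.0 masks as posted, NY believes 10.10.1.x is on its own Ethernet0 and never forwards it to Serial0, so the crypto map is never consulted and no IPsec SA is negotiated; with the masks changed to 255.255.255.0 the packet follows the default route out Serial0. The host addresses 10.10.3.50 and 10.10.1.50 are assumed test clients; the routing model ignores ARP, PPP host routes and anything other than connected and default routes.

```python
"""
Routing-table model of the NY and SanFran configs posted in this thread.
Added example, not the thread's own code. Shows why LAN-to-LAN traffic
never hit the crypto map while the Ethernet0 interfaces had a /8 mask.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_interface
from typing import Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    address: str                      # "ip/mask" exactly as written in the config
    crypto_map: Optional[str] = None  # name of the crypto map applied, if any

    @property
    def network(self) -> IPv4Network:
        # ipaddress accepts dotted netmasks, so "10.10.3.1/255.0.0.0" -> 10.0.0.0/8
        return ip_interface(self.address).network


@dataclass(frozen=True)
class Router:
    name: str
    interfaces: Tuple[Interface, ...]
    default_next_hop: str            # ip route 0.0.0.0 0.0.0.0 <next-hop>
    crypto_acl: Tuple[str, str]      # (source, destination) of the crypto ACL

    def egress_interface(self, dst: str) -> Optional[Interface]:
        """Longest-prefix match over connected subnets, then the default route."""
        dst_ip = IPv4Address(dst)
        connected = [i for i in self.interfaces if dst_ip in i.network]
        if connected:
            return max(connected, key=lambda i: i.network.prefixlen)
        # Default route: resolve the next hop to the connected interface it lives on.
        next_hop = IPv4Address(self.default_next_hop)
        for i in self.interfaces:
            if next_hop in i.network:
                return i
        return None

    def acl_matches(self, src: str, dst: str) -> bool:
        """Does the crypto ACL select this src->dst flow as interesting traffic?"""
        src_net, dst_net = (IPv4Network(n) for n in self.crypto_acl)
        return IPv4Address(src) in src_net and IPv4Address(dst) in dst_net


def diagnose(router: Router, src: str, dst: str) -> Tuple[bool, str]:
    """(True, why) if the packet is selected by the crypto ACL AND leaves an
    interface that carries a crypto map; otherwise (False, reason)."""
    if not router.acl_matches(src, dst):
        return False, f"{router.name}: crypto ACL does not select {src}->{dst}"
    egress = router.egress_interface(dst)
    if egress is None:
        return False, f"{router.name}: no route to {dst}"
    if egress.crypto_map is None:
        return False, (f"{router.name}: {dst} is routed out {egress.name} "
                       f"({egress.network}), which has no crypto map")
    return True, (f"{router.name}: {src}->{dst} leaves {egress.name} "
                  f"via crypto map {egress.crypto_map}")


def with_e0_mask(router: Router, mask: str) -> Router:
    """Copy of the router with the Ethernet0 mask changed (the fix lrmoore describes)."""
    fixed = tuple(
        replace(i, address=f"{ip_interface(i.address).ip}/{mask}")
        if i.name == "Ethernet0" else i
        for i in router.interfaces
    )
    return replace(router, interfaces=fixed)


def acls_are_mirrored(a: Router, b: Router) -> bool:
    """Each side's crypto ACL must be the mirror image of the peer's."""
    return a.crypto_acl == tuple(reversed(b.crypto_acl))


# Constructed from the two 'sh run' outputs posted above.
NY = Router("NY",
            (Interface("Ethernet0", "10.10.3.1/255.0.0.0"),
             Interface("Serial0", "192.168.3.1/255.255.0.0", crypto_map="SanFran")),
            default_next_hop="192.168.1.1",
            crypto_acl=("10.10.3.0/24", "10.10.1.0/24"))   # access-list 105

SANFRAN = Router("SanFran",
                 (Interface("Ethernet0", "10.10.1.1/255.0.0.0"),
                  Interface("Serial0", "192.168.1.1/255.255.0.0", crypto_map="NY")),
                 default_next_hop="192.168.3.1",
                 crypto_acl=("10.10.1.0/24", "10.10.3.0/24"))  # access-list 105


if __name__ == "__main__":
    # Assumed test clients, one on each LAN.
    for r, src, dst in ((NY, "10.10.3.50", "10.10.1.50"),
                        (SANFRAN, "10.10.1.50", "10.10.3.50")):
        print("as posted :", diagnose(r, src, dst)[1])
        print("mask /24  :", diagnose(with_e0_mask(r, "255.255.255.0"), src, dst)[1])
    print("crypto ACLs mirrored:", acls_are_mirrored(NY, SANFRAN))
```

The same reasoning explains the symptom in the question: the routers' Serial0 addresses are not inside 10.0.0.0/8, so router-to-router pings take the normal path, while client-to-client packets die on the local Ethernet segment before IPsec is ever involved. On the real routers, `show crypto isakmp sa` staying empty while the clients ping is the matching observation.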
LVL 8

Assisted Solution

by:nitadmin
nitadmin earned 200 total points
ID: 17847639
lrmoore is right. You can't have the same network address on both sides of your VPN tunnel.
You have to put them into different subnets.

Cheers,
NITADMIN

Author Comment

by:dissolved
ID: 17869732
Got it to work. Just for future reference:  
The way I have it set up is IPsec in tunnel mode. How would I specify transport mode? At what point of the configuration can you choose this?

Thanks