Can't get IPSEC to work

Posted on 2006-10-31
Last Modified: 2011-09-20
Have a VPN setup between 2 Cisco routers. I'm using a pre-shared key and I have defined the interesting traffic with an ACL on each respective router.

The routers can ping each other, however, the clients from one side cannot ping the clients on the other side. It looks like IPSEC is not working.


Diagram is something like this:

NY 192.168.3.1-------------------------------------192.168.1.1  SanFran
Question by:dissolved

Author Comment

by:dissolved
ID: 17844509
Sh run for New York


NY#sh run
Building configuration...

Current configuration : 1216 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NY
!
logging rate-limit console 10 except errors
enable secret 5 $1$kprY$RN4NWD24I3TSc0qTVz3oo0
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map SanFran 120 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.3.1 255.0.0.0
!
interface Serial0
 description Connected to 2500B
 ip address 192.168.3.1 255.255.0.0
 encapsulation ppp
 crypto map SanFran
!
interface Serial1
 ip address 68.34.76.5 255.255.0.0
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 log
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxxxx
 login
!
end

NY#

Author Comment

by:dissolved
ID: 17844516
Sh run for San Francisco

SanFran#sh run
Building configuration...

Current configuration : 1298 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SanFran
!
logging rate-limit console 10 except errors
enable secret 5 $1$A9jO$0STiEhn2rxouPfSLSX7c01
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key vpntime address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map NY 120 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.1.1 255.0.0.0
!
interface Serial0
 description Connected to Router A
 ip address 192.168.1.1 255.255.0.0
 encapsulation ppp
 no fair-queue
 clockrate 2000000
 crypto map NY
!
interface Serial1
 description Connected_to_firewall
 ip address 68.34.76.6 255.255.0.0
 shutdown
 clockrate 2000000
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip http server
!
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxxx
 login
!
end

SanFran#

Accepted Solution

by:
lrmoore earned 450 total points
ID: 17847066
Duplicate post...
http://www.experts-exchange.com/Hardware/Routers/Q_22044141.html

You have to change the subnet masks on the E0 interfaces else both ends are in the same 10.0/8 network

Assisted Solution

by:nitadmin
nitadmin earned 50 total points
ID: 17847639
lrmoore is right. You can't have the same network address on both sides of your VPN tunnel.
You have to put them into different subnets.

Cheers,
NITADMIN
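
lrmoore's and nitadmin's diagnosis can be checked mechanically. The script below is an added example, not code from either poster: it reads the Ethernet0 mask and the crypto ACL from constructed excerpts of the two configs posted above, reports when the remote LAN falls inside the local interface subnet (the fault here, since 10.10.3.1/255.0.0.0 and 10.10.1.1/255.0.0.0 both resolve to 10.0.0.0/8), and shows the same check passing once each Ethernet0 carries a /24 mask.

```python
import ipaddress
import re

# Constructed excerpts of the NY and SanFran configs posted above; only the lines read below.
NY_CFG = """crypto map SanFran 120 ipsec-isakmp
 match address 105
interface Ethernet0
 ip address 10.10.3.1 255.0.0.0
access-list 105 permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255 log
"""
SF_CFG = """crypto map NY 120 ipsec-isakmp
 match address 105
interface Ethernet0
 ip address 10.10.1.1 255.0.0.0
access-list 105 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
"""
# The same excerpts with lrmoore's fix applied: a /24 mask on each Ethernet0.
FIXED_NY = NY_CFG.replace("255.0.0.0", "255.255.255.0")
FIXED_SF = SF_CFG.replace("255.0.0.0", "255.255.255.0")


def lan_network(cfg):
    """Subnet the router derives for Ethernet0 from its address and mask."""
    addr, mask = re.search(r"interface Ethernet0\n ip address (\S+) (\S+)", cfg).groups()
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def crypto_acl(cfg):
    """(source, destination) networks of the ACL named by 'match address'."""
    acl = re.search(r"match address (\d+)", cfg).group(1)
    pat = rf"access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)"
    src, sw, dst, dw = re.search(pat, cfg).groups()
    # ipaddress accepts Cisco wildcard (host) masks after the slash
    return ipaddress.ip_network(f"{src}/{sw}"), ipaddress.ip_network(f"{dst}/{dw}")


def check_tunnel(local_cfg, remote_cfg):
    """Return findings for the local side; an empty list means no problem was detected."""
    findings = []
    lan, (src, dst) = lan_network(local_cfg), crypto_acl(local_cfg)
    rsrc, rdst = crypto_acl(remote_cfg)
    if dst.subnet_of(lan):
        # The router treats the remote LAN as directly connected: packets are ARPed
        # for on Ethernet0 and never reach the crypto map applied to Serial0.
        findings.append(f"remote LAN {dst} lies inside local interface subnet {lan}")
    if (src, dst) != (rdst, rsrc):
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Run from either side, check_tunnel(NY_CFG, SF_CFG) and check_tunnel(SF_CFG, NY_CFG) each report the overlapping subnet; the FIXED_* pair reports nothing.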

Author Comment

by:dissolved
ID: 17869732
Got it to work. Just for future reference:  
The way I have it set up is IPSEC in tunnel mode. How would I specify transport mode? At what point of the configuration can you choose this?

Thanks