Solved

ipsec vpn through isp router

Posted on 2010-09-11
Last Modified: 2012-05-10
Got a question for you; I'm not a Cisco whiz. Just started playing with it.
Got a problem connecting a router to the existing network from behind an ISP router. Got one public IP address from the ISP (11.11.11.11), and got a Cisco 2801 on the inside connecting to an existing network.

Getting this error message:
IPSEC(validate_proposal): invalid local address 192.168.1.2

192.168.1.2 is the IP address of FastEthernet 0/1, which is connected to the ISP router (ZXV10) and configured as DMZ.

Here's the crypto setup:
crypto isakmp key PresharedKey address 22.22.22.22

crypto map cm-cryptomap 1 ipsec-isakmp
 description GRE IPsec Tunnel from A to B
 set peer 22.22.22.22
 set transform-set cm-transformset-1
 match address 100

interface Tunnel1
 description GRE IPsec Tunnel from A to B
 bandwidth 1536
 ip address 11.25.1.2 255.255.255.0
 tunnel source 11.11.11.11
 tunnel destination 22.22.22.22
 crypto map cm-cryptomap

interface FastEthernet0/1
 description outside interface to isp
 ip address 192.168.1.2 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect IN in
 ip inspect OUT out
 duplex auto
 speed auto
 no cdp enable
 crypto map cm-cryptomap

I've added the access lists and crypto to fastethernet as you can see.

Is it at all possible to do this? Or am I chasing an impossible dream?

Question by:Skrotpels
7 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33653201
Hi,

If you have a private outside address, the tunnel is never going to come up....
 
LVL 24

Expert Comment

by:rfc1180
ID: 33653211
Please provide the configs from both sides.

Billy
 
LVL 37

Expert Comment

by:ArneLovius
ID: 33653215
I think your problem is that you are trying to use an IPSec tunnel over NAT while using the public address as the exit address.

If you want a site-to-site tunnel to run over NAT, I would suggest that you use SSL instead...
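ArneLovius's diagnosis above (the tunnel exits via a public address the router does not itself hold) and Istvan Kalmar's point about a private outside address can both be checked mechanically against the posted config. The following Python is an added example, not code from the thread; it parses the interface stanzas of the original poster's fragment (re-typed here as sample input, with the description line indented like the other commands) and reports tunnel sources that are not configured on any interface, plus crypto-map interfaces that sit on RFC 1918 addresses and therefore face the peer through NAT.

```python
import ipaddress
import re

# The original poster's interface fragment, re-typed as constructed sample
# input with consistent one-space indentation inside each stanza.
SAMPLE_CONFIG = """\
interface Tunnel1
 description GRE IPsec Tunnel from A to B
 bandwidth 1536
 ip address 11.25.1.2 255.255.255.0
 tunnel source 11.11.11.11
 tunnel destination 22.22.22.22
 crypto map cm-cryptomap

interface FastEthernet0/1
 description outside interface to isp
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 crypto map cm-cryptomap
"""

# Sub-commands we care about, keyed by the attribute they fill in.
PATTERNS = {
    "ip": r"ip address (\S+) \S+",
    "tunnel_source": r"tunnel source (\S+)",
    "crypto_map": r"crypto map (\S+)",
}


def parse_interfaces(config):
    """Return {interface_name: {"ip", "tunnel_source", "crypto_map"}} from IOS-style text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # an unindented line starts a new top-level command
            match = re.match(r"interface\s+(\S+)", raw)
            current = match.group(1) if match else None
            if current:
                interfaces[current] = {key: None for key in PATTERNS}
            continue
        if current is None:                  # indented line outside an interface stanza
            continue
        cmd = raw.strip()
        for key, pattern in PATTERNS.items():
            match = re.match(pattern, cmd)
            if match:
                interfaces[current][key] = match.group(1)
    return interfaces


def check_tunnel_sources(config):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    interfaces = parse_interfaces(config)
    owned = {attrs["ip"] for attrs in interfaces.values() if attrs["ip"]}
    findings = []
    for name, attrs in interfaces.items():
        src = attrs["tunnel_source"]
        if src:
            # 'tunnel source' may name an interface rather than an address; resolve it.
            src_ip = interfaces.get(src, {}).get("ip", src)
            if src_ip not in owned:
                findings.append(
                    f"{name}: tunnel source {src} is not an address configured on any "
                    f"interface of this router (owned addresses: {sorted(owned)})")
        if attrs["crypto_map"] and attrs["ip"] and ipaddress.ip_address(attrs["ip"]).is_private:
            findings.append(
                f"{name}: crypto map {attrs['crypto_map']} is bound to private address "
                f"{attrs['ip']}; the IPsec peer will only see the NAT public address")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_sources(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the check reports Tunnel1 for sourcing from 11.11.11.11 and FastEthernet0/1 for carrying a crypto map on 192.168.1.2; pointing `tunnel source` at FastEthernet0/1 instead clears the first finding but not the second, which is the NAT problem the rest of the thread is about.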
Author Comment

by:Skrotpels
ID: 33656362
Here's the config on the other side, it's completely the same except opposite :)

crypto isakmp key PreSharedKey address 11.11.11.11

crypto map cm-cryptomap 1 ipsec-isakmp
 description IPsec to Site
 set peer 11.11.11.11
 set transform-set cm-transformset-1
 match address 101
 qos pre-classify

interface Tunnel29
 description IP Tunnel to Site B from Site A
 bandwidth 4096
 ip address 11.25.1.2 255.255.255.0
 ip pim sparse-mode
 shutdown
 qos pre-classify
 tunnel source 22.22.22.22
 tunnel destination 11.11.11.11
 crypto map cm-cryptomap


How can I change this to SSL VPN? Lots of config?
Please advise as I'm a noob here.
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 200 total points
ID: 33656475
Do your devices have SSL Licences ?

I'm guessing that the ISP router is a DSL device; you could try running it in bridge mode and using the public address on your router, or, if you have more than one IP, running it as a router instead of a NAT router and using your router behind it.
 
LVL 24

Accepted Solution

by:rfc1180
rfc1180 earned 300 total points
ID: 33656969
I was hoping that you would have provided the complete configs, there is not much we can do with the crypto configs, we know what the issue is; I personally like to have the configs to know what we are dealing with and to ensure that any changes/configs we provide will not overwrite anything else you might have that is important to your production network.

What you are trying to do is very common; here is what you need to do:
1. enable NAT-T (NOTE: With Cisco IOS Software Release 12.2(13)T and later, NAT-T is enabled by default in Cisco IOS.)

More information: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

2. IPsec uses IP protocols 50 and 51, and IKE traffic passes on protocol 17, port 500 (UDP 500). Make sure these are permitted appropriately; NAT-T also needs port 4500/UDP open as well.

Depending on what firewall you have, please note that 50 and 51 in number 2 are NOT port numbers but rather protocol numbers. Many SOHO routers will not have an option to forward protocol numbers. What you want to look for is an option to allow VPN passthru (VPN passthrough; I have seen them named differently). In addition to the VPN passthrough, you will of course still need to port forward UDP 500 and UDP 4500 to your VPN router. For the record, what are you port forwarding UDP 500 to currently, and the protocols 50/51? What is the make and model of the router that is connected to your ISP?

Billy
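rfc1180's checklist (UDP 500 for IKE, UDP 4500 for NAT-T, IP protocols 50/51 either forwarded by protocol number or covered by a VPN-passthrough option) can be turned into a check of the ISP router's forwarding rules. The Python below is an added example, not from the thread; the rule lists are constructed to look like what a SOHO router's port-forwarding page holds, and 192.168.1.2 is the Cisco 2801's outside address from the question. It flags the mistake the comment warns about, entering 50 and 51 as TCP/UDP ports, and shows the corrected rule set beside the broken one.

```python
VPN_ROUTER = "192.168.1.2"   # the 2801's outside address from the question

# Constructed sample: a broken forwarding table. UDP 500 is there, UDP 4500 is
# missing, and 50/51 were entered as TCP ports, which does nothing for IPsec.
BROKEN_RULES = [
    {"proto": "udp", "port": 500, "to": VPN_ROUTER},
    {"proto": "tcp", "port": 50, "to": VPN_ROUTER},
    {"proto": "tcp", "port": 51, "to": VPN_ROUTER},
]
BROKEN_PASSTHROUGH = False

# Constructed sample: the corrected table. ESP/AH are handled by the router's
# VPN-passthrough option (or, where the router allows it, by protocol-number rules).
FIXED_RULES = [
    {"proto": "udp", "port": 500, "to": VPN_ROUTER},
    {"proto": "udp", "port": 4500, "to": VPN_ROUTER},
]
FIXED_PASSTHROUGH = True

REQUIRED_PORTS = {("udp", 500): "IKE", ("udp", 4500): "NAT-T"}
REQUIRED_PROTOCOLS = {50: "ESP", 51: "AH"}


def check_ipsec_forwarding(rules, vpn_passthrough, vpn_router):
    """Return a list of problems; an empty list means the ISP router meets the checklist."""
    problems = []
    # Port-based rules, keyed by (transport, port); protocol-number rules keyed by number.
    port_rules = {(r["proto"].lower(), r["port"]): r["to"] for r in rules if "port" in r}
    protocol_rules = {r["protocol"]: r["to"] for r in rules if "protocol" in r}

    for (transport, port), label in REQUIRED_PORTS.items():
        target = port_rules.get((transport, port))
        if target is None:
            problems.append(f"missing forward: {transport.upper()} {port} ({label}) -> {vpn_router}")
        elif target != vpn_router:
            problems.append(f"{transport.upper()} {port} ({label}) goes to {target}, not {vpn_router}")

    # Protocols 50/51 need either a passthrough option or a protocol-number forward.
    for number, label in REQUIRED_PROTOCOLS.items():
        if not vpn_passthrough and protocol_rules.get(number) != vpn_router:
            problems.append(f"IP protocol {number} ({label}) not passed to {vpn_router}: "
                            "enable VPN passthrough or forward the protocol number")

    # The classic confusion: 50 and 51 typed into the TCP/UDP port field.
    for r in rules:
        if r.get("port") in REQUIRED_PROTOCOLS:
            problems.append(f"rule forwards {r['proto'].upper()} port {r['port']}: 50/51 are "
                            "IP protocol numbers, not ports, so this rule does nothing for IPsec")
    return problems


if __name__ == "__main__":
    for title, rules, passthrough in (("broken", BROKEN_RULES, BROKEN_PASSTHROUGH),
                                      ("fixed", FIXED_RULES, FIXED_PASSTHROUGH)):
        problems = check_ipsec_forwarding(rules, passthrough, VPN_ROUTER)
        print(f"{title}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The broken table yields five problems (no UDP 4500, ESP and AH not passed, and two useless port-50/51 rules); the fixed table yields none. Turning passthrough off on the fixed table brings back exactly the two protocol findings, which is the case where a router offers protocol-number forwarding instead of a passthrough switch.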
 

Author Comment

by:Skrotpels
ID: 33705476
Thanks all for the answers; in the end I got a fixed IP from the ISP, so the tunnel is up again between the sites. Now I cannot ping the inside interface, but I'll create a new subject on it.

thanks
