ipsec vpn through isp router

Posted on 2010-09-11
539 Views
Last Modified: 2012-05-10
Got a question for you; I'm not a Cisco wiz. Just started playing with it.
Got a problem connecting a router to the existing network from behind an ISP router. Got one public IP address from the ISP (11.11.11.11), and got a Cisco 2801 on the inside connecting to an existing network.

Getting this error message:
IPSEC(validate_proposal): invalid local address 192.168.1.2

192.168.1.2 is the IP address of FastEthernet 0/1, which is connected to the ISP router (ZXV10) and configured as DMZ.

Here's the crypto setup:
crypto isakmp key PresharedKey address 22.22.22.22

crypto map cm-cryptomap 1 ipsec-isakmp
 description GRE IPsec Tunnel from A to B
 set peer 22.22.22.22
 set transform-set cm-transformset-1
 match address 100

interface Tunnel1
 description GRE IPsec Tunnel from A to B
 bandwidth 1536
 ip address 11.25.1.2 255.255.255.0
 tunnel source 11.11.11.11
 tunnel destination 22.22.22.22
 crypto map cm-cryptomap

interface FastEthernet0/1
 description outside interface to isp
 ip address 192.168.1.2 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect IN in
 ip inspect OUT out
 duplex auto
 speed auto
 no cdp enable
 crypto map cm-cryptomap

I've added the access lists and crypto to fastethernet as you can see.

Is it at all possible to do this? Or am I chasing an impossible dream?

Question by:Skrotpels
7 Comments

Expert Comment

by:Istvan Kalmar
ID: 33653201
Hi,

If you have a private outside address, the tunnel is never going to come up....

Expert Comment

by:rfc1180
ID: 33653211
Please provide the configs from both sides.

Billy

Expert Comment

by:ArneLovius
ID: 33653215
I think your problem is that you are trying to use an IPSec tunnel over NAT while using the public address as the exit address.

If you want a site-to-site tunnel to run over NAT, I would suggest that you use SSL instead...

Author Comment

by:Skrotpels
ID: 33656362
Here's the config on the other side; it's completely the same except opposite :)

crypto isakmp key PreSharedKey address 11.11.11.11

crypto map cm-cryptomap 1 ipsec-isakmp
 description IPsec to Site
 set peer 11.11.11.11
 set transform-set cm-transformset-1
 match address 101
 qos pre-classify

interface Tunnel29
 description IP Tunnel to Site B from Site A
 bandwidth 4096
 ip address 11.25.1.2 255.255.255.0
 ip pim sparse-mode
 shutdown
 qos pre-classify
 tunnel source 22.22.22.22
 tunnel destination 11.11.11.11
 crypto map cm-cryptomap


How can I change this to SSL VPN? Lots of configs?
Please advise, as I'm a noob here.

Assisted Solution

by:ArneLovius
ArneLovius earned 800 total points
ID: 33656475
Do your devices have SSL licences?

I'm guessing that the ISP router is a DSL device. You could try running it in bridge mode and using the public address on your router, or, if you have more than one IP, running it as a router instead of a NAT router and using your router behind it.

Accepted Solution

by:rfc1180
rfc1180 earned 1200 total points
ID: 33656969
I was hoping that you would have provided the complete configs; there is not much we can do with the crypto configs. We know what the issue is; I personally like to have the configs to know what we are dealing with and to ensure that any changes/configs we provide will not overwrite anything else you might have that is important to your production network.

What you are trying to do is very common; here is what you need to do:
1. enable NAT-T (NOTE: With Cisco IOS Software Release 12.2(13)T and later, NAT-T is enabled by default in Cisco IOS.)

More information: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

2. IPsec uses IP protocols 50 and 51, and IKE traffic passes on protocol 17, port 500 (UDP 500). Make sure these are permitted appropriately; NAT-T also needs port 4500/UDP open as well.

Depending on what firewall you do have, please note that 50 and 51 in number 2 are NOT port numbers but rather protocol numbers. Many SOHO routers will not have an option to forward protocol numbers. What you want to look for is an option to allow VPN passthru (VPN passthrough; I have seen them named differently). In addition to the VPN passthrough, you will of course still need to port forward UDP 500 and UDP 4500 to your VPN router. For the record, how are you currently port forwarding UDP 500, and protocols 50/51? What is the make and model of the router that is connected to your ISP?

Billy
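Following rfc1180's NAT-T advice, one way to rework both sides so that the IPsec endpoint at Site A is the address the 2801 actually owns (192.168.1.2) while the ZXV10 keeps 11.11.11.11 and forwards UDP 500, UDP 4500 and ESP to it. This is an added example, not configuration from the thread: the local-address, keepalive, ACL and static-route lines are assumptions, and the transform set, interface names and addresses are the ones posted above.

```cisco
! Added example, not from the thread. Assumes IOS 12.2(13)T+ (NAT-T on by default)
! and that the ZXV10 forwards UDP 500, UDP 4500 and ESP (IP proto 50) to 192.168.1.2.
! ---- Site A (2801 behind the ISP NAT), changes to the posted config ----
crypto isakmp key PresharedKey address 22.22.22.22
crypto isakmp nat keepalive 20
! keepalives stop the ISP router from ageing out the UDP 4500 binding while idle
!
! Pin IPsec to the address the router really owns; B still sees 11.11.11.11
! after translation, so B keeps "set peer 11.11.11.11".
crypto map cm-cryptomap local-address FastEthernet0/1
crypto map cm-cryptomap 1 ipsec-isakmp
 description GRE IPsec Tunnel from A to B
 set peer 22.22.22.22
 set transform-set cm-transformset-1
 match address 100
!
! ACL 100 is not shown in the thread; assumed here: protect only the GRE
! that this router sources from its own interface address.
access-list 100 permit gre host 192.168.1.2 host 22.22.22.22
!
interface Tunnel1
 ip address 11.25.1.2 255.255.255.0
 tunnel source FastEthernet0/1
! was "tunnel source 11.11.11.11", an address this router does not own, so
! neither GRE nor IPsec could be sourced from it
 tunnel destination 22.22.22.22
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 crypto map cm-cryptomap
!
! ---- Site B (22.22.22.22), changes to the posted config ----
crypto isakmp key PreSharedKey address 11.11.11.11
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 11.11.11.11
 match address 101
!
! Mirror of ACL 100. The GRE carried inside ESP is never translated by the
! ZXV10, so GRE must target A's private 192.168.1.2 while ISAKMP/ESP go to
! 11.11.11.11.
access-list 101 permit gre host 22.22.22.22 host 192.168.1.2
! Placeholder next hop: send GRE for 192.168.1.2 out B's crypto interface.
ip route 192.168.1.2 255.255.255.255 <B-outside-next-hop>
!
interface Tunnel29
 tunnel source 22.22.22.22
 tunnel destination 192.168.1.2
 no shutdown
```

After applying, `show crypto isakmp sa` on either side should list the peer with NAT-T in use, and `show crypto ipsec sa` should show encrypt/decrypt counters climbing for the GRE proxy identities.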

Author Comment

by:Skrotpels
ID: 33705476
Thanks all for the answers. In the end I got a fixed IP from the ISP, so the tunnel is up again between the sites. Now I cannot ping the inside interface, but I'll create a new subject on it.

Thanks