PPPoE/IPSec - Basic setup

Hi Experts,

I think I may have been staring @ this one a little too long & am missing something very basic...  Very straight forward setup - Cisco 1841 (12.4 IOS) - bridged to ADSL modem (PPPoE) - other end of tunnel is a Fortigate Firewall.  Authenticates OK (PPPoE) & establishes the IPSec tunnel - but alas, no traffic in either direction.... I suspect something on the 1841 (as it's been a while since I've played with these) - I'm sure someone could cast their eyes over the config below and spot it straight away...  *I have other IPSec Tunnels humming along nicely on the Fortigate - so when looking @ this please assume a perfect config on the Fortigate... :-)

#############################

crypto map Test 10 ipsec-isakmp
 set peer xxx.xxx.x.xxx
 set transform-set Test
 match address 100
!
interface FastEthernet0/0
 description ### ADSL WAN Interface ###
 ip address xxx.xxx.xxx.xx/30
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
 crypto map Test
 hold-queue 224 in
!
interface FastEthernet0/1
 description ### Uplink to 3560 Fa0/24 ###
 ip address xx.xxx.xx.x/24
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxx@isp.com
 ppp chap password 0 ***********
 ppp pap sent-username xxxxxxxx@isp.com password 0 ***********
!
ip route 0.0.0.0 0.0.0.0 Dialer0 200
!
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 permit ip xx.xxx.xx.x 0.0.0.255 xx.xxx.x.x 0.0.3.255
dialer-list 1 protocol ip permit
!
###############################

Anyone?

Happy to provide any other info/details you may require....

Thanks,

Simon
Asked by Bmused
Bmused (Author) commented:
Solved -
- Assigned no IP to Fa0/0 (WAN)
- Created loopback with bridged IP
- Assigned dialer unnumbered loopback IP
- Set crypto map to dialer0
- Edited the required ACL's (one only required)
- Added req'd additional routes

All good.... thanks Experts!

:-)
JorisFRST commented:
I'm missing the crypto isakmp policy?
JorisFRST commented:
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 permit ip xx.xxx.xx.x 0.0.0.255 xx.xxx.x.x 0.0.3.255

crypto map Test 10 ipsec-isakmp
 set peer xxx.xxx.x.xxx
 set transform-set Test
 match address 100

You use access-list 100 two times; you'll have to make a separate one for NAT, as you'll probably not want those NAT'd.
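Pulling together the steps from the "Solved" comment above and JorisFRST's point about the shared ACL, here is an added IOS example of what the corrected 1841 side looks like. This is not the poster's actual config: all addresses are constructed placeholders from the RFC 5737 documentation ranges, the credentials are redacted, and the `ip tcp adjust-mss` line is an assumption (a common addition on PPPoE paths with a 1492 MTU, not something the thread mentions).

```cisco
! Added example of the fix described in the thread, not the poster's real config.
! Addresses are constructed placeholders (RFC 5737); substitute your own.
!
! The physical WAN port only carries the PPPoE session: no IP, no crypto map.
interface FastEthernet0/0
 description ### ADSL WAN Interface (bridged modem) ###
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
! The static IP the ISP routes to you lives on a loopback...
interface Loopback0
 ip address 203.0.113.10 255.255.255.255
!
! ...and the dialer borrows it. The crypto map goes here, on the interface
! the encrypted traffic actually leaves, not on Fa0/0.
interface Dialer0
 ip unnumbered Loopback0
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname user@isp.example
 ppp chap password 0 REDACTED
 crypto map Test
!
interface FastEthernet0/1
 description ### LAN ###
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ! assumption: commonly added so TCP fits inside the 1492-byte PPPoE MTU
 ip tcp adjust-mss 1452
!
! Two ACLs with two jobs: 100 selects traffic to encrypt; 101 selects traffic
! to NAT and explicitly excludes the VPN traffic so it is not translated first.
access-list 100 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.3.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.3.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
!
crypto map Test 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set Test
 match address 100
!
ip route 0.0.0.0 0.0.0.0 Dialer0
```

After applying it, `show crypto ipsec sa` should show the encaps/decaps counters for the 192.168.10.0/24 to 10.20.0.0/22 SA increasing, and `show ip nat translations` should contain no entries for that destination.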
Bmused (Author) commented:
The 'crypto isakmp policy' is fine as the tunnel is up/established.

Have created separate ACL's, but still no joy... very frustrating!

:-(
Bmused (Author) commented:
Up & running - all traffic now routing as expected