PPPoE/IPSec - Basic setup

Hi Experts,

I think I may have been staring @ this one a little too long & am missing something very basic...  Very straightforward setup - Cisco 1841 (12.4 IOS) - bridged to ADSL modem (PPPoE) - other end of tunnel is a Fortigate Firewall.  Authenticates OK (PPPoE) & establishes the IPSec tunnel - but alas, no traffic in either direction.... I suspect something on the 1841 (as it's been a while since I've played with these) - I'm sure someone could cast their eyes over the config below and spot it straight away...  *I have other IPSec Tunnels humming along nicely on the Fortigate - so when looking @ this please assume a perfect config on the Fortigate... :-)

#############################

crypto map Test 10 ipsec-isakmp
 set peer xxx.xxx.x.xxx
 set transform-set Test
 match address 100
!
interface FastEthernet0/0
 description ### ADSL WAN Interface ###
 ip address xxx.xxx.xxx.xx/30
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
 crypto map Test
 hold-queue 224 in
!
interface FastEthernet0/1
 description ### Uplink to 3560 Fa0/24 ###
 ip address xx.xxx.xx.x/24
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxx@isp.com
 ppp chap password 0 ***********
 ppp pap sent-username xxxxxxxx@isp.com password 0 ***********
!
ip route 0.0.0.0 0.0.0.0 Dialer0 200
!
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 permit ip xx.xxx.xx.x 0.0.0.255 xx.xxx.x.x 0.0.3.255
dialer-list 1 protocol ip permit
!
###############################

Anyone?

Happy to provide any other info/details you may require....

Thanks,

Simon
JorisFRST Commented:
I'm missing the crypto isakmp policy?
0
JorisFRST Commented:
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 permit ip xx.xxx.xx.x 0.0.0.255 xx.xxx.x.x 0.0.3.255

crypto map Test 10 ipsec-isakmp
 set peer xxx.xxx.x.xxx
 set transform-set Test
 match address 100

You use access-list 100 two times; you'll have to make a separate one for NAT, as you'll probably not want those NAT'd.
0
Bmused (Author) Commented:
The 'crypto isakmp policy' is fine as the tunnel is up/established.

Have created separate ACLs, but still no joy... very frustrating!

:-(
0
Bmused (Author) Commented:
Solved -
-Assigned no IP to Fa0/0 (WAN)
-Created loopback with bridged IP
-assigned dialer unnumbered loopback IP
-set crypto map to dialer0
-edited the required ACLs (one only required)
-added req'd additional routes

All good.... thanks Experts!

:-)
0

Bmused (Author) Commented:
Up & running - all traffic now routing as expected
0
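
The two points raised in this thread (access-list 100 feeding both the NAT overload rule and the crypto map, and the crypto map sitting on Fa0/0 while traffic leaves via Dialer0) can be checked mechanically. The script below is an added example, not code from any poster; the sample config is constructed, 192.0.2.1 is a placeholder peer, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample mirroring the posted layout; 192.0.2.1 is a placeholder peer.
SAMPLE = """\
crypto map Test 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 100
!
interface FastEthernet0/0
 pppoe-client dial-pool-number 1
 crypto map Test
!
interface Dialer0
 ip nat outside
 dialer pool 1
!
ip route 0.0.0.0 0.0.0.0 Dialer0 200
ip nat inside source list 100 interface Dialer0 overload
"""

def audit(config):
    """Return findings for the two problems discussed in this thread."""
    crypto_acls = {}   # crypto map name -> ACLs named by 'match address'
    applied = {}       # interface name -> crypto map bound to it
    section = None     # ("map" | "if", name) for the current indented block
    for line in config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"(?:crypto map (\S+) \d+ ipsec-isakmp|interface (\S+))", line)
            section = None if not m else ("map", m[1]) if m[1] else ("if", m[2])
            continue
        words = line.split()
        if not section or len(words) < 3:
            continue
        if section[0] == "map" and words[:2] == ["match", "address"]:
            crypto_acls.setdefault(section[1], set()).add(words[2])
        elif section[0] == "if" and words[:2] == ["crypto", "map"]:
            applied[section[1]] = words[2]
    nat_acls = set(re.findall(r"^ip nat inside source list (\S+)", config, re.M))
    # Interfaces named as the next hop of a default route (assumed egress path).
    egress = set(re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 ([A-Za-z]\S*)", config, re.M))
    findings = []
    for name, acls in crypto_acls.items():
        for acl in sorted(acls & nat_acls):
            findings.append(f"ACL {acl} feeds both NAT overload and crypto map {name}")
    for iface, name in applied.items():
        if egress and iface not in egress:
            findings.append(f"crypto map {name} is on {iface}, default route uses {', '.join(sorted(egress))}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```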