Bmused
asked on
PPPoE/IPSec - Basic setup
Hi Experts,
I think I may have been staring at this one a little too long and am missing something very basic... Very straightforward setup: Cisco 1841 (12.4 IOS), bridged to an ADSL modem (PPPoE); the other end of the tunnel is a Fortigate firewall. It authenticates OK (PPPoE) and establishes the IPsec tunnel, but alas, no traffic in either direction... I suspect something on the 1841 (as it's been a while since I've played with these). I'm sure someone could cast their eyes over the config below and spot it straight away... *I have other IPsec tunnels humming along nicely on the Fortigate, so when looking at this please assume a perfect config on the Fortigate... :-)
##########################
crypto map Test 10 ipsec-isakmp
 set peer xxx.xxx.x.xxx
 set transform-set Test
 match address 100
!
interface FastEthernet0/0
 description ### ADSL WAN Interface ###
 ip address xxx.xxx.xxx.xx/30
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
 crypto map Test
 hold-queue 224 in
!
interface FastEthernet0/1
 description ### Uplink to 3560 Fa0/24 ###
 ip address xx.xxx.xx.x/24
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxx@isp.com
 ppp chap password 0 ***********
 ppp pap sent-username xxxxxxxx@isp.com password 0 ***********
!
ip route 0.0.0.0 0.0.0.0 Dialer0 200
!
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 permit ip xx.xxx.xx.x 0.0.0.255 xx.xxx.x.x 0.0.3.255
dialer-list 1 protocol ip permit
!
##########################
Any one?
Happy to provide any other info/details you may require....
Thanks,
Simon
I'm missing the crypto isakmp policy?

ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 permit ip xx.xxx.xx.x 0.0.0.255 xx.xxx.x.x 0.0.3.255
crypto map Test 10 ipsec-isakmp
 set peer xxx.xxx.x.xxx
 set transform-set Test
 match address 100

You use access-list 100 two times; you'll have to make a separate one for NAT, as you'll probably not want those NAT'd.
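The point made in the reply above, that one ACL cannot serve both the NAT rule and the crypto map, as an added example (not configuration from the original post, and not the accepted solution, which is not visible on this page). The reasoning: IOS performs inside-to-outside NAT before the crypto map is evaluated, so a LAN packet for the remote subnet is translated to the Dialer0 address first and then no longer matches the crypto ACL; it leaves in the clear and the Fortigate drops it. The fix is a NAT ACL that denies the tunnel traffic before its permit, while the crypto ACL keeps only the interesting traffic. The example also moves the crypto map from the physical PPPoE interface to Dialer0, the interface that holds the negotiated address and forwards the packets; that is the usual placement in a PPPoE dial-pool design and is a general point, not something this thread states. All addresses are assumed for illustration: 192.168.10.0/24 is the local LAN, 10.20.0.0/22 the remote LAN behind the Fortigate, and 203.0.113.1 the peer.

```cisco
! Added example, not from the original post. Addresses are assumed (see lead-in).
!
! 1. Crypto ACL (numbered 100, as in the post): only the interesting traffic.
!    It must mirror the Fortigate phase 2 selectors exactly.
access-list 100 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.3.255
!
! 2. Separate NAT ACL: deny the tunnel traffic first, then overload the rest.
!    Without the deny, inside->outside NAT runs before the crypto map check and
!    the translated source never matches ACL 100, so nothing is ever encrypted.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.3.255
 permit ip 192.168.10.0 0.0.0.255 any
!
! Replace the NAT rule; clear active translations first or IOS refuses the change.
clear ip nat translation *
no ip nat inside source list 100 interface Dialer0 overload
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
crypto map Test 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set Test
 match address 100
!
! 3. Apply the crypto map to the Dialer interface, not the physical PPPoE port.
interface FastEthernet0/0
 no crypto map Test
!
interface Dialer0
 crypto map Test
!
! Verification, after a LAN host pings a host in 10.20.0.0/22:
!   show crypto ipsec sa            -> #pkts encaps and #pkts decaps both increase
!   show ip nat translations        -> no entries with a 10.20.x.x destination
!   show access-lists 100           -> match counter on the permit line increases
```

If the encaps counter rises but decaps stays at zero, the return path on the Fortigate side is the next place to look; if neither moves, the packets are still being translated or are not reaching the interface that carries the crypto map.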
ASKER
The 'crypto isakmp policy' is fine, as the tunnel is up/established.
Have created separate ACLs, but still no joy... very frustrating!
:-(
ASKER CERTIFIED SOLUTION
ASKER
Up and running; all traffic now routing as expected.