Velocity Reviews - Computer Hardware Reviews

ipsec problem

 
 
Tom McFarlane
      04-22-2004
Hi,

I'm trying to tunnel a connection between 2 routers and having
problems with it; they are both Cisco 827s.

The tunnel just does not work; it doesn't route the IPs through it.

I have the relevant output from both routers, with the IP
addresses replaced with x's and y's:

Router 1 (xxx.xxx.xxx.129/25)

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key THE_CRYPTO_KEY address yyy.yyy.yyy.1
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer yyy.yyy.yyy.1
set transform-set rtpset
match address 115
!
!
!
interface Ethernet0
ip address 10.10.10.129 255.255.255.128
ip nat inside
ip inspect myfw in
ip inspect myfw out
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
ip address xxx.xxx.xxx.129 255.255.255.128
ip access-group ppp-in in
ip nat outside
ip inspect myfw in
ip inspect myfw out
!
ip nat pool ISPNATPool xxx.xxx.xxx.129 xxx.xxx.xxx.255 netmask 255.255.255.128
ip nat inside source static 10.10.10.129 interface Dialer1
ip nat inside source route-map nonat pool ISPNATPool
ip nat inside source static 10.10.10.130 xxx.xxx.xxx.130
ip nat inside source static 10.10.10.131 xxx.xxx.xxx.131

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 110 deny ip 10.10.10.0 0.0.0.128 10.10.10.0 0.0.0.128
access-list 110 permit ip 10.10.10.0 0.0.0.128 any
access-list 115 permit ip 10.10.10.0 0.0.0.128 10.10.10.0 0.0.0.128
!
route-map nonat permit 10
match ip address 110



And... Router 2 (yyy.yyy.yyy.1/25)
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key THE_CRYPTO_KEY address xxx.xxx.xxx.129
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer xxx.xxx.xxx.129
set transform-set rtpset
match address 115
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip access-group 105 out
ip nat inside
ip inspect myfw in
ip inspect myfw out
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
ip address yyy.yyy.yyy.1 255.255.255.128
ip access-group ppp-in in
ip nat outside
!
ip nat pool ISPNATPool yyy.yyy.yyy.1 yyy.yyy.yyy.127 netmask 255.255.255.128
ip nat inside source list 18 pool ISPNATPool
ip nat inside source static 10.10.10.1 interface Dialer1
ip nat inside source static 10.10.10.2 yyy.yyy.yyy.2
ip nat inside source static 10.10.10.3 yyy.yyy.yyy.3
ip nat inside source static 10.10.10.4 yyy.yyy.yyy.4
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 110 deny ip 10.10.10.0 0.0.0.128 10.10.10.0 0.0.0.128
access-list 110 permit ip 10.10.10.0 0.0.0.128 any
access-list 115 permit ip 10.10.10.0 0.0.0.128 10.10.10.0 0.0.0.128
!
route-map nonat permit 10
match ip address 110


Thanks In Advance

Tom
 

Wil Schultz
04-22-2004
At least some of your problems are that you are using the same address range
on both sides. Also, add your crypto maps to your dialer interfaces.

Wil
my 2
"When everything seems to be going well, you have obviously overlooked
something."




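A corrected pair of fragments that applies Wil's two points, added here as an example for this page; it is not Tom's or Wil's configuration and has not been tested on an 827. It assumes Router 2's LAN is renumbered to 10.10.20.0/24 (any non-overlapping range will do) and keeps the public addresses, pool names and transform set as posted. Three things the posted fragments leave open are handled as well. First, the wildcard 0.0.0.128 in the posted ACLs covers only the two addresses 10.10.10.0 and 10.10.10.128; the wildcard for the /25 starting at .128 is 0.0.0.127. Second, each side's crypto ACL (115) must be the exact mirror image of the other side's, and the NAT exemption (110) must deny the same LAN-to-LAN flows, because IOS translates inside-to-outside traffic before it consults the crypto map: a packet whose source has already been rewritten to a public address no longer matches ACL 115. That applies to the static entries too, so the example attaches route-map nonat to them (the route-map keyword on ip nat inside source static exists on later 12.2T/12.3 images; its availability on a given 827 image is an assumption). Third, the inbound ACL ppp-in on Dialer1 is not shown in the thread; an inbound interface ACL is evaluated before decryption, so it must permit ISAKMP (UDP 500) and ESP from the peer, and the two entries below are the minimum it needs in addition to whatever else the site allows in. The DES/MD5/group 1 settings are kept only so the example stays comparable with the thread (the posted ISAKMP policy sets no encryption or group, so IOS defaults to DES and group 1); they are weak by today's standards and should be AES, SHA-2 and a larger DH group wherever the platform supports them. ATM, ip inspect and hold-queue lines are omitted for brevity, and the lines beginning with ! are annotations that IOS does not store.

```cisco
! ===== Router 1: public xxx.xxx.xxx.129/25, LAN 10.10.10.128/25 =====
crypto isakmp policy 1
! encryption/group are the IOS defaults the posted policy relied on; weak, shown explicitly
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key THE_CRYPTO_KEY address yyy.yyy.yyy.1
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer yyy.yyy.yyy.1
 set transform-set rtpset
 match address 115
!
interface Ethernet0
 ip address 10.10.10.129 255.255.255.128
 ip nat inside
!
! the map only takes effect once it is bound to the outside interface
interface Dialer1
 ip address xxx.xxx.xxx.129 255.255.255.128
 ip access-group ppp-in in
 ip nat outside
 crypto map rtp
!
! minimum ppp-in needs for the tunnel itself (ACL not shown in the thread; assumed here)
ip access-list extended ppp-in
 permit udp host yyy.yyy.yyy.1 host xxx.xxx.xxx.129 eq isakmp
 permit esp host yyy.yyy.yyy.1 host xxx.xxx.xxx.129
!
! 115: what to encrypt, the mirror image of Router 2's 115 (/25 from .128 => wildcard 0.0.0.127)
access-list 115 permit ip 10.10.10.128 0.0.0.127 10.10.20.0 0.0.0.255
! 110: what NOT to translate (the same LAN-to-LAN flows); everything else goes to the ISP pool
access-list 110 deny   ip 10.10.10.128 0.0.0.127 10.10.20.0 0.0.0.255
access-list 110 permit ip 10.10.10.128 0.0.0.127 any
route-map nonat permit 10
 match ip address 110
!
ip nat pool ISPNATPool xxx.xxx.xxx.129 xxx.xxx.xxx.255 netmask 255.255.255.128
ip nat inside source route-map nonat pool ISPNATPool
! static entries are exempted too, or NAT rewrites their source before the crypto check
ip nat inside source static 10.10.10.130 xxx.xxx.xxx.130 route-map nonat
ip nat inside source static 10.10.10.131 xxx.xxx.xxx.131 route-map nonat
ip route 0.0.0.0 0.0.0.0 Dialer1

! ===== Router 2: public yyy.yyy.yyy.1/25, LAN renumbered to 10.10.20.0/24 (assumed) =====
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key THE_CRYPTO_KEY address xxx.xxx.xxx.129
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer xxx.xxx.xxx.129
 set transform-set rtpset
 match address 115
!
interface Ethernet0
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address yyy.yyy.yyy.1 255.255.255.128
 ip access-group ppp-in in
 ip nat outside
 crypto map rtp
!
ip access-list extended ppp-in
 permit udp host xxx.xxx.xxx.129 host yyy.yyy.yyy.1 eq isakmp
 permit esp host xxx.xxx.xxx.129 host yyy.yyy.yyy.1
!
access-list 115 permit ip 10.10.20.0 0.0.0.255 10.10.10.128 0.0.0.127
access-list 110 deny   ip 10.10.20.0 0.0.0.255 10.10.10.128 0.0.0.127
access-list 110 permit ip 10.10.20.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
!
ip nat pool ISPNATPool yyy.yyy.yyy.1 yyy.yyy.yyy.127 netmask 255.255.255.128
! the posted "source list 18" is replaced by the route-map so the exemption applies here too
ip nat inside source route-map nonat pool ISPNATPool
ip nat inside source static 10.10.20.2 yyy.yyy.yyy.2 route-map nonat
ip nat inside source static 10.10.20.3 yyy.yyy.yyy.3 route-map nonat
ip nat inside source static 10.10.20.4 yyy.yyy.yyy.4 route-map nonat
ip route 0.0.0.0 0.0.0.0 Dialer1
```

The pre-shared key is bound to the peer's public address on both sides, so if either ISP changes a Dialer1 address the key statement, the set peer line and the ppp-in entries all have to follow it; with a single crypto map entry per side there is nothing else to keep in sync.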
 

Tom McFarlane
04-23-2004
Hi,

I sorted that problem; it was a mistake in the host mask, and I just missed
out the bit in the config where I added the crypto map to the dialer
interface, but it still isn't working. It just doesn't make the
connection between the two routers, and the packets just get forwarded
out via the default route instead of through the tunnel...

Any help would be appreciated

Thanks

Tom.


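A troubleshooting checklist for the symptom in the post above, added here as an example and not taken from the thread. One point first: a crypto map does not alter routing. Packets for the remote LAN are routed out Dialer1 via the default route whether or not the tunnel works, and the crypto map bound to Dialer1 then decides whether to encrypt them on the way out, so seeing them follow the default route is not by itself the fault. What separates a working tunnel from a broken one is whether the crypto ACL matches the traffic and whether the ISAKMP and IPsec SAs come up, and the commands below expose exactly that. The command names and the quoted counter and state names are IOS's own; the peer address is the thread's placeholder and 10.10.20.2 is a hypothetical host on the remote LAN. The one-line source option on ping depends on the image; on older ones use the interactive extended ping to set the source address.

```cisco
! 1. Is the crypto map actually bound to the outside interface?
show crypto map
!    expect a line "Interfaces using crypto map rtp: Dialer1" on both routers

! 2. Does the crypto ACL see the traffic?  Source the test from the LAN side, not from
!    the Dialer1 address, because only LAN sources are in ACL 115.
ping 10.10.20.2 source Ethernet0
show access-lists 115
!    the permit entry's "(N matches)" counter must increase; if it stays at 0 the packet
!    never matched: wrong wildcard, source rewritten by NAT before the crypto check, or
!    the traffic is simply not what the ACL describes

! 3. Did phase 1 (ISAKMP) complete?
show crypto isakmp sa
!    state QM_IDLE = good.  MM_NO_STATE or MM_KEY_EXCH that never progresses = pre-shared
!    key or policy mismatch, or UDP 500 from the peer dropped by the inbound ACL on Dialer1

! 4. Did phase 2 (IPsec) complete, and is traffic flowing in both directions?
show crypto ipsec sa peer yyy.yyy.yyy.1
!    "#pkts encaps" rising while "#pkts decaps" stays at 0 = the far side is not sending
!    back (its ACL 115 is not the mirror image of ours, or ESP / IP protocol 50 is dropped
!    inbound).  Both at 0 = nothing ever matched the crypto ACL; go back to step 2.

! 5. Watch the negotiation live (noisy; clear it when done)
debug crypto isakmp
debug crypto ipsec
clear crypto isakmp
clear crypto sa
! ... retry the ping from step 2, read the output, then:
undebug all
```

Work the steps in order: each one only means something if the previous one passed, and step 2 is where a NAT-before-crypto problem shows up (the ACL counter never moves even though the SAs may negotiate fine when traffic is sourced from the router itself).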
 