Velocity Reviews - Computer Hardware Reviews
Velocity Reviews > Newsgroups > Computing > Cisco > "indirect" ipsec
"indirect" ipsec

dt1649651@yahoo.com
05-19-2005
My router has two interfaces A (external) and B (internal). No NAT and
no firewall are defined.

IPSecVPN is defined on interface A.

If I establish a VPN connection to A from the outside (from the
Internet), it works.

If I establish a VPN connection to A from a PC that connects to
interface B, then the connection fails.

Am I missing something, or is this a "feature"?


Thanks for your advice,

DT

Grand Styolz
05-19-2005
Please show your router configuration so it is easier for us to help
you.

dt1649651@yahoo.com
05-19-2005
Grand Styolz wrote:
> Please show your router configuration so it is easier for us to help
> you.


Below is my configuration; the real IP is replaced by a.b.c.d, and the
gateway by a.b.c.e.

IPSec is defined on FA 0/0.

If my PC connects from another place and makes a VPN connection to FA 0/0, it
works (in other words, the connection does not go inside the router
before getting to FA 0/0).

If my PC connects to Vlan3 (FA 0/0/2) and makes the VPN connection to
FA 0/0 (through FA 0/0/2), it fails right at phase 1.

Thanks,
DT


Current configuration : 3247 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname mycomp
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 $1$W3fW$SaRjH9VDU3jv0
enable password 7 03154C225C4B

username user1 privilege 15 secret 5 $1$fu$Dv0UXBS8dxORejwshWtTN/
username user2 privilege 0 password 7 12440A0209
username user3 privilege 0 password 7 001A0B52570E12
username user4 password 7 104A060A1D00A

no network-clock-participate aim 0
no network-clock-participate aim 1

aaa new-model
aaa authentication login default local
aaa authentication login myvpn local
aaa authorization network mygroup local
aaa session-id common
ip subnet-zero
ip cef
no ip domain lookup
ip ssh authentication-retries 4
ip ips po max-events 100
no ftp-server write-enable

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group myvpnclient
 key aa2oo5
 dns 192.168.249.1
 wins 192.168.249.1
 domain mycomp.com
 pool vpnippool
 acl 108

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset

crypto map clientmap client authentication list myvpn
crypto map clientmap isakmp authorization list mygroup
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address a.b.c.d 255.255.255.224
 duplex auto
 speed auto
 crypto map clientmap

interface FastEthernet0/1
 ip address 192.168.249.4 255.255.255.0
 duplex auto
 speed auto
 crypto map clientmap

interface FastEthernet0/0/0
 no ip address

interface FastEthernet0/0/1
 switchport access vlan 2
 no ip address

interface FastEthernet0/0/2
 switchport access vlan 3
 no ip address

interface FastEthernet0/0/3
 switchport access vlan 4
 no ip address

interface Vlan1
 no ip address
interface Vlan2
 no ip address
interface Vlan3
 ip address 192.168.253.4 255.255.255.0
interface Vlan4
 ip address 192.168.235.2 255.255.255.0

ip local pool vpnippool 14.1.1.1 14.1.1.20

ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.e
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
access-list 101 permit ahp any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 102 permit ip any any
access-list 108 permit ip 192.168.235.0 0.0.0.255 14.1.1.0 0.0.0.255
control-plane
line con 0
 password 7 111816AQ1A03401C01
 speed 38400
line aux 0
 exec-timeout 0 0
 password 7 11A80EYU0340081C01
 modem InOut
 modem autoconfigure type usr_courier
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 0
 transport input ssh
scheduler allocate 20000 1000

Walter Roberson
05-19-2005
In article <(E-Mail Removed)>, dt1649651@yahoo.com wrote:
:My router has two interfaces A ( external ) and B ( internal ). No nat,
:no firewall is defined.

:If I establish a VPN connection to A from a PC that connects to
:interface B , then the connection fails.

:Do I miss something or this is a "feature" ?

I don't know about IOS, but on the Cisco PIX it would be a feature.

On the PIX, IPSec is performed -after- routing -- after it has
already decided which interface it is going to send the packet out.
The choice of interfaces is determined by normal routing rules.

Thus, if the IP address assigned to the PC by the VPN lives outside,
and there is a packet destined to that proxied address for the PC,
then the PIX would say "Sure there's an IPSec tunnel here covering
that destination, but that tunnel would require that I send the
IPSec to the inside and I've already decided to send it to the
outside, so no-go!" And if the IP address assigned to the PC
by the VPN link lives inside, then any packet to that IP
would be routed first to the inside interface that doesn't have
an IPSec tunnel attached to it, so the packet wouldn't make it
into the tunnel.


If I understand correctly, under IOS if you want the same target IP
for inside and outside VPNs, you have to define the VPN on a loopback
interface; loopback interfaces can be routed to by both inside and
outside.
--
Would you buy a used bit from this man??
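The loopback approach Walter describes, written out as an added IOS configuration example (this is not the poster's configuration and not something from the thread). It assumes a Loopback0 with the placeholder address 192.0.2.1/32, and it relies on the IOS command `crypto map <name> local-address <interface>`, which makes the existing map `clientmap` source its IKE and IPsec traffic from the loopback address. The map is then applied on the outside interface and on the internal VLAN the PC sits on, so the crypto check succeeds whichever interface routing picks.

```cisco
! Added example, not the poster's running config.
! 192.0.2.1 is a constructed placeholder; for Internet clients the
! loopback must carry an address that is actually routed to this router.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Terminate IKE/IPsec for clientmap on the loopback address instead of
! on the address of whichever physical interface the packet arrives on.
crypto map clientmap local-address Loopback0
!
! With a local-address set, the same map may be applied on several
! interfaces; it must be present on every interface the VPN traffic
! transits, inside and outside alike.
interface FastEthernet0/0
 crypto map clientmap
!
interface Vlan3
 crypto map clientmap
```

Both outside and inside clients then point at 192.0.2.1 rather than at the FA 0/0 address. To confirm it is working, `show crypto isakmp sa` should show the inside PC's phase 1 SA with 192.0.2.1 as the local address, and `show crypto map` lists the interfaces the map is now attached to.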