Cisco 837 IPSEC Linksys WAG54g

Discussion in 'Cisco' started by Systematic, Jul 11, 2005.

  1. Systematic

    Systematic Guest

    Has anyone successfully managed to set up an IPSEC tunnel with a Cisco
    router and Linksys WAG54g?

    As I have managed to establish an actual tunnel but nothing will route
    between the networks. Can't ping machines at either end.

    Any ideas ?
     
    Systematic, Jul 11, 2005
    #1

  2. Uli Link

    Uli Link Guest

    Systematic wrote:

    > Has anyone successfully managed to set up an IPSEC tunnel with a Cisco
    > router and Linksys WAG54g?


    Not a Linksys WAG54g, but Allnet 1294VPN and Netgear FVS318 and Safenet
    Softremote IPsec client (and other Cisco IOS routers)
    Don't have a 837, but a 836 instead ;-)

    > As I have managed to establish an actual tunnel but nothing will route
    > between the networks. Can't ping machines at either end.
    > Any ideas?


    Yes. But there are many traps with FW, NAT, ACLs and the routing table.
    Describe your setup a little closer.

    --
    Uli
     
    Uli Link, Jul 11, 2005
    #2

  3. Systematic

    Systematic Guest

    Well, I have a Cisco 837 at one end of the connection on 192.168.0.0, with NAT
    running on the internal range.

    Other end has Linksys WAG54g 192.168.1.0 also with NAT.

    I can see the tunnel establish under the connections screen on the Linksys
    and also when debugging on the Cisco router.

    But when trying to ping either end I just get no replies from either end.

    Do you have an example of a configuration you have got working successfully?

    Thanks
    Matt

    "Uli Link" <> wrote in message
    news:42d2959e$0$20127$-online.net...
    > Systematic wrote:
    >
    >> Has anyone successfully managed to set up an IPSEC tunnel with a Cisco
    >> router and Linksys WAG54g?
    >
    > Not a Linksys WAG54g, but Allnet 1294VPN and Netgear FVS318 and Safenet
    > Softremote IPsec client (and other Cisco IOS routers)
    > Don't have a 837, but a 836 instead ;-)
    >
    >> As I have managed to establish an actual tunnel but nothing will route
    >> between the networks. Can't ping machines at either end.
    >> Any ideas?
    >
    > Yes. But there are many traps with FW, NAT, ACLs and the routing table.
    > Describe your setup a little closer.
    >
    > --
    > Uli
    >
     
    Systematic, Jul 11, 2005
    #3
  4. Uli Link

    Uli Link Guest

    Systematic wrote:

    > Well, I have a Cisco 837 at one end of the connection on 192.168.0.0, with NAT
    > running on the internal range.
    >
    > Other end has Linksys WAG54g 192.168.1.0 also with NAT.


    So you have to exclude traffic from 192.168.0.0/24 to 192.168.1.0/24 from
    being NATted.


    > I can see the tunnel establish under the connections screen on the Linksys
    > and also when debugging on the Cisco router.


    What do you mean by "see tunnel establish"?
    You'll need one SA for the IKE and two SAs for the dataflow in each
    direction.

    > But when trying to ping either end I just get no replies from either end.
    >


    When using ping from exec of the Cisco you'll need to specify
    "ping tag 192.168.1.1 source Ethernet0"

    > Do you have an example of a configuration you have got working successfully


    The following works for me with dynamic IPs on both sides.
    It is easier when you restrict by known WAN IP address, or at least a
    range of addresses, for the preshared key.
    3DES-SHA1 with PFS/DH group 2.

    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp key YourPreSharedKey address 0.0.0.0 0.0.0.0 no-xauth
    !
    crypto isakmp identity hostname
    !
    crypto ipsec transform-set tfs-3des esp-3des esp-sha-hmac
    !
    crypto identity id-list-100
     description FQDN-OF-REMOTE-SITE
     fqdn yourremote-fqdn.domainname.dom
    !
    crypto map your_cmap_1 10 ipsec-isakmp
     description YOUR-IPSEC-TUNNEL
     set peer yourremote-fqdn.domainname.dom dynamic
     set security-association lifetime kilobytes 256000
     set security-association lifetime seconds 28800
     set transform-set tfs-3des
     set pfs group2
     set identity id-list-100
     match address 120
     reverse-route
    !
    interface Dialer 0
     crypto map your_cmap_1
    !
    ip nat inside source route-map NAT_ROUTEMAP interface Dialer0 overload
    !
    route-map NAT_ROUTEMAP permit 1
     match ip address 102
    !
    access-list 102 remark First exclude IPsec Tunnel from natting
    access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 remark Now the traffic being natted
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 deny ip any any
    !
    access-list 120 remark Traffic matching will be protected
    access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    !

    If it won't work with the Linksys, try using MD5 instead of SHA1 and
    perhaps turning off PFS. If you want AES instead of 3DES you'll need to
    turn off hardware encryption.

    --
    Uli
     
    Uli Link, Jul 11, 2005
    #4
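The NAT trap Uli describes above (tunnel traffic that is still matched by the NAT route-map's ACL gets translated before the crypto map ever sees it, so the tunnel comes up but nothing answers) is easy to check mechanically from the configuration text. The script below is an added example, not part of the thread and not Cisco's or Uli's code: it parses extended IP access-lists in the form used in the posted config (wildcard masks, `any`, `host`), applies IOS first-match-wins semantics with the implicit deny, and reports any flow permitted by the crypto map's `match address` ACL that the NAT ACL would also permit. The two config fragments are constructed from the post; the second one deliberately omits the NAT-exemption deny line.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the working config from the post.
GOOD_CONFIG = """
crypto map your_cmap_1 10 ipsec-isakmp
 match address 120
route-map NAT_ROUTEMAP permit 1
 match ip address 102
access-list 102 remark First exclude IPsec Tunnel from natting
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark Now the traffic being natted
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Constructed sample: same config with the NAT-exemption deny line forgotten.
BAD_CONFIG = """
crypto map your_cmap_1 10 ipsec-isakmp
 match address 120
route-map NAT_ROUTEMAP permit 1
 match ip address 102
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Only 'ip' entries of numbered extended ACLs are handled; remarks are skipped.
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.*)$")


def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wild = tokens[0], tokens[1]
    # IOS wildcard bits are the inverse of a netmask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, src_network, dst_network), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        num, action, rest = m.groups()
        src, tokens = _parse_addr(rest.split())
        dst, _ = _parse_addr(tokens)
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def first_match(entries, src, dst):
    """IOS ACL evaluation: first matching entry wins, implicit deny at the end."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"


def crypto_acl_number(config):
    m = re.search(r"^\s*match address (\d+)", config, re.M)
    return m.group(1) if m else None


def nat_acl_number(config):
    m = re.search(r"^\s*match ip address (\d+)", config, re.M)
    return m.group(1) if m else None


def nat_decision(config, src_ip, dst_ip):
    """'permit' means the NAT route-map would translate this flow, 'deny' means it is exempt."""
    nat = parse_acls(config).get(nat_acl_number(config), [])
    return first_match(nat, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip))


def check_nat_exemption(config):
    """List every crypto-ACL protected flow that the NAT ACL would still translate."""
    acls = parse_acls(config)
    crypto = acls.get(crypto_acl_number(config), [])
    nat = acls.get(nat_acl_number(config), [])
    findings = []
    for action, src, dst in crypto:
        if action != "permit":
            continue
        # Probe with the first usable host on each side of the protected flow.
        probe_src = src.network_address + (1 if src.prefixlen < 31 else 0)
        probe_dst = dst.network_address + (1 if dst.prefixlen < 31 else 0)
        if first_match(nat, probe_src, probe_dst) == "permit":
            findings.append(
                f"{src} -> {dst} is selected by the crypto ACL but the NAT ACL "
                f"permits it: it will be translated before the crypto map sees it"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_nat_exemption(cfg) or "NAT exemption is consistent with the crypto ACL")
```

The check is deliberately one-directional: it only proves that the flows the crypto map is supposed to protect escape translation, which is the specific trap in this thread. Uli's other traps (firewall rules, the routing table, and the second pair of IPsec SAs) are not visible from the ACLs alone and still need `show crypto ipsec sa` and a source-specified ping, as he describes.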
