ip routing with ipsec

Discussion in 'Cisco' started by svaneck@hotmail.com, May 10, 2004.

  1. Guest

    I have set up an IPSEC connection with a client company. It is cisco
    router to cisco pix. I am running c2600-advsecurityk9-mz.123-1a.bin
The crypto key, transform-set and map work fine. I cannot get the
IPSEC to fire off with the correct IP range, though.
    I have match address 121 in my crypto map. If I have

    access-list 121 permit ip 10.2.5.0 0.0.0.255 10.33.34.0 0.0.0.255
    access-list 121 permit icmp 10.2.5.0 0.0.0.255 10.33.34.0 0.0.0.255

    and try to ping 10.33.34.10, IPSEC is not activated and the ping goes
    out my default gateway. Yet if I add

    access-list 121 permit ip 10.2.5.0 0.0.0.255 192.168.54.0 0.0.0.255
    access-list 121 permit icmp 10.2.5.0 0.0.0.255 192.168.54.0 0.0.0.255

    and ping 192.168.54.10, it activates IPSEC. The ping fails, because
    they have no ip in that range.
    There is no 10.0.0.0/8 in the routing table, the closest is
    10.0.0.0/24
    Any ideas would be appreciated.
    Thanks,
    Steve
     
svaneck@hotmail.com, May 10, 2004
    #1

  2. In article <>,
    <> wrote:
    :I have set up an IPSEC connection with a client company. It is cisco
    :router to cisco pix. I am running c2600-advsecurityk9-mz.123-1a.bin
    :The crypto key, transform-set and map work fine. I cannot get the
    :ipsec to fire off with the correct ip range tho.
    :I have match address 121 in my crypto map. If I have

    :access-list 121 permit ip 10.2.5.0 0.0.0.255 10.33.34.0 0.0.0.255
    :access-list 121 permit icmp 10.2.5.0 0.0.0.255 10.33.34.0 0.0.0.255

    :and try to ping 10.33.34.10, IPSEC is not activated and the ping goes
    :out my default gateway.

    I do not know what the difficulty is, but I would point out that icmp
    is a subset of ip, so the second line is redundant after the first.

    What I would check would be the ACL on your interface. Packets must
    survive any interface ACL before they are considered for IPSec.
    (Though on the PIX, there is a command, sysopt connection permit-ipsec
    that allows ipsec packets to bypass interface ACL checking.)
    --
    WW{Backus,Church,Dijkstra,Knuth,Hollerith,Turing,vonNeumann}D ?
     
    Walter Roberson, May 10, 2004
    #2
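The reply above makes two points worth checking mechanically: whether the crypto ACL actually matches the flow you are testing (wildcard-mask matching, first entry wins), and that the icmp lines are shadowed by the ip lines before them. The following is an added example, not code from either poster or from Cisco: it parses the access-list 121 lines quoted in the thread, evaluates them the way IOS does for crypto-map "match address" (a 1 bit in the wildcard means "don't care", first match wins, implicit deny at the end), and reports which entries can never be hit. The source address 10.2.5.10 used for the pings is an assumption; the thread only gives the 10.2.5.0/24 range.

```python
"""Evaluate Cisco-style extended ACL entries against a flow.

Added example, not from the thread. Implements IOS wildcard-mask matching
and first-match semantics, then runs the poster's access-list 121 against
the two pings discussed. Source host 10.2.5.10 is an assumed address inside
the 10.2.5.0/24 range quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "icmp", "tcp", "udp", ...
    src: int      # source network as a 32-bit integer
    src_wc: int   # source wildcard mask (1 bits are ignored)
    dst: int
    dst_wc: int


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit|deny PROTO SRC SRC_WC DST DST_WC'."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list":
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    _, _num, action, proto, src, src_wc, dst, dst_wc = tok
    return AclEntry(action, proto, _ip(src), _ip(src_wc), _ip(dst), _ip(dst_wc))


def wildcard_match(addr: int, net: int, wc: int) -> bool:
    """True when addr equals net on every bit the wildcard does not ignore."""
    return (addr & ~wc & MASK32) == (net & ~wc & MASK32)


def first_match(acl: List[AclEntry], proto: str, src: str, dst: str) -> Optional[AclEntry]:
    """First entry matching the flow, or None for the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if wildcard_match(s, e.src, e.src_wc) and wildcard_match(d, e.dst, e.dst_wc):
            return e
    return None


def is_interesting(acl: List[AclEntry], proto: str, src: str, dst: str) -> bool:
    """Would this flow select the crypto map entry (i.e. hit a permit)?"""
    m = first_match(acl, proto, src, dst)
    return m is not None and m.action == "permit"


def _covers(net_a: int, wc_a: int, net_b: int, wc_b: int) -> bool:
    # a covers b when every address matching b also matches a: b fixes at
    # least the bits a fixes, and agrees with a on those bits.
    return (wc_b & ~wc_a & MASK32) == 0 and wildcard_match(net_b, net_a, wc_a)


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries an earlier entry already matches completely."""
    out = []
    for i, e in enumerate(acl):
        for p in acl[:i]:
            if (p.proto in ("ip", e.proto)
                    and _covers(p.src, p.src_wc, e.src, e.src_wc)
                    and _covers(p.dst, p.dst_wc, e.dst, e.dst_wc)):
                out.append(i)
                break
    return out


# The four lines quoted in the thread, in the order they were listed.
ACL_121 = [parse_acl_line(l) for l in [
    "access-list 121 permit ip 10.2.5.0 0.0.0.255 10.33.34.0 0.0.0.255",
    "access-list 121 permit icmp 10.2.5.0 0.0.0.255 10.33.34.0 0.0.0.255",
    "access-list 121 permit ip 10.2.5.0 0.0.0.255 192.168.54.0 0.0.0.255",
    "access-list 121 permit icmp 10.2.5.0 0.0.0.255 192.168.54.0 0.0.0.255",
]]

if __name__ == "__main__":
    for dst in ("10.33.34.10", "192.168.54.10", "8.8.8.8"):
        print(dst, "interesting:", is_interesting(ACL_121, "icmp", "10.2.5.10", dst))
    print("shadowed entries:", shadowed_entries(ACL_121))
```

Both pings match the ACL as written (the first on entry 0, not the icmp line), so the ACL itself is not the reason 10.33.34.10 goes out unencrypted; the shadowed list confirms that the two icmp lines never fire. That leaves the things outside the crypto ACL, such as the interface ACL the reply mentions, to look at.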
