ipsec problem

Discussion in 'Cisco' started by Tom McFarlane, Apr 22, 2004.

  1. Hi,

    I'm trying to tunnel a connection between 2 routers and having
    problems with it; they are both Cisco 827's.

    The tunnel just does not work, it doesn't route the IPs through it.

    I have the relevant output from both routers, with the IP
    addresses replaced with x's and y's:

    Router 1 (xxx.xxx.xxx.129/25)

    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key THE_CRYPTO_KEY address yyy.yyy.yyy.1
    !
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    !
    crypto map rtp 1 ipsec-isakmp
    set peer yyy.yyy.yyy.1
    set transform-set rtpset
    match address 115
    !
    !
    !
    interface Ethernet0
    ip address 10.10.10.129 255.255.255.128
    ip nat inside
    ip inspect myfw in
    ip inspect myfw out
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface Dialer1
    ip address xxx.xxx.xxx.129 255.255.255.128
    ip access-group ppp-in in
    ip nat outside
    ip inspect myfw in
    ip inspect myfw out
    !
    ip nat pool ISPNATPool xxx.xxx.xxx.129 xxx.xxx.xxx.255 netmask 255.255.255.128
    ip nat inside source static 10.10.10.129 interface Dialer1
    ip nat inside source route-map nonat pool ISPNATPool
    ip nat inside source static 10.10.10.130 xxx.xxx.xxx.130
    ip nat inside source static 10.10.10.131 xxx.xxx.xxx.131

    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    !
    access-list 110 deny ip 10.10.10.0 0.0.0.128 10.10.10.0 0.0.0.128
    access-list 110 permit ip 10.10.10.0 0.0.0.128 any
    access-list 115 permit ip 10.10.10.0 0.0.0.128 10.10.10.0 0.0.0.128
    !
    route-map nonat permit 10
    match ip address 110



    And... Router 2 (yyy.yyy.yyy.1/25)
    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key THE_CRYPTO_KEY address xxx.xxx.xxx.129
    !
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    !
    crypto map rtp 1 ipsec-isakmp
    set peer xxx.xxx.xxx.129
    set transform-set rtpset
    match address 115
    !
    !
    !
    interface Ethernet0
    ip address 10.10.10.1 255.255.255.0
    ip access-group 105 out
    ip nat inside
    ip inspect myfw in
    ip inspect myfw out
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface Dialer1
    ip address yyy.yyy.yyy.1 255.255.255.128
    ip access-group ppp-in in
    ip nat outside
    !
    ip nat pool ISPNATPool yyy.yyy.yyy.1 yyy.yyy.yyy.127 netmask 255.255.255.128
    ip nat inside source list 18 pool ISPNATPool
    ip nat inside source static 10.10.10.1 interface Dialer1
    ip nat inside source static 10.10.10.2 yyy.yyy.yyy.2
    ip nat inside source static 10.10.10.3 yyy.yyy.yyy.3
    ip nat inside source static 10.10.10.4 yyy.yyy.yyy.4
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    !
    access-list 110 deny ip 10.10.10.0 0.0.0.128 10.10.10.0 0.0.0.128
    access-list 110 permit ip 10.10.10.0 0.0.0.128 any
    access-list 115 permit ip 10.10.10.0 0.0.0.128 10.10.10.0 0.0.0.128
    !
    route-map nonat permit 10
    match ip address 110


    Thanks In Advance

    Tom
    Tom McFarlane, Apr 22, 2004
    #1

  2. Wil Schultz (Guest)

    At least some of your problems are that you are using the same address range
    on both sides. Also, add your crypto maps to your dialer interfaces.

    Wil
    my 2¢
    "When everything seems to be going well, you have obviously overlooked
    something."

    Wil Schultz, Apr 22, 2004
    #2

  3. Hi,

    I sorted that problem; it was a mistake in the host mask, and I just missed
    out the bit in the config where I added the crypto map to the dialer
    interface, but it still isn't working. It just doesn't make the
    connection between the two routers and the packets just get forwarded
    out via the default route instead of through the tunnel...

    Any help would be appreciated

    Thanks

    Tom.

    Tom McFarlane, Apr 23, 2004
    #3
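    Added example (not from the thread or from Cisco): a Python checker that reads an IOS config and flags the three mistakes this thread turns on: a crypto map defined but never applied to an interface, a non-contiguous wildcard such as 0.0.0.128 (which matches only the .0 and .128 hosts rather than the /25, the "hostmask" mistake Tom mentions), and a crypto ACL with the same subnet at both ends. The embedded config is the relevant excerpt of Router 1 as posted; the function names and message texts are my own.

```python
import ipaddress

# Constructed excerpt of Router 1's config as posted (masked addresses kept).
ROUTER1 = """\
crypto map rtp 1 ipsec-isakmp
 match address 115
interface Dialer1
 ip nat outside
access-list 115 permit ip 10.10.10.0 0.0.0.128 10.10.10.0 0.0.0.128
"""

def wildcard_net(addr, wild):
    """Cisco address/wildcard -> (network, True), or (None, False) if non-contiguous."""
    w = int(ipaddress.IPv4Address(wild))
    if w & (w + 1):                 # 0.0.0.128 = 1000 0000b: matches only .0 and .128
        return None, False
    return ipaddress.ip_network(f"{addr}/{33 - (w + 1).bit_length()}", strict=False), True

def acl_spec(tokens):
    """Consume one ACL address spec ('any' or 'A WILDCARD'); return it and the rest."""
    if tokens[0] == "any":
        return wildcard_net("0.0.0.0", "255.255.255.255"), tokens[1:]
    return wildcard_net(tokens[0], tokens[1]), tokens[2:]

def check_ipsec(config):
    """Findings: crypto map never applied, bad wildcard, same subnet at both ends."""
    acls, maps, applied, cur = {}, {}, set(), None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[:2] == ["crypto", "map"] and len(t) > 3:
            cur = t[2]                        # start of a crypto map definition
        elif t[0] == "interface":
            cur = None
        elif t[:2] == ["match", "address"] and cur:
            maps[cur] = t[2]                  # crypto ACL selecting interesting traffic
        elif t[:2] == ["crypto", "map"] and len(t) == 3:
            applied.add(t[2])                 # crypto map attached inside an interface
        elif t[0] == "access-list" and t[3:4] == ["ip"]:
            src, rest = acl_spec(t[4:])
            acls.setdefault(t[1], []).append((t[2], src, acl_spec(rest)[0]))
    findings = []
    for name, acl in maps.items():
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
        for action, (snet, sok), (dnet, dok) in acls.get(acl, []):
            if action == "permit" and not (sok and dok):
                findings.append(f"ACL {acl}: non-contiguous wildcard, check the mask")
            elif action == "permit" and snet == dnet:
                findings.append(f"ACL {acl}: {snet} on both sides, peers need distinct subnets")
    return findings
```

    Run against the posted config it reports the unapplied crypto map and the 0.0.0.128 wildcard; with the wildcard corrected to 0.0.0.127 and the map applied, it still reports the identical subnet at both ends, which is Wil's first point.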
