IPSEC problem

Discussion in 'Cisco' started by kevin@dominet.com, Mar 14, 2006.

  1. Guest

    I have a Cisco 3640 with an internal interface (192.168.0.1) and
    external interface (a.b.c.d). Everything on the internal is NAT to the
    external with overload. I have an IPSEC tunnel setup between the
    external and another router. The inside of the other router has ip of
    10.0.0.1. Everything works great. Any machine on the internal network
    can ping a machine on the remote network (192.168.0.x to 10.0.0.x).
    Now, I add another internal interface to the 3640 (192.168.1.1). Set up
    the NAT with overload just like the first internal interface.
    Everything works great. Any machine on the second internal can see the
    internet, but they cannot access 10.0.0.x !
    My question is, can two internal interfaces access the same IPSEC
    tunnel ?

    When I do a SHOW IPSEC CRYPTO SA I get this
    local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.0.9.0/255.255.255.0/0/0)

    There is never a local ident with 192.168.1.0 for the second interface.
    When I ping from the second interface I get this debug error
    34867: 21:43:56: IP: s=192.168.1.43 (FastEthernet1/0), d=10.0.0.1
    (Loopback0), g=1.1.1.3, len 60, forward
    34868: 21:43:56: ICMP type=8, code=0

    34869: 21:43:56: IP: s=192.168.1.43 (Loopback0), d=10.0.0.1
    (FastEthernet1/1), len 60, crypto map check failed.
    34870: 21:43:56: ICMP type=8, code=0

    Anybody have a solution ?
     
    , Mar 14, 2006
    #1

  2. In article <>,
    <> wrote:
    >I have a Cisco 3640 with an internal interface (192.168.0.1) and

    >My question is, can two internal interfaces access the same IPSEC
    >tunnel ?

    Yes.

    >When I do a SHOW IPSEC CRYPTO SA I get this
    > local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    > remote ident (addr/mask/prot/port): (10.0.9.0/255.255.255.0/0/0)

    >There is never a local ident with 192.168.1.0 for the second interface.

    Did you add 192.168.1/24 to the access list that defines the
    tunnels? Does the other end permit 192.168.1/24 ?

    Note that if you add 192.168.1/24 to the ACL, then the two interfaces
    would use different Security Associations (SA), so in that sense
    they would not be accessing "the same" IPSec tunnel.

    If, however, you were to change the ACL on both ends to be
    192.168.0/23 then that would cover 192.168.0/24 and 192.168.1/24
    within a single ACL entry, and that would involve only a single
    Security Association.

    Each "permit" entry in the crypto map ACL triggers a distinct
    Security Association when traffic is encountered that matches that
    entry. [That is why it is important to use the same ACL entry structure
    on both sides of the IPSec tunnel: if you were to use different
    ACL entries that happened to match the same traffic, then the two ends
    would know the traffic under different Security Associations and
    That Would Be Bad (TM).]
     
    Walter Roberson, Mar 14, 2006
    #2
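The behaviour Walter describes (each crypto ACL permit entry is a proxy identity that gets its own SA, a flow that matches no entry fails the crypto map check, and the peer's ACL has to be the mirror image) can be checked offline before touching a router. The script below is an added example written for this thread, not code from the thread or from Cisco; it models a crypto ACL as a list of source/destination network pairs with first-match semantics and ignores protocol and port (the `/0/0` part of the ident), which is an assumption made to keep the model small. The addresses are the ones from the original post, and the "stale remote" ACL is a constructed scenario showing what the mirror check catches when only one end is changed to /23.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class CryptoAclEntry:
    """One 'permit ip <src> <dst>' line of a crypto map ACL (IP-only model)."""
    src: IPv4Net
    dst: IPv4Net


def entry(src: str, dst: str) -> CryptoAclEntry:
    return CryptoAclEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst))


def match_entry(acl: List[CryptoAclEntry], src_ip: str, dst_ip: str) -> Optional[CryptoAclEntry]:
    """First permit entry covering the flow, or None: a None is what the
    router reports as 'crypto map check failed' in the debug output."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return e
    return None


def proxy_identity(e: CryptoAclEntry) -> Tuple[str, str]:
    """Local/remote ident as 'show crypto ipsec sa' would print them (addr/mask)."""
    return (f"{e.src.network_address}/{e.src.netmask}",
            f"{e.dst.network_address}/{e.dst.netmask}")


def sa_count(acl: List[CryptoAclEntry], flows: List[Tuple[str, str]]) -> int:
    """Number of distinct SAs the given flows would negotiate: one per matched entry."""
    return len({match_entry(acl, s, d) for s, d in flows} - {None})


def mirror_mismatches(local_acl, remote_acl):
    """Entries on each side that have no exact mirror (src/dst swapped) on the other.
    Any hit here means the two ends would describe the same traffic with different
    proxy identities, the situation Walter warns about."""
    remote_mirrors = {CryptoAclEntry(e.dst, e.src) for e in remote_acl}
    local_mirrors = {CryptoAclEntry(e.dst, e.src) for e in local_acl}
    missing_on_remote = [e for e in local_acl if e not in remote_mirrors]
    missing_on_local = [e for e in remote_acl if e not in local_mirrors]
    return missing_on_remote, missing_on_local


# Scenarios built from the thread (constructed test data).
FLOWS = [("192.168.0.5", "10.0.0.1"), ("192.168.1.43", "10.0.0.1")]
ORIGINAL_ACL = [entry("192.168.0.0/24", "10.0.0.0/24")]            # what the OP started with
TWO_ENTRY_ACL = ORIGINAL_ACL + [entry("192.168.1.0/24", "10.0.0.0/24")]  # second permit line
SUPERNET_ACL = [entry("192.168.0.0/23", "10.0.0.0/24")]            # the /23 fix
REMOTE_STALE = [entry("10.0.0.0/24", "192.168.0.0/24")]            # peer not yet updated
REMOTE_FIXED = [entry("10.0.0.0/24", "192.168.0.0/23")]            # peer mirrored to /23


def main() -> None:
    for name, acl in (("original", ORIGINAL_ACL), ("two entries", TWO_ENTRY_ACL),
                      ("/23 supernet", SUPERNET_ACL)):
        for s, d in FLOWS:
            e = match_entry(acl, s, d)
            print(f"[{name}] {s} -> {d}: "
                  + ("crypto map check failed" if e is None else f"ident {proxy_identity(e)}"))
        print(f"[{name}] SAs needed for these flows: {sa_count(acl, FLOWS)}")
    print("mirror mismatches vs stale peer:", mirror_mismatches(SUPERNET_ACL, REMOTE_STALE))
    print("mirror mismatches vs fixed peer:", mirror_mismatches(SUPERNET_ACL, REMOTE_FIXED))


if __name__ == "__main__":
    main()
```

Running it shows the three states of the thread in order: with the original ACL the 192.168.1.43 flow has no proxy identity and fails the check; adding a second permit line makes it pass but costs a second SA; the single /23 entry carries both subnets under one SA. The mirror check is the part worth keeping in a change checklist: after the OP changed the remote end to /23 but before the local end agreed, both ACLs would still "work" for some traffic while describing it under different identities.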

  3. Guest

    Thanx a bunch!
    Duh, stupid me. I changed the remote router to 192.168.0/23 and it
    worked.
    Thanx again.
     
    , Mar 14, 2006
    #3