VPN between Cisco 837 (static IP) and Soho 97 (dynamic IP)

Discussion in 'Cisco' started by Anthony, May 15, 2004.

  1. Anthony

    Anthony Guest

    All,

    I have been pulling my hair out for two weeks now.

    I have a Cisco 837 that has a static IP and a Soho 97 with a dynamic
    IP. I am trying to get the Soho 97 to initiate an IPSEC tunnel to the
    837, but I'm having no success.

    I can't get the Soho 97 to initiate the tunnel, no matter what I do.
    I have tried almost every single example on the Cisco website.
    Running a debug on both the Cisco boxes shows absolutely no
    IPSEC/ISAKMP debug info. It appears that the Soho 97 just isn't
    sending any IPSEC/ISAKMP packets out.

    Does anyone know if this should work? i.e. can the Soho 97 initiate an
    IPSEC tunnel? or can the Soho 97 only terminate an IPSEC tunnel?

    Thanks,

    Anthony
     
    Anthony, May 15, 2004
    #1

  2. Anthony

    jt Guest

    Post the relevant cfg's.


    "Anthony" <> schrieb im Newsbeitrag
    news:...
    > All,
    >
    > I have been pulling my hair out for two weeks now.
    >
    > I have a Cisco 837 that has a static IP and a Soho 97 with a dynamic
    > IP. I am trying to get the Soho 97 to initiate an IPSEC tunnel to the
    > 837, but I'm having no success.
    >
    > I can't get the Soho 97 to initiate the tunnel, no matter what I do.
    > I have tried almost every single example on the Cisco website.
    > Running a debug on both the Cisco boxes shows absolutely no
    > IPSEC/ISAKMP debug info. It appears that the Soho 97 just isn't
    > sending any IPSEC/ISAKMP packets out.
    >
    > Does anyone know if this should work? i.e. can the Soho 97 initiate an
    > IPSEC tunnel? or can the Soho 97 only terminate an IPSEC tunnel?
    >
    > Thanks,
    >
    > Anthony
     
    jt, May 15, 2004
    #2

  3. Anthony

    Anthony Guest

    jt,

    Here are the last configs I tried. I have also included a 'show
    version' from each box:

    Thanks - Anthony


    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Cisco 837 Config:
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    cisco837#show runn
    Building configuration...

    Current configuration : 2436 bytes
    !
    ! No configuration change since last restart
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname cisco837
    !
    enable secret 5 xxx
    enable password 7 xxx
    !
    username xxxx password 7 xxxx
    no aaa new-model
    ip subnet-zero
    !
    !
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
    !
    crypto dynamic-map rtpmap 10
    set transform-set rtpset
    match address 115
    !
    !
    !
    crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer0
    ip address negotiated <--- picks up static IP (call it 1.1.1.1)
    ip nat outside
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp chap hostname xxxx
    ppp chap password 7 xxxx
    ppp ipcp dns request
    ppp ipcp wins request
    crypto map rtptrans
    !
    ip nat inside source list 101 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    no ip http secure-server
    !
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 115 deny ip 192.168.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    !
    scheduler max-task-time 5000
    !
    end





    '''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Cisco 837 show version
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''

    cisco837>show ver
    Cisco Internetwork Operating System Software
    IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    Synched to technology version 12.3(1.6)T
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 25-Sep-03 10:33 by ealyon
    Image text-base: 0x800131E8, data-base: 0x80B928E0

    ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
    ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

    cisco837 uptime is 1 week, 5 days, 15 hours, 21 minutes
    System returned to ROM by reload at 23:00:00 UTC Mon May 3 2004
    System image file is "flash:c837-k9o3y6-mz.123-2.XC.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are
    unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email
    to
    .

    CISCO C837 (MPC857DSL) processor (revision 0x400) with 44237K/4915K
    bytes of memory.
    Processor board ID AMB080403CZ (3726239585), with hardware revision
    0000
    CPU rev number 7
    Bridging software.
    1 Ethernet/IEEE 802.3 interface(s)
    4 FastEthernet/IEEE 802.3 interface(s)
    1 ATM network interface(s)
    128K bytes of non-volatile configuration memory.
    12288K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)

    Configuration register is 0x2102







    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Cisco soho 97 Config:
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    show runn
    Building configuration...

    Current configuration : 1967 bytes
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname cisco-soho97
    !
    enable secret 5 xxx
    !
    username xxx password 7 xxx
    ip subnet-zero
    no ip domain lookup
    ip dhcp excluded-address 192.168.100.1
    !
    ip dhcp pool CLIENT
    import all
    network 192.168.100.0 255.255.255.0
    default-router 192.168.100.1
    lease 0 2
    !
    !
    no aaa new-model
    !
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    crypto isakmp key 0 cisco123 address 1.1.1.1 <--- 1.1.1.1 = Static IP of Cisco 837
    !
    !
    crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
    !
    crypto map rtp 1 ipsec-isakmp
    set peer 1.1.1.1 <--- 1.1.1.1 = Static IP of Cisco 837
    set transform-set rtpset
    match address 115
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.100.1 255.255.255.0
    hold-queue 100 out
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface Dialer0
    ip address negotiated previous
    ip nat outside
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp chap hostname xxx
    ppp chap password 7 xxx
    ppp ipcp dns request
    ppp ipcp wins request
    crypto map rtp
    !
    ip nat inside source list 101 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    no ip http secure-server
    !
    access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 115 deny ip 192.168.100.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    !
    scheduler max-task-time 5000
    !
    end

    cisco-soho97#




    ''''''''''''''''''''''''''''''''''''''''''''''''
    Cisco soho 97 'show version'
    ''''''''''''''''''''''''''''''''''''''''''''''''

    show ver
    Cisco Internetwork Operating System Software
    IOS (tm) SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY
    DEPLOYMENT RELEASE SOFTWARE (fc1)
    Synched to technology version 12.3(1.6)T
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 25-Sep-03 11:28 by ealyon
    Image text-base: 0x800131C0, data-base: 0x80965578

    ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
    ROM: SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY
    DEPLOYMENT RELEASE SOFTWARE (fc1)

    router2 uptime is 3 days, 14 hours, 39 minutes
    System returned to ROM by reload
    System image file is "flash:soho97-k9oy1-mz.123-2.XC.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are
    unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email
    to
    .

    CISCO SOHO97 (MPC857DSL) processor (revision 0x400) with 29492K/3276K
    bytes of memory.
    Processor board ID AMB08080K53 (3051406853), with hardware revision
    0000
    CPU rev number 7
    Bridging software.
    1 Ethernet/IEEE 802.3 interface(s)
    1 ATM network interface(s)
    128K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)

    Configuration register is 0x2102


    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''



    "jt" <> wrote in message news:<40a631ef$0$1861$-online.net>...
    > Post the relevant cfg's.
    >
    >
    > "Anthony" <> schrieb im Newsbeitrag
    > news:...
    > > All,
    > >
    > > I have been pulling my hair out for two weeks now.
    > >
    > > I have a Cisco 837 that has a static IP and a Soho 97 with a dynamic
    > > IP. I am trying to get the Soho 97 to initiate an IPSEC tunnel to the
    > > 837, but I'm having no success.
    > >
    > > I can't get the Soho 97 to initiate the tunnel, no matter what I do.
    > > I have tried almost every single example on the Cisco website.
    > > Running a debug on both the Cisco boxes shows absolutely no
    > > IPSEC/ISAKMP debug info. It appears that the Soho 97 just isn't
    > > sending any IPSEC/ISAKMP packets out.
    > >
    > > Does anyone know if this should work? i.e. can the Soho 97 initiate an
    > > IPSEC tunnel? or can the Soho 97 only terminate an IPSEC tunnel?
    > >
    > > Thanks,
    > >
    > > Anthony
     
    Anthony, May 16, 2004
    #3
  4. Anthony

    jt Guest

    will respond tonight, I need to dig through this.


    "Anthony" <> schrieb im Newsbeitrag
    news:...
    > jt,
    >
    > Here are the last configs I tried. I have also included a 'show
    > version' from each box:
    >
    > Thanks - Anthony
    >
    >
    > '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    > Cisco 837 Config:
    > '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    >
    > cisco837#show runn
    > Building configuration...
    >
    > Current configuration : 2436 bytes
    > !
    > ! No configuration change since last restart
    > !
    > version 12.3
    > no service pad
    > service timestamps debug uptime
    > service timestamps log uptime
    > service password-encryption
    > !
    > hostname cisco837
    > !
    > enable secret 5 xxx
    > enable password 7 xxx
    > !
    > username xxxx password 7 xxxx
    > no aaa new-model
    > ip subnet-zero
    > !
    > !
    > ip audit notify log
    > ip audit po max-events 100
    > no ftp-server write-enable
    > !
    > !
    > !
    > !
    > crypto isakmp policy 1
    > encr 3des
    > hash md5
    > authentication pre-share
    > crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
    > !
    > !
    > crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
    > !
    > crypto dynamic-map rtpmap 10
    > set transform-set rtpset
    > match address 115
    > !
    > !
    > !
    > crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
    > !
    > !
    > !
    > !
    > interface Ethernet0
    > ip address 192.168.0.1 255.255.255.0
    > ip nat inside
    > hold-queue 100 out
    > !
    > interface ATM0
    > no ip address
    > no atm ilmi-keepalive
    > pvc 0/38
    > encapsulation aal5mux ppp dialer
    > dialer pool-member 1
    > !
    > dsl operating-mode auto
    > !
    > interface FastEthernet1
    > no ip address
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet2
    > no ip address
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet3
    > no ip address
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet4
    > no ip address
    > duplex auto
    > speed auto
    > !
    > interface Dialer0
    > ip address negotiated <--- picks up static IP (call it 1.1.1.1)
    > ip nat outside
    > encapsulation ppp
    > dialer pool 1
    > ppp authentication chap callin
    > ppp chap hostname xxxx
    > ppp chap password 7 xxxx
    > ppp ipcp dns request
    > ppp ipcp wins request
    > crypto map rtptrans
    > !
    > ip nat inside source list 101 interface Dialer0 overload
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Dialer0
    > ip http server
    > no ip http secure-server
    > !
    > access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    > access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    > access-list 115 deny ip 192.168.0.0 0.0.0.255 any
    > dialer-list 1 protocol ip permit
    > !
    > line con 0
    > exec-timeout 120 0
    > no modem enable
    > stopbits 1
    > line aux 0
    > line vty 0 4
    > access-class 23 in
    > exec-timeout 120 0
    > login local
    > length 0
    > !
    > scheduler max-task-time 5000
    > !
    > end
    >
    >
    >
    >
    >
    > '''''''''''''''''''''''''''''''''''''''''''''''''''''''
    > Cisco 837 show version
    > '''''''''''''''''''''''''''''''''''''''''''''''''''''''
    >
    > cisco837>show ver
    > Cisco Internetwork Operating System Software
    > IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    > Synched to technology version 12.3(1.6)T
    > TAC Support: http://www.cisco.com/tac
    > Copyright (c) 1986-2003 by cisco Systems, Inc.
    > Compiled Thu 25-Sep-03 10:33 by ealyon
    > Image text-base: 0x800131E8, data-base: 0x80B928E0
    >
    > ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
    > ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    >
    > cisco837 uptime is 1 week, 5 days, 15 hours, 21 minutes
    > System returned to ROM by reload at 23:00:00 UTC Mon May 3 2004
    > System image file is "flash:c837-k9o3y6-mz.123-2.XC.bin"
    >
    >
    > This product contains cryptographic features and is subject to United
    > States and local country laws governing import, export, transfer and
    > use. Delivery of Cisco cryptographic products does not imply
    > third-party authority to import, export, distribute or use encryption.
    > Importers, exporters, distributors and users are responsible for
    > compliance with U.S. and local country laws. By using this product you
    > agree to comply with applicable laws and regulations. If you are
    > unable
    > to comply with U.S. and local laws, return this product immediately.
    >
    > A summary of U.S. laws governing Cisco cryptographic products may be
    > found at:
    > http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    >
    > If you require further assistance please contact us by sending email
    > to
    > .
    >
    > CISCO C837 (MPC857DSL) processor (revision 0x400) with 44237K/4915K
    > bytes of memory.
    > Processor board ID AMB080403CZ (3726239585), with hardware revision
    > 0000
    > CPU rev number 7
    > Bridging software.
    > 1 Ethernet/IEEE 802.3 interface(s)
    > 4 FastEthernet/IEEE 802.3 interface(s)
    > 1 ATM network interface(s)
    > 128K bytes of non-volatile configuration memory.
    > 12288K bytes of processor board System flash (Read/Write)
    > 2048K bytes of processor board Web flash (Read/Write)
    >
    > Configuration register is 0x2102
    >
    >
    >
    >
    >
    >
    >
    > '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    > Cisco soho 97 Config:
    > '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    > show runn
    > Building configuration...
    >
    > Current configuration : 1967 bytes
    > !
    > version 12.3
    > no service pad
    > service timestamps debug uptime
    > service timestamps log uptime
    > service password-encryption
    > !
    > hostname cisco-soho97
    > !
    > enable secret 5 xxx
    > !
    > username xxx password 7 xxx
    > ip subnet-zero
    > no ip domain lookup
    > ip dhcp excluded-address 192.168.100.1
    > !
    > ip dhcp pool CLIENT
    > import all
    > network 192.168.100.0 255.255.255.0
    > default-router 192.168.100.1
    > lease 0 2
    > !
    > !
    > no aaa new-model
    > !
    > !
    > !
    > !
    > crypto isakmp policy 1
    > encr 3des
    > hash md5
    > authentication pre-share
    > crypto isakmp key 0 cisco123 address 1.1.1.1 <--- 1.1.1.1 = Static IP of Cisco 837
    > !
    > !
    > crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
    > !
    > crypto map rtp 1 ipsec-isakmp
    > set peer 1.1.1.1 <--- 1.1.1.1 = Static IP of Cisco 837
    > set transform-set rtpset
    > match address 115
    > !
    > !
    > !
    > !
    > interface Ethernet0
    > ip address 192.168.100.1 255.255.255.0
    > hold-queue 100 out
    > !
    > !
    > interface ATM0
    > no ip address
    > no atm ilmi-keepalive
    > pvc 0/38
    > encapsulation aal5mux ppp dialer
    > dialer pool-member 1
    > !
    > dsl operating-mode auto
    > !
    > interface Dialer0
    > ip address negotiated previous
    > ip nat outside
    > encapsulation ppp
    > dialer pool 1
    > ppp authentication chap callin
    > ppp chap hostname xxx
    > ppp chap password 7 xxx
    > ppp ipcp dns request
    > ppp ipcp wins request
    > crypto map rtp
    > !
    > ip nat inside source list 101 interface Dialer0 overload
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Dialer0
    > ip http server
    > no ip http secure-server
    > !
    > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    > access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
    > access-list 115 deny ip 192.168.100.0 0.0.0.255 any
    > dialer-list 1 protocol ip permit
    > !
    > line con 0
    > exec-timeout 120 0
    > no modem enable
    > stopbits 1
    > line aux 0
    > line vty 0 4
    > access-class 23 in
    > exec-timeout 120 0
    > login local
    > !
    > scheduler max-task-time 5000
    > !
    > end
    >
    > cisco-soho97#
    >
    >
    >
    >
    > ''''''''''''''''''''''''''''''''''''''''''''''''
    > Cisco soho 97 'show version'
    > ''''''''''''''''''''''''''''''''''''''''''''''''
    >
    > show ver
    > Cisco Internetwork Operating System Software
    > IOS (tm) SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY
    > DEPLOYMENT RELEASE SOFTWARE (fc1)
    > Synched to technology version 12.3(1.6)T
    > TAC Support: http://www.cisco.com/tac
    > Copyright (c) 1986-2003 by cisco Systems, Inc.
    > Compiled Thu 25-Sep-03 11:28 by ealyon
    > Image text-base: 0x800131C0, data-base: 0x80965578
    >
    > ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
    > ROM: SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY
    > DEPLOYMENT RELEASE SOFTWARE (fc1)
    >
    > router2 uptime is 3 days, 14 hours, 39 minutes
    > System returned to ROM by reload
    > System image file is "flash:soho97-k9oy1-mz.123-2.XC.bin"
    >
    >
    > This product contains cryptographic features and is subject to United
    > States and local country laws governing import, export, transfer and
    > use. Delivery of Cisco cryptographic products does not imply
    > third-party authority to import, export, distribute or use encryption.
    > Importers, exporters, distributors and users are responsible for
    > compliance with U.S. and local country laws. By using this product you
    > agree to comply with applicable laws and regulations. If you are
    > unable
    > to comply with U.S. and local laws, return this product immediately.
    >
    > A summary of U.S. laws governing Cisco cryptographic products may be
    > found at:
    > http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    >
    > If you require further assistance please contact us by sending email
    > to
    > .
    >
    > CISCO SOHO97 (MPC857DSL) processor (revision 0x400) with 29492K/3276K
    > bytes of memory.
    > Processor board ID AMB08080K53 (3051406853), with hardware revision
    > 0000
    > CPU rev number 7
    > Bridging software.
    > 1 Ethernet/IEEE 802.3 interface(s)
    > 1 ATM network interface(s)
    > 128K bytes of non-volatile configuration memory.
    > 8192K bytes of processor board System flash (Read/Write)
    > 2048K bytes of processor board Web flash (Read/Write)
    >
    > Configuration register is 0x2102
    >
    >
    > '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    >
    >
    >
    > "jt" <> wrote in message

    news:<40a631ef$0$1861$-online.net>...
    > > Post the relevant cfg's.
    > >
    > >
    > > "Anthony" <> schrieb im Newsbeitrag
    > > news:...
    > > > All,
    > > >
    > > > I have been pulling my hair out for two weeks now.
    > > >
    > > > I have a Cisco 837 that has a static IP and a Soho 97 with a dynamic
    > > > IP. I am trying to get the Soho 97 to initiate an IPSEC tunnel to the
    > > > 837, but I'm having no success.
    > > >
    > > > I can't get the Soho 97 to initiate the tunnel, no matter what I do.
    > > > I have tried almost every single example on the Cisco website.
    > > > Running a debug on both the Cisco boxes shows absolutely no
    > > > IPSEC/ISAKMP debug info. It appears that the Soho 97 just isn't
    > > > sending any IPSEC/ISAKMP packets out.
    > > >
    > > > Does anyone know if this should work? i.e. can the Soho 97 initiate an
    > > > IPSEC tunnel? or can the Soho 97 only terminate an IPSEC tunnel?
    > > >
    > > > Thanks,
    > > >
    > > > Anthony
     
    jt, May 16, 2004
    #4
  5. Anthony

    jt Guest

    Good evening Anthony,
    -----------------------------------------------

    I guess we can shrink it down to a phase 1 problem when you say that NO
    debug output is displayed.
    I could shrink it down to an ACL problem, I think

    General rule is to :

    First exclude ( DENY ) the LOCAL traffic ** to ** remote from NAT
    Second PERMIT local traffic to ANY remote.

    I saw you have CBAC in place on the receiving side - I cannot guarantee
    that this is true, but CBAC ( ip audit... )
    drops incoming traffic from outside if not triggered from inside. PIX has
    the "sysopt permit-ipsec" - command
    while IOS hasn't, you should disable CBAC in this case.

    OK, so here we go. To avoid confusion, I have supplied the modified parts
    in a commented form,
    please insert only the blocks below, the rest of your config was entirely
    OK.

    Hope this helps to get you started. Please give me some feedback
    and debug isakmp.


    Daniel


    ############## Soho 97 on .100 /24
    #############################################

    This box is to initiate the connection to 837.

    !
    crypto map rtp 1 ipsec-isakmp
    set peer 1.1.1.1
    set transform-set rtpset
    match address 115
    !
    ! See the commented ACLs below !
    !
    !
    interface Dialer0
    ip address negotiated previous
    ip nat outside
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp chap hostname xxx
    ppp chap password 7 xxx
    ppp ipcp dns request
    ppp ipcp wins request
    crypto map rtp
    !
    ip nat inside source list 101 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    no ip http secure-server
    !
    access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    !
    access-list 115 permit ip 192.168.100.0 0.0.0.255 any
    !
    ! Modified ACLs !!!
    ! List 101 shovels everything via NAT on the WAN link.
    ! Therefore we must exclude ( deny ) NAT to remote ** first ** to comply with NAT exclusion statement on 837.
    ! These packets are referred to in ACL 115 for later ipSEC use.
    ! Thereafter we permit NAT on packets ( not ) intended for ipSEC via 115 that is also used as dialer bait.
    !



    ################ 837 ############################

    Cisco 837 Configuration Script.
    This box should accept incoming ipSEC
    connections from any box configured to connect to it.


    CBAC ( "ip Audit..." ) is removed as this may cause
    potential interference with ipSEC. CBAC permits
    inbound connections of any kind only if these were
    triggered from inside. Because the 837 is triggered from
    outside CBAC will most probably drop the traffic.

    crypto isakmp enable ( added to have IKE explicitly turned on )

    access-list 101 permit ip any any
    ! Added / modified bait for the WAN dialer. If matched, dialout occurs.

    access-list 115 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 115 permit ip 192.168.0.0 0.0.0.255 any

    ! Bait for ipSEC. First row for protection, second for exclusion.
     
    jt, May 16, 2004
    #5
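The ordering rule Daniel gives above (deny local-to-remote from the NAT list first, then permit everything else) can be checked without a router. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the two extended ACLs on the Soho 97. It assumes the classic IOS order of operations for inside-to-outside traffic, in which NAT translation runs before the crypto map is consulted, so a packet that ACL 101 translates is compared against crypto ACL 115 with its already-rewritten source address. The Soho's public address is dynamic and not given in the thread, so `203.0.113.7` is a constructed placeholder; the deny line from Daniel's post is used with its source wildcard mask (`0.0.0.255`) supplied.

```python
# Added example (not from the thread): a first-match model of the two ACLs on the
# Soho 97, showing why NAT-exclusion ordering decides whether IPsec ever starts.
# Assumption: for inside-to-outside traffic IOS applies NAT before the crypto map
# check, so a packet translated by ACL 101 is matched against crypto ACL 115 with
# its *translated* source address.
import ipaddress
from dataclasses import dataclass


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    src: int
    src_wild: int   # Cisco wildcard: 1 bits are "don't care"
    dst: int
    dst_wild: int

    def matches(self, src_ip: int, dst_ip: int) -> bool:
        # Compare only the bits where the wildcard is 0.
        src_ok = ((src_ip ^ self.src) & ~self.src_wild & 0xFFFFFFFF) == 0
        dst_ok = ((dst_ip ^ self.dst) & ~self.dst_wild & 0xFFFFFFFF) == 0
        return src_ok and dst_ok


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _to_int(tokens[1]), 0, tokens[2:]
    return _to_int(tokens[0]), _to_int(tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines in the order written."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, src_w, rest = _parse_addr(tok[4:])
        dst, dst_w, _ = _parse_addr(rest)
        entries.append(AclEntry(tok[2], src, src_w, dst, dst_w))
    return entries


def acl_permits(entries, src_ip: int, dst_ip: int) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if e.matches(src_ip, dst_ip):
            return e.action == "permit"
    return False


def egress(src: str, dst: str, nat_acl, crypto_acl, wan_ip: str) -> dict:
    """Decide what happens to one inside-to-outside packet on the Soho 97."""
    s, d = _to_int(src), _to_int(dst)
    natted = acl_permits(nat_acl, s, d)
    if natted:
        s = _to_int(wan_ip)  # overload NAT rewrites the source to the Dialer0 address
    # The crypto map sees the packet only after NAT has run.
    return {"natted": natted, "ipsec": acl_permits(crypto_acl, s, d)}


# Constructed sample data. The Soho's public address is dynamic and not in the
# thread; 203.0.113.7 is a documentation-range placeholder.
SOHO_WAN_IP = "203.0.113.7"

# Anthony's original NAT list: every inside host is translated, remote subnet included.
ORIGINAL_NAT_ACL = parse_acl([
    "access-list 101 permit ip 192.168.100.0 0.0.0.255 any",
])
# Daniel's corrected list (source wildcard on the deny line supplied here):
# exclude local-to-remote from NAT first, then permit everything else.
FIXED_NAT_ACL = parse_acl([
    "access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 101 permit ip 192.168.100.0 0.0.0.255 any",
])
# Anthony's crypto ACL 115, unchanged: only local-to-remote traffic is "interesting".
CRYPTO_ACL = parse_acl([
    "access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 115 deny ip 192.168.100.0 0.0.0.255 any",
])

if __name__ == "__main__":
    for label, nat in (("original", ORIGINAL_NAT_ACL), ("fixed", FIXED_NAT_ACL)):
        print(label, "LAN->remote:",
              egress("192.168.100.10", "192.168.0.10", nat, CRYPTO_ACL, SOHO_WAN_IP))
        print(label, "LAN->internet:",
              egress("192.168.100.10", "198.51.100.5", nat, CRYPTO_ACL, SOHO_WAN_IP))
```

With the original NAT list, a packet from 192.168.100.10 to 192.168.0.10 is translated to the WAN address before the crypto map looks at it, so it no longer matches ACL 115, nothing is marked for encryption, and the Soho never sends the first ISAKMP packet; this is consistent with the empty `debug crypto isakmp` output Anthony describes. With the deny entry placed first, the same packet bypasses NAT, matches ACL 115 with its real source, and triggers IKE; ordinary internet-bound traffic is still translated and never touches the tunnel.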
  6. Anthony

    Anthony Guest

    Thanks Daniel,

    Your suggestions look promising.

    I will be testing the updated configs within the next couple of days.

    I'll post my results as soon as I have completed the testing.

    Thanks again,

    Anthony




    "jt" <> wrote in message news:<40a7b9b1$0$26349$-online.net>...
    > Good evening Anthony,
    > -----------------------------------------------
    >
    > I guess we can shrink it down to a phase 1 problem when you say that NO
    > debug output is displayed.
    > I could shrink it down to an ACL problem, I think
    >
    > General rule is to :
    >
    > First exclude ( DENY ) the LOCAL traffic ** to ** remote from NAT
    > Second PERMIT local traffic to ANY remote.
    >
    > I saw you have CBAC in place on the receiving side - I cannot guarantee
    > that this is true, but CBAC ( ip audit... )
    > drops incoming traffic from outside if not triggered from inside. PIX has
    > the "sysopt permit-ipsec" - command
    > while IOS hasn't, you should disable CBAC in this case.
    >
    > OK, so here we go. To avoid confusion, I have supplied the modified parts
    > in a commented form,
    > please insert only the blocks below, the rest of your config was entirely
    > OK.
    >
    > Hope this helps to get you started. Please give me some feedback
    > and debug isakmp.
    >
    >
    > Daniel
    >
    >
    > ############## Soho 97 on .100 /24
    > #############################################
    >
    > This box is to initiate the connection to 837.
    >
    > !
    > crypto map rtp 1 ipsec-isakmp
    > set peer 1.1.1.1
    > set transform-set rtpset
    > match address 115
    > !
    > ! See the commented ACLs below !
    > !
    > !
    > interface Dialer0
    > ip address negotiated previous
    > ip nat outside
    > encapsulation ppp
    > dialer pool 1
    > ppp authentication chap callin
    > ppp chap hostname xxx
    > ppp chap password 7 xxx
    > ppp ipcp dns request
    > ppp ipcp wins request
    > crypto map rtp
    > !
    > ip nat inside source list 101 interface Dialer0 overload
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Dialer0
    > ip http server
    > no ip http secure-server
    > !
    > access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
    > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    > !
    > access-list 115 permit ip 192.168.100.0 0.0.0.255 any
    > !
    > ! Modified ACLs !!!
    > ! List 101 shovels everything via NAT on the WAN link.
    > ! Therefore we must exclude ( deny ) NAT to remote ** first ** to comply with NAT exclusion statement on 837.
    > ! These packets are referred to in ACL 115 for later ipSEC use.
    > ! Thereafter we permit NAT on packets ( not ) intended for ipSEC via 115 that is also used as dialer bait.
    > !
    >
    >
    >
    > ################ 837 ############################
    >
    > Cisco 837 Configuration Script.
    > This box should accept incoming ipSEC
    > connections from any box configured to connect to it.
    >
    >
    > CBAC ( "ip Audit..." ) is removed as this may cause
    > potential interference with ipSEC. CBAC permits
    > inbound connections of any kind only if these were
    > triggered from inside. Because the 837 is triggered from
    > outside CBAC will most probably drop the traffic.
    >
    > crypto isakmp enable ( added to have IKE explicitly turned on )
    >
    > access-list 101 permit ip any any
    > ! Added / modified bait for the WAN dialer. If matched, dialout occurs.
    >
    > access-list 115 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    > access-list 115 permit ip 192.168.0.0 0.0.0.255 any
    >
    > ! Bait for ipSEC. First row for protection, second for exclusion.
     
    Anthony, May 17, 2004
    #6
  7. Anthony

    Anthony Guest

    Thanks Daniel,

    Your suggestions look promising.

    I will be testing the updated configs within the next couple of days.

    I'll post my results as soon as I have completed the testing.

    Thanks again,

    Anthony




    "jt" <> wrote in message news:<40a7b9b1$0$26349$-online.net>...
    > Good evening Anthony,
    > -----------------------------------------------
    >
    > I guess we can shrink it down to a phase 1 problem when you say that NO
    > debug output is displayed.
    > I could shrink it down to an ACL problem, I think
    >
    > General rule is to :
    >
    > First exclude ( DENY ) the LOCAL traffic ** to ** remote from NAT
    > Second PERMIT local traffic to ANY remote.
    >
    > I saw you have CBAC in place on the receiving side - I cannot guarantee
    > that this is true, but CBAC ( ip audit... )
    > drops incoming traffic from outside if not triggered from inside. PIX has
    > the "sysopt permit-ipsec" - command
    > while IOS hasn't, you should disable CBAC in this case.
    >
    > OK, so here we go. To avoid confusion, I have supplied the modified parts
    > in a commented form,
    > please insert only the blocks below, the rest of your config was entirely
    > OK.
    >
    > Hope this helps to get you started. Please give me some feedback
    > and debug isakmp.
    >
    >
    > Daniel
    >
    >
    > ############## Soho 97 on .100 /24
    > #############################################
    >
    > This box is to initiate the connection to 837.
    >
    > !
    > crypto map rtp 1 ipsec-isakmp
    > set peer 1.1.1.1
    > set transform-set rtpset
    > match address 115
    > !
    > ! See the commented ACLs below !
    > !
    > !
    > interface Dialer0
    > ip address negotiated previous
    > ip nat outside
    > encapsulation ppp
    > dialer pool 1
    > ppp authentication chap callin
    > ppp chap hostname xxx
    > ppp chap password 7 xxx
    > ppp ipcp dns request
    > ppp ipcp wins request
    > crypto map rtp
    > !
    > ip nat inside source list 101 interface Dialer0 overload
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Dialer0
    > ip http server
    > no ip http secure-server
    > !
    > access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
    > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    > !
    > access-list 115 permit ip 192.168.100.0 0.0.0.255 any
    > !
    > ! Modified ACLs !!!
    > ! List 101 shovels everything via NAT on the WAN link.
    > ! Therefore we must exclude ( deny ) NAT to remote ** first ** to comply with NAT exclusion statement on 837.
    > ! These packets are referred to in ACL 115 for later ipSEC use.
    > ! Thereafter we permit NAT on packets ( not ) intended for ipSEC via 115 that is also used as dialer bait.
    > !
    >
    >
    >
    > ################ 837 ############################
    >
    > Cisco 837 Configuration Script.
    > This box should accept incoming ipSEC
    > connections from any box configured to connect to it.
    >
    >
    > CBAC ( "ip Audit..." ) is removed as this may cause
    > potential interference with ipSEC. CBAC permits
    > inbound connections of any kind only if these were
    > triggered from inside. Because the 837 is triggered from
    > outside CBAC will most probably drop the traffic.
    >
    > crypto isakmp enable ( added to have IKE explicitly turned on )
    >
    > access-list 101 permit ip any any
    > ! Added / modified bait for the WAN dialer. If matched, dialout occurs.
    >
    > access-list 115 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    > access-list 115 permit ip 192.168.0.0 0.0.0.255 any
    >
    > ! Bait for ipSEC. First row for protection, second for exclusion.
     
    Anthony, May 17, 2004
    #7
  8. Anthony

    jt Guest

    Have a hairbrush handy whilst testing :)))


    "Anthony" <> schrieb im Newsbeitrag
    news:...
    > Thanks Daniel,
    >
    > Your suggestions look promising.
    >
    > I will be testing the updated configs within the next couple of days.
    >
    > I'll post my results as soon as I have completed the testing.
    >
    > Thanks again,
    >
    > Anthony
    >
    >
    >
    >
    > "jt" <> wrote in message news:<40a7b9b1$0$26349$-online.net>...
    > > Good evening Anthony,
    > > -----------------------------------------------
    > >
    > > I guess we can shrink it down to a phase 1 problem when you say that NO
    > > debug output is displayed.
    > > I could shrink it down to an ACL problem, I think
    > >
    > > General rule is to :
    > >
    > > First exclude ( DENY ) the LOCAL traffic ** to ** remote from NAT
    > > Second PERMIT local traffic to ANY remote.
    > >
    > > I saw you have CBAC in place on the receiving side - I cannot guarantee
    > > that this is true, but CBAC ( ip audit... )
    > > drops incoming traffic from outside if not triggered from inside. PIX has
    > > the "sysopt permit-ipsec" - command
    > > while IOS hasn't, you should disable CBAC in this case.
    > >
    > > OK, so here we go. To avoid confusion, I have supplied the modified parts
    > > in a commented form,
    > > please insert only the blocks below, the rest of your config was entirely
    > > OK.
    > >
    > > Hope this helps to get you started. Please give me some feedback
    > > and debug isakmp.
    > >
    > >
    > > Daniel
    > >
    > >
    > > ############## Soho 97 on .100 /24
    > > #############################################
    > >
    > > This box is to initiate the connection to 837.
    > >
    > > !
    > > crypto map rtp 1 ipsec-isakmp
    > > set peer 1.1.1.1
    > > set transform-set rtpset
    > > match address 115
    > > !
    > > ! See the commented ACLs below !
    > > !
    > > !
    > > interface Dialer0
    > > ip address negotiated previous
    > > ip nat outside
    > > encapsulation ppp
    > > dialer pool 1
    > > ppp authentication chap callin
    > > ppp chap hostname xxx
    > > ppp chap password 7 xxx
    > > ppp ipcp dns request
    > > ppp ipcp wins request
    > > crypto map rtp
    > > !
    > > ip nat inside source list 101 interface Dialer0 overload
    > > ip classless
    > > ip route 0.0.0.0 0.0.0.0 Dialer0
    > > ip http server
    > > no ip http secure-server
    > > !
    > > access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
    > > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    > > !
    > > access-list 115 permit ip 192.168.100.0 0.0.0.255 any
    > > !
    > > ! Modified ACLs !!!
    > > ! List 101 shovels everything via NAT on the WAN link.
    > > ! Therefore we must exclude ( deny ) NAT to remote ** first ** to comply with NAT exclusion statement on 837.
    > > ! These packets are referred to in ACL 115 for later ipSEC use.
    > > ! Thereafter we permit NAT on packets ( not ) intended for ipSEC via 115 that is also used as dialer bait.
    > > !
    > >
    > >
    > >
    > > ################ 837 ############################
    > >
    > > Cisco 837 Configuration Script.
    > > This box should accept incoming ipSEC
    > > connections from any box configured to connect to it.
    > >
    > >
    > > CBAC ( "ip Audit..." ) is removed as this may cause
    > > potential interference with ipSEC. CBAC permits
    > > inbound connections of any kind only if these were
    > > triggered from inside. Because the 837 is triggered from
    > > outside CBAC will most probably drop the traffic.
    > >
    > > crypto isakmp enable ( added to have IKE explicitly turned on )
    > >
    > > access-list 101 permit ip any any
    > > ! Added / modified bait for the WAN dialer. If matched, dialout occurs.
    > >
    > > access-list 115 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    > > access-list 115 permit ip 192.168.0.0 0.0.0.255 any
    > >
    > > ! Bait for ipSEC. First row for protection, second for exclusion.
     
    jt, May 17, 2004
    #8