topic what is reason for not working even phase 1 of the vpn? in Network Security

what is reason for not working even phase 1 of the vpn?

ronakpa — Mon, 11 Mar 2019 23:45:49 GMT

i have router 3845 and then it's connected with pix and then its connected with vpn tunnel to the customer router. i am here trying to make vpn connectivity for devices. so on router i did static nat statements 10.124.90.124 10.200.200.1. this type of six statements i wrote for six devices. on the pix i did

isakmp key ******** address 208.39.107.230 netmask 255.255.255.255

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

crypto map outside_map 60 ipsec-isakmp

crypto map outside_map 60 match address outside_cryptomap_60

crypto map outside_map 60 set peer 208.39.107.230

crypto map outside_map 60 set transform-set ESP-3DES-SHA-1

i have one question that i need to use physical subnet or nat subnet for crypto map acl?

and also on the customer router which subnet they can use as well nat sunet or my router physical subnet?

what is reason for not working even phase 1 of the vpn?

Julio Carvajal — Thu, 23 Aug 2012 18:27:06 GMT

Hello Ronald,

I might not understand your question but let me try to answer this for you:

On the crypto ACL you will set the traffic that needs to be encrypted ( in this case the LOCAL area networks of each side)

Now remember that you need to exclude this traffic on each side to being natted ( so it should not get translated if its goes inside the tunnel unless desired)

Regards,

Rate the helpful posts

what is reason for not working even phase 1 of the vpn?

ronakpa — Thu, 23 Aug 2012 18:33:58 GMT

my 3845 router physical ip is 192.133.193.242 and subnet /29

so i have to make cryto map acl on my pix

access-list name permit ip 10.200.200.0/24 216.46.255.0/26 or

access-list name permit ip 192.133.193.242/29 216.46.255.0/26

i want to know also same for customer side.

what is reason for not working even phase 1 of the vpn?

Julio Carvajal — Thu, 23 Aug 2012 18:37:59 GMT

Hello Ronak,

Please check the following diagram

192.168.12.0/24---Router----4.0.0.0-------ISP---------80.80.80.0---ASA------192.168.100.0/24

So the Crypto ACL on the router should be

ip access-list extended crypto_acl

permit ip 192.168.12.0 0.0.0.255 192.168.100.0 0.0.0.255

On the ASA

access-list crypto_acl permit ip 192.168.100.0 0.0.0.255 192.168.12.0 0.0.0.255

I hope this helps,

Rate all the helpful posts

what is reason for not working even phase 1 of the vpn?

ronakpa — Thu, 23 Aug 2012 18:52:11 GMT

my router is directly connected with pix

what is reason for not working even phase 1 of the vpn?

Julio Carvajal — Thu, 23 Aug 2012 19:17:56 GMT

Hello Ronak,

It should be the same but just in case can you set up a diagram,

Regards,

Julio

what is reason for not working even phase 1 of the vpn?

ronakpa — Thu, 23 Aug 2012 19:22:33 GMT

router-pix-internet-customer router

tunnel is terminating on pix.

what is reason for not working even phase 1 of the vpn?

Julio Carvajal — Thu, 23 Aug 2012 19:26:09 GMT

Hello Ronald,

Is the same than my topology.

Just that you need to include into the crypto ACL if required the traffic from the subnet behind the router ( behind the asa) to the other customer router.

Regards,

Julio