IPSec

godlam
Level 1

I just fixed the NAT problem on the 1712. I just upgraded the IOS. However, IPSec, which worked before, does not work now. The IPSec tunnel has been established but we cannot ping. I could ping before. The question is: do I need to reload the router when I change the internal and external IP address? Please advise. Thanks.

Regards

Godwin

Richard Burts
Hall of Fame

Godwin

It should not be necessary to reload the router just because you changed interface addresses.

When you changed the IOS to fix the problem with NAT, were you careful to get a feature set that includes support for IPSec? Perhaps you can post the information about your new IOS?

HTH

Rick

godlam
Level 1

Yes, I have checked the feature set, which includes IPSec 3DES. I just upgraded the IOS from 12.3(7)XR3 to 12.3(14)T3. Thanks.

Regards

Godwin

Godwin,

Can you post the configs? Also, I am sure you are using the advanced IP services IOS which supports IPSec...

Rakesh

The attached file is the configuration. Actually, the same configuration is in use on the old 1710 router, which is running IOS 12.2(11)T6. There is no problem there. In addition, the VPN tunnel is established but it cannot be accessed, for example by ping. Please advise. Thanks.

Hi,

Looking at your attached config file, I feel two of the config lines related to the dynamic IPSec clients are missing.

I would suggest adding those lines and checking the result. I feel the config lines may have become invalid while migrating from the previous IOS to the current IOS.

crypto map mapname isakmp authorization list xxx

crypto map mapname client configuration address respond

A few more links for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

Regards

Thanks for your response. I have added those lines but it did not access the remote network. I am using the 1712 connected to the LinkSys VPN Router. The tunnel is created when I type sh crypto isakmp sa, but I cannot ping the remote network. Please advise. Thanks.

Regards

Hi,

Please confirm whether you are trying to ping either 10.3.0.0/16 or 192.168.3.0/24, because I see only these as the interesting traffic being encrypted on your router.

Also have a look at this link, which might help you troubleshoot the same.

But do remember not to enable debugs during peak hours, and also ensure that you aren't enabling all the debug commands in a single stretch.

http://www.cisco.com/en/US/netsol/ns341/ns396/ns172/ns334/networking_solutions_design_guide_chapter09186a008017e282.html

Regards

Actually, we have built two tunnels. One is going to 10.3.0.0/24 and the other is going to 10.2.xxx.0/24. Also, I did not enable debug commands. Do you know why, after upgrading the IOS, the command 'no crypto isakmp ccm' is generated? What is the purpose of this statement? Please advise.

The problem is fixed. I just upgraded the IOS to 12.3(7)T11 rather than 12.4. I did not change any configuration. It is very strange.
