IP SEC tunnel

DrazenSego
Level 1

Hi,

I'm trying to debug an IPsec tunnel which I inherited.

sh crypto isakmp sa gives:

IPv4 Crypto ISAKMP SA
dst             src              state     conn-id   status
85.114.38.XY    80.149.40.XYZ    QM_IDLE   2012      ACTIVE

In the config, IPsec is defined as:

crypto ipsec transform-set VPN_ABC esp-3des esp-sha-hmac
mode tunnel

and:

crypto map VPN_ABC 1 ipsec-isakmp
set peer 80.149.40.XYZ
set transform-set VPN_ABC
set pfs group2
match address 115

List 115:

access-list 115 permit ip 192.168.0.0 0.0.0.255 10.10.89.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.10.91.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 115 deny ip any any

When I try to access host 192.168.101.57 on the remote network, traceroute sends packets to my WAN gateway instead of via the tunnel!

Many thanks for help!

3 Replies

Mark Malone
VIP Alumni

Hi

What's there looks right, but there look to be bits missing as well. Where's the crypto isakmp key and the crypto isakmp policy section?

Can you also reach the far-end public IP address from your router, and does the far side match exactly for the LAN-to-LAN tunnel to come up? Need to see both sides with the full IPsec config.

Take a look at this doc on LAN-to-LAN IPsec setup; it's what you're trying to achieve there:

http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html

The original post showed the crypto isakmp sa but not the crypto ipsec sa. Seeing the IPsec SA might shed some light on what has been negotiated.

Also, the original post is not clear about where the attempt to access the remote host is originated from. If from a PC connected behind the router, I would expect it to work, but if from the router itself, then it probably does not have a source address that matches access list 115.

HTH

Rick


Thanks for the quick response!

Here it is:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2

Also:

ip route 0.0.0.0 0.0.0.0 85.XYZ.38.93  --> this is my WAN IP, on the Fa4 interface
ip route 146.XYZ.0.0 255.255.0.0 Tunnel0 ---> this is another VPN, via tunnel, working OK
!

interface FastEthernet4
ip address 85.XYZ.38.94 255.255.255.252
ip access-group Fiducia_out out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN_ABC

ip access-list extended Fiducia_out
permit ip any any

I think I missed something in NAT or ACL but can't find it.

I'm trying to access from the router and from a host in the local network, 192.168.0.0.
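As an added illustration (not from the thread) of Rick's point about router-sourced traffic and of the NAT suspicion in the last post, here is a small Python model of how IOS evaluates crypto ACL 115 against a flow's source and destination. On IOS, inside-to-outside NAT is applied before the crypto map is consulted, so a LAN source translated to the Fa4 address no longer matches ACL 115 unless the VPN traffic is exempted from NAT. The WAN address below is a placeholder standing in for the masked Fa4 address in the post, and the NAT overload rule it models is hypothetical since the thread never shows the `ip nat inside source` line.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" or "deny"
    src: str          # network address
    src_wild: str     # Cisco wildcard (inverse) mask: set bits are "don't care"
    dst: str
    dst_wild: str

def _matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: compare only the bits that are 0 in the wildcard."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """First-match evaluation as IOS does it, with the implicit deny at the end."""
    for e in acl:
        if _matches(src, e.src, e.src_wild) and _matches(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"

# Crypto ACL 115 transcribed from the thread (the crypto map's "match address 115").
ACL_115 = [
    AclEntry("permit", "192.168.0.0", "0.0.0.255", "10.10.89.0", "0.0.0.255"),
    AclEntry("permit", "192.168.0.0", "0.0.0.255", "10.10.91.0", "0.0.0.255"),
    AclEntry("permit", "192.168.0.0", "0.0.0.255", "192.168.101.0", "0.0.0.255"),
    AclEntry("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Placeholder for the masked Fa4 address (85.XYZ.38.94 in the post); constructed value.
WAN_IP = "203.0.113.94"

def classify(src: str, dst: str, natted_to: Optional[str] = None) -> str:
    """Say what happens to a flow leaving Fa4.

    natted_to models a hypothetical inside->outside NAT rule rewriting the
    source before the crypto map is evaluated (IOS order of operations).
    Returns "tunnel" if the crypto map selects the flow, "leaked-by-nat" if the
    flow would have matched ACL 115 before NAT but no longer does afterwards,
    and "plain-routing" otherwise (e.g. router-sourced traffic, Rick's point).
    """
    effective_src = natted_to or src
    if acl_lookup(ACL_115, effective_src, dst) == "permit":
        return "tunnel"
    if natted_to and acl_lookup(ACL_115, src, dst) == "permit":
        return "leaked-by-nat"   # fix: exempt this traffic from NAT (deny in the NAT ACL)
    return "plain-routing"       # follows "ip route 0.0.0.0 0.0.0.0" to the WAN gateway
```

Run `classify("192.168.0.57", "192.168.101.57", natted_to=WAN_IP)` to see the NAT case and `classify(WAN_IP, "192.168.101.57")` for a flow sourced from the router itself.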