09-14-2020 10:42 PM - edited 09-14-2020 10:44 PM
Hi,
I was wondering if anyone could help as to why I can't ping from LAN to LAN across my IPsec tunnel.
Router 1 WAN IP is 43.255.33.42, LAN IP is 192.168.10.1
Router 2 WAN IP is 43.255.45.186, LAN IP is 192.168.5.1
I can ping across the WAN IPs and the tunnel itself is active.
Here is my relevant config, however full configs are attached.
Any help is appreciated!
Router 1
-------
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key x address 43.255.45.186
crypto ipsec transform-set ConsepTunnel esp-3des esp-sha-hmac
crypto map IPsec 10 ipsec-isakmp
 set peer 43.255.45.186
 set transform-set ConsepTunnel
 match address 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended NAT
 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny ip 192.168.10.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 198.168.5.0 0.0.0.255
 permit ip any any
ip route 192.168.5.0 255.255.255.0 43.255.45.186
interface GigabitEthernet0/0
 description "WAN Interface - 100Mb Unlimited Internet"
 bandwidth 100000
 ip address 43.255.33.42 255.255.255.252
 ip access-group Inbound-Traffic in
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 load-interval 30
 duplex full
 speed 100
 crypto map IPsec
 service-policy output 100Mb_Shape_Out-VoIP-Consep-WA
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
Router 2
-------
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key x address 43.255.33.42
crypto ipsec transform-set ipsec-kentrd esp-des esp-md5-hmac
 mode tunnel
!
!
!
!
crypto map IPsec 10 ipsec-isakmp
 set peer 43.255.33.42
 set transform-set ipsec-kentrd
 match address 100
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended NAT
 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
ip route 192.168.10.0 255.255.255.0 43.255.33.42
interface Dialer1
 description "WAN interface"
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname x
 ppp chap password 0 x
 ppp pap sent-username x password 0 x
 no cdp enable
 crypto map IPsec
interface Vlan1
 description LAN Interface
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
09-15-2020 12:02 AM
Hello
The routers don't have any parity regarding their GRE/IPsec configuration?
You have GRE/IPsec on RTR1, with static routing I assume pointing to RTR2, which by the way you should set to route via the encrypted tunnel and not the physical interface. And on RTR2 you have no GRE tunnels and no addressing related to any next-hop address that's specified on RTR1.
09-15-2020 12:09 AM
Hello,
Remove both specific static routes. Since your routers are not directly connected, the next-hop IP addresses don't make any sense. Let the default routes take care of the routing.
R2
--> no ip route 192.168.10.0 255.255.255.0 43.255.33.42
R1
--> no ip route 192.168.5.0 255.255.255.0 43.255.45.186
09-15-2020 03:52 PM
Hello,
Thanks for the responses.
I don't remember adding that Tunnel 3 interface on Router 1 (unless my colleague added it). However, when I removed the tunnel it still couldn't ping across.
Anyway, I followed Paul's advice and built a tunnel interface on both routers and added static routes to be sent through the encrypted tunnel, and can now confirm it works.
Thanks for your help guys.
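Below is an added configuration example (not the poster's attached configs) of the fix the thread converged on: a GRE tunnel on each router, the crypto ACL matching the GRE carrier traffic between the two WAN addresses, and the remote-LAN static routes pointed at the tunnel interface rather than at a peer WAN address that is not on-link. The Tunnel0 numbering, the 172.16.255.0/30 tunnel addressing and the MTU/MSS values are assumptions, and Router 2's transform set is aligned to Router 1's because the two sets shown above differ and Phase 2 cannot negotiate until they match.

```cisco
! ===== Router 1 =====
! Tunnel0 and the 172.16.255.0/30 link addressing are assumptions for this example
interface Tunnel0
 description GRE over IPsec to Router 2
 ip address 172.16.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 43.255.45.186
!
! Crypto ACL 100 now matches the GRE packets between the two WAN addresses;
! the LAN-to-LAN traffic rides inside them, so the old subnet entry is replaced.
no access-list 100
access-list 100 permit gre host 43.255.33.42 host 43.255.45.186
!
! Route the remote LAN into the tunnel instead of to the peer's WAN address
no ip route 192.168.5.0 255.255.255.0 43.255.45.186
ip route 192.168.5.0 255.255.255.0 Tunnel0
!
! ===== Router 2 =====
! Phase 2 requires identical transform sets on both peers; mirror Router 1's set
crypto ipsec transform-set ipsec-kentrd esp-3des esp-sha-hmac
 mode tunnel
!
interface Tunnel0
 description GRE over IPsec to Router 1
 ip address 172.16.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel destination 43.255.33.42
!
no access-list 100
access-list 100 permit gre host 43.255.45.186 host 43.255.33.42
!
no ip route 192.168.10.0 255.255.255.0 43.255.33.42
ip route 192.168.10.0 255.255.255.0 Tunnel0
```

Verify with show crypto ipsec sa (the encaps/decaps counters should increase during a LAN-to-LAN ping) and show ip route 192.168.5.0 on Router 1, which should now list Tunnel0 as the outgoing interface. DES, 3DES and MD5 are deprecated; esp-aes with esp-sha-hmac on both ends is the stronger choice where the IOS image supports it.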