Issues pinging across ipsec tunnel

Gallain
Level 1

Hi,

I was wondering if anyone could help as to why I can't ping from LAN to LAN across my IPsec tunnel.

Router 1 WAN IP is 43.255.33.42, LAN IP is 192.168.10.1

Router 2 WAN IP is 43.255.45.186, LAN IP is 192.168.5.1

I can ping across the WAN IPs and the tunnel itself is active.

Here is my relevant config; however, full configs are attached.

Any help is appreciated!

Router 1
-------

crypto isakmp policy 20
 hash md5
 authentication pre-share
!
crypto isakmp key x address 43.255.45.186
!
crypto ipsec transform-set ConsepTunnel esp-3des esp-sha-hmac
!
crypto map IPsec 10 ipsec-isakmp
 set peer 43.255.45.186
 set transform-set ConsepTunnel
 match address 100
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
!
ip access-list extended NAT
 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny ip 192.168.10.0 0.0.0.255 192.168.70.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 198.168.5.0 0.0.0.255
 permit ip any any
!
ip route 192.168.5.0 255.255.255.0 43.255.45.186
!
interface GigabitEthernet0/0
 description "WAN Interface - 100Mb Unlimited Internet"
 bandwidth 100000
 ip address 43.255.33.42 255.255.255.252
 ip access-group Inbound-Traffic in
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 load-interval 30
 duplex full
 speed 100
 crypto map IPsec
 service-policy output 100Mb_Shape_Out-VoIP-Consep-WA
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto

Router 2
-------

crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key x address 43.255.33.42
!
crypto ipsec transform-set ipsec-kentrd esp-des esp-md5-hmac
 mode tunnel
!
crypto map IPsec 10 ipsec-isakmp
 set peer 43.255.33.42
 set transform-set ipsec-kentrd
 match address 100
!
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
!
ip access-list extended NAT
 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
ip route 192.168.10.0 255.255.255.0 43.255.33.42
!
interface Dialer1
 description "WAN interface"
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname x
 ppp chap password 0 x
 ppp pap sent-username x password 0 x
 no cdp enable
 crypto map IPsec
!
interface Vlan1
 description LAN Interface
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

1 Accepted Solution

Hello

The routers don't have any parity regarding their GRE/IPsec configuration?

You have GRE/IPsec on RTR1, with static routing, I assume, pointing to RTR2, which by the way you should set to route via the encrypted tunnel and not the physical interface. And on RTR2 you have no GRE tunnels and no addressing related to any next-hop address that's specified on RTR1.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

3 Replies

Hello,

Remove both specific static routes. Since your routers are not directly connected, the next hop IP addresses don't make any sense. Let the default routes take care of the routing.

R2

--> no ip route 192.168.10.0 255.255.255.0 43.255.33.42

R1

--> no ip route 192.168.5.0 255.255.255.0 43.255.45.186

Gallain
Level 1

Hello,

Thanks for the responses.

I don't remember adding that Tunnel 3 interface on Router 1 (unless my colleague added it). However, when I removed the tunnel it still couldn't ping across.

Anyway, I followed Paul's advice and built a tunnel interface on both routers and added static routes to be sent through the encrypted tunnel, and can now confirm it works.

Thanks for your help guys.
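
An added example of the fix Paul describes and Gallain confirms (not the poster's own configuration and not from Cisco): a GRE tunnel on each router, the crypto ACL rewritten to match the GRE packets between the two WAN addresses, and the remote-LAN static routes pointed at the Tunnel interface instead of at a WAN address that is not directly connected. The tunnel addresses (172.16.0.0/30), the pre-shared key, and the AES/SHA-2 policy in place of the thread's DES/MD5 sets are assumptions.

```cisco
! ===== Router 1 (WAN 43.255.33.42 on Gi0/0, LAN 192.168.10.0/24) =====
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 43.255.45.186
! Identical transform set on both ends (the thread's two sets differ).
crypto ipsec transform-set ConsepTunnel esp-aes 256 esp-sha256-hmac
! Crypto ACL matches the GRE packets between the WAN addresses, not the LANs.
ip access-list extended GRE-TO-R2
 permit gre host 43.255.33.42 host 43.255.45.186
crypto map IPsec 10 ipsec-isakmp
 set peer 43.255.45.186
 set transform-set ConsepTunnel
 match address GRE-TO-R2
! "crypto map IPsec" stays applied to Gi0/0 as in the original config.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0
 tunnel destination 43.255.45.186
! Remote LAN is reached through the tunnel, not via a non-adjacent next hop.
ip route 192.168.5.0 255.255.255.0 Tunnel0
!
! ===== Router 2 (WAN 43.255.45.186 on Dialer1, LAN 192.168.5.0/24) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 43.255.33.42
crypto ipsec transform-set ConsepTunnel esp-aes 256 esp-sha256-hmac
ip access-list extended GRE-TO-R1
 permit gre host 43.255.45.186 host 43.255.33.42
crypto map IPsec 10 ipsec-isakmp
 set peer 43.255.33.42
 set transform-set ConsepTunnel
 match address GRE-TO-R1
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source Dialer1
 tunnel destination 43.255.33.42
ip route 192.168.10.0 255.255.255.0 Tunnel0
! Verify: show crypto session, show crypto ipsec sa, then
! ping 192.168.5.1 source 192.168.10.1 from Router 1.
```

The NAT-exemption deny lines already present in both routers' NAT ACLs can stay; using Router 2's negotiated Dialer1 address as a static host in the crypto ACL assumes it is as stable as the thread states.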
