cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1888
Views
0
Helpful
5
Replies

Telnet over IPsec tunnel

effing_society
Level 1
Level 1

Hello all,

 

I have R1 and R2, each are connected through the public internet by using IPsec tunnel, and on this R2, i have one management interface: 

INT F0/0.99 10.10.99.3 /24

 

I would like to telnet from R1 LAN to the interface on R2, but unfortunately I cannot make it work and i have no idea why, been through some of the forum like this one, but I'm not using NAT so if anybody can help me with this it will be great.

 

Huawei similar issue

https://forum.huawei.com/enterprise/en/case-after-configuring-ipsec-vpn-on-router-ping-is-normal-but-telnet-is-abnormal/thread/472253-861

 

R1 Config of IPsec

crypto isakmp policy 100

 encr aes 256

 authentication pre-share

 group 5

 lifetime 60

 

crypto isakmp key xxx address 10.10.200.5

 

crypto ipsec transform-set MOSTSECURE esp-aes 256 esp-sha-hmac

 

access-list 100 permit ip 10.10.10.0 0.0.0.31 10.10.11.0 0.0.0.3

 

crypto map PT-IPSEC 1000 ipsec-isakmp

 description HQ to BR1

 set peer 10.10.200.5

 set pfs group5

 set security-association lifetime seconds 120

 set transform-set MOSTSECURE

 match address 100

 

interface Serial0/1/1

 ip address 10.10.200.1 255.255.255.252

 crypto map PT-IPSEC

 

R2 Config of IPsec

crypto isakmp policy 100

 encr aes 256

 authentication pre-share

 group 5

 lifetime 60

 

crypto isakmp key xxx address 10.10.200.1

 

crypto ipsec transform-set MOSTSECURE esp-aes 256 esp-sha-hmac

 

access-list 100 permit ip 10.10.11.0 0.0.0.3 10.10.10.0 0.0.0.31

 

crypto map PT-IPSEC 1000 ipsec-isakmp

 description BR1 to HQ

 set peer 10.10.200.1

 set pfs group5

 set security-association lifetime seconds 120

 set transform-set MOSTSECURE

 match address 100

 

interface Serial0/1/1

 ip address 10.10.200.5 255.255.255.252

 crypto map PT-IPSEC

 

 

5 Replies 5

All addresses that you want to access through the tunnel need to be part of your crypto-definition. You need to add the address-space that you are coming from and the address-space where you want to go to (the 10.10.99.3) to your ACL 100.

Hi, 

 

thanks for the quick reply.

 

i have tried adding 1 rule as below

access-list 100 permit tcp host 10.10.10.2 host 10.10.99.3 

 

and yet it still doesn't work. 

 

The tracert result shows that the traffic stops at the default gateway which is 10.10.10.1 on R1. 

 

May you advise something more?

If you use tcp in your ACL, you can't use traceroute to troubleshoot as this is either ICMP- or UDP-based. I would use "IP" in the crypto-ACL. Do you also have a static route for 10.10.99.3 pointing to your ISP next-hop?

Hi,

 

I tried your suggestion of using "IP" rather than "TCP" in my ACL, and I add one more static route as below:

ip route 10.10.99.3 255.255.255.255 10.10.200.2 < isp next-hop

 

My result came out as Capture.PNG in attachment. Capture2.PNG and Capture3.PNG is some of the troubleshooting that I have did, may you check if there is any insight?

 

Thanks for the help so far!!

Attached is my PKT file, please ignore the Branch 2 as that is going to be configured VPN after we have solved this issue.

 

Branch 1 login is itin019group1 and telnet login is the same password

Review Cisco Networking for a $25 gift card