Telnet over IPsec tunnel

effing_society · ‎05-13-2021

Hello all,

I have R1 and R2, each are connected through the public internet by using IPsec tunnel, and on this R2, i have one management interface:

INT F0/0.99 10.10.99.3 /24

I would like to telnet from R1 LAN to the interface on R2, but unfortunately I cannot make it work and i have no idea why, been through some of the forum like this one, but I'm not using NAT so if anybody can help me with this it will be great.

Huawei similar issue

https://forum.huawei.com/enterprise/en/case-after-configuring-ipsec-vpn-on-router-ping-is-normal-but-telnet-is-abnormal/thread/472253-861

R1 Config of IPsec

crypto isakmp policy 100

encr aes 256

authentication pre-share

group 5

lifetime 60

crypto isakmp key xxx address 10.10.200.5

crypto ipsec transform-set MOSTSECURE esp-aes 256 esp-sha-hmac

access-list 100 permit ip 10.10.10.0 0.0.0.31 10.10.11.0 0.0.0.3

crypto map PT-IPSEC 1000 ipsec-isakmp

description HQ to BR1

set peer 10.10.200.5

set pfs group5

set security-association lifetime seconds 120

set transform-set MOSTSECURE

match address 100

interface Serial0/1/1

ip address 10.10.200.1 255.255.255.252

crypto map PT-IPSEC

R2 Config of IPsec

crypto isakmp policy 100

encr aes 256

authentication pre-share

group 5

lifetime 60

crypto isakmp key xxx address 10.10.200.1

crypto ipsec transform-set MOSTSECURE esp-aes 256 esp-sha-hmac

access-list 100 permit ip 10.10.11.0 0.0.0.3 10.10.10.0 0.0.0.31

crypto map PT-IPSEC 1000 ipsec-isakmp

description BR1 to HQ

set peer 10.10.200.1

set pfs group5

set security-association lifetime seconds 120

set transform-set MOSTSECURE

match address 100

interface Serial0/1/1

ip address 10.10.200.5 255.255.255.252

crypto map PT-IPSEC

Karsten Iwen · ‎05-13-2021

All addresses that you want to access through the tunnel need to be part of your crypto-definition. You need to add the address-space that you are coming from and the address-space where you want to go to (the 10.10.99.3) to your ACL 100.

effing_society · ‎05-13-2021

Hi,

thanks for the quick reply.

i have tried adding 1 rule as below

access-list 100 permit tcp host 10.10.10.2 host 10.10.99.3

and yet it still doesn't work.

The tracert result shows that the traffic stops at the default gateway which is 10.10.10.1 on R1.

May you advise something more?

Karsten Iwen · ‎05-13-2021

If you use tcp in your ACL, you can't use traceroute to troubleshoot as this is either ICMP- or UDP-based. I would use "IP" in the crypto-ACL. Do you also have a static route for 10.10.99.3 pointing to your ISP next-hop?

effing_society · ‎05-13-2021

Hi,

I tried your suggestion of using "IP" rather than "TCP" in my ACL, and I add one more static route as below:

ip route 10.10.99.3 255.255.255.255 10.10.200.2 < isp next-hop

My result came out as Capture.PNG in attachment. Capture2.PNG and Capture3.PNG is some of the troubleshooting that I have did, may you check if there is any insight?

Thanks for the help so far!!

effing_society · ‎05-13-2021

Attached is my PKT file, please ignore the Branch 2 as that is going to be configured VPN after we have solved this issue.

Branch 1 login is itin019group1 and telnet login is the same password