06-18-2015 11:01 AM - edited 03-05-2019 01:41 AM
Hi, hope I'm asking in the right place. In Packet Tracer I'm trying to demonstrate an IPsec VPN tunnel. I'm having trouble with the ACL that is used with the crypto map match statement. Suppose I have 2 routers, connected via the 11.0.0.0/30 network. Each router has a local network (192.168.0.0/24, 192.168.1.0/24).
With my current configs, I cannot ping from one local network to the other. If I change both "VPNOK" ACLs to permit ip any any, then it will work. Could someone tell me what is wrong with the ACL? Would it be more secure to specify each local network in the ACL, rather than 'any any'?
thank you
RA:
hostname RA
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool Local
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key mykey address 11.0.0.2
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set mytransformset esp-aes esp-sha-hmac
!
crypto map mymap 100 ipsec-isakmp
set peer 11.0.0.2
set pfs group2
set security-association lifetime seconds 86400
set transform-set mytransformset
match address VPNOK
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1
ip address 11.0.0.1 255.255.255.252
crypto map mymap
!
ip route 192.168.1.0 255.255.255.0 11.0.0.2
!
ip access-list extended VPNOK
permit ip 192.168.0.0 0.0.0.255 any
RB:
hostname RB
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool Local
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key mykey address 11.0.0.1
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set mytransformset esp-aes esp-sha-hmac
!
crypto map mymap 100 ipsec-isakmp
set peer 11.0.0.1
set pfs group2
set security-association lifetime seconds 86400
set transform-set mytransformset
match address VPNOK
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
ip address 11.0.0.2 255.255.255.252
crypto map mymap
!
ip route 192.168.0.0 255.255.255.0 11.0.0.1
!
ip access-list extended VPNOK
permit ip 192.168.1.0 0.0.0.255 any
06-18-2015 01:08 PM
Hi,
The rule is that crypto ACLs, aka proxy IDs, should be mirrored on each side, so you have to put 192.168.1.0 to 192.168.2.0 on one side and 192.168.2.0 to 192.168.1.0 on the other side, or any to any on both sides like you did. But best practice is to specify the specific subnets.
Regards,
Alain
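An added check, not code from the thread or from Cisco: a small Python script that parses the permit entries of two crypto ACLs, converts Cisco wildcard masks to prefixes, and reports any entry that has no mirror image on the peer or that uses "any" (which makes the tunnel match far more traffic than the two LANs). The sample ACLs are constructed from the subnets in the question, in the mirrored form the answer recommends.

```python
import ipaddress

# Constructed sample crypto ACLs: the mirrored pair for the two LANs in the thread.
RA_ACL = """ip access-list extended VPNOK
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
RB_ACL = """ip access-list extended VPNOK
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""


def _network(tokens):
    """Consume one ACL address operand (any | host A | A WILDCARD) and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    # A Cisco wildcard is the inverted mask; it must be a contiguous run of low-order 1 bits.
    if (wildcard + 1) & wildcard:
        raise ValueError(f"non-contiguous wildcard mask for {tok}")
    prefixlen = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tok}/{prefixlen}", strict=False)


def parse_crypto_acl(text):
    """Return the (src, dst) network pairs of every 'permit ip' entry; other lines are ignored."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue
        operands = tokens[2:]
        pairs.append((_network(operands), _network(operands)))
    return pairs


def check_mirrored(local_text, remote_text):
    """Return a list of findings; an empty list means the two crypto ACLs mirror cleanly."""
    local, remote = parse_crypto_acl(local_text), parse_crypto_acl(remote_text)
    findings = []
    for src, dst in local:
        if (dst, src) not in remote:
            findings.append(f"no mirror on peer for {src} -> {dst}")
        if src.prefixlen == 0 or dst.prefixlen == 0:
            findings.append(f"'any' in {src} -> {dst}: scope the entry to the two LANs")
    for src, dst in remote:
        if (dst, src) not in local:
            findings.append(f"peer entry {src} -> {dst} has no local mirror")
    return findings
```

Running it on the original pair from the question (each side permitting its own LAN to any) reports both the missing mirror and the over-broad "any"; on "permit ip any any" both sides it reports only the scoping finding, matching the thread's observation that the tunnel comes up but is wider than needed.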