VPN connected but host not reachable

Nehadeepu
Level 1

Hi,

Below is the R1 VPN configuration:

crypto ikev2 proposal PHASE1PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy PHASE1POLICY
 proposal PHASE1PROPOSAL
!
crypto ikev2 keyring VPNKEY
 peer R3
  address 172.16.17.2
  pre-shared-key cisco?123
!
crypto ikev2 profile PHASE1PROFILE
 match identity remote fqdn r3.lab
 identity local fqdn r1.lab
 authentication remote pre-share
 authentication local pre-share
 keyring local VPNKEY
!
crypto ipsec transform-set TSET ah-sha256-hmac esp-aes 256
 mode tunnel
!
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.17.2
 set transform-set TSET
 set ikev2-profile PHASE1PROFILE
 match address 111
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 ip address 172.16.16.1 255.255.255.0
 ip ospf 1 area 0
 speed auto
 duplex auto
 crypto map vpn
!
router ospf 1
 router-id 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
! Crypto ACL: only traffic between these two subnets is encrypted by the
! crypto map; anything else leaving FastEthernet1/0 is forwarded in the clear.
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!


And below is the R3 VPN configuration:

crypto ikev2 proposal PHASE1PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy PHASE1POLICY
 proposal PHASE1PROPOSAL
!
crypto ikev2 keyring VPNKEY
 ! The entry name is only a label; what must match is the address of the
 ! remote peer (R1's FastEthernet1/0).
 peer R3
  address 172.16.16.1
  pre-shared-key cisco?123
!
crypto ikev2 profile PHASE1PROFILE
 match identity remote fqdn r1.lab
 identity local fqdn r3.lab
 authentication remote pre-share
 authentication local pre-share
 keyring local VPNKEY
!
crypto ipsec transform-set TSET ah-sha256-hmac esp-aes 256
 mode tunnel
!
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.16.1
 set transform-set TSET
 set ikev2-profile PHASE1PROFILE
 match address 111
!
interface FastEthernet0/0
 ip address 172.16.17.2 255.255.255.0
 ip ospf 1 area 0
 duplex full
 crypto map vpn
!
interface FastEthernet1/1
 ip address 192.168.2.1 255.255.255.0
 speed auto
 duplex auto
!
router ospf 1
 router-id 3.3.3.3
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
! Mirror image of R1's crypto ACL (source and destination swapped).
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!


The VPN is connecting and I can ping from the R1 LAN interface (192.168.1.1) to the R3 LAN interface (192.168.2.1), and packet encapsulation and decapsulation are happening without any issue.

Facing the below issue:

My LAN hosts are not reachable over IPsec.


1 Accepted Solution

Deepak Kumar
VIP Alumni

Hi,

1. First, try to ping the router LAN interface. If it is not reachable, then check your ACL, route and VPN configuration (Phase 1 and Phase 2).

2. If the router LAN to LAN interface is reachable but the host is not reachable, then verify that the host subnet is allowed in the VPN ACL. If yes, then turn CEF off and on again (this is as per my experience).

 

Regards,

Deepak Kumar

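The second step in the accepted answer, checking that the host subnet is actually covered by the crypto ACL on both routers, is easy to eyeball for a single pair of /24s but worth scripting once an ACL has several lines or odd wildcards. What follows is an added example, not code from the thread or from Cisco: it parses the `access-list 111 permit ip ...` lines copied from the R1 and R3 configs above, checks that they are mirror images, and evaluates a host pair against both ends with IOS first-match semantics. The `R3_ACL_BAD` line (R3 covering only half of R1's LAN) and the host addresses are constructed for illustration; only the address/wildcard ACE form used in the thread is parsed.

```python
import ipaddress
import re
from typing import List, Tuple

# Only the "access-list N permit|deny ip SRC WILDCARD DST WILDCARD" form used
# in the thread is parsed; other ACE syntaxes ("host", "any", ports) are ignored.
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# Crypto ACLs copied from the R1 and R3 configs posted in the question.
R1_ACL = "access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
R3_ACL = "access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"
# Constructed misconfiguration: R3 only covers the lower half of R1's LAN.
R3_ACL_BAD = "access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.127"


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address/wildcard -> IPv4Network. Wildcard bits set to 1 are
    'don't care'; only a contiguous run of low-order 1s maps to a prefix,
    so anything else is rejected instead of being silently mis-matched."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def parse_crypto_acl(config: str, number: str) -> List[Ace]:
    """Collect the ACEs of numbered ACL `number`, in configuration order."""
    aces: List[Ace] = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == number:
            action, src, src_wc, dst, dst_wc = m.groups()[1:]
            aces.append((action, wildcard_to_network(src, src_wc),
                         wildcard_to_network(dst, dst_wc)))
    return aces


def acl_action(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """IOS semantics: top-down, first match wins, implicit deny at the end."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in aces:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def is_mirror(local: List[Ace], remote: List[Ace]) -> bool:
    """The two crypto ACLs should be exact mirrors (source and destination
    swapped); a mismatch is the first thing to rule out when one subnet or
    one direction works and the other does not."""
    l = sorted((a, str(s), str(d)) for a, s, d in local)
    r = sorted((a, str(d), str(s)) for a, s, d in remote)
    return l == r


def flow_is_protected(local: List[Ace], remote: List[Ace],
                      src_ip: str, dst_ip: str) -> bool:
    """True when src->dst is selected by the local crypto ACL and the reply
    dst->src by the remote one. A flow the local ACL does not permit is
    routed in the clear, and cleartext that matches the far side's crypto
    ACL is dropped on ingress there, so the host simply looks unreachable."""
    return (acl_action(local, src_ip, dst_ip) == "permit"
            and acl_action(remote, dst_ip, src_ip) == "permit")


if __name__ == "__main__":
    r1, r3 = parse_crypto_acl(R1_ACL, "111"), parse_crypto_acl(R3_ACL, "111")
    print("R1/R3 ACLs are mirrors:", is_mirror(r1, r3))
    print("192.168.1.10 -> 192.168.2.10 protected:",
          flow_is_protected(r1, r3, "192.168.1.10", "192.168.2.10"))
    r3_bad = parse_crypto_acl(R3_ACL_BAD, "111")
    print("with half-subnet R3 ACL, mirrors:", is_mirror(r1, r3_bad))
    print("192.168.1.200 -> 192.168.2.10 protected:",
          flow_is_protected(r1, r3_bad, "192.168.1.200", "192.168.2.10"))
```

Run it against the pasted configs and the thread's ACLs come out as mirrors with any host pair in the two /24s protected, which is why the advice moves on to CEF; the `R3_ACL_BAD` case shows the failure mode the check is for, where hosts in 192.168.1.128-255 reach R3 in the clear and get dropped while the router-to-router ping still works.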

4 Replies


Hi,

Thanks. I am working on a lab in GNS3, and turning CEF off and on again resolved my issue.

 

 

Richard Burts
Hall of Fame

As a first step can you verify that each router can successfully ping the peer address of the remote peer?

 

As a second step, you tell us that "I can ping from R1 LAN interface (192.168.1.1) to R3 LAN interface (192.168.2.1)". This is good. Can you tell us whether there is any possibility that hosts in one of the LANs have a default gateway that is different from the router you tell us about at that site? (A traceroute from a host in one LAN to a host in the remote LAN might be helpful for this.)

 

As a third step can you post the output of show crypto ipsec sa from both routers?

 

HTH

 

Rick 

 

 

 

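Richard's third step asks for `show crypto ipsec sa` from both routers. What you do with that output is compare the encaps counter on one side with the decaps counter on the other for the same burst of test traffic, which pins the loss to one of a handful of places (never encrypted, lost in transit, delivered but unanswered, or healthy tunnel with a forwarding problem after decryption). The following is an added example, not from the thread or from Cisco: the two excerpts are constructed to look like the counter lines of that command, taken after `clear crypto sa counters` and 20 pings from a host on R1's LAN, and the parser reads only the `#pkts encaps`, `#pkts decaps`, `#send errors` and `#recv errors` lines. The verdict codes and the branch logic are this script's own reading of those counters, the usual crypto-map triage rather than anything IOS reports.

```python
import re
from dataclasses import dataclass

# Constructed excerpts in the shape of IOS "show crypto ipsec sa" counter
# lines, as they would look after "clear crypto sa counters" and 20 pings
# from a host on R1's LAN (192.168.1.0/24) to a host on R3's LAN.
R1_SHOW_SA = """\
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 172.16.17.2 port 500
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""
R3_SHOW_SA = """\
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 172.16.16.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
    #send errors 0, #recv errors 0
"""

# "#pkts encaps: 20" and "#send errors 0" both match (colon optional).
COUNTER_RE = re.compile(
    r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s*(\d+)")
FIELD = {"pkts encaps": "encaps", "pkts decaps": "decaps",
         "send errors": "send_errors", "recv errors": "recv_errors"}


@dataclass
class SaCounters:
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


def parse_sa_counters(text: str) -> SaCounters:
    """Sum the counters over every SA in the output; a crypto ACL with
    several lines yields several SAs and all of them count."""
    c = SaCounters()
    for name, value in COUNTER_RE.findall(text):
        setattr(c, FIELD[name], getattr(c, FIELD[name]) + int(value))
    return c


# Verdict codes are this script's own, not IOS output.
VERDICTS = {
    "NEAR_NO_ENCAP": "near router encrypted nothing: the host's traffic never "
                     "reached the crypto map (host default gateway, routing, "
                     "or the flow is outside the crypto ACL)",
    "FAR_RECV_ERRORS": "far router receives packets but cannot decrypt or "
                       "verify them: transform-set / SA mismatch",
    "TRANSIT_FORWARD": "encrypted packets left the near router but never "
                       "arrived: filtered or dropped between the peers",
    "FAR_NO_REPLY": "far router decrypted and delivered the packets but "
                    "encrypted no reply: far host's default gateway, host "
                    "firewall, or forwarding on the far LAN",
    "NEAR_RECV_ERRORS": "near router receives replies but cannot decrypt or "
                        "verify them: transform-set / SA mismatch",
    "TRANSIT_RETURN": "replies were encrypted by the far router but never "
                      "arrived back",
    "HEALTHY": "both directions encapsulate and decapsulate; the problem is "
               "after decryption (route, CEF/forwarding, host)",
}


def localize_loss(near: SaCounters, far: SaCounters) -> str:
    """Where a near-LAN -> far-LAN flow dies, read from counters that were
    cleared before the test traffic was sent. Returns a VERDICTS key."""
    if near.encaps == 0:
        return "NEAR_NO_ENCAP"
    if far.decaps == 0:
        return "FAR_RECV_ERRORS" if far.recv_errors else "TRANSIT_FORWARD"
    if far.encaps == 0:
        return "FAR_NO_REPLY"
    if near.decaps == 0:
        return "NEAR_RECV_ERRORS" if near.recv_errors else "TRANSIT_RETURN"
    return "HEALTHY"


if __name__ == "__main__":
    r1, r3 = parse_sa_counters(R1_SHOW_SA), parse_sa_counters(R3_SHOW_SA)
    code = localize_loss(r1, r3)
    print(f"R1 {r1}\nR3 {r3}\n{code}: {VERDICTS[code]}")
```

The constructed sample lands on `FAR_NO_REPLY`, the pattern Richard's default-gateway question is aimed at: R3 decrypts every packet but encrypts nothing back, so the far host is either not receiving them or is replying via a different gateway. The OP's own report (encaps and decaps fine in both directions, hosts still unreachable) corresponds to `HEALTHY`, which is exactly where a forwarding-plane problem such as the CEF state that resolved this thread sits.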

Hi,
Thanks. I verified all the details but didn't find any issue. After turning CEF off and on again, it seems to work for me.