ACL Problem

rodonohu1

Hi Guys,

My issue is this:

I have a home office router and a core router. The following is the config. I'm using crypto maps to create it, but there seems to be an issue with the ACLs. I can ping both public IP addresses, but after that, nothing. Any help is great. Any good ACL troubleshooting methods?

Main Router to Home office Router:

crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key RODONOHU-VPN address 213.94.219.249
crypto ipsec transform-set 60GMAC esp-3des esp-md5-hmac
crypto map COGENT_VPN 60 ipsec-isakmp
 description RODONOHU-HOME-TEST
 set peer 213.94.219.249
 set transform-set 60GMAC
 match address RODONOHUE_HOME
ip route 172.17.25.16 255.255.255.240 66.28.244.17 name RobODonohueHomeTest
ip route 213.94.219.249 255.255.255.255 66.28.244.17 name RODONOHU-TUNNEL
ip access-list extended RODONOHUE_HOME
 permit ip host 66.28.244.18 host 213.94.219.249
 permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.168.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.206.209.0 0.0.0.255 172.17.25.16 0.0.0.15
 deny ip any any log

Home Office Router

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key RODONOHU-VPN address 66.28.244.18
crypto ipsec transform-set 60GMAC esp-3des esp-md5-hmac
!
crypto map COGENT_VPN 60 ipsec-isakmp
 set peer 66.28.244.18
 set transform-set 60GMAC
 match address Crypto_ACL
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended Crypto_ACL
 permit ip host 213.94.219.249 host 66.28.244.18
 permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 192.168.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 192.206.209.0 0.0.0.255
 permit ip host 213.94.219.249 host 66.28.244.17

40 Replies

Thanks - I'll give it a go with the static route on the 7206. Will let you know later in the day how I get on.

Cheers,

Rob.

Hi,

I've applied the static IP address on the 7206 route. I set up debugging on the home router and tried to ping the following address from my desktop: 192.169.176.132. The following is the debugging that came out of this. Before, when I tried this, it didn't produce any output.

Anything from that?

Rob

Is that a typo - should the IP address be 192.168.176.132?

Anyway, it looks from the debugging like you are now creating an IPsec tunnel. What does the output of "sh crypto ipsec sa" on your router show?

I'm assuming the ping didn't work though. Is that correct?

Jon

Yes - it was a typo. Fat fingers! And correct, I tried the ping but got no response. I did a sh crypto ipsec sa and the result didn't seem different to the one before, but foolishly I didn't take a print of it and I'm now away from the set up. I can do it tonight and send it over then. Anything I can check on the 7206 side?

The ACL on the home router is now:

access-list 160 permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
access-list 160 permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
access-list 160 permit ip 172.17.25.16 0.0.0.15 192.168.0.0 0.0.255.255
access-list 160 permit ip 172.17.25.16 0.0.0.15 192.206.209.0 0.0.0.255
dialer-list 1 protocol ip permit

Should I include a line to permit the public IP traffic back? I'm guessing it's covered in the map peers.

Hi Jon,

To be honest I did not read through the whole story, just the beginning and the end, so I am sorry if I say something you already knew.

I have the same scenario but with a 831 SOHO router at the BO and a 1841 at HQ.

What I guess is that the ACL in the crypto map which should initiate tunnel setup does not get hit. You have to configure it so that your remote LAN destination address range gets a match on it. Here is a short excerpt of my config:

!
crypto ipsec transform-set tset esp-3des
!
crypto map cmap 100 ipsec-isakmp
 set peer public_ip_of_the_peer
 set transform-set tset
 match address vpnacl
!
..
!
ip access-list extended vpnacl
 permit ip local_subnet remote_subnet
!

When you ping a host in the remote subnet, it will match the ACL which will in turn bring up the tunnel with the remote peer.

And one more thing, if it applies: you will have to set up NAT by using route-maps, otherwise it will not work.

I hope it helps.

Laszlo

Hi Laszlo

No problem with joining in, the more the merrier :-).

There was a problem getting the remote router to recognise the interesting traffic, but I think we are past that now.

Could you explain what you mean about having to set up NAT or it won't work? I don't think Rob is actually NATting the traffic at all from his home PC.

Jon

Hi Laszlo.

It does look like you have a similar set up. Can you give me an example of the NAT to be used?

And is it only to be applied at the HQ router?

Hi,

My network setup is:

BO LAN : 10.1.10.0/24 - BO Router(831) -- ADSL -----INet-----LL-HQ Router(1841)--HQ LAN 10.1.1.0/24 and 10.1.18.0/24

This is the relevant config of the BO router:

!
crypto key pubkey-chain rsa
 named-key vpn_router_hostname encryption
  address HQRouterPublicIP
  key-string
   xxx
  quit
identity profile default
 template Virtual-Template1
!
crypto isakmp policy 100
 encr 3des
 authentication rsa-encr
 group 2
crypto isakmp identity hostname
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set tset esp-3des
!
crypto map cmap 100 ipsec-isakmp
 set peer HQRouterPublicIP
 set transform-set tset
 match address vpnacl
!
!
interface Ethernet0
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.1.9
 ip helper-address 10.1.1.20
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 dot1x port-control auto
 dot1x reauthentication
 dot1x max-req 10
 no cdp enable
!
interface Ethernet1
 no ip address
 no ip unreachables
 no ip proxy-arp
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip access-group inetonly in
 ip access-group inetonly out
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
!
interface Dialer1
 mtu 1400
 ip address negotiated
 ip access-group incoming_traffic in
 ip access-group outgoing_traffic out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password xxx
 ppp pap sent-username xxx
 ppp ipcp dns request
 crypto map cmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip nat inside source route-map dontnatlocal interface Dialer1 overload
!
!
ip access-list extended incoming_traffic
 permit tcp any host BORouterPublicIP eq 22
 permit udp host HQRouterPublicIP host BORouterPublicIP eq isakmp
 permit esp host HQRouterPublicIP host BORouterPublicIP
ip access-list extended inetonly
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended outgoing_traffic
 permit udp host BORouterPublicIP host HQRouterPublicIP eq isakmp
 permit esp host BORouterPublicIP host HQRouterPublicIP
ip access-list extended vpnacl
 permit ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 10.1.18.0 0.0.0.255
ip access-list extended what_to_nat
 deny ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip 10.1.10.0 0.0.0.255 10.1.18.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
route-map dontnatlocal permit 10
 match ip address what_to_nat
!

Hope it helps,

Laszlo

Thanks Laszlo. I'll be sure to see if I can config mine the same. Do you have the matching config on the HQ router? Is that NATted as well? Interesting stuff. I appreciate it.

Hello,

Yes, the HQ router is also NATted; here is its crypto config:

!
ip host BORouterHostName BORouterPublicIP
!
!
crypto key pubkey-chain rsa
 named-key BORouterHostName encryption
  address BORouterPublicIP
  key-string
   xxxxxxx
  quit
!
!
crypto isakmp policy 80
 encr 3des
 authentication rsa-encr
 group 2
crypto isakmp identity hostname
crypto isakmp keepalive 30
!
crypto ipsec transform-set vpntransform esp-3des
!
crypto map vpnmap 150 ipsec-isakmp
 set peer BORouterPublicIP
 set transform-set vpntransform
 match address vpnacl010
!
!
interface Serial0/0/0
 ip address xxx
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 crypto map vpnmap
!
ip route 0.0.0.0 0.0.0.0 ISP_Gateway_address
ip route 10.1.1.0 255.255.255.0 Internal_Router
ip route 10.1.18.0 255.255.255.0 Internal_Router
!
ip nat inside source route-map what_to_nat interface Serial0/0/0 overload
!
ip access-list extended natlocal
 deny ip 10.1.1.0 0.0.0.255 10.1.8.0 0.0.7.255
 deny ip 10.1.18.0 0.0.0.255 10.1.8.0 0.0.7.255
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.18.0 0.0.0.255 any
ip access-list extended vpnacl010
 permit ip 10.1.1.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit ip 10.1.18.0 0.0.0.255 10.1.10.0 0.0.0.255
!
access-list 101 permit udp host BORouterPublicIP host HQRouterPublicIP eq isakmp
access-list 101 permit esp host BORouterPublicIP host HQRouterPublicIP
!
route-map what_to_nat permit 10
 match ip address natlocal
!

Regards,

Laszlo
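Both of the points Laszlo makes, that the crypto-map ACL has to be hit by the remote-LAN destination before the tunnel comes up, and that the NAT route-map ACL has to deny exactly that traffic so it is not translated before encryption, can be checked offline before touching a router. The script below is an added example written for this thread, not code from any of the posters or from Cisco. It parses the "permit ip" / "deny ip" entries of extended ACLs (copied verbatim from the posts above), evaluates them first-match with IOS's implicit deny, reports crypto-ACL entries that have no mirror image on the other peer (IOS expects the two crypto ACLs to be exact mirror images of each other), and reports VPN traffic that the NAT ACL would still translate. The test hosts (an HQ desktop at 192.168.176.132 pinging 172.17.25.20 on the home LAN, and a BO host 10.1.10.7 talking to 10.1.1.9 and to an Internet address 198.51.100.10) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Spec = Tuple[int, int]  # (base address, wildcard mask) as 32-bit ints


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def _parse_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse one IOS address spec at tokens[i]: any | host A | A WILDCARD."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    return (base, int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit ip'/'deny ip' entries; header lines and 'log' are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError("only 'ip' entries are handled: " + line)
        src, i = _parse_spec(tokens, 2)
        dst, _ = _parse_spec(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def _covers(spec: Spec, addr: int) -> bool:
    base, wildcard = spec
    # A wildcard bit of 1 means "don't care"; every other bit must match.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation with the implicit 'deny' IOS appends to every ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if _covers(ace.src, s) and _covers(ace.dst, d):
            return ace.action
    return "deny"


def missing_mirrors(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Local crypto-ACL permits with no src/dst-swapped twin on the remote peer
    (IOS expects the two crypto ACLs to be exact mirror images)."""
    remote_pairs = {(a.src, a.dst) for a in remote if a.action == "permit"}
    return [a for a in local
            if a.action == "permit" and (a.dst, a.src) not in remote_pairs]


def is_natted(nat_acl: List[Ace], src: str, dst: str) -> bool:
    """'ip nat inside source route-map R ...' translates only when R matches,
    i.e. when its ACL permits; a 'deny' entry is the VPN exemption."""
    return lookup(nat_acl, src, dst) == "permit"


def nat_exemption_gaps(crypto_acl: List[Ace], nat_acl: List[Ace]) -> List[Ace]:
    """Crypto-ACL permits the NAT ACL would still translate (checked on the
    first address of each src/dst range)."""
    return [a for a in crypto_acl if a.action == "permit" and is_natted(
        nat_acl, str(ipaddress.IPv4Address(a.src[0])),
        str(ipaddress.IPv4Address(a.dst[0])))]


# Entries copied from the posts above: Rob's HQ and home crypto ACLs, then the
# crypto ACL and the NAT route-map ACL of Laszlo's BO router.
HQ_CRYPTO_ACL = parse_acl("""
 permit ip host 66.28.244.18 host 213.94.219.249
 permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.168.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.206.209.0 0.0.0.255 172.17.25.16 0.0.0.15
 deny ip any any log
""")
HOME_CRYPTO_ACL = parse_acl("""
 permit ip host 213.94.219.249 host 66.28.244.18
 permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 192.168.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 192.206.209.0 0.0.0.255
 permit ip host 213.94.219.249 host 66.28.244.17
""")
BO_VPNACL = parse_acl("""
 permit ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 10.1.18.0 0.0.0.255
""")
BO_WHAT_TO_NAT = parse_acl("""
 deny ip 10.1.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip 10.1.10.0 0.0.0.255 10.1.18.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 any
""")

if __name__ == "__main__":
    # Constructed hosts: an HQ desktop pinging a home-LAN host, a BO host to HQ.
    print(lookup(HQ_CRYPTO_ACL, "192.168.176.132", "172.17.25.20"))  # permit
    print(missing_mirrors(HOME_CRYPTO_ACL, HQ_CRYPTO_ACL))  # the 66.28.244.17 entry
    print(is_natted(BO_WHAT_TO_NAT, "10.1.10.7", "10.1.1.9"))  # False
```

Run against the ACLs in this thread, the mirror check flags only the home router's last entry (host 213.94.219.249 to host 66.28.244.17), which has no counterpart in RODONOHUE_HOME on the 7206; the interesting-traffic lookup confirms that a ping from 192.168.176.132 to a host in 172.17.25.16/28 does hit the HQ crypto ACL; and for Laszlo's BO router the what_to_nat denies exempt exactly the two vpnacl ranges, so VPN traffic leaves with its private source address while everything else is overloaded onto Dialer1.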

franklaszlo

Hello,

I could not find one of my posts from yesterday, so I'll try again:

You should not both route specific traffic and mask it with the crypto ACL at the same time. I think this:

ip route 172.17.25.16 255.255.255.240 66.28.244.17 name RobODonohueHomeTest

and

ip access-list extended RODONOHUE_HOME
 permit ip host 66.28.244.18 host 213.94.219.249
 permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.168.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.206.209.0 0.0.0.255 172.17.25.16 0.0.0.15
 deny ip any any log

If you try to ping a host located in the remote subnet 172.17.25.16/28, then this traffic gets routed instead of being put into the tunnel, because the router first checks the routing table. Look at this article: http://www.cisco.com/warp/public/556/5.html

Laszlo
