Cisco 891 VPN Connection issue with OpenSwan

szpuni123 (Level 1)

Hello,

I have a small issue with a VPN between my Linux server (Ubuntu with Openswan) and a Cisco 891.

The tunnel is up and running, but I can access devices only from the Cisco side; if I try to ping any device on the Cisco side I cannot connect to anything.

crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status
111.111.111.111 222.222.222.222 QM_IDLE           2001 ACTIVE

In this example 111.111.111.111 is the Cisco and 222.222.222.222 is the Linux server, both with external IPs.

The LAN side is 192.168.2.1 for the Cisco and 192.168.90.10 for Linux.

With that tunnel running I can ping 192.168.90.10 from any device in the 192.168.2.0/24 network, but if I try the reverse, I mean from the Cisco to ping any device in the 2.0 network, I get no reply from any device.

Any ideas?

Config below:

no ip domain lookup
ip domain name actualgaming.com
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
object-group network GAMESERVERS
 host 1.1.1.1
!
object-group network MONITORING
 host 222.222.222.222
!
object-group network WEBSERVERS
 host 3.3.3.3
!
object-group network PERSONAL
 host 4.4.4.4
redundancy
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key secretpassword address 222.222.222.222
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set cm-transformset-1 esp-aes esp-sha-hmac
!
!
!
crypto map cm-cryptomap local-address GigabitEthernet0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 222.222.222.222
 set security-association lifetime kilobytes 46080000
 set transform-set cm-transformset-1
 match address 110
interface GigabitEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 111.111.111.186 255.255.255.252
 ip access-group MAIN_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map cm-cryptomap
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip nat inside source route-map ISP interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.2.103 22 111.111.111.186 65022 route-map ISP extendable
ip nat inside source static tcp 192.168.2.103 5555 111.111.111.186 65101 route-map ISP extendable
ip nat inside source static tcp 192.168.2.104 5555 111.111.111.186 65102 route-map ISP extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 111.111.111.185 10
ip access-list extended NAT
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended MAIN_IN
 permit ip object-group GAMESERVERS any
 permit ip object-group WEBSERVERS any
 permit ip object-group PERSONAL any
 permit ip object-group MONITORING any
 permit icmp any any
 deny   ip any any log
!
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
route-map ISP permit 10
 match ip address NAT
 match interface GigabitEthernet0

3 Replies

XIE YAO (Level 1)

Normally it's caused by an interesting ACL mismatch; have you checked that on both sides?

Sent from Cisco Technical Support iPhone App
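The reply above suggests comparing the interesting-traffic definitions on both sides. The script below is an added example, not code from this thread, from Cisco or from the Openswan project: it parses a Cisco IOS excerpt and an ipsec.conf conn and checks that the crypto-map ACL mirrors the conn's leftsubnet/rightsubnet, and that the NAT ACL exempts the local-to-remote traffic from translation. The inputs are constructed to match the addressing in the question; the posted config references access-list 110 in `match address 110` but does not show it, so the hypothetical ACL 110 here is an assumption, as is the conn name `cisco891` and the choice of the Linux server as `left`.

```python
"""Interesting-traffic cross-check between a Cisco IOS crypto map and an Openswan conn.
Added example with constructed inputs; not code from the thread, Cisco or Openswan."""
import ipaddress
import re

# Constructed IOS excerpt in the shape of the posted config. The posted excerpt
# references ACL 110 but does not include it; the line below is an assumption.
IOS_CONFIG = """\
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 222.222.222.222
 match address 110
ip access-list extended NAT
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.90.0 0.0.0.255
"""

# Constructed ipsec.conf fragment: Linux server is "left", the Cisco is "right".
OPENSWAN_CONF = """\
conn cisco891
    left=222.222.222.222
    leftsubnet=192.168.90.0/24
    right=111.111.111.111
    rightsubnet=192.168.2.0/24
    auto=start
"""


def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    if wildcard == "0.0.0.0":  # old-style single host written as "A 0.0.0.0"
        return ipaddress.ip_network(addr + "/32"), tokens[2:]
    # ipaddress accepts a contiguous IOS wildcard (host mask) in place of a netmask
    return ipaddress.ip_network((addr, wildcard), strict=False), tokens[2:]


def parse_ios(text):
    """Return (acls, refs): 'ip' ACEs as {acl_name: [(action, src, dst)]} for numbered and
    named extended ACLs, and the ACL names used by 'match address' in crypto map entries."""
    acls, refs, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("match address "):
            refs.append(line.split()[-1])
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = re.match(r"access-list (\S+) (permit|deny)\s+ip\s+(.+)$", line)
        if m:
            current = None  # a numbered ACE ends any named-ACL block
            name, action, rest = m.groups()
        else:
            m = re.match(r"(permit|deny)\s+ip\s+(.+)$", line)
            if not (m and current):
                if not line.startswith(("permit", "deny", "remark")):
                    current = None  # anything else ends the named-ACL block
                continue
            name, (action, rest) = current, m.groups()
        src, rest_tokens = _take_addr(rest.split())
        dst, _ = _take_addr(rest_tokens)
        acls.setdefault(name, []).append((action, src, dst))
    return acls, refs


def parse_openswan(text):
    """Return {conn_name: {key: value}} from an ipsec.conf fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def check_interesting_traffic(ios_text, openswan_text, conn_name, nat_acl="NAT"):
    """Return a list of findings; empty means the Cisco crypto ACL mirrors the conn's
    selectors and the NAT ACL exempts local->remote traffic from translation."""
    acls, refs = parse_ios(ios_text)
    conn = parse_openswan(openswan_text)[conn_name]
    # Seen from the Cisco ("right"), the crypto ACL must be src=rightsubnet, dst=leftsubnet.
    want_src = ipaddress.ip_network(conn["rightsubnet"])
    want_dst = ipaddress.ip_network(conn["leftsubnet"])
    findings = []
    for acl_name in refs:
        if acl_name not in acls:
            findings.append(f"crypto map references ACL {acl_name}, which is not defined")
            continue
        permits = [(s, d) for a, s, d in acls[acl_name] if a == "permit"]
        if (want_src, want_dst) not in permits:
            have = ", ".join(f"{s}->{d}" for s, d in permits) or "nothing"
            findings.append(f"ACL {acl_name} has no permit {want_src} -> {want_dst} "
                            f"mirroring conn {conn_name}; it permits {have}")
    # NAT exemption: the first NAT ACE covering local->remote must be a deny.
    for action, src, dst in acls.get(nat_acl, []):
        if want_src.subnet_of(src) and want_dst.subnet_of(dst):
            if action == "permit":
                findings.append(f"NAT ACL {nat_acl} would translate {want_src} -> {want_dst}")
            break
    return findings


if __name__ == "__main__":
    print(check_interesting_traffic(IOS_CONFIG, OPENSWAN_CONF, "cisco891") or "selectors mirror, NAT exempt")
```

An empty result means both sides agree; a non-empty list names the first thing to fix. The NAT check matters here because the posted NAT ACL is what keeps 192.168.2.0/24 to 192.168.90.0/24 traffic untranslated before it reaches the crypto map; if the deny for 192.168.0.0/16 were missing, the traffic would be NATted to the outside address and never match the crypto ACL.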

I'm sorry, but I don't quite understand what you are asking here.

What sort of call mismatch are you talking about here?

I had a very similar setup working with CentOS with the same Openswan configuration, which I can post here if required, but for some reason in this setup I can only achieve one-way communication, strangely...

Nobody can help me with that?
