01-27-2020 02:32 PM - edited 01-27-2020 02:35 PM
Hello colleagues!
I'm a beginner and have been working on a small project (pkt attached) for a few days, but I gave up.
The problem I can't fix is that I can't get from the outside network (172.16.1.0) devices to the server (www.nevada.net) on the other side through the IPsec VPN tunnel.
I created everything a few times and am still receiving the error "host is unreachable...".
I know there must be a little mistake, but I can't find it.
Could anyone help me and point out the problem or share some pro tips? :)
Here is some info:
NY Router:
ACL 112 permit 172.16.1.0/24
192.168.10.0/24
ipsec:
Group 2, AES, pre share
key: Z1A2L3I4C5Z6E7N8I9E0
peer address: 70.0.0.1
transf. set:
policy 10
esp-3des esp-sha-hmac
VPN-MAP ipsec-isakmp
peer address: 70.0.0.1
ACL 112
interface S0/0/1
OREGON:
ACL 111 permit 192.168.10.0/24
172.16.1.0/24
ipsec:
Group 2, AES, pre share
key: Z1A2L3I4C5Z6E7N8I9E0
peer address: 30.0.0.1
transf. set:
policy 10
esp-3des esp-sha-hmac
VPN-MAP ipsec-isakmp
peer address: 30.0.0.1
ACL 111
interface S0/0/1
Help!
Best regards,
01-28-2020 02:08 PM
Hello,
the problem was not the IPsec tunnel, but there were some things missing. 172.16.1.0/24 is not a directly connected network on the NY router, so you cannot announce it in OSPF. I added static routes on the Oregon and intermediate router. Also, the cell server did not have a default gateway configured (90.0.0.1); I added that as well. The LAN interfaces on the NY and Oregon routers had a crypto map assigned to the LAN interfaces; I removed these since they are not necessary.
Attached is the revised and working version. I saved it in version 7.3.0; if you use a lower version and cannot open it, I'll send over the configs as text files.
01-28-2020 01:27 PM
What are the passwords for your routers?
01-28-2020 02:48 PM
Thank you so much, that explains a lot and everything works great!
I tried to automate it somehow, but I'm still learning.
P.S. Is there any automatic way to make communication in the tunnel work without static routes?
Regards,
01-29-2020 08:53 AM
IPsec can only encrypt Unicast traffic. Routing protocols like OSPF and EIGRP use Multicast to form relationships and therefore won't work.
You can create a GRE tunnel on top of your IPsec tunnel however, and use routing protocols over that.
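
The GRE-plus-IPsec arrangement suggested in the last reply, sketched for the NY side as an added example (not configuration from any poster in this thread). The peer addresses, ACL numbers, `VPN-MAP` and `S0/0/1` come from the original post; the `Tunnel0` number, the 10.255.0.0/30 tunnel subnet and OSPF process 1 / area 0 are assumptions, as is 30.0.0.1 being the address on NY's S0/0/1.

```cisco
! --- NY router (added example; Oregon mirrors it, see the end) ---
! Assumed: 30.0.0.1 is NY's S0/0/1 address, Tunnel0, 10.255.0.0/30, OSPF 1 area 0.

! The crypto ACL no longer lists the LAN subnets. It matches the GRE packets
! exchanged between the two WAN addresses; LAN traffic and OSPF multicast
! travel inside GRE, so IPsec only ever sees unicast GRE.
no access-list 112
access-list 112 permit gre host 30.0.0.1 host 70.0.0.1

! GRE tunnel between the two WAN addresses.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0/1
 tunnel destination 70.0.0.1

! The crypto map stays on the WAN interface only, not on LAN interfaces
! and not on Tunnel0.
interface Serial0/0/1
 crypto map VPN-MAP

! OSPF forms its adjacency across Tunnel0 and exchanges the LAN prefixes,
! replacing the static routes for the remote LAN.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 ! Add network statements only for subnets directly connected to this router.

! Caveat: the route to the tunnel destination (70.0.0.1) must stay on the
! physical path. If that prefix is learned through Tunnel0 with a better
! metric, the tunnel flaps because of recursive routing.

! --- Oregon router: same structure, addresses swapped ---
! no access-list 111
! access-list 111 permit gre host 70.0.0.1 host 30.0.0.1
! interface Tunnel0
!  ip address 10.255.0.2 255.255.255.252
!  tunnel source Serial0/0/1
!  tunnel destination 30.0.0.1

! --- Checks after applying both sides ---
! show ip ospf neighbor      (neighbor 10.255.0.2 should be listed on Tunnel0)
! show crypto ipsec sa       (encaps/decaps counters should increase)
! show ip route ospf         (remote LAN prefixes should appear via Tunnel0)
```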