IPsec tunnel connection/ping problem

dzambalaja
Level 1

Hello colleagues!

 

I'm a beginner and was facing a small project (pkt attached) for a few days, but I gave up.

The problem I can't fix is that I just can't get from the outside network (172.16.1.0) devices to the server (www.nevada.net) on the other side over the IPsec VPN tunnel.

Created everything a few times and still receiving the error "host is unreachable...".

I know there must be a little mistake, but I can't find it. 

Could anyone help me and point out the problem or show some pro tips :)?

 

Here some info:

 

NY Router:

ACL 112 permit 172.16.1.0/24 192.168.10.0/24

ipsec:

Group 2, AES, pre share

key: Z1A2L3I4C5Z6E7N8I9E0

peer address: 70.0.0.1

transf. set:

policy 10

esp-3des esp-sha-hmac

VPN-MAP ipsec-isakmp

peer address: 70.0.0.1

ACL 112

interface S0/0/1

 

 

OREGON:

 

ACL 111 permit 192.168.10.0/24 172.16.1.0/24

ipsec:

Group 2, AES, pre share

key: Z1A2L3I4C5Z6E7N8I9E0

peer address: 30.0.0.1

transf. set:

policy 10

esp-3des esp-sha-hmac

VPN-MAP ipsec-isakmp

peer address: 30.0.0.1

ACL 111

interface S0/0/1

 

Help!

 

Best regards,

 

 


Francesco Molino
VIP Alumni
Hi

Don't have packet tracer to open your project file.
If VPN is up and you can't ping, usually it's a nat issue.
Can you share the NAT config and subnets from the 2 ends?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco, thank you for responding.

 

I tried to configure NAT but it didn't work for me, probably I did something wrong here...

I'm able to ping only one interface on the NY device (90.0.0.1), but not inside and behind the tunnel..

I'm attaching config for these 2 ends.

What are the passwords for your routers?

for ny password is ny
and for oregon pass is oregon

Hello,

 

the problem was not the IPSec tunnel, but there were some things missing. 172.16.1.0/24 is not a directly connected network on the NY router, so you cannot announce it in OSPF. I added static routes on the oregon and intermediate router. Also, the cell server did not have a default gateway configured (90.0.0.1), I added that as well. The LAN interfaces on the ny and oregon routers had a crypto map assigned to the LAN interfaces; I removed these since they are not necessary.

 

Attached the revised and working version. I saved it in version 7.3.0, if you use a lower version and cannot open it, I'll send over the configs as text files....

 

 

Thank You so much that explains a lot and everything works great!

I tried to automate it somehow, but I'm still learning.

PS: Is there any automatic way to make communication in the tunnel work without static routes?

 

Regards,

IPsec can only encrypt Unicast traffic. Routing protocols like OSPF and EIGRP use Multicast to form relationships and therefore won't work.

 

You can create a GRE tunnel on top of your IPsec tunnel however, and use routing protocols over that.

 

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_p2pGRE_Phase2.html
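A GRE-over-IPsec configuration of the kind the reply above describes, added here as an example and not part of the original thread or of the linked Cisco guide. The peer addresses, pre-shared key, ISAKMP policy, transform set and crypto map name are taken from the post (NY is assumed to be 30.0.0.1 and Oregon 70.0.0.1, as the two peer statements imply); the tunnel subnet 10.255.0.0/30, the ACL name GRE-TO-OREGON and the OSPF process/area numbers are assumptions.

```cisco
! NY router - WAN 30.0.0.1, peer Oregon 70.0.0.1 (from the post).
! Tunnel subnet 10.255.0.0/30, ACL name and OSPF numbers are assumed.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Z1A2L3I4C5Z6E7N8I9E0 address 70.0.0.1
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! The crypto ACL now matches the GRE packets (IP protocol 47) between the
! two public addresses instead of the LAN subnets. OSPF's multicast hellos
! are encapsulated in GRE (unicast) first, so IPsec can encrypt them.
ip access-list extended GRE-TO-OREGON
 permit gre host 30.0.0.1 host 70.0.0.1
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 70.0.0.1
 set transform-set TS
 match address GRE-TO-OREGON
!
! Point-to-point GRE tunnel; MTU/MSS lowered for the GRE + ESP overhead.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0/1
 tunnel destination 70.0.0.1
!
! Crypto map only on the WAN interface, never on the LAN interfaces
! (the accepted answer removed it from the LAN side).
interface Serial0/0/1
 ip address 30.0.0.1 255.255.255.252
 crypto map VPN-MAP
!
! OSPF forms its adjacency over the tunnel, so both sides learn each
! other's LAN prefixes dynamically and the static routes go away.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 ! add this router's own LAN interface networks here as well
!
! Oregon mirrors this: key/peer 30.0.0.1, "permit gre host 70.0.0.1
! host 30.0.0.1", Tunnel0 10.255.0.2/30 with tunnel destination 30.0.0.1,
! and its own LAN networks in router ospf 1.
```

Verify with `show crypto ipsec sa` (encaps/decaps counters should rise on the GRE SA) and `show ip ospf neighbor` (the neighbour should appear on Tunnel0).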
