cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
732
Views
0
Helpful
3
Replies

site to site IPSEC VPN

Navin2010
Level 1
Level 1

Hi,

I need some help as i am new to IPSEC VPN.

Below is my setup:

I have Vlan 1 on my router which has been assigned the public IP and Vlan 10 which has been assign 20.20.20.x which connects to my server inside.

I have configured the IPSEC VPN and the VPN is up and running. I am able to ping destination IP (10.128.240.x) from the router. However when i login my server and ping the destination IP, it does not work. Below is my router config,

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key KEY address X.X.X.X

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer X.X.X.X
set transform-set myset
set pfs group2
match address 101

interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
switchport access vlan 10
!
!
interface Vlan1
ip address Y.Y.Y.Y 255.255.255.248
crypto map myvpn
!
!
interface Vlan10
ip address 20.20.20.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.77.21

ip route 10.128.240.x 255.255.255.255 Vlan1

!

access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.128.240.x

3 Replies 3

mfurnival
Level 4
Level 4

Navin,

Can I ask what kind of router / switch you are applying this configuration?

The access-list 101 tells the router what traffic to encrypt - you have said anything sourced from 20.20.20.0/24 destined for host 10.128.240.x. Is this correct? The 10.128.240.x address is the remote address at the other end of the tunnel (unencrypted).

I am confused by the command: ip route 10.128.240.x 255.255.255.255 Vlan1

What are you trying to achieve with this command?

Hi,

Thanks for the analysis.

Yes correct anything from 20.20.20.x and destined for 10.128.240.x should be encrypted. Yes 10.128.240.x is the address of a server behind the tunnel.  I all i need is 20.20.20.x to be able to atleast ping 10.128.240.x.

ip route 10.128.240.x 255.255.255.255 Vlan1 - i put this command to tell the router to route traffic destined to 10.128.240.x through the IPSEC Tunnel. Is it correct?  If not, then how does the router know which traffic it should route through the tunnel?

And the router is cisco 888

Hi,

I login my server (20.20.20.1) and ping the ip 10.128.248.58,

I have turned on terminal monitor and below are the logs

Jun 13 13:03:51.477: IP: tableid=0, s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), routed via RIB

Jun 13 13:03:51.477: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), len 60, rcvd 3

Jun 13 13:03:51.477: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, stop process pak for forus packet

Jun 13 13:03:51.477: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending

Jun 13 13:03:51.477: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending full packet

Jun 13 13:03:53.109: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Jun 13 13:04:03.105: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Jun 13 13:04:03.265: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jun 13 13:04:03.265: IP: tableid=0, s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), routed via RIB

Jun 13 13:04:03.265: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), len 60, rcvd 3

Jun 13 13:04:03.265: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, stop process pak for forus packet

Jun 13 13:04:03.265: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending

Jun 13 13:04:03.265: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending full packet

Jun 13 13:04:13.109: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Jun 13 13:04:21.481: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jun 13 13:04:21.481: IP: tableid=0, s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), routed via RIB

Jun 13 13:04:21.481: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), len 60, rcvd 3

Jun 13 13:04:21.481: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, stop process pak for forus packet

Jun 13 13:04:21.481: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending

Jun 13 13:04:21.481: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending full packet

Jun 13 13:04:23.105: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Jun 13 13:04:33.105: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Jun 13 13:04:33.333: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

what can we conclude from these logs?

Review Cisco Networking for a $25 gift card