06-12-2013 07:07 AM - edited 03-07-2019 01:51 PM
Hi,
I need some help, as I am new to IPSEC VPN.
Below is my setup:
I have Vlan 1 on my router, which has been assigned the public IP, and Vlan 10, which has been assigned 20.20.20.x and connects to my server inside.
I have configured the IPSEC VPN and the VPN is up and running. I am able to ping the destination IP (10.128.240.x) from the router. However, when I log in to my server and ping the destination IP, it does not work. Below is my router config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key KEY address X.X.X.X
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer X.X.X.X
set transform-set myset
set pfs group2
match address 101
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
switchport access vlan 10
!
!
interface Vlan1
ip address Y.Y.Y.Y 255.255.255.248
crypto map myvpn
!
!
interface Vlan10
ip address 20.20.20.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.77.21
ip route 10.128.240.x 255.255.255.255 Vlan1
!
access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.128.240.x
06-12-2013 07:58 AM
Navin,
Can I ask what kind of router/switch you are applying this configuration to?
The access-list 101 tells the router what traffic to encrypt - you have said anything sourced from 20.20.20.0/24 destined for host 10.128.240.x. Is this correct? The 10.128.240.x address is the remote address at the other end of the tunnel (unencrypted).
I am confused by the command: ip route 10.128.240.x 255.255.255.255 Vlan1
What are you trying to achieve with this command?
06-12-2013 10:26 PM
Hi,
Thanks for the analysis.
Yes, correct: anything from 20.20.20.x destined for 10.128.240.x should be encrypted. Yes, 10.128.240.x is the address of a server behind the tunnel. All I need is for 20.20.20.x to be able to at least ping 10.128.240.x.
ip route 10.128.240.x 255.255.255.255 Vlan1 - I put this command to tell the router to route traffic destined to 10.128.240.x through the IPSEC tunnel. Is it correct? If not, then how does the router know which traffic it should route through the tunnel?
And the router is a Cisco 888.
06-13-2013 06:06 AM
Hi,
I log in to my server (20.20.20.1) and ping the IP 10.128.248.58.
I have turned on terminal monitor and below are the logs:
Jun 13 13:03:51.477: IP: tableid=0, s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), routed via RIB
Jun 13 13:03:51.477: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), len 60, rcvd 3
Jun 13 13:03:51.477: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, stop process pak for forus packet
Jun 13 13:03:51.477: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending
Jun 13 13:03:51.477: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending full packet
Jun 13 13:03:53.109: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Jun 13 13:04:03.105: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Jun 13 13:04:03.265: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jun 13 13:04:03.265: IP: tableid=0, s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), routed via RIB
Jun 13 13:04:03.265: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), len 60, rcvd 3
Jun 13 13:04:03.265: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, stop process pak for forus packet
Jun 13 13:04:03.265: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending
Jun 13 13:04:03.265: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending full packet
Jun 13 13:04:13.109: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Jun 13 13:04:21.481: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jun 13 13:04:21.481: IP: tableid=0, s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), routed via RIB
Jun 13 13:04:21.481: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), len 60, rcvd 3
Jun 13 13:04:21.481: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, stop process pak for forus packet
Jun 13 13:04:21.481: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending
Jun 13 13:04:21.481: IP: s=20.20.20.2 (local), d=20.20.20.1 (Vlan10), len 40, sending full packet
Jun 13 13:04:23.105: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Jun 13 13:04:33.105: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Jun 13 13:04:33.333: IP: s=20.20.20.1 (Vlan10), d=20.20.20.2, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
what can we conclude from these logs?
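As an added example (not code from the thread), a small Python check of the mechanism behind both questions above: the crypto map selects traffic by matching it against the crypto ACL (access-list 101 here), so a packet that never matches that ACL is never handed to the tunnel, whatever the static route says. It parses the ACL entry, then sorts the s=/d= pairs in the debug lines by whether the ACL selects them and counts the "failed SA identity check" messages; 10.128.240.1 and the third debug line are constructed stand-ins for the post's 10.128.240.x.

```python
import ipaddress
import re

# Constructed crypto ACL in IOS syntax; 10.128.240.1 stands in for the 10.128.240.x of the post.
CRYPTO_ACL = "access-list 101 permit ip 20.20.20.0 0.0.0.255 host 10.128.240.1"
# Two lines from the post's debug output plus one constructed line for a packet the crypto map would select.
DEBUG_LINES = [
    "Jun 13 13:04:03.265: IP: tableid=0, s=20.20.20.1 (Vlan10), d=20.20.20.2 (Vlan10), routed via RIB",
    "Jun 13 13:04:13.109: IPSEC(epa_des_crypt): decrypted packet failed SA identity check",
    "Jun 13 13:05:00.000: IP: tableid=0, s=20.20.20.1 (Vlan10), d=10.128.240.1 (Vlan1), routed via RIB",
]
PKT_RE = re.compile(r"IP: .*?s=(\d+\.\d+\.\d+\.\d+).*?d=(\d+\.\d+\.\d+\.\d+)")
SA_FAIL = "decrypted packet failed SA identity check"

def _addr(tokens, i):
    """Consume one IOS address spec (host A | A WILDCARD) and return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    # IOS wildcard bits set to 1 are "don't care"; assumes a contiguous wildcard (e.g. 0.0.0.255 -> /24).
    base = ipaddress.ip_address(addr & ~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{base}/{32 - bin(wildcard).count('1')}"), i + 2

def parse_ace(line):
    """Parse 'access-list N permit ip SRC DST' into (src_network, dst_network)."""
    tokens = line.split()
    if tokens[2:4] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are handled in this example")
    src, i = _addr(tokens, 4)
    dst, _ = _addr(tokens, i)
    return src, dst

def audit(lines, ace):
    """Sort each 'IP: s=... d=...' debug line by whether the crypto ACL selects it; count SA identity failures."""
    src_net, dst_net = parse_ace(ace)
    result = {"selected": [], "not_selected": [], "sa_identity_failures": 0}
    for line in lines:
        if SA_FAIL in line:
            result["sa_identity_failures"] += 1  # inbound decrypted packet whose identity did not match the SA
            continue
        m = PKT_RE.search(line)
        if not m:
            continue
        s, d = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        key = "selected" if s in src_net and d in dst_net else "not_selected"
        result[key].append((str(s), str(d)))
    return result
```

Run `audit(DEBUG_LINES, CRYPTO_ACL)`: the post's ping traffic (20.20.20.1 to 20.20.20.2) lands in `not_selected`, so the crypto map never touches it, while only the constructed packet to 10.128.240.1 is selected.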