IPSEC VPN with Telecom Service Provider-Need Help

khizerkhan
Level 1

Dear Friends,

I am having a bit of trouble with a unique VPN scenario. The diagram is attached with the explanation below:

1. There is an IPsec VPN established between our office router and the service provider's router; both are using public IP addresses.

2. The service provider has provided us a data SIM, which we have inserted into our branch-end router. It has a static IP address of 10.171.14.x.

3. The goal is to enable this SIM to ping our database server, which is located at our office and has a private IP of 192.168.22.249.

4. There is no firewall or any other device that is blocking the communication.

5. The service provider told us that we do not need to use IPsec on our branch router, so I can only assume that they have done something in their VRFs (service provider cloud) etc. to provide us routes with security.

6. Now the problem is that we are able to establish the IPsec VPN (please see the output of show crypto isakmp sa), but when we try to ping from either our server towards the router with the SIM, or from the router with the SIM towards our server, we get "request time out". Please review the complete configuration, as I am unable to get it to work.

Server IP address = 192.168.22.249, behind our LAN (gateway = 192.168.22.199)

Remote router with SIM has an IP address of 10.171.14.x

Branch Router Configuration:

=====================

Only a static route is configured as below:

ip route 192.168.22.0 255.255.255.0 ppp-out1 (exit interface)

Office Router Configuration (Cisco 2800 Series C2800NM-ADVSECURITYK9-M):

=====================

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key (pre-shared key) address y.y.y.y (public IP of service provider)
crypto isakmp keepalive 10
crypto ipsec transform-set ft-zong esp-3des esp-md5-hmac
crypto map Ft-Zong local-address Multilink1
crypto map Ft-Zong 5 ipsec-isakmp
 set peer y.y.y.y
 set security-association lifetime seconds 28800
 set transform-set ft-zong
 match address 110
interface Multilink1
 description $FW_OUTSIDE$
 ip address X.X.X.X 255.255.255.248 (our public IP used for peering)
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no cdp enable
 ppp multilink
 ppp multilink group 1
 crypto map Ft-Zong
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.22.199 255.255.255.0 (this IP is the default gateway of our database server)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
ip route 10.171.14.0 255.255.255.240 multilink1
access-list 110 permit ip 192.168.22.0 0.0.0.255 10.171.14.0 0.0.0.15

Another thing which is on my mind is: do we need any kind of NAT for this to work? I have talked to the service provider and they said that there is no need for any NAT. Also, when I try to trace the 10.171.14.x network from the database server, the trace goes as far as the gateway IP 192.168.22.199 and then goes dead.

Please note that I am getting "request time out", not "destination network unreachable".

Any urgent help and suggestions would be much appreciated.

[Attachment: testing diagram.png]
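A small check of the two things the office-side configuration above must agree on before any packet is encrypted: the crypto ACL (access-list 110) and the static route towards the SIM network, which has to exit the interface carrying the crypto map. This is an added worked example, not code from the poster or from Cisco; the ACL, route and interface values are copied from the configuration above, while the two sample SIM addresses (10.171.14.5 and 10.171.14.20) are assumptions, since the post only gives 10.171.14.x. It also evaluates the mirrored ACL that the router applies to decrypted return traffic.

```python
import ipaddress
from typing import Optional

# Values copied from the office router configuration posted above. The branch
# SIM address is only known as 10.171.14.x, so the addresses tried in __main__
# are assumptions for illustration.
CRYPTO_ACL = [
    # (action, source network, source wildcard, destination network, destination wildcard)
    ("permit", "192.168.22.0", "0.0.0.255", "10.171.14.0", "0.0.0.15"),
]
STATIC_ROUTES = [
    # (network, subnet mask, exit interface)
    ("10.171.14.0", "255.255.255.240", "Multilink1"),
]
CRYPTO_MAP_INTERFACE = "Multilink1"   # "crypto map Ft-Zong" is applied here


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def is_interesting(src: str, dst: str) -> bool:
    """Does an outbound packet match the crypto ACL? First match wins, implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in CRYPTO_ACL:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


def egress_interface(dst: str) -> Optional[str]:
    """Longest-prefix match over the static routes; None means no route at all."""
    best = None
    for net, mask, iface in STATIC_ROUTES:
        network = ipaddress.IPv4Network(f"{net}/{mask}")
        if ipaddress.IPv4Address(dst) in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, iface)
    return best[1] if best else None


def will_be_encrypted(src: str, dst: str) -> bool:
    """A packet enters the tunnel only if it matches the crypto ACL *and* is routed
    out of the interface that carries the crypto map."""
    return is_interesting(src, dst) and egress_interface(dst) == CRYPTO_MAP_INTERFACE


def return_traffic_accepted(src: str, dst: str) -> bool:
    """Decrypted return traffic is checked against the mirror of the crypto ACL:
    the far side's source must fall in our destination range and vice versa."""
    return is_interesting(dst, src)


if __name__ == "__main__":
    # Assumed SIM addresses: one inside the /28 the config expects, one outside it.
    for sim in ("10.171.14.5", "10.171.14.20"):
        print(sim,
              "encrypted:", will_be_encrypted("192.168.22.249", sim),
              "route:", egress_interface(sim),
              "return accepted:", return_traffic_accepted(sim, "192.168.22.249"))
```

The point of the second sample address: 0.0.0.15 and 255.255.255.240 both describe 10.171.14.0 to 10.171.14.15 only. A SIM address outside that range matches neither the crypto ACL nor the static route, so the office router never encrypts towards it and never has a route for it, which is one way to get a silent time-out rather than an unreachable message. Whether that applies here depends on the actual 10.171.14.x value, which the post does not give.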

1 Reply

Jennifer Halim
Cisco Employee

Can you please share the output of :

show cry isa sa

show cry ipsec sa
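The most useful lines in the second of those outputs are the per-SA packet counters, because they separate "nothing matches the crypto ACL" from "we send but the far side never answers". Below is an added example, not code from Jennifer Halim or Cisco, that parses a sample of show crypto ipsec sa and reads the counters. The sample text is constructed to follow the IOS output layout; its selectors mirror the poster's access-list 110, but the counter values and the X.X.X.X / y.y.y.y placeholders are invented.

```python
import re

# Constructed sample shaped like IOS "show crypto ipsec sa" output. Selectors
# mirror access-list 110 from the post; counter values are invented to show the
# one-way case (packets encapsulated, nothing ever decapsulated).
SAMPLE_OUTPUT = """\
interface: Multilink1
    Crypto map tag: Ft-Zong, local addr X.X.X.X

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.171.14.0/255.255.255.240/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

LOCAL_RE = re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text: str) -> list:
    """Return one record per 'local ident' block with its selectors and counters."""
    records = []
    current = None
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            current = {"local": f"{m.group(1)}/{m.group(2)}", "remote": None,
                       "encaps": 0, "decaps": 0}
            records.append(current)
            continue
        if current is None:
            continue
        m = REMOTE_RE.search(line)
        if m:
            current["remote"] = f"{m.group(1)}/{m.group(2)}"
            continue
        m = ENCAPS_RE.search(line)
        if m:
            current["encaps"] = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m:
            current["decaps"] = int(m.group(1))
    return records


def diagnose(record: dict) -> str:
    """Map the encaps/decaps pair to the question to ask next."""
    e, d = record["encaps"], record["decaps"]
    if e == 0 and d == 0:
        return "no traffic matched the crypto ACL in either direction: check the ACL and the route to the crypto-map interface"
    if e > 0 and d == 0:
        return "sending but nothing comes back: check the far side's return route and its mirrored selectors"
    if e == 0 and d > 0:
        return "receiving but not sending: check the local route and crypto ACL for the reply"
    return "bidirectional: packets flow both ways, look beyond the tunnel"


if __name__ == "__main__":
    for rec in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(rec["local"], "->", rec["remote"],
              f"encaps={rec['encaps']} decaps={rec['decaps']}:", diagnose(rec))
```

Read the counters after sending a fixed number of pings: if encaps grows by that number the office router is encrypting towards the SIM network, and a decaps counter stuck at zero places the problem on the return path, which is exactly the case the provider's "no IPsec on the branch" arrangement makes hard to see from the office end.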