03-11-2013 12:00 AM - edited 02-21-2020 06:45 PM
Dear Friends,
I am having a bit of trouble with a unique VPN scenario. The diagram is attached with the explanation below:
1. There is an IPsec VPN established between our office router and the service provider's router; both are using public IP addresses.
2. The service provider has provided us a data SIM, which we have inserted into our branch-end router. It has a static IP address of 10.171.14.x.
3. The goal is to enable this SIM to ping our database server, which is located at our office and has a private IP of 192.168.22.249.
4. There is no firewall or any other device blocking the communication.
5. The service provider told us that we do not need to use IPsec on our branch router, so I can only assume that they have done something in their VRFs (service provider cloud) etc. to provide us routes with security.
6. Now the problem is that we are able to establish the IPsec VPN (please see the output of show crypto isakmp sa), but when we try to ping from either our server towards the router with the SIM, or from the router with the SIM towards our server, we get "request timed out". Please review the complete configuration, as I am unable to get it to work.
Server IP Address=192.168.22.249 behind our LAN (gateway=192.168.22.199)
Remote router with Sim has an IP Address=10.171.14.x
Branch Router Configuration:
=====================
Only a static route is configured as below:
ip route 192.168.22.0 255.255.255.0 ppp-out1
! ppp-out1 is the exit interface
Office Router Configuration (Cisco 2800 Series C2800NM-ADVSECURITYK9-M):
=====================
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
! (pre-shared key) is a placeholder; y.y.y.y is the public IP of the service provider
crypto isakmp key (pre-shared key) address y.y.y.y
crypto isakmp keepalive 10
!
crypto ipsec transform-set ft-zong esp-3des esp-md5-hmac
!
crypto map Ft-Zong local-address Multilink1
crypto map Ft-Zong 5 ipsec-isakmp
 set peer y.y.y.y
 set security-association lifetime seconds 28800
 set transform-set ft-zong
 match address 110
!
interface Multilink1
 description $FW_OUTSIDE$
 ! X.X.X.X is our public IP used for peering
 ip address X.X.X.X 255.255.255.248
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no cdp enable
 ppp multilink
 ppp multilink group 1
 crypto map Ft-Zong
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ! this IP is configured on our database server as its default gateway
 ip address 192.168.22.199 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip route 10.171.14.0 255.255.255.240 Multilink1
!
access-list 110 permit ip 192.168.22.0 0.0.0.255 10.171.14.0 0.0.0.15
Another thing on my mind: do we need any kind of NATting for this to work? I have talked to the service provider and they said there is no need for any NATting. Also, when I try to trace the 10.171.14.x network from the database server, the trace goes as far as the gateway IP 192.168.22.199 and then goes dead.
Please note that I am getting "request timed out", not "destination network unreachable".
Any urgent help and suggestions would be much appreciated.
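As an added diagnostic aid (not part of the original post or of any reply in this thread), the following Python models the office-router pieces quoted above (ACL 110, the static route to 10.171.14.0/28, and the interface carrying the crypto map) and parses a constructed `show crypto ipsec sa` excerpt to separate "traffic never hits the crypto map" from "traffic leaves encrypted but nothing comes back". The SIM addresses 10.171.14.5 and 10.171.14.20 are assumed values, because the post only gives 10.171.14.x; the counters in the excerpt are invented, and only the `#pkts encaps` / `#pkts decaps` line format follows IOS.

```python
"""Offline sanity checks for the office-router side of the tunnel described above.

Added example, not from the original post: it models ACL 110 and the static route as
posted, and parses a *constructed* `show crypto ipsec sa` excerpt (IOS counter line
format; the numbers are invented) to tell one-way traffic from no traffic at all.
"""
from __future__ import annotations

import ipaddress
import re


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair (e.g. 10.171.14.0 0.0.0.15) into a network."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


class CryptoAcl:
    """Minimal model of an extended ACL used as a crypto map 'match address'."""

    def __init__(self) -> None:
        self.entries: list[tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]] = []

    def permit_ip(self, src: str, src_wc: str, dst: str, dst_wc: str) -> CryptoAcl:
        self.entries.append((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
        return self

    def matches(self, src: str, dst: str) -> bool:
        """True if src->dst is 'interesting traffic' for this crypto map."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        return any(s in sn and d in dn for sn, dn in self.entries)

    def mirror(self) -> CryptoAcl:
        """The ACL the peer must hold (source/destination swapped) for the return traffic."""
        m = CryptoAcl()
        m.entries = [(dn, sn) for sn, dn in self.entries]
        return m


# The office router's crypto ACL, static route and crypto-map interface, as posted.
ACL_110 = CryptoAcl().permit_ip("192.168.22.0", "0.0.0.255", "10.171.14.0", "0.0.0.15")
STATIC_ROUTE = {"network": ipaddress.IPv4Network("10.171.14.0/28"), "exit": "Multilink1"}
CRYPTO_MAP_INTERFACE = "Multilink1"

# Constructed `show crypto ipsec sa` excerpt: IOS counter line format, invented values.
SAMPLE_SHOW_IPSEC_SA = """\
interface: Multilink1
    Crypto map tag: Ft-Zong, local addr X.X.X.X

   local  ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.171.14.0/255.255.255.240/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

_COUNTERS = {
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "send_errors": r"#send errors\s*(\d+)",
    "recv_errors": r"#recv errors\s*(\d+)",
}


def parse_ipsec_sa(text: str) -> dict[str, int | None]:
    """Extract the per-SA packet counters; a counter is None when its line is absent."""
    out = {}
    for name, pattern in _COUNTERS.items():
        m = re.search(pattern, text)
        out[name] = int(m.group(1)) if m else None
    return out


def diagnose(src: str, dst: str, sa_text: str, acl: CryptoAcl = ACL_110,
             route=STATIC_ROUTE, crypto_map_iface: str = CRYPTO_MAP_INTERFACE) -> list[str]:
    """Return human-readable findings for a ping from src to dst through the tunnel."""
    findings = []
    if ipaddress.IPv4Address(dst) not in route["network"]:
        findings.append(f"{dst} is not covered by the static route for {route['network']}")
    if route["exit"].lower() != crypto_map_iface.lower():
        findings.append(f"route exits {route['exit']} but the crypto map is on {crypto_map_iface}")
    if not acl.matches(src, dst):
        findings.append(f"{src}->{dst} does not match the crypto ACL: it would leave in the clear")
    c = parse_ipsec_sa(sa_text)
    if c["encaps"] is None:
        findings.append("no IPsec SA for this flow: nothing has triggered the crypto map yet")
    elif c["encaps"] > 0 and not c["decaps"]:
        findings.append("one-way: packets are encapsulated but none are decapsulated; the peer "
                        "is not sending (or not encrypting) return traffic, check its mirrored "
                        "ACL and its route back to 192.168.22.0/24")
    elif c["encaps"] == 0:
        findings.append("no packets encapsulated: the traffic never reached the crypto map")
    if c["recv_errors"]:
        findings.append(f"{c['recv_errors']} receive errors: check transform set / SPI mismatch")
    return findings


if __name__ == "__main__":
    # 10.171.14.5 is an assumed SIM address inside the posted /28; 10.171.14.20 lies outside it.
    for sim_ip in ("10.171.14.5", "10.171.14.20"):
        print(sim_ip)
        for line in diagnose("192.168.22.249", sim_ip, SAMPLE_SHOW_IPSEC_SA):
            print("  -", line)
```

To use it against the real router, paste the actual `show crypto ipsec sa` output into SAMPLE_SHOW_IPSEC_SA and put the real SIM address in place of the assumed ones. Encaps climbing while decaps stays at zero points at the provider side (its mirrored ACL or its route back to 192.168.22.0/24) rather than at this router; zero encaps means the pings never hit the crypto map, which is also where a SIM address outside 10.171.14.0/28 would show up, since neither the static route nor ACL 110 would cover it.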
03-11-2013 06:27 AM
Can you please share the output of :
show cry isa sa
show cry ipsec sa