08-23-2002 02:39 AM - edited 02-21-2020 12:01 PM
I have a 1720 router with an outside public IP address to connect to the ISP, and I got a range of public IP addresses for the inside interfaces. The 1721 has the ip/fw/ipsec 3DES bundle and a crypto card. I am configuring the router so that VPN client 1.1 should connect to it through dialup.
The configuration is like this:
----------------------------------------
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local test-pool
!
!
crypto ipsec transform-set test-tranfer esp-3des esp-sha-hmac
!
crypto dynamic-map test-dynamic 10
 set transform-set test-tranfer
!
!
crypto map test client configuration address initiate
crypto map test client configuration address respond
crypto map test 10 ipsec-isakmp dynamic test-dynamic
!
interface FastEthernet0
 ip address 213.x.x.x 255.255.255.x
 speed auto
!
interface Serial0
 description connected to etisalat
 ip address 194.x.x.x 255.255.255.x
 crypto map test
!
ip local pool test-pool 213.42.x.1 213.42.x.100
ip classless
ip subnet-zero
ip route 0.0.0.0 0.0.0.0 194.x.x.x
no ip http server
ip http port 8080
ip pim bidir-enable
!
--------------------------
When I try to ping the outside interface of the router from a PC having VPN installed (1.1), and when I give the debug crypto engine command on the router, it says "packet lost due to missing cryptomap".
Can anybody tell me where I am wrong? What extra configuration do I need?
Any help would be highly appreciated.
Tanweer
08-23-2002 07:50 AM
What happens when you ping the internal interface or internal servers? Is the pool of addresses on the same subnet as the internal interface?
08-23-2002 08:20 PM
Since I can't ping the outside interface of the router, I can't ping the inside either. Moreover, the pool of IP addresses I took is from the same class, but of course a different subnet.
Any help will be highly appreciated.
09-01-2002 10:44 PM
Are these protocols enabled on the outside interface? Enable and check.
AH=51/ESP=50/ISAKMP=500
09-02-2002 06:52 AM
Change the local pool to be something that is nowhere on your network, like 10.1.1.1-254.
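The two checks suggested in the replies above (that ESP, AH and ISAKMP on UDP port 500 can reach the crypto-map interface, and that the client pool is not inside a subnet already on the router) can be run against a saved configuration. This is an added example, not part of the original thread: the `audit` function and the sample configuration are constructed for illustration, and the parser only understands simple numbered `access-list ... permit` entries.

```python
import ipaddress

# Constructed sample config (documentation addresses), not the poster's router.
SAMPLE = """\
interface FastEthernet0
 ip address 198.51.100.1 255.255.255.0
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 crypto map test
!
access-list 101 permit udp any host 192.0.2.1 eq isakmp
ip local pool test-pool 198.51.100.50 198.51.100.100
"""

def audit(config):
    nets, acl_in, crypto, acls, pools, iface = {}, {}, [], {}, [], None
    for raw in config.splitlines():
        w = raw.split() or ["!"]              # blank line treated like "!"
        if w[0] == "!":
            iface = None                      # "!" ends the interface block
        elif w[0] == "interface":
            iface = w[1]
        elif iface and w[:2] == ["ip", "address"]:
            nets[iface] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif iface and w[:2] == ["ip", "access-group"] and w[-1] == "in":
            acl_in[iface] = w[2]
        elif iface and w[:2] == ["crypto", "map"]:
            crypto.append(iface)
        elif w[0] == "access-list" and w[2:3] == ["permit"] and len(w) > 3:
            acls.setdefault(w[1], []).append(w[3:])
        elif w[:3] == ["ip", "local", "pool"] and len(w) > 5:
            pools.append((w[3], w[4], w[5]))
    findings = []
    for i in crypto:
        rules = acls.get(acl_in.get(i), [])
        if i not in acl_in or any(r[0] == "ip" for r in rules):
            continue                          # no inbound filter, or all IP permitted
        protos = {r[0] for r in rules}        # simplification: deny lines, addresses ignored
        for label, names in (("ESP (50)", {"esp", "50"}), ("AH (51)", {"ahp", "51"})):
            if not protos & names:
                findings.append(f"{i}: ACL {acl_in[i]} does not permit {label}")
        if not any(r[0] == "udp" and r[-2:] in (["eq", "isakmp"], ["eq", "500"]) for r in rules):
            findings.append(f"{i}: ACL {acl_in[i]} does not permit ISAKMP (UDP 500)")
    for name, start, end in pools:
        blocks = ipaddress.summarize_address_range(ipaddress.ip_address(start), ipaddress.ip_address(end))
        hit = sorted({i for b in blocks for i, n in nets.items() if b.overlaps(n)})
        findings += [f"pool {name} overlaps {i} subnet {nets[i]}" for i in hit]
    return findings
```

Calling `audit(SAMPLE)` reports the missing ESP and AH permits on Serial0 and the pool that falls inside the FastEthernet0 subnet; an interface with a crypto map and no inbound ACL produces no filter findings.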