02-10-2011 03:50 AM
Hi Guys,
Please help me with how to configure two segments in one VPN tunnel. Our client has two segments, 10.15 and 192.168. We have already established VPN connectivity. We can ping the 10.15 segment, but we cannot ping 192.168. Herewith the configuration example.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 11.11.11.11
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel
set peer 11.11.11.11
set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA
match address 102
access-list 101 deny ip 192.168.202.0 0.0.0.255 host 10.15.0.177
access-list 101 deny ip 192.168.202.0 0.0.0.255 host 192.168.30.174
access-list 101 permit ip 192.168.202.0 0.0.0.255 any
access-list 102 permit ip 192.168.202.0 0.0.0.255 host 10.15.0.178
access-list 102 permit ip 192.168.202.0 0.0.0.255 host 192.168.30.174
Here is the extended ping.
02-10-2011 05:35 AM
Hi,
Your side has 192.168.202.0/24 and you can PING 10.15 successfully but not 192.168.30.174.
Check that the ASA has a route to 192.168.30.174 pointing to the outside interface.
Also check that the client has defined the 192.168.30.174 as part of the VPN traffic correctly.
Federico.
02-10-2011 05:51 AM
- Hi,
1 Your side has 192.168.202.0/24 and you can PING 10.15 successfully but not 192.168.30.174.
2 Check that the ASA has a route to 192.168.30.174 pointing to the outside interface.
3 Also check that the client has defined the 192.168.30.174 as part of the VPN traffic correctly.
- Federico.
Hi Federico,
Thank you so much for the immediate reply.
1 Yes, that is true.
2 Yes, the client is using an ASA. However, we are not sure if they really have a route to 192.168.30.174 pointing to their outside interface. Will ask.
3 I will check and ask the client.
Is my configuration correct or misconfigured? Btw, we are using a 2821 on our part.
Darwin.
02-10-2011 09:28 PM
Hi Darwin,
Please check if the traffic to 192.168.30.174 is in the NAT exemption as well.
Please paste the route-map configuration of the router.
Also ensure the other end of the VPN tunnel has the interesting traffic of 192.168.30.174 to 192.168.202.0/24 defined along with the other interesting traffic.
Ensure that the routing is in place for the network.
Rest of the configuration posted seems fine.
Also please paste the output of sh cry ips sa peer
Regards,
Anisha
02-10-2011 10:48 PM
Hi Anisha,
Are you asking the other end of the VPN tunnel?
Btw, this is the output.
local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.174/255.255.255.255/0/0)
current_peer 11.11.11.11 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 22.22.22.22, remote crypto endpt.: 11.11.11.11
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x640FD2DF(1678758623)
inbound esp sas:
spi: 0x30CDF135(818802997)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4492009/28692)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x640FD2DF(1678758623)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4492008/28691)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.15.0.177/255.255.255.255/0/0)
current_peer 11.11.11.11 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 22.22.22.22, remote crypto endpt.: 11.11.11.11
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xAFA9F3EF(2947150831)
inbound esp sas:
spi: 0xD01EEF00(3491688192)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: FPGA:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4424608/28666)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAFA9F3EF(2947150831)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: FPGA:2, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4424608/28666)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
Regards,
Darwin
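The output above already answers the question of which end to look at. Each local/remote ident pair is a separate flow: the 192.168.30.174 flow shows 4 packets encapsulated and 0 decapsulated, while the 10.15.0.177 flow shows 4 and 4. Encrypting without ever decrypting means the 2821 is sending and nothing is coming back, which points at the far side (its route, its mirrored interesting-traffic ACL, its NAT exemption) or at the return path, not at the local crypto map. The Python below is an added example, not from the thread or from Cisco, that parses `show crypto ipsec sa` text into per-flow counters and flags such one-way flows; the sample input is an abridged copy of the output quoted above.

```python
import re

# Constructed sample input: an abridged copy of the 'show crypto ipsec sa'
# output quoted in this thread (one flow per local/remote ident pair).
SAMPLE_SA_OUTPUT = """\
local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.174/255.255.255.255/0/0)
current_peer 11.11.11.11 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 1, #recv errors 0
local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.15.0.177/255.255.255.255/0/0)
current_peer 11.11.11.11 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors 1, #recv errors 0
"""

IDENT_RE = re.compile(r"^\s*(local|remote) ident .*?:\s*\((\S+?)/(\S+?)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SEND_ERR_RE = re.compile(r"#send errors (\d+)")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per flow: each
    'local ident' line starts a flow, and the remote ident and the
    encaps/decaps/send-error counters that follow are attached to it."""
    flows = []
    current = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                current = {"local": f"{addr}/{mask}", "remote": None,
                           "encaps": 0, "decaps": 0, "send_errors": 0}
                flows.append(current)
            elif current is not None:
                current["remote"] = f"{addr}/{mask}"
            continue
        if current is None:
            continue
        for counter, value in PKTS_RE.findall(line):
            current[counter] = int(value)
        m = SEND_ERR_RE.search(line)
        if m:
            current["send_errors"] = int(m.group(1))
    return flows


def one_way_flows(flows):
    """Remote idents this router encrypts toward but never receives from.
    The local side is doing its part for these; check the far end's route,
    mirrored crypto ACL and NAT exemption, or the return path."""
    return [f["remote"] for f in flows if f["encaps"] > 0 and f["decaps"] == 0]


if __name__ == "__main__":
    flows = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    for f in flows:
        print(f"{f['local']} -> {f['remote']}: "
              f"encaps={f['encaps']} decaps={f['decaps']}")
    print("one-way flows:", one_way_flows(flows))
```

Run it against a fresh capture after clearing the counters and re-sending the extended ping: a flow that stays at decaps 0 while encaps climbs keeps pointing away from this router, whereas encaps staying at 0 means the traffic never matched the crypto ACL here in the first place.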