02-05-2011 06:16 AM - edited 02-21-2020 05:09 PM
Hi guys,
I'm trying to connect two 1841 routers using IPsec/GRE.
The situation is as below:
router A ----- Internet ----- router b
Router A config:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address bb.bb.bb.bb
!
crypto ipsec transform-set TFMset esp-3des esp-md5-hmac
!
crypto ipsec profile ToB
 set transform-set TFMset
!
! Tunnel0 is an IPsec VTI (tunnel mode ipsec ipv4); routes for the
! remote LAN have to point at this interface for traffic to be encrypted
interface Tunnel0
 description *** To B ***
 ip address 100.100.100.1 255.255.255.252
 tunnel source aa.aa.aa.aa
 tunnel destination bb.bb.bb.bb
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ToB
!
interface FastEthernet0/0
 ip address aa.aa.aa.aa 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 11.11.11.11 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
! PAT everything from the LAN except traffic destined for B's LAN
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
ip access-list extended IPNAT
 deny   ip 11.11.11.0 0.0.0.255 22.22.22.0 0.0.0.255
 permit ip 11.11.11.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address IPNAT
Router B config:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address aa.aa.aa.aa
!
crypto ipsec transform-set TFMset esp-3des esp-md5-hmac
!
crypto ipsec profile ToA
 set transform-set TFMset
!
! Tunnel0 takes the other address of the /30 (.2), since A already has .1
interface Tunnel0
 description *** To A ***
 ip address 100.100.100.2 255.255.255.252
 tunnel source bb.bb.bb.bb
 tunnel destination aa.aa.aa.aa
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ToA
!
interface FastEthernet0/0
 ip address bb.bb.bb.bb 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 22.22.22.22 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
! PAT everything from the LAN except traffic destined for A's LAN
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
ip access-list extended IPNAT
 deny   ip 22.22.22.0 0.0.0.255 11.11.11.0 0.0.0.255
 permit ip 22.22.22.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address IPNAT
I can see the crypto ISAKMP SA and the tunnel up, but I'm not able to ping the remote LAN IP.
Do you guys have any idea on this?
Thanks...
02-05-2011 07:28 AM
Hi,
Try to create a static route on a router for the remote network, pointing to the tunnel source as its gateway.
The following is one useful link:-
https://learningnetwork.cisco.com/docs/DOC-2457
Thanks,
Shilpa
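As an added example (not part of the original thread or of either poster's configs), this is what the suggested fix looks like on the posted configuration: a static route on each router that sends the remote LAN prefix into Tunnel0, plus the show commands used to confirm that traffic is actually being encrypted. It assumes Router B's Tunnel0 is numbered 100.100.100.2 (the two ends of a /30 cannot share an address) and that the default routes on FastEthernet0/0 stay in place.

```cisco
! Router A: reach B's LAN through the VTI. For a point-to-point VTI the
! interface form is enough; "ip route 22.22.22.0 255.255.255.0 100.100.100.2"
! is equivalent.
ip route 22.22.22.0 255.255.255.0 Tunnel0
!
! Router B (Tunnel0 assumed to be 100.100.100.2/30): the mirror route.
ip route 11.11.11.0 255.255.255.0 Tunnel0
!
! Leave the default route on FastEthernet0/0. If the tunnel endpoints
! (aa.aa.aa.aa / bb.bb.bb.bb) themselves ever became reachable via Tunnel0,
! IOS would log %TUN-5-RECURDOWN ("temporarily disabled due to recursive
! routing") and the VTI would flap.
!
! Verification on Router A once the routes are in:
! show ip route 22.22.22.0
!   the expected entry is "S    22.22.22.0/24 is directly connected, Tunnel0"
! ping 22.22.22.22 source 11.11.11.11
!   sourced from the LAN address so it takes the same path as LAN traffic
!   and matches the deny ACE in IPNAT (no translation)
! show crypto ipsec sa | include encaps|decaps
!   "#pkts encaps" and "#pkts decaps" should both increment per ping;
!   encaps rising while decaps stays at 0 means the reply is not being
!   routed into the tunnel on the far side
```

Separately from the reachability problem, the posted policy negotiates 3DES, MD5 and DH group 2 with the pre-shared key `cisco`. On an IOS release that supports them, `encr aes 256`, `hash sha256` and `group 14` in the ISAKMP policy, `esp-aes 256 esp-sha256-hmac` in the transform set, and a long random pre-shared key are the minimum to use on a production link.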
02-05-2011 06:52 AM
Hi,
Please try using transport mode in the transform set on both routers with the following commands:
crypto ipsec transform-set TFMset esp-3des esp-md5-hmac
 mode transport
Please let me know if it helps.
02-05-2011 07:04 AM
Hi,
I tried changing to transport mode, but I am still unable to ping the LAN interfaces of the peer.
Is there any issue with the routing or access lists?
Thanks..
02-05-2011 07:06 AM
Hi,
Thanks for the update.
Are you using any routing protocol on routers?
Also please paste the output of 'sh ip route' and check if there is any access-list blocking the traffic.
Thanks,
Shilpa
02-05-2011 07:12 AM
The routers are not using any routing protocols.
show ip route:
     100.0.0.0/30 is subnetted, 1 subnets
C       100.100.100.0 is directly connected, Tunnel0
     22.22.22.0/24 is subnetted, 1 subnets
C       bb.bb.bb.bb is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, FastEthernet0/0
The only access lists are for NAT; there aren't any other access lists.
02-05-2011 10:53 PM
Hi Shilpa,
Using dynamic routing, I saw the routes learned via the tunnel.
The issue was solved after adding a static route for the LAN segment pointing to the remote tunnel IP.
Thanks.
02-05-2011 10:57 PM
Hi,
That's great.
Thanks,
Shilpa