ipsec/gre LAN issue

su-ren.foo
Level 1

Hi guys,

I'm trying to connect two 1841 routers using IPsec/GRE.

The situation is as below:

router A ----- Internet ----- router B

Router A config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address bb.bb.bb.bb
!
crypto ipsec transform-set TFMset esp-3des esp-md5-hmac
!
crypto ipsec profile ToB
 set transform-set TFMset
!
interface Tunnel0
 description *** To B ***
 ip address 100.100.100.1 255.255.255.252
 tunnel source aa.aa.aa.aa
 tunnel destination bb.bb.bb.bb
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ToB
!
interface FastEthernet0/0
 ip address aa.aa.aa.aa 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 11.11.11.11 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
ip access-list extended IPNAT
 deny   ip 11.11.11.0 0.0.0.255 22.22.22.0 0.0.0.255
 permit ip 11.11.11.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address IPNAT

Router B config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address aa.aa.aa.aa
!
crypto ipsec transform-set TFMset esp-3des esp-md5-hmac
!
crypto ipsec profile ToA
 set transform-set TFMset
!
interface Tunnel0
 description *** To A ***
 ! the two ends of the /30 must use different addresses; A already holds .1
 ip address 100.100.100.2 255.255.255.252
 tunnel source bb.bb.bb.bb
 tunnel destination aa.aa.aa.aa
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ToA
!
interface FastEthernet0/0
 ip address bb.bb.bb.bb 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 22.22.22.22 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
ip access-list extended IPNAT
 deny   ip 22.22.22.0 0.0.0.255 11.11.11.0 0.0.0.255
 permit ip 22.22.22.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address IPNAT

I can see the crypto ISAKMP SA and the tunnel come up, but I'm not able to ping the remote LAN IP.

Do you guys have any idea on this?

Thanks...

Accepted Solution

Hi,

Try to create a static route on the router for the remote network, pointing to the tunnel source as its gateway.

The following is a useful link:

https://learningnetwork.cisco.com/docs/DOC-2457

Thanks,

Shilpa

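The fix the thread converges on, written out as an added worked example (this is not the thread's own config or Cisco's): both routers, with a static route for the remote LAN pointing at the far end of the tunnel. Addresses, interface names, the NAT route-map and the cipher suite are taken from the posts above so the two line up; the pre-shared key is a placeholder, and Router B's tunnel address is assumed to be 100.100.100.2 (the other usable address of the /30). The reason the route matters: `tunnel mode ipsec ipv4` is an IPsec VTI, so a packet is only encrypted if the routing table hands it to Tunnel0. With nothing but the default route, a packet for 22.22.22.0/24 leaves FastEthernet0/0 in the clear and is PATed towards the Internet, which is exactly the "ISAKMP is up but I can't ping the remote LAN" symptom. Changing the transform-set to transport mode cannot change that forwarding decision.

```cisco
! ===== Router A (added example, not the original poster's config) =====
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! placeholder: use a long random secret, never a dictionary word like "cisco"
crypto isakmp key REPLACE-WITH-STRONG-PSK address bb.bb.bb.bb
!
crypto ipsec transform-set TFMset esp-3des esp-md5-hmac
!
crypto ipsec profile ToB
 set transform-set TFMset
!
interface Tunnel0
 description *** To B ***
 ip address 100.100.100.1 255.255.255.252
 tunnel source aa.aa.aa.aa
 tunnel destination bb.bb.bb.bb
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ToB
!
interface FastEthernet0/0
 ip address aa.aa.aa.aa 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 11.11.11.11 255.255.255.0
 ip nat inside
!
! Internet traffic still follows the default route
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
! THE FIX: the remote LAN is reached through the tunnel, next hop = B's tunnel address
ip route 22.22.22.0 255.255.255.0 100.100.100.2
!
! Internet PAT; the deny ACE keeps LAN-to-LAN traffic out of the translation table
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
ip access-list extended IPNAT
 deny   ip 11.11.11.0 0.0.0.255 22.22.22.0 0.0.0.255
 permit ip 11.11.11.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address IPNAT
!
! ===== Router B (mirror image of A) =====
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address aa.aa.aa.aa
!
crypto ipsec transform-set TFMset esp-3des esp-md5-hmac
!
crypto ipsec profile ToA
 set transform-set TFMset
!
interface Tunnel0
 description *** To A ***
 ! assumed: the second usable address of the /30, distinct from A's .1
 ip address 100.100.100.2 255.255.255.252
 tunnel source bb.bb.bb.bb
 tunnel destination aa.aa.aa.aa
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ToA
!
interface FastEthernet0/0
 ip address bb.bb.bb.bb 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 22.22.22.22 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
! THE FIX on this side: A's LAN via A's tunnel address
ip route 11.11.11.0 255.255.255.0 100.100.100.1
!
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
ip access-list extended IPNAT
 deny   ip 22.22.22.0 0.0.0.255 11.11.11.0 0.0.0.255
 permit ip 22.22.22.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address IPNAT
```

To verify on Router A: `show ip route 22.22.22.0` should now list Tunnel0 via 100.100.100.2; `ping 22.22.22.22 source 11.11.11.11` should succeed (a ping sourced from aa.aa.aa.aa would not match the tunnel route and proves nothing about the LAN path); and the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa` should increment with each ping. `show ip nat translations` should show no entries for 11.11.11.x to 22.22.22.x: on the inside-to-outside path IOS routes before it translates, so traffic that the new route sends into Tunnel0 (which is not marked `ip nat outside`) is never PATed, and the deny ACE is belt and braces rather than the thing that makes it work. Two caveats a practitioner would add: if pings pass but TCP sessions hang, the usual cause is MTU, fixed with `ip tcp adjust-mss` on Tunnel0; and 3DES, MD5 and DH group 2 are kept here only to match the thread, so on an image that supports them prefer AES and SHA-2 (for example `esp-aes 256 esp-sha256-hmac` with `encr aes 256`, `hash sha256` and `group 14` in the ISAKMP policy).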

7 Replies

Shilpa Gupta
Cisco Employee

Hi,

Please try to use transport mode in the transform set on both routers by using the following commands (`mode transport` is entered as a subcommand of the transform set, on its own line):

crypto ipsec transform-set TFMset esp-3des esp-md5-hmac
 mode transport

Please let me know if it helps.

Hi,

I tried changing to transport mode, but I am still unable to ping the LAN interfaces of the peer.

Is there any issue with the routing or the access lists?

Thanks..

Hi,

Thanks for the update.

Are you using any routing protocol on routers?

Also please paste the output of 'sh ip route' and check if there is any access-list blocking the traffic.

Thanks,

Shilpa

The routers are not using any routing protocols.

show ip route:

     100.0.0.0/30 is subnetted, 1 subnets
C       100.100.100.0 is directly connected, Tunnel0
     22.22.22.0/24 is subnetted, 1 subnets
C       bb.bb.bb.bb is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, FastEthernet0/0

The only access lists are for NAT; there aren't any other access lists.

Hi Shilpa,

Using dynamic routing, I saw the routes learned via the tunnel.

The issue was solved after adding a static route for the LAN segment pointing to the remote tunnel IP.

Thanks.

Hi,

That's great.

Thanks,

Shilpa