ipSec over ADSL 827

dcourtier
Level 1

Has anyone out there got a working IPsec config for an 827 using a dialer interface they can send me?

I have converted a config from a serial interface router and find the outbound tunnel packets are encrypted but not transmitted, as NAT is taking over and the ACL is denying them. The crypto session is up okay, and I can send packets the other way.

The NAT config is exactly the same as for a serial router which bench tests fine, without NAT'ing tunnel packets.

regards,

6 Replies

cjacinto
Cisco Employee

It would be similar to:

http://www.cisco.com/warp/customer/707/overload_private.shtml

except the ethernet is a dialer interface. I assume that you get a static ip address for your dialer interface.

Thanks,

That example was one of the ones I've been working from. My scenario has static IPs at both sites, with an e-mail server at the main site running through an 805, which is similar to the Cisco example http://www.cisco.com/warp/customer/707/static.html

I think the problem is related to the 827 having an ATM interface, the ATM subinterface and the Dialer interface, because the exact same config works fine on a serial interface router. I have the local Cisco folk also scratching their heads!

Have you tried to configure an IPsec encryption scheme over a generic GRE tunnel? That way you should avoid the ATM interface problem.

Bye GV

3lgangitano
Level 1

I've just encountered the same problem.

I've solved the NAT problem using the example cited in other replies (route-map nonat), but now I have another problem:

- packets are encrypted but not sent out on the Dialer interface (I've checked with a sniffer on the ISP's ADSL router)

Consider that:

- IPSec handshaking between the 827 and a PIX is OK

- SAs are correctly set up

- show crypto ipsec sa states that packets are successfully encrypted

Any hint?

Thanks a lot.

L

Thanks for the GRE suggestion. The local Cisco folk have managed to find a GRE sample config for an 827 so I hope to try that out this week. Will post the config here once I've got it working.

cheers.

Found the problem. It's called Cisco IOS 12.1(3)XG3

as per the release notes:

CSCdr69152

For IPSec to work properly on some IPSec interfaces, fast switching must be explicitly disabled by entering the commands no ip route-cache and no ip mroute-cache. This might impact IPSec functionality under certain encapsulation modes.

For example, if you use a dialer interface to configure PPP over ATM encapsulation or PPP over Ethernet encapsulation and apply IPSec to the interface, fast switching must be explicitly disabled for IPSec to work. For a bridge group virtual interface to function properly as an IPSec interface, fast switching must also be disabled. IPSec works properly with fast switching enabled when applied on other interfaces, such as ATM or virtual interfaces.

Fast switching is automatically enabled by default. To work around this problem, disable fast switching on IPSec interfaces.
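The fragment below puts the two fixes from this thread side by side in one 827 configuration: the NAT exemption with route-map nonat (the earlier reply) and fast switching disabled on the Dialer interface as the CSCdr69152 workaround requires. It is an added example, not the original poster's config and not a Cisco sample; the LAN and public addresses (RFC 5737 documentation ranges), the PVC 8/35, the ACL numbers, the peer address, the pre-shared key placeholder and the 3DES/SHA parameters are all assumed and must be replaced with your own.

```cisco
! Added example (not from the thread). Assumed addressing:
!   local LAN 192.168.1.0/24 behind Ethernet0
!   remote LAN 192.168.2.0/24 behind the peer at 198.51.100.20
!   static public address 203.0.113.10 on Dialer0 (PPPoA over ATM0)
! 3DES needs a crypto-capable image; use "encryption des" otherwise.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.20
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! ACL 101 selects ONLY LAN-to-LAN traffic for the tunnel.
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS
 match address 101
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname REPLACE-ISP-USERNAME
 ppp chap password REPLACE-ISP-PASSWORD
 ! CSCdr69152 workaround: force process switching so IPsec
 ! actually sees the outbound packets on a PPPoA dialer.
 no ip route-cache
 no ip mroute-cache
 crypto map VPN
!
! Overload NAT, but only for traffic the route-map lets through.
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! 101: interesting traffic for the crypto map.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! 110: the deny line MUST come first, so LAN-to-LAN traffic is never
! translated and still matches ACL 101 when the crypto map evaluates it.
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
!
dialer-list 1 protocol ip permit
```

The ordering in access-list 110 is the whole NAT fix: if the permit line came first, the source address of LAN-to-LAN packets would be rewritten to 203.0.113.10 before the crypto map looked at them, they would no longer match ACL 101, and you would see exactly the original symptom (session up, nothing encrypted outbound). After applying it, `show ip nat translations` should show no entries for 192.168.2.x destinations, and the `#pkts encaps` and `#pkts encrypt` counters in `show crypto ipsec sa` should climb together with the `#send errors` counter staying at zero. Two caveats: `no ip route-cache` moves every packet on Dialer0 to process switching, which costs throughput on an 827, so apply it only on IOS trains where the release note says it is needed; and the pre-shared key and CHAP password in the example are placeholders that must be replaced before the config is used.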