07-16-2003 03:32 AM - edited 02-21-2020 12:40 PM
Hi all,
We have IPsec over GRE between a C3725 and a C1721 with ADSL. We can ping from a host to the remote router but not ping from a host to a remote host. We can also ping from the router to a remote host. What's wrong with our configuration?
Thanks
3725 IOS 12.2(13)T4
1721 IOS 12.2(15)T2
!
hostname HK
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key test address 0.0.0.0 0.0.0.0
!
!
!
crypto ipsec transform-set uw esp-3des esp-md5-hmac
!
!
!
crypto map vpn 10 ipsec-isakmp
description NBW
set peer 94.10.160.64
set transform-set uw
match address 122
!
interface Loopback0
description Loopback interface
ip address xxx.xxx.xxx.1 255.255.255.0
!
interface Tunnel0
description Tunnel Headquarter-NBW via Power ADSL
bandwidth 450
ip unnumbered FastEthernet0/0
tunnel source dialer10
tunnel destination 94.10.160.64
crypto map vpn
!
!
!
interface ATM0/0
description Power ADSL Headquarter
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 4/23
encapsulation aal5mux ppp dialer
dialer pool-member 10
!
dsl operating-mode auto
!
interface FastEthernet0/0
description LAN Hoofdkantoor
ip address xxx.xxx.254.254 255.255.0.0
ip broadcast-address 172.20.255.255
ip access-group lan-in in
ip access-group lan-out out
ip nat inside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Dialer10
description PPPoA Power ADSL HeadQuarter
bandwidth 450
ip address negotiated
ip access-group adsl-in in
ip access-group adsl-out-10 out
ip nat outside
encapsulation ppp
dialer pool 10
dialer idle-timeout 0
dialer persistent
dialer-group 10
fair-queue
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxx password yyy
crypto map vpn
!
!
router eigrp 1
variance 10
redistribute connected route-map map-distribute
passive-interface FastEthernet0/0
passive-interface Dialer10
network 172.20.0.0
maximum-paths 3
no auto-summary
!
ip nat translation timeout 300
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation icmp-timeout 10
ip nat inside source static udp 192.168.1.4 459 interface Dialer10 459
ip nat inside source static tcp 192.168.1.7 4080 interface Dialer10 4080
ip nat inside source static tcp 192.168.1.7 3080 interface Dialer10 3080
ip nat inside source static tcp 192.168.1.5 443 interface Dialer10 443
ip nat inside source static tcp 192.168.1.5 80 interface Dialer10 80
ip nat inside source static tcp 192.168.1.3 113 interface Dialer10 113
ip nat inside source static tcp 192.168.1.3 25 interface Dialer10 25
ip nat inside source static tcp 192.168.1.3 22 interface Dialer10 22
ip nat inside source route-map map-dialer10 interface Dialer10 overload
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 Dialer10 100
ip route 172.22.253.0 255.255.255.0 172.20.11.4 permanent
ip route 94.10.160.64 255.255.255.255 Dialer10
ip route 195.112.162.253 255.255.255.255 FastEthernet0/0 permanent
ip http server
!
!
ip access-list extended adsl-in
remark Spoofed addresses
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip host 255.255.255.255 any log
remark VPN
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit gre 94.10.160.0 0.0.0.255 94.10.160.0 0.0.0.255
permit esp any any
remark Established sessions
permit tcp any any established
remark TCP services
permit tcp any any eq 22
permit tcp any any eq smtp
permit tcp any any eq www
permit tcp any any eq ident
permit tcp any any eq 443
permit tcp any any eq 3080
permit tcp any any eq 4080
ip access-list extended adsl-out-10
permit ip host 94.10.160.114 any
deny tcp any any eq 1 log
deny ip any any log
ip access-list extended dialer10-overload
permit ip 192.168.1.0 0.0.0.255 any
permit ip host 172.20.11.2 any
ip access-list extended lan-in
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
permit ip any 10.0.0.0 0.255.255.255
permit ip any 224.0.0.0 15.255.255.255
permit ip any host 255.255.255.255
permit ip any 212.136.50.0 0.0.1.255
permit ip 195.112.162.252 0.0.0.3 any
permit ip host 172.20.11.11 host 213.84.187.156
deny tcp any any eq 1 log
deny ip any any log
ip access-list extended lan-out
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
permit ip 212.136.50.0 0.0.1.255 any
permit ip any 195.112.162.252 0.0.0.3
permit ip host 94.10.6.12 host 172.20.11.2
permit ip host 213.84.187.156 host 172.20.11.11
deny tcp any any eq 1 log
deny ip any any log
!
map-class dialer perm
dialer idle-timeout 86400
dialer wait-for-carrier-time 20
logging trap debugging
logging facility local0
logging 172.20.11.2
access-list 122 remark IPsec NBW
access-list 122 permit gre host 94.10.160.114 host 94.10.160.64
dialer-list 10 protocol ip permit
!
route-map map-distribute permit 100
description Routes distributed via EIGRP
match interface Loopback0
!
route-map map-dialer10 permit 10
match ip address dialer10-overload
match interface Dialer10
!
!
hostname Indus2
!
!
!
ip cef
ip audit notify log
ip audit po max-events 100
!
isdn switch-type basic-net3
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key test address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set uw esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 94.10.160.114
set transform-set uw
match address 110
!
!
!
interface Tunnel0
description Tunnel NBW-Hoofdkantoor via Power ADSL
bandwidth 450
ip unnumbered FastEthernet0
tunnel source Dialer10
tunnel destination 94.10.160.114
crypto map vpn
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 4/23
encapsulation aal5mux ppp dialer
dialer pool-member 10
!
dsl operating-mode auto
!
interface FastEthernet0
ip address 172.22.254.254 255.255.0.0
ip access-group lan-in in
ip access-group lan-out out
ip helper-address 172.20.11.2
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
interface Dialer10
description PPoA Power ADSL NBW - 94.10.160.64
bandwidth 450
ip address negotiated
ip access-group adsl-in in
ip access-group adsl-out out
encapsulation ppp
dialer pool 10
dialer idle-timeout 0
dialer persistent
dialer-group 10
no cdp enable
ppp authentication chap callin
ppp pap sent-username xxx password yyy
crypto map vpn
!
router eigrp 1
variance 10
passive-interface FastEthernet0
network 172.22.0.0
maximum-paths 3
no auto-summary
!
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 Dialer10
ip route 94.10.160.114 255.255.255.255 Dialer10
no ip http server
no ip http secure-server
!
!
!
ip access-list extended adsl-in
remark Spoofed addresses
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip host 255.255.255.255 any log
remark VPN
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit gre 94.10.160.0 0.0.0.255 94.10.160.0 0.0.0.255
permit esp any any
ip access-list extended adsl-out
permit ip host 194.109.160.64 any
deny tcp any any eq 1 log
deny ip any any log
ip access-list extended lan-in
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
permit ip any 10.0.0.0 0.255.255.255
permit ip any 224.0.0.0 15.255.255.255
permit ip any host 255.255.255.255
deny tcp any any eq 1 log
deny ip any any log
ip access-list extended lan-out
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
deny tcp any any eq 1 log
deny ip any any log
!
logging trap debugging
logging facility local0
logging 172.20.11.2
access-list 1 permit any
access-list 10 permit 172.22.0.0 0.0.255.255
access-list 110 permit gre host 94.10.160.64 host 94.10.160.114
dialer-list 1 protocol ip permit
dialer-list 10 protocol ip permit
no cdp run
!
07-17-2003 01:53 AM
Hi,
The first thing that comes to mind is to use the address of your peer in the "crypto map key ..." command. I suggest you use each other's peer addresses 94.10.160.64 and 94.10.160.114 in your "crypto isakmp key test address 0.0.0.0 0.0.0.0" command.
Secondly, force all default traffic into Tunnel0 (this is for testing only) rather than through the Dialer interface. To do this, just change the default ip route to "ip route 0.0.0.0 0.0.0.0 Tunnel0". With this basic configuration, you should be able to reach both the remote router and the remote hosts.
Post your reply back if you still see any issues.
Also, try to force all default
Thanks,
Naveen.
07-18-2003 12:35 AM
Hi,
We have done what you wrote, but it still doesn't work.
Thanks,
evr
07-22-2003 09:40 AM
Sounds like you don't have a fully converged routing table. Does your EIGRP show a neighbor adjacency?
You mention the router can ping a remote host. Can the router still ping the remote host if you change the source address to the local LAN rather than the default of the exiting interface?
You can also remove the "crypto map vpn" command from your Tunnel interfaces. That command was only necessary on GREs due to a bug. That bug was fixed in 12.2(13)T.
Happy Routing,
~ron
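The two replies above each point at a setting that must agree between the two ends (Naveen: the ISAKMP key bound to a wildcard instead of the peer; Ron: the crypto map left on the Tunnel interface). The script below is an added example, not code from the thread: it extracts the GRE/IPsec parameters from constructed excerpts of the two posted configs and checks that each end mirrors the other (peer equals tunnel destination, crypto ACL reversed on the far side), flagging the two points raised. It assumes indented interface blocks (the posted text lost its indentation) and takes the 12.2(13)T remark from Ron's reply.

```python
import re
# Constructed excerpts of the two configs posted above (only the lines the check reads).
HK = """crypto isakmp key test address 0.0.0.0 0.0.0.0
 set peer 94.10.160.64
 match address 122
interface Tunnel0
 tunnel destination 94.10.160.64
 crypto map vpn
access-list 122 permit gre host 94.10.160.114 host 94.10.160.64
"""
NBW = """crypto isakmp key test address 0.0.0.0 0.0.0.0
 set peer 94.10.160.114
 match address 110
interface Tunnel0
 tunnel destination 94.10.160.114
 crypto map vpn
access-list 110 permit gre host 94.10.160.64 host 94.10.160.114
"""

def grab(pattern, cfg):
    """Groups of the first multiline match of pattern in cfg, or None if absent."""
    m = re.search(pattern, cfg, re.M)
    return m.groups() if m else None

def parse_vpn(cfg):
    """Pull the GRE/IPsec parameters the symmetry check needs out of one config."""
    acl_no = grab(r"^ *match address (\d+)", cfg)[0]
    src, dst = grab(rf"^access-list {acl_no} permit gre host (\S+) host (\S+)", cfg)
    return {
        "peer": grab(r"^ *set peer (\S+)", cfg)[0],
        "tunnel_dst": grab(r"^ *tunnel destination (\S+)", cfg)[0],
        "acl_src": src, "acl_dst": dst,
        "wildcard_key": grab(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", cfg) is not None,
        # assumes interface sub-commands are indented by one space, as IOS prints them
        "map_on_tunnel": grab(r"^interface Tunnel\d+\n(?: .*\n)*? crypto map", cfg) is not None,
    }

def check_pair(a, b):
    """Findings for side a against its peer b; an empty list means both ends agree."""
    findings = []
    if a["peer"] != a["tunnel_dst"]:
        findings.append("crypto peer differs from tunnel destination")
    if (a["acl_src"], a["acl_dst"]) != (b["acl_dst"], b["acl_src"]):
        findings.append("crypto ACL is not the mirror of the peer's ACL")
    if a["peer"] != b["acl_src"]:
        findings.append("crypto peer is not the source address in the peer's ACL")
    if a["wildcard_key"]:
        findings.append("ISAKMP key bound to 0.0.0.0 0.0.0.0 rather than the peer address")
    if a["map_on_tunnel"]:
        findings.append("crypto map applied to Tunnel interface (unnecessary on 12.2(13)T and later)")
    return findings
```

Run on the posted pair it reports only the two points from the replies; changing a peer address on one side adds the mismatch findings, which is the check to run before touching routing.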