04-22-2014 05:30 AM
Hello
I'm facing a problem when I want to establish a site-to-site VPN IPsec tunnel.
I can ping router Bydgoszcz from router Torun and vice versa, but only with a standard ping (WAN interfaces); however, I can't ping from LAN to LAN.
Here is the configuration of the routers. IOS: C3745-ADVENTERPRISEK9-M
Topology in attachment.
Config of router Bydgoszcz:
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key kluczVPN123 address 192.168.11.1
crypto isakmp key kluczVPN123 address 192.168.21.3
!
!
crypto ipsec transform-set MYTRANSFORM esp-aes 256 esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
set peer 192.168.21.3
set transform-set MYTRANSFORM
set pfs group5
match address 100
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.11.1 255.255.255.0
ip ospf network broadcast
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip ospf network broadcast
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 192.168.11.0 0.0.0.255 area 0
network 192.168.21.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.22.0 0.0.0.255
Config of router Torun:
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key kluczVPN123 address 192.168.11.1
!
!
crypto ipsec transform-set MYTRANSFORM esp-aes 256 esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
set peer 192.168.11.1
set transform-set MYTRANSFORM
set pfs group5
match address 100
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.21.3 255.255.255.0
ip ospf network broadcast
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/1
ip address 192.168.22.3 255.255.255.0
ip ospf network broadcast
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 3.3.3.0 0.0.0.255 area 0
network 192.168.21.0 0.0.0.255 area 0
network 192.168.22.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.22.0 0.0.0.255 192.168.12.0 0.0.0.255
!
ACLs look fine to me.
Torun#sh crypto isakmp sa
dst src state conn-id slot status
192.168.21.3 192.168.11.1 QM_IDLE 1 0 ACTIVE
--
Bydgoszcz#sh crypto isakmp sa
dst src state conn-id slot status
192.168.21.3 192.168.11.1 QM_IDLE 1 0 ACTIVE
ISAKMP status on both sides is correct.
Transform sets, crypto maps, etc. seem to be correct.
When I ping LAN Torun from LAN Bydgoszcz and vice versa, when the SA is not established yet (or the lifetime expired),
there is output like this on both sides:
Bydgoszcz#ping 192.168.22.3 source 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
*Mar 1 22:35:27.006: ISAKMP: received ke message (1/1)
*Mar 1 22:35:27.006: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar 1 22:35:27.010: ISAKMP: Found a peer struct for 192.168.21.3, peer port 500
*Mar 1 22:35:27.010: ISAKMP: Locking peer struct 0x64F2568C, IKE refcount 1 for isakmp_initiator
*Mar 1 22:35:27.014: ISAKMP: local port 500, remote port 500
*Mar 1 22:35:27.014: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 22:35:27.018: insert sa successfully sa = 655BB69C
*Mar 1 22:35:27.018: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar 1 22:35:27.022: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.21.3
*Mar 1 22:35:27.026: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 22:35:27.030: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 22:35:27.030: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 22:35:27.034: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 22:35:27.038: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 22:35:27.038: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 1 22:35:27.042: ISAKMP:(0:0:N/A:0): sending packet to 192.168.21.3 my_port 500 peer_port 500 (TATE
*Mar 1 22:35:27.370: ISAKMP (0:0): received packet from 192.168.21.3 dport 500 sport 500 Global (I)TE
*Mar 1 22:35:27.374: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:35:27.378: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 Ne.w State = IKE_I_MM2
*Mar 1 22:35:27.382: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar 1 22:35:27.386: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 22:35:27.390: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 22:35:27.390: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 1 22:35:27.390: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 192.168.21.3
*Mar 1 22:35:27.390: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 1 22:35:27.390: ISAKMP : Scanning profiles for xauth ...
*Mar 1 22:35:27.390: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 22:35:27.390: ISAKMP: encryption AES-CBC
*Mar 1 22:35:27.390: ISAKMP: keylength of 256
*Mar 1 22:35:27.390: ISAKMP: hash SHA
*Mar 1 22:35:27.390: ISAKMP: default group 5
*Mar 1 22:35:27.390: ISAKMP: auth pre-share
*Mar 1 22:35:27.390: ISAKMP: life type in seconds
*Mar 1 22:35:27.390: ISAKMP: life duration (basic) of 3600
*Mar 1 22:35.:27.390: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar 1 22:35:27.426: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 22:35:27.430: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 22:35:27.430: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar 1 22:35:27.434: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 22:35:27.438: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 22:35:27.438: ISAKMP:(0:1:SW:1): sending packet to 192.168.21.3 my_port 500 peer_port 500 (ITUP
*Mar 1 22:35:27.438: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 22:35:27.438: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 22:35:27.570: ISAKMP (0:134217729): received packet from 192.168.21.3 dport 500 sport 500 GlM_SA_SETUP
*Mar 1 22:35:27.578: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:35:27.578: ISAKMP:(0:1:SW:1):Old State =. IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 22:35:27.586: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 192.168.21.3
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1):Send initial contact
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1):.SA is doing pre-shared key authentication using id type ID_
*Mar 1 22:35:27.670: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 192.168.11.1
protocol : 17
port : 500
length : 12
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1): sending packet to 192.168.21.3 my_port 500 peer_port 500 (IXCH
*Mar 1 22:35:27.670: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 22:35:27.674: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 22:35:27.726: ISAKMP (0:134217729): received packet from 192.168.21.3 dport 500 sport 500 GlM_KEY_EXCH
*Mar 1 22:35:27.734: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar 1 22:35:27.738: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 192.168.21.3
protocol : 17
port : 500
length : 12
*Mar 1 22:35:27.742: ISAKMP.
Success rate is 0 percent (0/5)
Bydgoszcz#:(0:1:SW:1):: peer matches *none* of the profiles
*Mar 1 22:35:27.746: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Mar 1 22:35:27.750: ISAKMP:(0:1:SW:1):SA authentication status:
authenticated
*Mar 1 22:35:27.754: ISAKMP:(0:1:SW:1):SA has been authenticated with 192.168.21.3
*Mar 1 22:35:27.754: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:35:27.758: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 22:35:27.766: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 22:35:27.770: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 22:35:27.778: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 22:35:27.782: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 22:35:27.782: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 1246707369
*Mar 1 22:35:27.826: ISAKMP:(0:1:SW:1): sending packet to 192.168.21.3 my_port 500 peer_port 500 (I
*Mar 1 22:35:27.826: ISAKMP:(0:1:SW:1):Node 1246707369, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 22:35:27.826: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 22:35:27.826: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 22:35:27.826: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 22:35:28.038: ISAKMP (0:134217729): received packet from 192.168.21.3 dport 500 sport 500 GlM_IDLE
*Mar 1 22:35:28.050: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1246707369
*Mar 1 22:35:28.054: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1246707369
*Mar 1 22:35:28.054: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar 1 22:35:28.058: ISAKMP: transform 1, ESP_AES
*Mar 1 22:35:28.058: ISAKMP: attributes in transform:
*Mar 1 22:35:28.058: ISAKMP: encaps is 1 (Tunnel)
*Mar 1 22:35:28.062: ISAKMP: SA life type in seconds
*Mar 1 22:35:28.062: ISAKMP: SA life duration (basic) of 3600
*Mar 1 22:35:28.062: ISAKMP: SA life type in kilobytes
*Mar 1 22:35:28.066: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 22:35:28.070: ISAKMP: authenticator is HMAC-SHA
*Mar 1 22:35:28.070: ISAKMP: key length is 256
*Mar 1 22:35:28.074: ISAKMP: group is 5
*Mar 1 22:35:28.074: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar 1 22:35:28.078: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 1246707369
*Mar 1 22:35:28.078: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 1246707369
*Mar 1 22:35:28.138: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1246707369
*Mar 1 22:35:28.138: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1246707369
*Mar 1 22:35:28.138: ISAKMP: Locking peer struct 0x64F2568C, IPSEC refcount 4 for for stuff_ke
*Mar 1 22:35:28.138: ISAKMP:(0:1:SW:1): Creating IPSec SAs
*Mar 1 22:35:28.138: inbound SA from 192.168.21.3 to 192.168.11.1 (f/i) 0/ 0
(proxy 192.168.22.0 to 192.168.12.0)
*Mar 1 22:35:28.138: has spi 0xC9CF8BFA and conn_id 0 and flags 43
*Mar 1 22:35:28.138: lifetime of 3600 seconds
*Mar 1 22:35:28.138: lifetime of 4608000 kilobytes
*Mar 1 22:35:28.138: has client flags 0x0
*Mar 1 22:35:28.138: outbound SA from 192.168.11.1 to 192.168.21.3 (f/i) 0/0
(proxy 192.168.12.0 to 192.168.22.0)
*Mar 1 22:35:28.138: has spi 2023156237 and conn_id 0 and flags 4B
*Mar 1 22:35:28.138: lifetime of 3600 seconds
*Mar 1 22:35:28.138: lifetime of 4608000 kilobytes
*Mar 1 22:35:28.138: has client flags 0x0
*Mar 1 22:35:28.138: ISAKMP:(0:1:SW:1): sending packet to 192.168.21.3 my_port 500 peer_port 500 (I
*Mar 1 22:35:28.138: ISAKMP:(0:1:SW:1):deleting node 1246707369 error FALSE reason "No Error"
*Mar 1 22:35:28.138: ISAKMP:(0:1:SW:1):Node 1246707369, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 1 22:35:28.138: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*Mar 1 22:35:28.142: ISAKMP: Locking peer struct 0x64F2568C, IPSEC refcount 5 for from create_trans
*Mar 1 22:35:28.146: ISAKMP: Unlocking IPSEC struct 0x64F2568C from create_transforms, count 4
Bydgoszcz#
Bydgoszcz#
And when I ping again, nothing:
Bydgoszcz#ping 192.168.22.3 source 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
.....
Success rate is 0 percent (0/5)
----------
PINGS
From Bydgoszcz side:
Standard ping
Bydgoszcz#ping 192.168.22.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/49/92 ms
From LAN of Bydgoszcz to LAN of Torun
Bydgoszcz#ping 192.168.22.3 source 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
.....
Success rate is 0 percent (0/5)
To LAN of Torun from WAN of Bydgoszcz
Bydgoszcz#ping 192.168.22.3 source 192.168.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.22.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/49/72 ms
***************************************************************
From Torun side:
Standard ping
Torun#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Torun#ping 192.168.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/49/92 ms
To LAN of Bydgoszcz from LAN of Torun
Torun#ping 192.168.12.1 source 192.168.22.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.22.3
.....
Success rate is 0 percent (0/5)
Ping to WAN of Bydgoszcz from LAN Torun
Torun#ping 192.168.11.1 source 192.168.22.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.22.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/52/72 ms
And this output occurs on Torun:
Torun#
*Mar 6 12:41:30.583: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=192.168.21.3 remote=192.168.11.1 spi=8F58DC99 seqno=00000009
Any suggestions would be much appreciated. I don't know what went wrong.
Thanks in advance
04-22-2014 06:36 AM
Please share output of this command from both the VPN routers:
show crypto ipsec sa
Vishnu
04-22-2014 07:48 AM
Bydgoszcz#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 192.168.11.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
current_peer 192.168.21.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 68, #pkts encrypt: 68, #pkts digest: 68
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 192.168.11.1, remote crypto endpt.: 192.168.21.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Torun#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 192.168.21.3
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
current_peer 192.168.11.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.21.3, remote crypto endpt.: 192.168.11.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Actually it shows that the tunnel is established; however, I can't ping from LAN to LAN.
04-22-2014 11:23 AM
First of all, I do not see any active SAs formed in phase 2, i.e. the tunnel is not up. Please bring the tunnel up first and then try. Also, I see that the tunnel was up in the past and 68 packets were encrypted from the site where the local network is 192.168.12.0, and the same number of packets were decrypted on the other side of the VPN where the local network is 192.168.22.0, but I do not see any encrypts from this side going back. The problem lies on the site with local address 192.168.12.0.
Please check NAT setting on this router (192.168.21.3)
Vishnu
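The counter asymmetry Vishnu points at above (68 encaps on Bydgoszcz, 68 decaps and 0 encaps on Torun, no live SA listed on either side) can be read off mechanically. The following is an added example for this thread, not a Cisco tool: it parses two `show crypto ipsec sa` outputs (constructed, trimmed copies of the two posted above), works out which direction carries traffic, and reports the side that never encrypts a reply. The regexes accept the one- or two-space spelling of `local ident` that different IOS releases print.

```python
"""Read two "show crypto ipsec sa" outputs and point at the asymmetric side.

Added example for this thread, not a Cisco tool. The two sample outputs are
constructed copies of the Bydgoszcz and Torun output posted above, trimmed
to the lines the parser uses."""
import re

BYDGOSZCZ_SA = """\
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 192.168.11.1
   local  ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   current_peer 192.168.21.3 port 500
    #pkts encaps: 68, #pkts encrypt: 68, #pkts digest: 68
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 6, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

TORUN_SA = """\
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 192.168.21.3
   local  ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   current_peer 192.168.11.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""


def parse_ipsec_sa(text):
    """Pull the fields that matter for a one-way-traffic diagnosis."""
    def grab(pattern, cast=int):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return cast(m.group(1))

    return {
        "local_addr": grab(r"local addr (\S+)", str),
        "peer": grab(r"current_peer (\S+)", str),
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)", str),
        "remote_ident": grab(r"remote\s+ident \(addr/mask/prot/port\): \((\S+)\)", str),
        "encaps": grab(r"#pkts encaps: (\d+)"),
        "decaps": grab(r"#pkts decaps: (\d+)"),
        "send_errors": grab(r"#send errors (\d+)"),
        "outbound_spi": grab(r"current outbound spi: 0x([0-9A-Fa-f]+)",
                             lambda s: int(s, 16)),
        # Every live SA is listed as an indented "spi: 0x..." line under the
        # inbound/outbound esp sas headings; none here means phase 2 is down.
        "active_sas": len(re.findall(r"^\s*spi: 0x", text, re.MULTILINE)),
    }


def one_way(sender, receiver):
    """True when sender encrypts, receiver decrypts the same count, and the
    receiver never encrypts anything back."""
    return (sender["encaps"] > 0
            and receiver["decaps"] == sender["encaps"]
            and receiver["encaps"] == 0)


def diagnose(side_a, side_b):
    """Return human-readable findings for a pair of crypto-map peers."""
    findings = []
    if side_a["active_sas"] == 0 and side_b["active_sas"] == 0:
        findings.append("no active IPsec SA on either side right now; the "
                        "packet counters are left over from an earlier SA")
    for sender, receiver in ((side_a, side_b), (side_b, side_a)):
        if one_way(sender, receiver):
            findings.append(
                f"one-way traffic: {sender['local_addr']} encrypted "
                f"{sender['encaps']} packets and {receiver['local_addr']} "
                f"decrypted all of them, but {receiver['local_addr']} never "
                f"encrypted a reply from {receiver['local_ident']} to "
                f"{receiver['remote_ident']}; check routing and NAT for that "
                f"return path")
        if sender["send_errors"]:
            findings.append(
                f"{sender['local_addr']}: {sender['send_errors']} send errors "
                f"(packets dropped while no SA was ready, e.g. the pings that "
                f"triggered the negotiation)")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(BYDGOSZCZ_SA), parse_ipsec_sa(TORUN_SA)):
        print("-", line)
```

Run against the two outputs, the script reports that no SA is active, that Bydgoszcz sent 68 packets which Torun decrypted, and that Torun never encrypted a reply from 192.168.22.0/24 back to 192.168.12.0/24, which is exactly the return-path problem the thread goes on to resolve.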
04-22-2014 04:41 PM
There is no NAT deployed on any routers
04-22-2014 06:41 AM
From Bydgoszcz, the isakmp and ipsec peer should be 192.168.23.1, the outside interface of the peer. And for Torun, the peer should be 192.168.12.1. I don't see the inside LAN addresses in your diagram. Is it 192.168.12.0/24 for Bydgoszcz and 192.168.22.0/24 for Torun? In short, make sure your inside addresses are referenced in the ACL for IPSec protection and the outside addresses are used as the peers in the configs.
04-22-2014 07:50 AM
Sorry about the topology, the previous one was out of date.
Now I attached the actual one.
04-22-2014 08:22 AM
It looks like you're trying to use OSPF to communicate the routes between networks. I don't think that will work without using GRE or VTI. Try adding a static route on each router. Also, I don't see any NAT config, but make sure you're not NATing clients when they are trying to reach the remote LAN.
04-22-2014 04:44 PM
Yes, I wanted the routers to connect with OSPF, so you say I have to deploy GRE over IPsec or VTIs? I don't want to change the routes to static, but if I have to I will.
04-23-2014 11:08 AM
Thanks for help William Stegman!
I need to learn more to deploy VPN with dynamic routing. Now I needed only a basic solution.
04-22-2014 08:52 PM
Hi, piotrsz90
Here is the solution without OSPF, only IPsec; see the attachment file.
If you want your loopbacks to ping each other as well, then also add to the ACL on the Bydgoszcz router:
access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 192.168.21.0 0.0.0.255
Likewise, add the ACL on the Torun router as well.
HTH
"Don't forget to rate me"
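Both the original poster's "ACLs look fine to me" and the advice just above to add the mirrored entries on Torun rest on the same rule: each `permit` in one peer's crypto ACL must appear reversed (destination and source swapped) in the other peer's, and each `set peer` must be an address on which the other router actually applies its crypto map. The following is an added example for this thread, not Cisco's or the poster's code: it parses both configs (constructed, trimmed copies of the ones posted above, with the three loopback ACEs from this reply added on Bydgoszcz only) and prints the entries Torun still lacks, in IOS syntax. The wildcard conversion assumes contiguous wildcards, which is all a crypto ACL should contain.

```python
"""Check that two IOS crypto-map peers are configured as mirror images.

Added example for this thread, not a Cisco tool. The two configs are
constructed, trimmed copies of the Bydgoszcz and Torun configs posted above,
with the three loopback ACEs suggested in the reply added on Bydgoszcz only,
so that the checker has something to report."""
import ipaddress

BYDGOSZCZ = """\
interface FastEthernet0/0
 ip address 192.168.11.1 255.255.255.0
 crypto map CMAP
interface FastEthernet0/1
 ip address 192.168.12.1 255.255.255.0
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.21.3
 match address 100
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 100 permit ip 1.1.1.0 0.0.0.255 192.168.21.0 0.0.0.255
"""

TORUN = """\
interface FastEthernet0/0
 ip address 192.168.21.3 255.255.255.0
 crypto map CMAP
interface FastEthernet0/1
 ip address 192.168.22.3 255.255.255.0
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.11.1
 match address 100
access-list 100 permit ip 192.168.22.0 0.0.0.255 192.168.12.0 0.0.0.255
"""


def wildcard_net(addr, wildcard):
    """Convert 'addr wildcard' (Cisco inverse mask) to an IPv4Network.
    Assumes a contiguous wildcard, so 0.0.0.0 maps to a /32 host."""
    prefixlen = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def take_target(tokens):
    """Consume one ACE source or destination; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_net(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Extract interfaces, applied crypto maps, map entries and numbered ACLs."""
    cfg = {"interfaces": {}, "applied": {}, "maps": {}, "acls": {}}
    ctx = None  # ("interface", name) or ("map", name) for indented lines
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            ctx = ("interface", tokens[1])
        elif tokens[:2] == ["crypto", "map"] and "ipsec-isakmp" in tokens:
            ctx = ("map", tokens[2])
            cfg["maps"].setdefault(tokens[2], {})
        elif tokens[:1] == ["access-list"] and tokens[2:4] == ["permit", "ip"]:
            src, rest = take_target(tokens[4:])
            dst, _ = take_target(rest)
            cfg["acls"].setdefault(tokens[1], []).append((src, dst))
        elif ctx and ctx[0] == "interface":
            if tokens[:2] == ["ip", "address"]:
                cfg["interfaces"][ctx[1]] = ipaddress.IPv4Interface(
                    f"{tokens[2]}/{tokens[3]}")
            elif tokens[:2] == ["crypto", "map"]:
                cfg["applied"][ctx[1]] = tokens[2]
        elif ctx and ctx[0] == "map":
            if tokens[:2] == ["set", "peer"]:
                cfg["maps"][ctx[1]]["peer"] = tokens[2]
            elif tokens[:2] == ["match", "address"]:
                cfg["maps"][ctx[1]]["acl"] = tokens[2]
    return cfg


def crypto_aces(cfg):
    """ACEs of every ACL referenced by a crypto map that is applied on an interface."""
    aces = []
    for map_name in sorted(set(cfg["applied"].values())):
        aces.extend(cfg["acls"].get(cfg["maps"][map_name]["acl"], []))
    return aces


def missing_mirrors(local, remote):
    """Mirror images of local's ACEs that remote's crypto ACL lacks.
    The responder matches the initiator's proxy identities against its own
    ACL reversed, so every (src, dst) on one side needs (dst, src) on the other."""
    remote_aces = set(crypto_aces(remote))
    return [(dst, src) for src, dst in crypto_aces(local)
            if (dst, src) not in remote_aces]


def peers_consistent(local, remote):
    """True when every 'set peer' on local is an address on which remote
    applies its crypto map, i.e. where remote terminates IKE."""
    remote_endpoints = {str(remote["interfaces"][i].ip) for i in remote["applied"]}
    return {m["peer"] for m in local["maps"].values()} <= remote_endpoints


def as_ios(acl_id, ace):
    """Render an ACE back into IOS access-list syntax with a wildcard mask."""
    src, dst = ace
    return (f"access-list {acl_id} permit ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


if __name__ == "__main__":
    b, t = parse_config(BYDGOSZCZ), parse_config(TORUN)
    print("peers consistent:", peers_consistent(b, t) and peers_consistent(t, b))
    for ace in missing_mirrors(b, t):
        print("Torun is missing:", as_ios("100", ace))
```

With the configs as posted, both peer addresses check out and the original LAN-to-LAN entries mirror each other; the three loopback entries added on Bydgoszcz are reported as missing on Torun, starting with `access-list 100 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255`. Running the same check after every ACL change avoids the proxy-identity mismatch that a one-sided edit produces.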
04-22-2014 09:42 PM
04-23-2014 11:06 AM
Hello skmkazim552
I switched off the OSPF process and deployed static routing; everything works fine.
I need to consider a VPN implementation with dynamic routing. I need to learn more before I try that. Thanks for the help!