08-06-2003 06:14 AM
Hello,
I have to build a tunnel between a Router 831 and a VPN Concentrator 3005.
The router is connected to an ADSL modem. The ADSL modem gives it a dynamic IP address and does NAT.
On the Concentrator side, I have a FW with 3 interfaces.
My first question is:
Do I have to use Easy VPN?
Second:
What is the best design for the concentrator, and why?
a. Public interface on INTERNET, Private interface in DMZ
or
b. Public interface in DMZ, Private interface -> not used.
Thanks very much
Gael
08-06-2003 09:44 PM
You don't have to use EzVPN, but you can if you like. Because the 831 is getting a dynamic address, you can't use a L2L config on the 3000, but you can configure it this way if you like (not using EzVPN):
http://www.cisco.com/warp/public/471/vpn3k_iosdhcp.html
As for your second question, probably a. This way you can set up rules in your firewall to only allow VPN traffic to specific internal hosts if you want.
08-12-2003 12:44 AM
Hi thanks very much for your answer,
I just had a further question, will it work if the ADSL Router is using a Port translation?
Won't we have trouble with UDP500?
Thanks, Cheers, Gael
08-12-2003 12:49 AM
Hi again,
Do you know if it will be possible, on the router, to tell it to use TCP port 10000 like a VPN client?
Thanks very much.
Gael
08-18-2003 04:57 AM
Hi
I tried the document you gave me, but I always get these debug messages and it doesn't work.
Do you have any ideas why?
Target IP address: 172.19.0 6.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.19.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.19.0.1
00:28:38: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.0.3, remote= 212.249.197.4,
local_proxy= 172.19.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xE84C4C8E(3897314446), conn_id= 0, keysize= 0, flags= 0x400A
00:28:38: ISAKMP: received ke message (1/1)
00:28:38: ISAKMP (0:0): no idb in request
00:28:38: ISAKMP: local port 500, remote port 500
00:28:38: ISAKMP: set new node 0 to QM_IDLE
00:28:38: ISAKMP (0:1): constructed NAT-T vendor ID
00:28:38: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:28:38: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
00:28:38: ISAKMP (0:1): beginning Main Mode exchange
00:28:38: ISAKMP (0:1): sending packet to 212.249.197.4 my_port 500 peer_port 500 (I) MM_NO_STATE
00:28:38: ISAKMP (0:1): received packet from 212.249.197.4 dport 500 sport 500 (I) MM_NO_STATE
00:28:38: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
00:28:38: ISAKMP (0:1): processing SA payload. message ID = 0
00:28:38: ISAKMP (0:1): processing vendor id payload
00:28:38: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:28:38: ISAKMP (0:1): found peer pre-shared key matching 212.249.197.4
00:28:38: ISAKMP (0:1) local preshared key found
00:28:38: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:28:38: ISAKMP: encryption 3DES-CBC
00:28:38: ISAKMP: hash MD5
00:28:38: ISAKMP: default group 2
00:28:38: ISAKMP: auth pre-share
00:28:38: ISAKMP: life type in seconds
00:28:38: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
00:28:38: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:28:38: ISAKMP (0:1): processing vendor id payload
00:28:38: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:28:38: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
00:28:38: ISAKMP (0:1): sending packet to 212.249.197.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
00:28:38: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
00:28:38: ISAKMP (0:1): received packet from 212.249.197.4 dport 500 sport 500 (I) MM_SA_SETUP
00:28:38: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
00:28:38: ISAKMP (0:1): processing KE payload. message ID = 0
00:28:39: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:28:39: ISAKMP (0:1): found peer pre-shared key matching 212.249.197.4
00:28:39: ISAKMP (0:1): SKEYID state generated
00:28:39: ISAKMP (0:1): processing vendor id payload
00:28:39: ISAKMP (0:1): vendor ID is Unity
00:28:39: ISAKMP (0:1): processing vendor id payload
00:28:39: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:28:39: ISAKMP (0:1): vendor ID is XAUTH
00:28:39: ISAKMP (0:1): processing vendor id payload
00:28:39: ISAKMP (0:1): speaking to another IOS box!
00:28:39: ISAKMP (0:1): processing vendor id payload
00:28:39: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:28:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:28:39: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
00:28:39: ISAKMP (0:1): Send initial contact
00:28:39: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:28:39: ISAKMP (1): ID payload
next-payload : 8
type : 1
addr : 10.0.0.3
protocol : 17
port : 0
length : 8
00:28:39: ISAKMP (1): Total payload length: 12
00:28:39: ISAKMP (0:1): sending packet to 212.249.197.4 my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:28:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:28:39: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
00:28:39: ISAKMP (0:1): received packet from 212.249.197.4 dport 500 sport 500 (I) MM_KEY_EXCH
00:28:39: ISAKMP: set new node 39767520 to QM_IDLE
00:28:39: ISAKMP (0:1): Unknown Input: state = IKE_I_MM5, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
00:28:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 212.249.197.4 .
Success rate is 0 percent (0/5)
Thanks.
08-18-2003 06:51 AM
Hi,
I found my mistake (Xauth); it now works with static NAT but, as I thought, not with port translation.
Is it possible to use IPSEC with port translation?
Cheers.
Gael
08-19-2003 02:53 AM
Hi everybody,
For people interested, I found the solution.
If you want to use NAT overlapping (PAT), then you can use Easy VPN and configure NAT-T on the concentrator (System -> Tunneling protocol -> Ipsec -> Nat-t).
It may be possible to create a tunnel without Easy VPN when using PAT (see the answer above), but I don't know how.
Cheers, Gael
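As an added illustration of why the thread's PAT problem exists and why NAT-T fixes it (example code written for this page, not part of the thread or of any Cisco software): a toy port-address translator that only knows how to rewrite transport-layer ports is handed a raw ESP packet (IP protocol 50, no ports, SPI taken from the debug above) and the same ESP packet UDP-encapsulated on port 4500 as NAT-T does. The public address 203.0.113.10 and the second inside host 10.0.0.4 are constructed values.

```python
import struct
from dataclasses import dataclass

ESP, UDP = 50, 17          # IP protocol numbers
NAT_T_PORT = 4500          # UDP port used for NAT-T encapsulated ESP (RFC 3948)

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes

def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header (RFC 4303): 32-bit SPI, 32-bit sequence number, then the protected body.
    There is no port field anywhere for a translator to rewrite."""
    return struct.pack("!II", spi, seq) + body

def build_nat_t(spi: int, seq: int, body: bytes, sport: int = NAT_T_PORT) -> bytes:
    """NAT-T: a plain UDP header (src port, dst 4500, length, checksum) in front of the ESP
    packet. The UDP header is outside ESP's integrity check, so PAT may rewrite it freely."""
    esp = build_esp(spi, seq, body)
    return struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(esp), 0) + esp

class PAT:
    """Minimal port-address translator: one public address, flows keyed by (inside ip, src port)."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}          # (inside ip, inside port) -> public port
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto != UDP:
            # ESP has no port field, so a port-based translator cannot multiplex it
            raise ValueError(f"protocol {pkt.proto} carries no port; PAT cannot translate it")
        sport, dport, length, csum = struct.unpack("!HHHH", pkt.payload[:8])
        key = (pkt.src, sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        new_hdr = struct.pack("!HHHH", self.table[key], dport, length, csum)
        return Packet(self.public_ip, pkt.dst, UDP, new_hdr + pkt.payload[8:])

def try_pat(pat: PAT, pkt: Packet) -> tuple:
    """Returns ('translated', public ip, public port) or ('dropped', reason)."""
    try:
        out = pat.outbound(pkt)
        return ("translated", out.src, struct.unpack("!H", out.payload[:2])[0])
    except ValueError as err:
        return ("dropped", str(err))
```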
03-10-2004 08:43 PM
Why would you use ezvpn vs not use ezvpn? I'm trying a similar setup - and ezvpn is giving me fits :)