04-29-2008 08:39 AM
I have configured a 1710 to do all of the PPPoE stuff. I have set the DSL modem to "bridged" mode and I still have not been able to bring the tunnel up. Here is my config, please help!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CovingtonLA_1710
!
enable password cta
!
memory-size iomem 25
ip subnet-zero
!
!
ip dhcp excluded-address 10.10.173.1 10.10.173.49
ip dhcp excluded-address 10.10.173.61 10.10.173.254
!
ip dhcp pool Local_LAN
network 10.10.173.0 255.255.255.0
default-router 10.10.173.1
dns-server 10.2.2.10 205.152.132.23
lease 7
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
crypto isakmp policy 100
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXX address X.X.X.X
!
!
crypto ipsec transform-set TAStandard esp-des esp-md5-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer X.X.X.X
set transform-set TAStandard
match address acl-crypto-blngmt
!
!
!
!
interface Ethernet0
no ip address
ip nat outside
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
ip address 10.10.173.1 255.255.255.0
ip nat inside
speed auto
!
interface Dialer1
mtu 1492
bandwidth 700
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username XXXX@bellsouth.net password 0 XXXXXXX
crypto map VPN
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password cta
login
!
end
04-29-2008 08:12 PM
Where is your "interesting" traffic? The traffic that you will encrypt. That must be defined by an ACL which is not defined (at least on this snapshot).
Take a look at the other part of "match address acl-crypto-blngmt". That should be defined.
At minimum, define the IPSec tunnel end points:
!
ip access-list extended acl-crypto-blngmt
permit ip host 10.10.173.1 host "remote-end-ip-addr"
!
HTH,
-W
/rate post if it helps
04-30-2008 08:15 AM
I took out the ACLs, but they are required so here they are:
ip access-list extended acl-crypto-blngmt
permit ip 10.10.173.0 0.0.0.255 10.10.186.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.2.2.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.186.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.190.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.188.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.188.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.183.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.183.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.184.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.184.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.180.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.180.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.181.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.181.0 0.0.0.255
04-30-2008 08:29 AM
Justin
I agree with the previous post that the obvious fault in the original post was the lack of access list. If the access list was in the config and just omitted from the post then we need to look for some other issue.
This access list has a single subnet as the source and has 14 subnets as destinations. Is this correct? Are those 14 subnets reached through that remote peer?
Is the access list at the remote peer a mirror image of this access list?
Other possible problems to consider:
- is IP routing working? I do not see any route information in what you posted. Is this another thing that is in the config but that you omitted from the post?
- is the router establishing a working connection to outside resources? when the connection comes up is the router able to ping and traceroute to outside resources? Are PCs on the LAN able to browse to web servers in the Internet?
- do you have good IP connectivity with the remote peer? can the routers ping the VPN peer address?
- is the IPSec attempting to negotiate? Perhaps running debug crypto isakmp and posting the output would help us understand what is going on.
HTH
Rick
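The script below is an added example (Python, not from this thread or from Cisco) of the check Rick asks about above, and of why the earlier "-W" post insists on a defined crypto ACL: it parses the acl-crypto-blngmt entries Justin posted and compares them against the crypto ACL on the remote peer to see whether the two are mirror images. The remote ACL is constructed for illustration, since the real one is not on the page, and it deliberately contains a wildcard-mask mismatch and a missing entry so the report shows what a proxy-identity mismatch looks like before you go looking for it in debug output.

```python
"""Mirror-image check for a pair of Cisco IOS crypto ACLs (added example)."""
import ipaddress

# Local crypto ACL as posted in the thread (acl-crypto-blngmt).
LOCAL_ACL = """
permit ip 10.10.173.0 0.0.0.255 10.10.186.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.2.2.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.186.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.190.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.188.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.188.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.183.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.183.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.184.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.184.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.180.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.180.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.10.181.0 0.0.0.255
permit ip 10.10.173.0 0.0.0.255 10.4.181.0 0.0.0.255
"""

# Constructed (hypothetical) ACL for the remote peer. It is deliberately imperfect:
# the 10.10.190.0 entry uses a /25 wildcard and the 10.4.181.0 entry is missing.
REMOTE_ACL = """
permit ip 10.10.186.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.2.2.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.4.186.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.10.190.0 0.0.0.127 10.10.173.0 0.0.0.255
permit ip 10.10.188.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.4.188.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.10.183.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.4.183.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.10.184.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.4.184.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.10.180.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.4.180.0 0.0.0.255 10.10.173.0 0.0.0.255
permit ip 10.10.181.0 0.0.0.255 10.10.173.0 0.0.0.255
"""


def parse_address(tokens):
    """Consume one extended-ACL address spec ('any', 'host A', or 'A wildcard')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverse masks; ipaddress reads "A/0.0.0.255" as a hostmask.
    # strict=False mirrors IOS, which ignores host bits that are set in the address.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return the set of (src_net, dst_net) pairs selected by the ACL's 'permit ip' lines."""
    pairs = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue  # deny lines and blanks do not select traffic for the crypto map
        if tokens[1] != "ip":
            raise ValueError(f"only 'permit ip' entries are handled here: {line!r}")
        src, rest = parse_address(tokens[2:])
        dst, _ = parse_address(rest)
        pairs.add((src, dst))
    return pairs


def mirror_check(local_text, remote_text):
    """Compare the two ACLs. Returns (missing_on_remote, unmatched_on_remote):
    local pairs whose mirror (dst, src) the remote lacks, and remote pairs whose
    mirror is absent locally. Both lists empty means the ACLs are exact mirror images."""
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    missing = sorted(p for p in local if (p[1], p[0]) not in remote)
    unmatched = sorted(p for p in remote if (p[1], p[0]) not in local)
    return missing, unmatched


def describe(pairs):
    """Render (src, dst) pairs as 'src -> dst' strings for reporting."""
    return [f"{src} -> {dst}" for src, dst in pairs]


if __name__ == "__main__":
    missing, unmatched = mirror_check(LOCAL_ACL, REMOTE_ACL)
    print("local entries with no mirror on the remote peer:")
    for entry in describe(missing):
        print("  ", entry)
    print("remote entries with no mirror on this router:")
    for entry in describe(unmatched):
        print("  ", entry)
```

Paste the output of show ip access-lists from each router into the two strings. Anything printed under either heading is a pair of proxy identities the peers will not agree on, and mismatched proxy identities are a common reason IKE phase 2 fails even when phase 1 completes, which is worth ruling out before reading through debug crypto isakmp.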
05-01-2008 05:22 AM
I'm pretty new at VPN as a backup and not familiar with the 1700 series, but if you are trying to get a tunnel to open, don't you need a tunnel interface? I don't see one in this config.
05-01-2008 11:18 AM
Donnie
The terminology here gets a bit confusing. We talk about IPSec VPN as a tunneling technology because it takes an IP packet to be protected and encapsulates it in a new IP header, which is essentially what a GRE tunnel does. We frequently talk about IPSec tunnels as the way that the encapsulated traffic is sent. But IPSec does not require a tunnel interface. So this config does not need a tunnel interface.
HTH
Rick
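As an added illustration of Rick's point (a constructed example, not from the thread, and no claim about how IOS implements it internally), the Python below builds the same ICMP packet from the LAN twice, once inside a GRE header and once inside ESP tunnel-mode framing, and then strips the outer header off again. Both simply put a new IPv4 header in front of the original packet, which is the sense in which IPsec "tunnels" traffic without needing a tunnel interface. The outer addresses are RFC 5737 placeholders standing in for the negotiated Dialer1 address and the redacted peer, and the ESP payload is left in the clear with no ICV so the framing stays visible; a real SA built from a transform set such as esp-des esp-md5-hmac encrypts the payload and trailer and appends an authenticator.

```python
"""GRE vs ESP tunnel-mode encapsulation, built byte by byte (added example)."""
import struct

IPPROTO_ICMP = 1
IPPROTO_IPV4 = 4         # ESP 'next header' value for an encapsulated IPv4 packet
IPPROTO_GRE = 47
IPPROTO_ESP = 50
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type field for an IPv4 payload


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header (no options) with the checksum filled in."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_inner_packet():
    """A LAN host's ICMP echo request to a remote subnet (constructed sample traffic)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"hello"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header("10.10.173.10", "10.10.186.10", IPPROTO_ICMP, len(icmp)) + icmp


def gre_encapsulate(inner, outer_src, outer_dst):
    """GRE: outer IPv4 (proto 47) + 4-byte GRE header (no flags, version 0, type IPv4)."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def esp_tunnel_encapsulate(inner, outer_src, outer_dst, spi, seq):
    """ESP tunnel mode framing: outer IPv4 (proto 50) + SPI/sequence + payload + trailer.
    The trailer pads to a 4-byte boundary and ends with pad-length and next-header (4 = IPv4).
    Real ESP encrypts payload+trailer and appends an ICV; both are omitted here on purpose."""
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default monotonically increasing pad
    payload = inner + padding + struct.pack("!BB", pad_len, IPPROTO_IPV4)
    esp_hdr = struct.pack("!II", spi, seq)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp_hdr) + len(payload)) + esp_hdr + payload


def decapsulate(packet):
    """Undo either encapsulation; return ('GRE' or 'ESP', inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_GRE:
        if struct.unpack("!H", body[2:4])[0] != ETHERTYPE_IPV4:
            raise ValueError("GRE payload is not IPv4")
        return "GRE", body[4:]
    if proto == IPPROTO_ESP:
        pad_len, next_hdr = body[-2], body[-1]
        if next_hdr != IPPROTO_IPV4:
            raise ValueError("ESP next header is not IPv4")
        return "ESP", body[8:len(body) - 2 - pad_len]
    raise ValueError(f"unexpected outer protocol {proto}")


if __name__ == "__main__":
    inner = build_inner_packet()
    # Placeholder public addresses (RFC 5737) standing in for the negotiated Dialer1
    # address and the redacted peer X.X.X.X from the thread.
    gre = gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    esp = esp_tunnel_encapsulate(inner, "192.0.2.1", "198.51.100.1", spi=0x1000, seq=1)
    for name, pkt in (("GRE", gre), ("ESP", esp)):
        kind, recovered = decapsulate(pkt)
        print(f"{name}: {len(pkt)} bytes on the wire, inner packet recovered: {recovered == inner}")
```

The difference visible in the output is only the framing between the two IPv4 headers: 4 bytes for GRE, and for ESP an 8-byte SPI/sequence header plus a trailer. A crypto map applied to Dialer1 produces the ESP form for any packet the crypto ACL matches, so the encapsulation happens on the physical egress interface rather than on a separate tunnel interface.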