VTI VPN - problem

birka.izik
Level 1

Hi,

I'm trying to set up a site-to-site VPN between a Cisco 3925 and a pfSense firewall. Phase 1 is up, but when it tries to initiate Phase 2 I get an error on the pfSense firewall that says the networks in the SA are not configured correctly.

As far as I know, on the Cisco router configured with VTI I'm not supposed to set up a local network and remote network; it simply encrypts everything that goes into the tunnel.

How am I supposed to configure the second FW? I tried all the options, including establishing the tunnel from the far side. Without encryption everything works fine with a generic tunnel.

This is my configuration on the Cisco:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key XXXXXXXXX address PEER-IP-ADDRESS
crypto ipsec transform-set YYYYY esp-aes 256 esp-sha-hmac
crypto ipsec profile ABCD
 set transform-set YYYYY
interface Tunnel201
 description *******************
 ip address 1.1.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source MY-IP-ADDRESS
 tunnel destination PEER-IP-ADDRESS
 tunnel protection ipsec profile ABCD
ip route REMOTE-LAN REMOTE-SUBNET Tunnel201
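As an added example (not code from the thread or from Cisco/pfSense), a short Python model of the Phase 2 selector check behind this kind of rejection: a VTI proposes any/any, while a policy-based Phase 2 defined as LAN-to-LAN only accepts an exact mirror under IKEv1. It goes beyond the thread by also showing the IKEv2 narrowing rule; the network values are constructed placeholders for CISCO_LAN and REMOTE-LAN.

```python
"""Model of IKEv1 Quick Mode proxy-ID (Phase 2 selector) matching.
Added example, not from the thread or from Cisco/pfSense code; networks are
constructed placeholders for the thread's CISCO_LAN / REMOTE-LAN."""
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")
CISCO_LAN = ip_network("10.1.0.0/24")    # constructed
PFSENSE_LAN = ip_network("10.2.0.0/24")  # constructed

def proposal_from_vti():
    """IOS VTI identities: any/any, everything routed into the tunnel."""
    return (ANY, ANY)

def proposals_from_crypto_map(acl):
    """Crypto map: each permit line of the ACL becomes one (local, remote) pair."""
    return [(ip_network(src), ip_network(dst)) for src, dst in acl]

def ikev1_accepts(responder_phase2, proposed):
    """IKEv1: the responder needs a (local, remote) entry that mirrors the
    initiator's proposal exactly, i.e. equals (init_remote, init_local)."""
    init_local, init_remote = proposed
    return any(local == init_remote and remote == init_local
               for local, remote in responder_phase2)

def ikev2_narrowed(responder_phase2, proposed):
    """IKEv2 (RFC 7296 s2.9): responder may narrow to the overlap; None if none."""
    init_local, init_remote = proposed
    for local, remote in responder_phase2:
        if remote.subnet_of(init_local) and local.subnet_of(init_remote):
            return (remote, local)  # initiator's view of the narrowed pair
    return None

def vti_vs_lan_to_lan():
    """The thread's situation: VTI any/any against a LAN-to-LAN Phase 2."""
    return ikev1_accepts([(PFSENSE_LAN, CISCO_LAN)], proposal_from_vti())  # False

def vti_vs_any_to_any():
    """pfSense Phase 2 set to 0.0.0.0/0 on both sides matches the VTI."""
    return ikev1_accepts([(ANY, ANY)], proposal_from_vti())  # True

def crypto_map_vs_lan_to_lan():
    """Crypto map whose ACL mirrors the pfSense entry: every proxy-ID accepted."""
    pf = [(PFSENSE_LAN, CISCO_LAN)]
    acl = [("10.1.0.0/24", "10.2.0.0/24")]
    return all(ikev1_accepts(pf, p) for p in proposals_from_crypto_map(acl))  # True
```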

17 Replies

birka.izik
Level 1

OK,

I configured the first choice, and it seems that the IPsec tunnel is UP on the Cisco (show crypto session shows UP-ACTIVE),

but now I lost connectivity to the remote FW, even to the public IP.

In this mode the Cisco encrypts according to routing, right?

I have one route on the Cisco:

ip route REMOTE-LAN REMOTE-SUBNET Tunnel201

and a route to the REMOTE-WAN-IP:

ip route REMOTE-WAN 255.255.255.252 gig0/1

As far as I understand, when I try to get to the WAN IP it should not encrypt the packets, right?

Anyway, when I ping the remote LAN I get "reply from MY-TUNNEL-IP ttl expired in transit"

and when I trace to that IP I get

1. IP
2. IP
3. IP
4. REQUEST timed out
5. MY TUNNEL IP
6. REQUEST timed out
7. MY TUNNEL IP
8. REQUEST timed out

So, is there any problem with my routing?

It depends on the implementation of this 3rd party device. I had the impression we were protecting a tunnel interface.

It seems your box places the crypto map on the public interface.

Possibly you can reach the management interface via the tunnel interface. If not, you should revert the config.

It seems the crypto map config is the only way.

birka.izik
Level 1

But why can't I reach the REMOTE-LAN?

What route should I add to the Cisco?

My route now is:

ip route REMOTE-LAN 255.255.255.0 Tunnel201

Is it OK?

And what route should I add in the 3rd party device?

The route that is configured is: to get to CISCO_LAN, go to the GRE tunnel. Is it OK?

If I configure the crypto map and apply it on the egress interface like you said, is it going to interfere with the other IPsec tunnel that uses the same interface?