Why is IPsec NOT WORKING when encapsulation PPP is ON ?

Didier1966
Level 1

Hello,

I am really new to the Cisco world, so sorry if I ask stupid questions. I am still studying to get my CCNA one day?!?!

By reading some books and browsing the net, I was finally able to connect my two routers with an IPsec VPN link.

The setup is as follows:

NETWORK 192.168.1.0/24--->INT F0/0 ROUTER 2610XM INT S0/0 172.16.1.1-->INT S0/0 172.16.1.2 ROUTER 2610XM INT F0/0---->NETWORK 10.0.1.0/24

I can now ping:

192.168.1.1

172.16.1.1

172.16.1.2

10.0.1.1

Since I have removed this:

encapsulation ppp

ppp authentication chap

Any idea what I forgot when I implemented this?

Below is the full working configuration if you remove the above lines (maybe this can be useful for newbies like me):

ROUTER A

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_A
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.16.1.2
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map router_A_to_router_B 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set myset
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 64
 ip address 172.16.1.1 255.255.255.0
 encapsulation ppp
 clock rate 64000
 ppp authentication chap
 crypto map router_A_to_router_B
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
!
control-plane
!
line con 0
 speed 115200
line aux 0
line vty 0 4
 login
!
end

ROUTER B

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_B
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.16.1.1
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map Router_B_to_Router_A 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set myset
 match address 101
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.16.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 crypto map Router_B_to_Router_A
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 speed 115200
line aux 0
line vty 0 4
!
end

Best Regards,
Didier Ribbens

Accepted Solutions

Yes, you are absolutely right. All the best with the learnings...

3 Replies

Jennifer Halim
Cisco Employee

The reason why it wasn't working is perhaps that you are connecting the serial interfaces back to back, and since no authentication is required, you do not need to configure the PPP authentication.

The serial connectivity itself might not be working when you configure the PPP encapsulation, hence IPsec is not working on top of that.

Hope that makes sense.

Hello Jennifer,

Thank you for your prompt reply.

Yes, you are right, it is a back-to-back configuration with just 2 x DB60 male on a WIC-1T.

If I understand you correctly, PPP is only needed if you have a provider or leased line in between?

Thank you for now, I will continue my learning.

Best Regards,

Didier

Yes, you are absolutely right. All the best with the learnings...
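
An added example, not part of the thread or of Cisco's tooling: a small Python check for the two configurations posted in the question. On IOS, an interface with `ppp authentication chap` looks up a local `username <peer hostname> password ...` entry (unless AAA supplies the credentials), and neither posted configuration defines one. The function names, the `FIXED_*` variants and the placeholder secret are assumptions made for this example.

```python
import re

def parse(config):
    """Extract hostname, local CHAP-usable usernames, AAA state, CHAP interfaces."""
    info = {"hostname": None, "users": set(), "aaa": False, "chap_ifs": []}
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()  # forum pastes often lose the IOS indentation
        if m := re.match(r"hostname (\S+)", line):
            info["hostname"] = m.group(1)
        elif m := re.match(r"username (\S+) password\b", line):
            info["users"].add(m.group(1))  # CHAP needs a recoverable password
        elif line == "aaa new-model":      # "no aaa new-model" does not match
            info["aaa"] = True
        elif m := re.match(r"interface (\S+)", line):
            current_if = m.group(1)
        elif current_if and re.match(r"ppp authentication\b.*\bchap\b", line):
            info["chap_ifs"].append(current_if)
    return info

def chap_findings(cfg_a, cfg_b):
    """Report each router that demands CHAP but has no entry for its peer."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for local, peer in ((a, b), (b, a)):
        # Simplification: with AAA enabled the credentials may live elsewhere.
        if local["chap_ifs"] and not local["aaa"] and peer["hostname"] not in local["users"]:
            findings.append(f"{local['hostname']}: CHAP on {','.join(local['chap_ifs'])} "
                            f"without 'username {peer['hostname']} password ...'")
    return findings

# Trimmed from the two configurations posted in the question.
ROUTER_A = """hostname Router_A
no aaa new-model
interface Serial0/0
encapsulation ppp
ppp authentication chap
"""
ROUTER_B = """hostname Router_B
no aaa new-model
interface Serial0/0
encapsulation ppp
ppp authentication chap
"""
# Constructed variants: each side gains an entry for its peer (placeholder secret).
FIXED_A = "username Router_B password 0 EXAMPLE-SHARED-SECRET\n" + ROUTER_A
FIXED_B = "username Router_A password 0 EXAMPLE-SHARED-SECRET\n" + ROUTER_B

if __name__ == "__main__":
    print("\n".join(chap_findings(ROUTER_A, ROUTER_B)))
```

On the routers themselves, `show interfaces Serial0/0` reports the line protocol state, which shows whether the PPP link under the crypto map came up at all.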