1894 Views, 6 Replies. Latest reply: Nov 23, 2011 3:34 AM by Usman Ali Butt

Problem in IPsec

Nov 22, 2011 1:46 AM

Usman Ali Butt, 151 posts since Aug 28, 2008

I'm making an IPsec tunnel between a Cisco 1841 router with a Cisco 3G card (HWIC 3G HSPA) and a GX400 AirLink device. Please find the network diagram attached.

Configuration on the Cisco side is as under:

Router#show running-config
Building configuration...

Current configuration : 1962 bytes
!
! Last configuration change at 09:20:52 UTC Tue Nov 22 2011
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script gsm "" "ATDT*98*1#" TIMEOUT 60 "CONNECT"
crypto pki token default removal timeout 0
!
license udi pid CISCO1841 sn FHK142576NU
!
redundancy
!
controller Cellular 0/0
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key cisco address 10.241.144.2
!
crypto ipsec transform-set tset esp-aes esp-sha-hmac
!
crypto map smap 1 ipsec-isakmp
 set peer 10.241.144.2
 set security-association lifetime seconds 7200
 set transform-set tset
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Cellular0/0/0
 ip address negotiated
 ip virtual-reassembly in
 encapsulation ppp
 dialer in-band
 dialer string gsm
 dialer-group 1
 async mode interactive
 ppp authentication pap callin
 ppp eap refuse
 ppp chap refuse
 ppp ms-chap refuse
 ppp ms-chap-v2 refuse
 ppp ipcp dns request
 crypto map smap
!
interface Cellular0/0/1
 no ip address
 encapsulation ppp
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
logging esm config
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
line aux 0
line 0/0/0
 exec-timeout 0 0
 script dialer gsm
 modem InOut
 no exec
 rxspeed 7200000
 txspeed 2000000
line 0/0/1
 no exec
 rxspeed 7200000
 txspeed 2000000
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

 

The configuration on the other device (GX400) is attached. After the configuration the IPsec tunnel comes up and I can ping both the GX400 local IP address 192.168.2.1 and the device IP 192.168.2.54, but from the device attached to the GX400 I can ping only my router's local address 192.168.5.1; I cannot ping 192.168.5.2.

Ping from client attached to Cisco router:

ping 192.168.2.1 (Successful)
ping 192.168.2.54 (Successful)

Ping from client attached to GX400:

ping 192.168.5.1 (Successful)
ping 192.168.5.2 (Fail)

I think some route is missing on the Cisco router. Can you please guide me on what is most probably the reason for this ping failure?

 

Best Regards

Usman

cadetalain, 2,728 posts since Sep 18, 2008
1. Nov 22, 2011 3:43 AM (in response to Usman Ali Butt)
Re: Problem in IPsec

Hi,

You should change your crypto ACL to: access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255, because the two crypto ACLs on the tunnel endpoints must be mirrored.

Try this and let us know.

Regards,

Alain.
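A worked check of the mirroring rule Alain states, added here as an example; it is not code from the thread, from Cisco or from Sierra Wireless. It parses IOS extended ACL syntax, reports whether two crypto ACLs are exact mirrors of each other, and evaluates which flows each ACL selects for encryption. The router's ACL as posted and Alain's corrected form are taken from the thread; the GX400's own selector is only an attachment on the page, so GX400_ACL_ASSUMED is an assumption (the mirror Alain's advice implies, written in IOS syntax so the same parser can read it), and 8.8.8.8 stands in for an arbitrary Internet host.

```python
"""Mirror-check two IPsec crypto ACLs and evaluate which flows they select.

Added example for this thread; not code from the thread or from Cisco.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", ... (crypto ACLs normally use "ip")
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    word = tokens.pop(0)
    if word == "any":
        return ANY
    if word == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # Wildcard bits are "don't care" bits; only a contiguous run of low-order
    # ones maps onto a CIDR prefix, which is all a crypto ACL should ever use.
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard mask after {word}")
    return ipaddress.IPv4Network((word, 32 - wildcard.bit_length()), strict=False)


def parse_ios_acl(text):
    """Parse 'access-list N permit ip ...' lines and sequenced 'N permit ip ...'
    lines (as shown inside 'ip access-list extended') into AclEntry objects.
    Lines that are not ACL entries ('no 20', 'ip access-list ...') are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]                     # drop 'access-list <number>'
        elif tokens and tokens[0].isdigit():
            tokens = tokens[1:]                     # drop the sequence number
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _network(rest)
        dst = _network(rest)
        entries.append(AclEntry(action, proto, src, dst))
    return entries


def mirror(entry):
    """The entry the far end must hold for this one: same protocol, src/dst swapped."""
    return AclEntry(entry.action, entry.proto, entry.dst, entry.src)


def mirror_findings(local, remote):
    """Return human-readable problems; an empty list means exact mirrors."""
    findings = []
    for e in local:
        if ANY in (e.src, e.dst):
            findings.append(f"local {e.src} -> {e.dst} uses 'any': every flow "
                            "from that side, Internet-bound included, is selected")
        if mirror(e) not in remote:
            findings.append(f"local {e.src} -> {e.dst} has no mirror "
                            f"{e.dst} -> {e.src} on the remote side")
    for e in remote:
        if mirror(e) not in local:
            findings.append(f"remote {e.src} -> {e.dst} has no mirror "
                            f"{e.dst} -> {e.src} on the local side")
    return findings


def interesting(acl, src_ip, dst_ip):
    """First-match evaluation of one flow against a crypto ACL: True means the
    crypto map encrypts it; False (including the implicit deny) means it is
    forwarded in the clear, not dropped."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


# Taken from the thread: the router's crypto ACL as posted, and Alain's fix.
ROUTER_ACL_AS_POSTED = "access-list 101 permit ip 192.168.5.0 0.0.0.255 any"
ROUTER_ACL_FIXED = (
    "access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255")
# ASSUMED: the GX400's selector is only an attachment on the page. This is the
# mirror Alain's advice implies, written in IOS syntax so the same parser reads it.
GX400_ACL_ASSUMED = (
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255")

if __name__ == "__main__":
    remote = parse_ios_acl(GX400_ACL_ASSUMED)
    for label, text in (("as posted", ROUTER_ACL_AS_POSTED), ("fixed", ROUTER_ACL_FIXED)):
        local = parse_ios_acl(text)
        print(f"[{label}] mirror check:", mirror_findings(local, remote) or "OK")
        # 8.8.8.8 stands in for an arbitrary Internet host.
        for dst in ("192.168.2.54", "8.8.8.8"):
            print(f"  192.168.5.2 -> {dst}: encrypted={interesting(local, '192.168.5.2', dst)}")
```

With the ACL as posted, every flow sourced from 192.168.5.0/24, Internet-bound traffic included, is selected for the tunnel, and a 192.168.2.0/24 to 192.168.5.0/24 selector on the GX400 is not its mirror; with the /24-to-/24 form the two ACLs mirror each other and only traffic between the two LANs is encrypted. The parser also accepts Alain's sequenced form from his later reply, so the same check can be run on the ACL exactly as it is entered.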
cadetalain, 2,728 posts since Sep 18, 2008
3. Nov 22, 2011 5:10 AM (in response to Usman Ali Butt)
Re: Problem in IPsec

Hi,

ip access-list extended 101
 no 20
 15 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
 no 10

sh access-list 101 should give you this:

15 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255

Regards,

Alain.
cadetalain, 2,728 posts since Sep 18, 2008
5. Nov 23, 2011 2:48 AM (in response to Usman Ali Butt)
Re: Problem in IPsec

Hi,

Verify the firewall settings on the 192.168.5.2 client.

Verify also that the client is receiving the ICMP echo packets by sniffing the NIC.

What is the output of sh crypto ipsec sa on the Cisco router when doing this ping?

Regards,

Alain
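Reading the counters Alain asks for, as an added example that is not from the thread or from Cisco: take sh crypto ipsec sa before and after the test ping, diff the per-SA packet counters, and let the direction in which they grew say where the packets stop. On this router, encaps counts packets it encrypted toward the peer and decaps packets it received through the tunnel and decrypted. The two snapshots below are constructed output shaped like IOS 15.x sh crypto ipsec sa; the peer and proxy identities follow the thread's configuration after the /24-to-/24 fix, while the local cellular address 10.241.144.1 and every counter value are assumptions.

```python
"""Compare two 'show crypto ipsec sa' snapshots taken around a test ping.

Added example for this thread; not code from the thread or from Cisco.
"""
import re

# CONSTRUCTED sample output shaped like IOS 15.x 'show crypto ipsec sa'.
# Peer address and proxy identities follow the configuration in the question
# (after the /24-to-/24 ACL fix); the local cellular address 10.241.144.1 and
# every counter value are assumed, not taken from the page.
BEFORE = """\
interface: Cellular0/0/0
    Crypto map tag: smap, local addr 10.241.144.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.241.144.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""
# Snapshot after four echo requests from 192.168.2.54 to 192.168.5.2: the
# requests were decrypted (decaps +4) but no replies were encrypted back.
AFTER = BEFORE.replace(
    "#pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38",
    "#pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42")

# One match per SA block: identities, peer, then the counters, in the order
# IOS prints them. re.S lets '.*?' run across lines.
SA_RE = re.compile(
    r"local\s+ident[^:]*:\s*\((?P<local>[^/]+/[^/]+)/.*?"
    r"remote ident[^:]*:\s*\((?P<remote>[^/]+/[^/]+)/.*?"
    r"current_peer (?P<peer>\S+).*?"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+).*?"
    r"#send errors (?P<send_err>\d+), #recv errors (?P<recv_err>\d+)",
    re.S)

COUNTERS = ("encaps", "decaps", "send_err", "recv_err")


def parse_sa(text):
    """Map (local ident, remote ident, peer) -> counter dict for every SA in the output."""
    return {(m["local"], m["remote"], m["peer"]): {k: int(m[k]) for k in COUNTERS}
            for m in SA_RE.finditer(text)}


def diff_counters(before, after):
    """Per-SA counter growth between the two snapshots (a new SA counts from zero)."""
    return {key: {k: new[k] - before.get(key, {}).get(k, 0) for k in COUNTERS}
            for key, new in after.items()}


def diagnose(delta, pings_sent):
    """Read one SA's deltas after `pings_sent` echo requests came from the far
    side toward a host behind this router: encaps counts packets this router
    encrypted toward the peer, decaps packets it received and decrypted."""
    if delta["send_err"] or delta["recv_err"]:
        return "the SA itself is dropping packets: investigate send/recv errors first"
    if delta["decaps"] == 0:
        return "nothing arrived through the tunnel: the far side is not selecting this traffic"
    if delta["encaps"] == 0:
        return ("requests were decrypted but no replies re-entered the tunnel: "
                "check the target host's firewall and this router's route to it")
    if delta["encaps"] >= pings_sent:
        return "replies were encrypted back to the peer: look on the far side"
    return "some requests or replies are being lost between the endpoints"


if __name__ == "__main__":
    deltas = diff_counters(parse_sa(BEFORE), parse_sa(AFTER))
    for (local, remote, peer), delta in deltas.items():
        print(f"{local} <-> {remote} via {peer}: {delta}")
        print("  ", diagnose(delta, pings_sent=4))
```

Run on the router, the same reading works by hand: if decaps grows with each ping from the GX400 side but encaps does not, the requests are reaching this router and being decrypted, so the problem is between the router and 192.168.5.2 (the client firewall and NIC capture Alain asks about), not in the IPsec negotiation.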
