Cisco Systems IPSec Tunnels set up, but can't pass traffic

Posted by philbo30 on August 9, 2007, 5:20 pm
I'm able to set up AES IPSec tunnels from an 1811 router to a 3845
router, but cannot pass traffic. A firewall, not under our control,
sits immediately in front of the 3845, so I suspect that it is causing
the problem.

Here's the config on the 1811 side:

crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 30 periodic
!
crypto ipsec transform-set backup esp-aes esp-sha-hmac
!
crypto ipsec profile backup
set transform-set backup


The tunnels look absolutely fine and are working on other interfaces
where the firewall isn't present. Any ideas?


Posted by Brian V on August 10, 2007, 1:24 am

> I'm able to set up AES IPSec tunnels from an 1811 router to a 3845
> router, but cannot pass traffic. A firewall, not under our control,
> sits immediately in front of the 3845, so I suspect that it is causing
> the problem.
>
> Here's the config on the 1811 side:
>
> crypto isakmp policy 2
> encr aes
> authentication pre-share
> group 2
> !
> crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
> crypto isakmp keepalive 60 30 periodic
> !
> crypto ipsec transform-set backup esp-aes esp-sha-hmac
> !
> crypto ipsec profile backup
> set transform-set backup
>
>
> The tunnels look absolutely fine and are working on other interfaces
> where the firewall isn't present. Any ideas?
>

Do you have the correct routes in place?


Posted by Scott Perry on August 10, 2007, 9:03 am
Apply the crypto map to the interface and add static routes to send traffic
to that destination through the crypto map interface.

Check to see the progress with these commands:
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp

Your desired output for the "show crypto isakmp sa" command is a QM_IDLE
status for your connection.

--

===========
Scott Perry
===========
Indianapolis, Indiana
________________________________________
> I'm able to set up AES IPSec tunnels from an 1811 router to a 3845
> router, but cannot pass traffic. A firewall, not under our control,
> sits immediately in front of the 3845, so I suspect that it is causing
> the problem.
>
> Here's the config on the 1811 side:
>
> crypto isakmp policy 2
> encr aes
> authentication pre-share
> group 2
> !
> crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
> crypto isakmp keepalive 60 30 periodic
> !
> crypto ipsec transform-set backup esp-aes esp-sha-hmac
> !
> crypto ipsec profile backup
> set transform-set backup
>
>
> The tunnels look absolutely fine and are working on other interfaces
> where the firewall isn't present. Any ideas?
>



Posted by philbo30 on August 10, 2007, 2:20 pm
> Apply the crypto map to the interface and add static routes to send traffic
> to that destination through the crypto map interface.
>
> Check to see the progress with these commands:
> show crypto isakmp sa
> show crypto ipsec sa
> debug crypto isakmp
>
> Your desired output for the "show crypto isakmp sa" command is a QM_IDLE
> status for your connection.
>
> --
>
> ===========
> Scott Perry
> ===========
> Indianapolis, Indiana
in message
>
>
> > I'm able to set up AES IPSec tunnels from an 1811 router to a 3845
> > router, but cannot pass traffic. A firewall, not under our control,
> > sits immediately in front of the 3845, so I suspect that it is causing
> > the problem.
>
> > Here's the config on the 1811 side:
>
> > crypto isakmp policy 2
> > encr aes
> > authentication pre-share
> > group 2
> > !
> > crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
> > crypto isakmp keepalive 60 30 periodic
> > !
> > crypto ipsec transform-set backup esp-aes esp-sha-hmac
> > !
> > crypto ipsec profile backup
> > set transform-set backup
>
> > The tunnels look absolutely fine and are working on other interfaces
> > where the firewall isn't present. Any ideas?

Those have been applied...see tunnel configuration below:

interface Tunnel1
description BACKUP TUNNEL
ip address 10.190.1.253 255.255.255.252
ip virtual-reassembly
tunnel source 80.123.123.123
tunnel destination 121.212.111.121
tunnel mode ipsec ipv4
tunnel protection ipsec profile backup

In addition, the routes look like this:

ip route 0.0.0.0 0.0.0.0 80.123.118.209
ip route 10.0.0.0 255.0.0.0 Tunnel0
ip route 10.0.0.0 255.0.0.0 Tunnel1 2
ip route 10.128.0.1 255.255.255.255 10.160.224.1
ip route 172.0.0.0 255.0.0.0 Tunnel0
ip route 172.22.0.0 255.255.0.0 Tunnel0
ip route 172.22.0.0 255.255.0.0 Tunnel1 2
ip route 121.212.111.0 255.255.0.0 Tunnel1
ip route 121.212.111.121 255.255.255.255 80.123.123.123

With tunnel0 shutdown, the routing table looks like:

Gateway of last resort is 80.123.123.123 to network 0.0.0.0

80.0.0.0/28 is subnetted, 1 subnets
C 80.123.123.123 is directly connected, FastEthernet1
172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.22.20.0/28 is directly connected, Vlan2
S 172.22.0.0/16 is directly connected, Tunnel1
10.0.0.0/8 is variably subnetted, 6 subnets, 5 masks
S 10.0.0.0/8 is directly connected, Tunnel1
C 10.190.1.252/30 is directly connected, Tunnel1
C 10.160.224.0/26 is directly connected, FastEthernet0
S 10.128.0.1/32 [1/0] via 10.160.224.1
C 10.160.224.254/32 is directly connected, Loopback0
C 10.33.224.0/24 is directly connected, Vlan2
121.212.111.0/32 is subnetted, 1 subnets
S 121.212.111.121 [1/0] via 80.123.123.123
S* 0.0.0.0/0 [1/0] via 80.123.123.122
S 121.212.0.0/16 is directly connected, Tunnel1


Any ideas?


Posted by Al on August 11, 2007, 8:45 am
>
>
>
> > Apply the crypto map to the interface and add static routes to send traffic
> > to that destination through the crypto map interface.
>
> > Check to see the progress with these commands:
> > show crypto isakmp sa
> > show crypto ipsec sa
> > debug crypto isakmp
>
> > Your desired output for the "show crypto isakmp sa" command is a QM_IDLE
> > status for your connection.
>
> > --
>
> > ===========
> > Scott Perry
> > ===========
> > Indianapolis, Indiana
wrote in message
>
>
> > > I'm able to set up AES IPSec tunnels from an 1811 router to a 3845
> > > router, but cannot pass traffic. A firewall, not under our control,
> > > sits immediately in front of the 3845, so I suspect that it is causing
> > > the problem.
>
> > > Here's the config on the 1811 side:
>
> > > crypto isakmp policy 2
> > > encr aes
> > > authentication pre-share
> > > group 2
> > > !
> > > crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
> > > crypto isakmp keepalive 60 30 periodic
> > > !
> > > crypto ipsec transform-set backup esp-aes esp-sha-hmac
> > > !
> > > crypto ipsec profile backup
> > > set transform-set backup
>
> > > The tunnels look absolutely fine and are working on other interfaces
> > > where the firewall isn't present. Any ideas?
>
> Those have been applied...see tunnel configuration below:
>
> interface Tunnel1
> description BACKUP TUNNEL
> ip address 10.190.1.253 255.255.255.252
> ip virtual-reassembly
> tunnel source 80.123.123.123
> tunnel destination 121.212.111.121
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile backup
>
> In addition, the routes look like this:
>
> ip route 0.0.0.0 0.0.0.0 80.123.118.209
> ip route 10.0.0.0 255.0.0.0 Tunnel0
> ip route 10.0.0.0 255.0.0.0 Tunnel1 2
> ip route 10.128.0.1 255.255.255.255 10.160.224.1
> ip route 172.0.0.0 255.0.0.0 Tunnel0
> ip route 172.22.0.0 255.255.0.0 Tunnel0
> ip route 172.22.0.0 255.255.0.0 Tunnel1 2
> ip route 121.212.111.0 255.255.0.0 Tunnel1
> ip route 121.212.111.121 255.255.255.255 80.123.123.123
>
> With tunnel0 shutdown, the routing table looks like:
>
> Gateway of last resort is 80.123.123.123 to network 0.0.0.0
>
> 80.0.0.0/28 is subnetted, 1 subnets
> C 80.123.123.123 is directly connected, FastEthernet1
> 172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
> C 172.22.20.0/28 is directly connected, Vlan2
> S 172.22.0.0/16 is directly connected, Tunnel1
> 10.0.0.0/8 is variably subnetted, 6 subnets, 5 masks
> S 10.0.0.0/8 is directly connected, Tunnel1
> C 10.190.1.252/30 is directly connected, Tunnel1
> C 10.160.224.0/26 is directly connected, FastEthernet0
> S 10.128.0.1/32 [1/0] via 10.160.224.1
> C 10.160.224.254/32 is directly connected, Loopback0
> C 10.33.224.0/24 is directly connected, Vlan2
> 121.212.111.0/32 is subnetted, 1 subnets
> S 121.212.111.121 [1/0] via 80.123.123.123
> S* 0.0.0.0/0 [1/0] via 80.123.123.122
> S 121.212.0.0/16 is directly connected, Tunnel1
>
> Any ideas ??

Do you control the firewall? Can it be monitored/checked to see if
protocol 50 (ESP) is permitted as necessary to/from your vpn endpoint?
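The two checks raised in this thread, Scott's "QM_IDLE in show crypto isakmp sa" and Al's "is ESP (protocol 50) getting through the firewall", can be combined into one triage step: phase 1 complete but packets encapsulated with none decapsulated is the classic signature of ESP being filtered on the path. The script below is an added example, not from the thread or from Cisco; the router output it parses is constructed to match the IOS layout, using the peer addresses quoted above.

```python
import re

# Constructed sample output in the shape IOS prints (not captured from the thread).
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
121.212.111.121 80.123.123.123  QM_IDLE           1001 ACTIVE
"""

IPSEC_SA = """\
interface: Tunnel1
   Crypto map tag: Tunnel1-head-0, local addr 80.123.123.123
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 121.212.111.121 port 500
    #pkts encaps: 1534, #pkts encrypt: 1534, #pkts digest: 1534
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


def isakmp_phase1_up(text, peer):
    """True if the ISAKMP SA with `peer` is in QM_IDLE (IKE phase 1 complete)."""
    for line in text.splitlines():
        fields = line.split()
        # IOS columns: dst src state conn-id status
        if len(fields) >= 3 and peer in fields[:2] and fields[2] == "QM_IDLE":
            return True
    return False


def ipsec_counters(text):
    """Return the '#pkts encaps' and '#pkts decaps' counters from show crypto ipsec sa."""
    counters = {}
    for name in ("encaps", "decaps"):
        m = re.search(r"#pkts %s:\s*(\d+)" % name, text)
        counters[name] = int(m.group(1)) if m else 0
    return counters


def diagnose(isakmp_text, ipsec_text, peer):
    """Classify the tunnel state from the two show commands the thread recommends."""
    if not isakmp_phase1_up(isakmp_text, peer):
        return "phase1-down"             # IKE never finished: UDP/500, key or policy mismatch
    c = ipsec_counters(ipsec_text)
    if c["encaps"] == 0:
        return "no-interesting-traffic"  # nothing is being routed into the tunnel: check routes
    if c["decaps"] == 0:
        return "esp-one-way"             # we encrypt, nothing comes back: protocol 50 filtered
    return "passing"                     # or the peer has no return route
```

Run `diagnose(ISAKMP_SA, IPSEC_SA, "121.212.111.121")` on the sample and it returns `esp-one-way`, the state the original poster describes: IKE up, but no traffic.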

