Cisco 837 IPSEC Linksys WAG54g

Has anyone successfully managed to set up an IPSEC tunnel with a Cisco router and a Linksys WAG54g?

I have managed to establish an actual tunnel, but nothing will route between the networks. Can't ping machines at either end.

Any ideas?

Systematic

Well, I have a Cisco 837 at one end of the connection on 192.168.0.0, with NAT running on the internal range.

The other end has a Linksys WAG54g on 192.168.1.0, also with NAT.

I can see the tunnel establish under the connections screen on the Linksys, and also when running debug on the Cisco router.

But when trying to ping either end, I just get no replies from either end.

Do you have an example of a configuration you have got working successfully?

Thanks Matt

Systematic

Systematic wrote:

Not a Linksys WAG54g, but an Allnet 1294VPN, a Netgear FVS318 and the Safenet Softremote IPsec client (and other Cisco IOS routers). I don't have an 837, but an 836 instead ;-)

Yes. But there are many traps with FW, NAT, ACLs and the routing table. Describe your setup a little closer.

Uli Link

Systematic wrote:

So you have to exclude traffic from 192.168.0.0/24 to 192.168.1.0/24 from being NATted.

What do you mean by "see tunnel establish"? You'll need one SA for the IKE and two SAs for the dataflow in each direction.

When using ping from the exec of the Cisco, you'll need to specify "ping tag 192.168.1.1 source Ethernet0".

The following works for me with dynamic IPs on both sides. It is easier when you restrict by known WAN IP address, or at least a range of addresses, for the preshared key.

3DES-SHA1 with PFS/DH group 2

!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key YourPreSharedKey address 0.0.0.0 0.0.0.0 no-xauth
!
crypto isakmp identity hostname
!
crypto ipsec transform-set tfs-3des esp-3des esp-sha-hmac
!
crypto identity id-list-100
 description FQDN-OF-REMOTE-SITE
 fqdn yourremote-fqdn.domainname.dom
!
crypto map your_cmap_1 10 ipsec-isakmp
 description YOUR-IPSEC-TUNNEL
 set peer yourremote-fqdn.domainname.dom dynamic
 set security-association lifetime kilobytes 256000
 set security-association lifetime seconds 28800
 set transform-set tfs-3des
 set pfs group2
 set identity id-list-100
 match address 120
 reverse-route
!
interface Dialer 0
 crypto map your_cmap_1
!
ip nat inside source route-map NAT_ROUTEMAP interface Dialer0 overload
!
!
route-map NAT_ROUTEMAP permit 1
 match ip address 102
!
access-list 102 remark First exclude IPsec Tunnel from natting
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark Now the traffic being natted
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
!
access-list 120 remark Traffic matching will be protected
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!

If it won't work with the Linksys, try using MD5 instead of SHA1 and perhaps turning off PFS. If you want AES instead of 3DES, you'll need to turn off hardware encryption.

Uli Link
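The reason the "deny" line at the top of ACL 102 matters is the order in which IOS processes an inside-to-outside packet: the NAT route-map is applied before the crypto map on the egress interface, so anything the route-map permits leaves with the WAN address as its source and no longer matches crypto ACL 120. The following script is an added example (not code from the thread or from Cisco) that models that ordering with a small IOS-style ACL parser and runs the tunnel traffic through the config above, once with the exemption line and once without it. The WAN address 203.0.113.5 and the host addresses are constructed; the only ACL syntax it understands is "permit|deny ip SRC WILD DST WILD" with "any" and "host".

```python
import ipaddress

# Constructed config lines, copied from the ACL part of the config above.
WITH_EXEMPTION = [
    "access-list 102 remark First exclude IPsec Tunnel from natting",
    "access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 102 remark Now the traffic being natted",
    "access-list 102 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 102 deny ip any any",
    "access-list 120 remark Traffic matching will be protected",
    "access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
]
# The same config with the exemption line left out (the common mistake).
WITHOUT_EXEMPTION = [
    line for line in WITH_EXEMPTION
    if not line.startswith("access-list 102 deny ip 192.168.0.0")
]

WAN_IP = "203.0.113.5"  # assumed Dialer0 address (documentation range)


def _take_address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks; convert so that "0.0.0.0"
    # means a single host and "0.0.0.255" means a /24.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acl(lines):
    """Return {acl_number: [(action, src_net, dst_net), ...]}; remarks skipped."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        number, action = parts[1], parts[2]
        rest = parts[4:]  # tokens after the protocol keyword ("ip")
        src_net, rest = _take_address(rest)
        dst_net, _ = _take_address(rest)
        acls.setdefault(number, []).append((action, src_net, dst_net))
    return acls


def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def route_packet(config, src, dst, wan_ip=WAN_IP):
    """Model IOS inside-to-outside processing: NAT first, then the crypto map.

    Returns ("ipsec", source) if the packet ends up in the tunnel, or
    ("clear", source) if it is sent unencrypted; source is the address the
    crypto map saw, i.e. the one that goes on the wire.
    """
    acls = parse_acl(config)
    if acl_permits(acls.get("102", []), src, dst):
        src = wan_ip  # route-map matched: PAT overload rewrites the source
    if acl_permits(acls.get("120", []), src, dst):
        return ("ipsec", src)
    return ("clear", src)


def main():
    for name, cfg in (("with exemption", WITH_EXEMPTION),
                      ("without exemption", WITHOUT_EXEMPTION)):
        for dst in ("192.168.1.1", "198.51.100.7"):
            path, seen = route_packet(cfg, "192.168.0.10", dst)
            print(f"{name:18} 192.168.0.10 -> {dst:13}: {path:5} "
                  f"(source on the wire {seen})")


if __name__ == "__main__":
    main()
```

Without the exemption, the LAN-to-LAN packet is translated to 203.0.113.5 before the crypto map runs, fails to match ACL 120, and is routed to the Internet in the clear, which is exactly the "tunnel is up but nothing routes" symptom. Ordinary Internet-bound traffic is NATted either way, so the exemption does not affect normal browsing.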

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.