IPSEC problem

I have a Cisco 3640 with an internal interface (192.168.0.1) and external interface (a.b.c.d). Everything on the internal is NAT to the external with overload. I have an IPSEC tunnel setup between the external and another router. The inside of the other router has ip of 10.0.0.1. Everything works great. Any machine on the internal network can ping a machine on the remote network (192.168.0.x to 10.0.0.x). Now, I add another internal interface to the 3640 (192.168.1.1). Setup the NAT with overload just like the first internal interface. Everything works great. Any machine on the second internal can see the internet, but, they cannot access 10.0.0.x ! My question is, can two internal interfaces access the same IPSEC tunnel ?

When I do a SHOW IPSEC CRYPTO SA I get this

local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.9.0/255.255.255.0/0/0)

There is never a local ident with 192.168.1.0 for the second interface. When I ping from the second interface I get this debug error

34867: 21:43:56: IP: s=192.168.1.43 (FastEthernet1/0), d=10.0.0.1 (Loopback0), g=1.1.1.3, len 60, forward
34868: 21:43:56: ICMP type=8, code=0
34869: 21:43:56: IP: s=192.168.1.43 (Loopback0), d=10.0.0.1 (FastEthernet1/1), len 60, crypto map check failed.
34870: 21:43:56: ICMP type=8, code=0

Anybody have a solution ?
kevin

Yes.

Did you add 192.168.1/24 to the access list that defines the tunnels? Does the other end permit 192.168.1/24 ?

Note that if you add 192.168.1/24 to the ACL, then the two interfaces would use different Security Associations (SA), so in that sense they would not be accessing "the same" IPSec tunnel.

If, however, you were to change the ACL on both ends to be 192.168.0/23 then that would cover 192.168.0/24 and 192.168.1/24 within a single ACL entry, and that would involve only a single Security Association.

Each "permit" entry in the crypto map ACL triggers a distinct Security Association when traffic is encountered that matches that entry. [That is why it is important to use the same ACL entry structure on both sides of the IPSec tunnel: if you were to use different ACL entries that happened to match the same traffic, then the two ends would know the traffic under different Security Associations and That Would Be Bad (TM).]

Walter Roberson
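The answer above describes two behaviours of a Cisco crypto-map ACL: a packet that matches no "permit" entry fails the crypto map check (the debug line in the original question), and each matching entry selects its own Security Association, which only lines up with the peer if the peer's ACL is the exact mirror image. The following Python model is an added example, not code from the thread or from Cisco; the ACL text, interface names and host addresses in it are constructed to resemble the poster's setup (192.168.0.0/24 and 192.168.1.0/24 behind the 3640, 10.0.0.0/24 behind the remote router). It parses IOS-style "permit ip" lines with wildcard masks, answers which identities a packet would be protected under, and flags entries that have no mirror on the other end.

```python
"""Model of Cisco crypto-map ACL matching and SA selection (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One 'permit ip <src> <wc> <dst> <wc>' line, as source/destination prefixes."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks: 0.0.1.255 -> /23."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(lines):
    """Parse a list of IOS 'permit ip' crypto ACL lines into Entry objects."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[0] != "permit" or parts[1] != "ip":
            raise ValueError(f"unsupported crypto ACL line: {line!r}")
        entries.append(Entry(wildcard_to_net(parts[2], parts[3]),
                             wildcard_to_net(parts[4], parts[5])))
    return entries


def crypto_map_check(acl, src_ip: str, dst_ip: str):
    """Return the (local ident, remote ident) pair the packet would be encrypted
    under, or None when no entry matches (IOS logs 'crypto map check failed')."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return (e.src, e.dst)
    return None


def distinct_sas(acl, flows):
    """Number of separate SAs a set of (src, dst) flows would trigger."""
    return len({crypto_map_check(acl, s, d) for s, d in flows} - {None})


def unmirrored_entries(local_acl, remote_acl):
    """Local entries with no exact mirror (dst/src swapped) on the remote end.
    Any entry listed here would be negotiated under identities the peer does
    not use, which is the mismatch the answer warns about."""
    remote_mirror = {Entry(e.dst, e.src) for e in remote_acl}
    return [e for e in local_acl if e not in remote_mirror]


# Constructed ACLs modelled on the thread (hypothetical, not the poster's config).
HQ_ORIGINAL = ["permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255"]
HQ_TWO_ENTRIES = HQ_ORIGINAL + ["permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255"]
HQ_SUMMARY = ["permit ip 192.168.0.0 0.0.1.255 10.0.0.0 0.0.0.255"]
REMOTE_SUMMARY = ["permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.1.255"]
FLOWS = [("192.168.0.10", "10.0.0.1"), ("192.168.1.43", "10.0.0.1")]


def main():
    print("original ACL, 192.168.1.43 -> 10.0.0.1:",
          crypto_map_check(parse_acl(HQ_ORIGINAL), "192.168.1.43", "10.0.0.1"))
    print("two /24 entries -> SAs:", distinct_sas(parse_acl(HQ_TWO_ENTRIES), FLOWS))
    print("one /23 entry  -> SAs:", distinct_sas(parse_acl(HQ_SUMMARY), FLOWS))
    print("unmirrored vs remote /23:",
          unmirrored_entries(parse_acl(HQ_TWO_ENTRIES), parse_acl(REMOTE_SUMMARY)))


if __name__ == "__main__":
    main()
```

Running it reproduces the three situations in the thread: the original single /24 entry returns None for a 192.168.1.x source, two /24 entries carry the same traffic over two SAs, and the /23 summary carries both subnets over one SA with no unmirrored entries once the remote end uses the matching /23.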

Thanks a bunch! Duh, stupid me. I changed the remote router to 192.168.0/23 and it worked. Thanks again.

kevin