Routing between VPNs fails

Hi, I cannot get the routing between two IPsec-connected networks working.

The setup looks like this (all sites are inside 192.168.x.x/16):

    NET A (.150/24)          NET B (.253/24)
          |                        |
          |                        |
          -- -- NET C (.3/24) -- --
                     |
                     |
                NET D (.1/24)

I get the following error message when trying to ping from a host in NET B to NET A:

*Mar 27 10:47:41.219: IP: s=192.168.253.1 (Dialer0), d=192.168.150.1 (Dialer0), len 84, crypto map check failed.

At the same time, traffic flows fine back and forth between NET D and A and B. Basically I want to route all connected 192.168.x.x/16 networks between the sites.

I'm suspecting it's somewhere in the access lists?

#sho ip access-lists
Standard IP access list 1
    10 permit 192.168.3.0, wildcard bits 0.0.0.255 (128 matches)
    20 permit 192.168.0.0, wildcard bits 0.0.255.255 (26 matches)
    40 deny   any log (7 matches)
Extended IP access list NET_A
    10 permit ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.255.255 (1 match)
    20 permit ip 192.168.0.0 0.0.255.255 192.168.150.0 0.0.0.255 (193586 matches)
Extended IP access list NET_B
    10 permit ip 192.168.253.0 0.0.0.255 any (9493 matches)
    20 permit ip 192.168.0.0 0.0.255.255 192.168.253.0 0.0.0.255 (151845 matches)
Extended IP access list NO_NAT_DEST
    10 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    30 permit ip any any

The remote peers are using a dynamic-map like this one:

crypto dynamic-map DYNMAP-1 1
 description dynamic cryptomap 1
 set transform-set IPSEC-Set
 match address NET_B
 reverse-route remote-peer

Could someone point out to me where I fouled up?

Many TIA! Dirk

Dirk Westfal

You can't do it...

Both are seen as being on one interface and you can't define rules that map the endpoints on a single interface.

This is how I understand it anyway.....

Kelvin J. Hill

Kelvin J. Hill wrote:

Well, I think you're right - after I had sore fingers from googling and trying, I finally came to the conclusion that there's a reason why every description of a setup like mine involves either GRE or NHRP :) (tried even a VTI setup before...)

Then I found that, using the "set peer dynamic" statement for both of my peers in the lab, everything worked (routing between all networks described in the previous post) - until one of the peers got a new IP.

The message "cannot resolve peer, will do that when negotiating isakmp" led me to the false conclusion that it should work even after a change of IP of one of the peers ... Alas - the IOS still stored the resolved IP (despite saying otherwise)...

After some heavy biting into the desk and analyzing traffic, I found out that no DNS resolution took place whatsoever.

Then I took a deep breath, discarded the dynamic crypto map setup and tried it again with static ones.

And lo, it works! (though I'm kinda careful now ... but the currently running transfer test seems to be going fine)

It would have been really helpful, though, to find a cookbook example for "setting up VPN with inter-network routing and dynamic peers using static crypto maps and the 'real-time DNS resolution features in 12.4'" ... now I need a new desk ... :)

Implementing QoS will be the next challenging task ...

Dirk

Dirk Westfal
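For readers looking for the cookbook example asked for in the post above, here is an added illustration; it is not configuration from the thread or from Cisco's documentation. It shows the hub side of the setup Dirk ended up with: static crypto map entries whose peers are hostnames resolved at IKE negotiation time (`set peer <hostname> dynamic`, available from IOS 12.3(4)T / 12.4), with reverse-route injection supplying the routes between sites. The hostnames a.example.net and b.example.net, the name-server address, the pre-shared keys and the transform set are assumed values. The spokes (not shown) would mirror their own crypto ACL (site network to 192.168.0.0/16), point at the hub's address and use `crypto isakmp identity hostname` so the hub can match the pre-shared key by name rather than by an address that changes. Compared with the ACLs posted earlier, each hub entry here keeps only the hub-to-site direction: IOS checks inbound decrypted packets against the mirror image of the crypto ACL automatically, and because crypto map entries are consulted in sequence-number order with the first match winning, a line such as `permit ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.255.255` in the entry for site A would also claim A-to-B packets.

```cisco
! Added example (not from the thread): hub router, static crypto map entries,
! peers named by hostname and resolved when IKE starts. Names, name server,
! keys and transform set are assumed values.
ip domain lookup
ip name-server 192.0.2.53
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! Dead peer detection: when a spoke's address changes, the stale SA is torn
! down, so the next interesting packet starts a fresh IKE negotiation and the
! hostname is resolved again (this is what "dynamic" on set peer provides).
crypto isakmp keepalive 30 5
! Keys are looked up by the ISAKMP identity the spoke presents; spokes set
! "crypto isakmp identity hostname". The hub must be able to resolve these
! names via DNS (or ip host) for both the key lookup and set peer ... dynamic.
crypto isakmp key SpokeA-secret hostname a.example.net
crypto isakmp key SpokeB-secret hostname b.example.net
!
crypto ipsec transform-set IPSEC-Set esp-aes 256 esp-sha-hmac
!
! Hub-to-site direction only. 192.168.0.0/16 as the source covers traffic from
! every other site, so spoke-to-spoke (B -> A) flows are encrypted toward A.
ip access-list extended NET_A
 permit ip 192.168.0.0 0.0.255.255 192.168.150.0 0.0.0.255
ip access-list extended NET_B
 permit ip 192.168.0.0 0.0.255.255 192.168.253.0 0.0.0.255
!
! Keep crypto ACL lines out of NAT: never translate site-to-site traffic.
ip access-list extended NO_NAT_DEST
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip any any
!
! Static entries: unlike a dynamic map, the hub can initiate the tunnel, which
! is what a packet arriving from B and destined for A needs.
crypto map VPN 10 ipsec-isakmp
 description site A (hostname resolved at negotiation time)
 set peer a.example.net dynamic
 set transform-set IPSEC-Set
 match address NET_A
 reverse-route
crypto map VPN 20 ipsec-isakmp
 description site B (hostname resolved at negotiation time)
 set peer b.example.net dynamic
 set transform-set IPSEC-Set
 match address NET_B
 reverse-route
!
interface Dialer0
 crypto map VPN
```

After the tunnels come up, `show ip route static` should list 192.168.150.0/24 and 192.168.253.0/24 as reverse-route entries pointing at the Dialer0 path, and `show crypto ipsec sa` should show, for the site A entry, an SA whose remote identity is 192.168.150.0/24 and whose local identity is 192.168.0.0/16; if the local identity comes out narrower than that, the spoke's crypto ACL is not the mirror of the hub's and spoke-to-spoke packets will still fail the crypto map check.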

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.