Hi again.
So you are still hiding from us what the problem is, aren't you? :-)
From the ISAKMP/IPSec standpoint it looks good, unless you have such
different versions of IOS on the two ends that they use different default DH
groups (the ones you did not specify on your isakmp policy maps).
In the config extract you provided for Site-B you don't have NAT. Do you
have it in reality?
Anyway, I would encourage you to run some debugs on both ends to see where
it breaks.
Try to build a model in Dynamips and do some debugging there. It took me 5
minutes to clear the unnecessary stuff out of your configs without changing any
of the ISAKMP/IPSec core part and put them on Dynamips; the tunnel went up
straight away.
Cheers
A.
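As an added example (not code from the thread or from any of its posters), the following Python script performs, offline, the checks A.'s reply points at: whether the two ends have a phase-1 policy in common, which policies leave the DH group at the platform default (so a different IOS default on one end would silently break the match), whether the crypto ACLs mirror each other, and whether a NAT overload ACL would translate a crypto flow before it is encrypted. It assumes IOS's defaults for unspecified ISAKMP policy attributes (DES, SHA, rsa-sig, group 1) and works on constructed, trimmed copies of the Site-B and Site-C extracts quoted below; all function names (parse_blocks, isakmp_policies, acl_flows, nat_leaks, check_pair and the rest) are the example's own.

```python
# Added example, not tooling from the thread: cross-check two IOS extracts the way A.'s reply
# suggests. Assumed IOS defaults for unspecified ISAKMP attributes: encr des, hash sha, auth
# rsa-sig, group 1. SITE_B/SITE_C are constructed, trimmed copies of the configs quoted below.
import ipaddress

SITE_B = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
ip access-list extended PAC4
 permit ip 172.20.20.0 0.0.0.255 172.20.245.0 0.0.0.255
"""
SITE_C = """\
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
ip nat source list INTERNET interface Dialer0 overload
ip access-list extended INTERNET
 deny ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
 permit ip 172.20.245.0 0.0.0.255 any
ip access-list extended GW1
 permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
"""
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_blocks(text):
    """Split an IOS config into (header, [indented sub-lines]) sections, skipping '!' and blanks."""
    blocks = []
    for line in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if line[0].isspace():
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def isakmp_policies(blocks):
    """Effective phase-1 attributes per policy, plus the ones the config left at default."""
    policies = []
    for header, body in blocks:
        if header.startswith("crypto isakmp policy "):
            given = dict(s.split(" ", 1) for s in body if s.split()[0] in ISAKMP_DEFAULTS)
            policies.append(dict(ISAKMP_DEFAULTS, **given, priority=header.split()[-1],
                                 defaulted=[k for k in ISAKMP_DEFAULTS if k not in given]))
    return policies

def isakmp_matches(local, remote):
    """(local, remote) priority pairs that agree on encr/hash/auth/DH group, i.e. can complete phase 1."""
    key = lambda p: tuple(p[k] for k in ISAKMP_DEFAULTS)
    return [(a["priority"], b["priority"]) for a in local for b in remote if key(a) == key(b)]

def _net(tokens):
    """Consume one ACL address spec ('any' or 'addr wildcard') from tokens into an ip_network."""
    addr = tokens.pop(0)
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wild = tokens.pop(0)
    mask = "32" if wild == "0.0.0.0" else wild  # ipaddress would read 0.0.0.0 as a /0 netmask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # a Cisco wildcard is a hostmask

def acl_flows(blocks, name):
    """[(action, src_net, dst_net)] for the 'permit|deny ip' entries of one extended ACL, in order."""
    flows = []
    for header, body in blocks:
        if header == f"ip access-list extended {name}":
            for sub in body:
                action, proto, *rest = sub.split()
                if proto == "ip":
                    flows.append((action, _net(rest), _net(rest)))  # evaluates left to right: src, dst
    return flows

def unmirrored(local_flows, remote_flows):
    """Permit entries on this end whose reverse is missing from the peer's crypto ACL."""
    reverse = {(d, s) for a, s, d in remote_flows if a == "permit"}
    return [(str(s), str(d)) for a, s, d in local_flows if a == "permit" and (s, d) not in reverse]

def first_match(flows, src, dst):
    """Action of the first entry covering the flow; every IOS ACL ends in an implicit deny."""
    return next((a for a, s, d in flows if src.subnet_of(s) and dst.subnet_of(d)), "deny")

def nat_leaks(blocks, crypto_flows):
    """Crypto flows a NAT overload ACL would translate; None if the box has no NAT list at all."""
    nat_acls = [h.split(" list ")[1].split()[0] for h, _ in blocks if h.startswith("ip nat ") and " list " in h]
    return None if not nat_acls else [
        (str(s), str(d)) for a, s, d in crypto_flows if a == "permit"
        for acl in nat_acls if first_match(acl_flows(blocks, acl), s, d) == "permit"]

def check_pair(local_cfg, local_acl, remote_cfg, remote_acl):
    """Every check on one pair of extracts, as a plain dict that is easy to assert on."""
    lb, rb = parse_blocks(local_cfg), parse_blocks(remote_cfg)
    lp, rp = isakmp_policies(lb), isakmp_policies(rb)
    lf, rf = acl_flows(lb, local_acl), acl_flows(rb, remote_acl)
    return {"isakmp_matches": isakmp_matches(lp, rp),
            "dh_group_defaulted": [p["priority"] for p in lp + rp if "group" in p["defaulted"]],
            "unmirrored": unmirrored(lf, rf) + unmirrored(rf, lf),
            "nat_leaks": (nat_leaks(lb, lf), nat_leaks(rb, rf))}

if __name__ == "__main__":
    print(check_pair(SITE_B, "PAC4", SITE_C, "GW1"))
```

On the two extracts as quoted, the report comes back clean apart from the point A. raises: every policy leaves the DH group at its default, and the Site-B extract has no NAT list at all (reported as None rather than as an empty list, so "no NAT" is distinguishable from "NAT with working exemptions"). Pinning `group 2` on one end only, or removing one `deny` from the INTERNET list, makes the corresponding check light up, which is the kind of mismatch debugs would otherwise have to be read for.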
On 25 November 2011 00:10, Arbaaz Khan <arbaazkhan83_at_gmail.com> wrote:
> Hi A
>
> The configuration of Site-B
> Site-B has other tunnels and, to make it simple, I removed the access-lists
> for the tunnels which are working.
>
> %%%%%%%%%%%%%%%%%%%%%
> Site-B configuration
> %%%%%%%%%%%%%%%%%%%%%
>
> crypto isakmp policy 1
>
> encr 3des
> hash md5
> authentication pre-share
>
> crypto isakmp policy 2
> hash md5
> authentication pre-share
>
> crypto isakmp key cisco address 97.12.118.X
> crypto isakmp key cisco address 217.218.185.x
> crypto isakmp key cisco address 62.249.x.x
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> crypto isakmp keepalive 300
>
> crypto ipsec transform-set PAC1 esp-des esp-md5-hmac
> crypto ipsec transform-set PAC2 esp-3des esp-md5-hmac
> crypto ipsec transform-set PAC3 esp-3des esp-md5-hmac
> crypto ipsec transform-set PAC4 esp-3des esp-md5-hmac
>
> crypto dynamic-map MAP 10
> set transform-set PAC4
> match address PAC4
>
> crypto map IMAP 5 ipsec-isakmp dynamic MAP
>
> crypto map IMAP 6 ipsec-isakmp
> set peer 97.12.118.X
> set transform-set PAC1
> match address PAC1
>
> crypto map IMAP 7 ipsec-isakmp
> set peer 217.218.185.x
> set transform-set PAC2
> match address PAC2
>
> crypto map IMAP 8 ipsec-isakmp
> set peer 62.249.x.x
> set transform-set PAC3
> match address PAC3
>
> interface GigabitEthernet0/0
> description Network
> ip address 172.20.20.1 255.255.255.0
>
> interface GigabitEthernet0/1
> description ISP
> ip address 217.90.12.x 255.255.255.248
> crypto map IMAP
>
> router eigrp 2
> network 172.20.20.1 0.0.0.0
> no auto-summary
>
> ip route 0.0.0.0 0.0.0.0 217.90.12.x
> ip route 172.20.245.1 255.255.255.255 217.90.12.x
>
> ip access-list extended PAC4
> permit ip 172.20.20.0 0.0.0.255 172.20.245.0 0.0.0.255
> permit ip 192.168.2.0 0.0.0.255 172.20.245.0 0.0.0.255
>
> Thanks
> A Khan
>
> On Thu, Nov 24, 2011 at 2:15 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
>
>> Hi Arbaaz.
>>
>> What exactly is the problem? Does the connection progress from phase 1 to
>> phase 2?
>> Any debug outputs?
>> Better post at least the config of site B to have a full picture of both
>> ends.
>>
>> Cheers,
>> A.
>>
>>
>>
>> On 11/24/2011 9:03 PM, Arbaaz Khan wrote:
>>
>> Hi Experts
>> I have a simple VPN setup but have a problem getting the tunnel up with a dynamic IP.
>> Any input is appreciated.
>> To simplify the setup I labelled the sites as A, B, C. Here go the details
>> and my configuration.
>>
>>
>> Site-A connects to Site-C [ Firewall-to-Router Static-to-Dynamic IPSec with
>> NAT ]
>> Site-B connects to Site-C [ Router-to-Router Static-to-Dynamic IPSec with
>> NAT ]
>>
>> Site-A terminates the VPN on a PIX 525
>> Site-B terminates the VPN on an IOS router with a static public IP
>> Site-C terminates the VPN on an IOS router with a dynamic public IP
>> Site A - 217.18.1.x
>> Site B - 217.90.12.x
>> Site C - 0.0.0.0 [ Dynamic IP ]
>>
>>
>> %%%%%%%%%%%%%%%%%%%%%
>> Site-C configuration
>> %%%%%%%%%%%%%%%%%%%%%
>>
>> crypto isakmp policy 10
>> hash md5
>> authentication pre-share
>>
>> crypto isakmp policy 11
>> encr 3des
>> hash md5
>> authentication pre-share
>>
>> crypto isakmp key cisco address 217.18.1.X
>> crypto isakmp key cisco address 217.90.12.X
>> crypto isakmp keepalive 300
>> !
>> !
>> crypto ipsec transform-set trans1 esp-des esp-md5-hmac
>> crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
>> !
>> crypto map CMAP 10 ipsec-isakmp
>> set peer 217.18.1.X
>> set transform-set trans1
>> match address FL1
>>
>> crypto map CMAP 10 ipsec-isakmp
>> set peer 217.90.12.X
>> set transform-set trans2
>> match address GW1
>>
>>
>> interface Ethernet0
>> ip address 172.20.245.1 255.255.255.0
>> ip nat inside
>> ip virtual-reassembly
>> ip tcp adjust-mss 1300
>> hold-queue 100 out
>> !
>> interface Ethernet2
>> no ip address
>> pppoe enable
>> pppoe-client dial-pool-number 1
>> hold-queue 100 out
>> !
>> interface ATM0
>> bandwidth 4160
>> no ip address
>> load-interval 30
>> shutdown
>> no atm ilmi-keepalive
>> dsl operating-mode auto
>> pvc 0/50
>> encapsulation aal5mux ppp dialer
>> dialer pool-member 1
>>
>> interface Dialer0
>> bandwidth 4160
>> ip address negotiated
>> ip mtu 1492
>> ip nat outside
>> ip virtual-reassembly
>> encapsulation ppp
>> no ip mroute-cache
>> dialer pool 1
>> dialer-group 1
>> no cdp enable
>> ppp authentication pap callin
>> ppp chap refuse
>> ppp pap sent-username cisco password 7 cisco
>> ppp ipcp address accept
>> crypto map CMAP
>>
>> ip route 0.0.0.0 0.0.0.0 Dialer0
>>
>> ip nat source list INTERNET interface Dialer0 overload
>> !
>> !
>> ip access-list extended INTERNET
>> deny ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>> deny ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>> deny ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>> deny ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>> permit ip 172.20.245.0 0.0.0.255 any
>>
>> ip access-list extended FL1
>> permit ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>> permit ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>>
>> ip access-list extended GW1
>> permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>> permit ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>>
>> I have no problems on the Tunnel between Site-A and Site-C
>>
>> Thanks
>> A Khan
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
Received on Fri Nov 25 2011 - 09:37:18 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART