Re: Router-to-Router Dynamic-to-Static IPSec with NAT

From: Arbaaz Khan <arbaazkhan83_at_gmail.com>
Date: Fri, 25 Nov 2011 10:09:54 +0300

Hello Alex,

I feel I provided all the information and the problem; sorry if you didn't get
it clearly.
Let me clear up this confusion.

*So you are still hiding from us what the problem is, are you? :-)*
Site-C cannot establish a VPN with Site-B [ problem getting the tunnel up with
a dynamic IP ], as I mentioned in my initial post.

*In the config extract you provided for Site-B you don't have NAT. Do you
have it in reality?*
I mentioned *Dynamic IP with NAT* [ this is on Site-C ]; I sent the complete
config of Site-C.
Site-B has a static IP without NAT.

I wanted someone to look at my config and point out anything I missed.

On Fri, Nov 25, 2011 at 1:37 AM, Alexei Monastyrnyi <alexeim73_at_gmail.com>wrote:

> Hi again.
>
> So you are still hiding from us what the problem is, are you? :-)
>
> From the ISAKMP/IPSec standpoint it looks good, unless you have such
> different versions of IOS on both ends so they use different default DH
> groups (the ones you did not specify on your isakmp policy maps).
>
> In the config extract you provided for Site-B you don't have NAT. Do you
> have it in reality?
>
> Anyway, I would encourage you to run some debugs on both ends to see where
> it breaks.
>
> Try to build a model in Dynamips and do some debugging there. Took me 5
> minutes to clear your configs off unnecessary stuff without changing any
> ISAKMP/IPSec core part and put them on Dynamips, the tunnel went up
> straight away.
>
> Cheers
>
> A.
> On 25 November 2011 00:10, Arbaaz Khan <arbaazkhan83_at_gmail.com> wrote:
>
>> Hi A
>>
>> The configuration of Site-B:
>> Site-B has other tunnels, and to make it simple I removed the access-lists
>> for the tunnels which are working.
>>
>> %%%%%%%%%%%%%%%%%%%%%
>> Site-B configuration
>> %%%%%%%%%%%%%%%%%%%%%
>>
>> crypto isakmp policy 1
>>
>> encr 3des
>> hash md5
>> authentication pre-share
>>
>> crypto isakmp policy 2
>> hash md5
>> authentication pre-share
>>
>> crypto isakmp key cisco address 97.12.118.X
>> crypto isakmp key cisco address 217.218.185.x
>> crypto isakmp key cisco address 62.249.x.x
>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>> crypto isakmp keepalive 300
>>
>> crypto ipsec transform-set PAC1 esp-des esp-md5-hmac
>> crypto ipsec transform-set PAC2 esp-3des esp-md5-hmac
>> crypto ipsec transform-set PAC3 esp-3des esp-md5-hmac
>> crypto ipsec transform-set PAC4 esp-3des esp-md5-hmac
>>
>> crypto dynamic-map MAP 10
>> set transforim-set PAC4
>> match address PAC4
>>
>> crypto map IMAP 5 ipsec-isakmp dynamic MAP
>>
>> crypto map IMAP 6 ipsec-isakmp
>> set peer 97.12.118.X
>> set transform-set PAC1
>> match address PAC1
>>
>> crypto map IMAP 7 ipsec-isakmp
>> set peer 217.218.185.x
>> set transform-set PAC2
>> match address PAC2
>>
>> crypto map IMAP 8 ipsec-isakmp
>> set peer 62.249.x.x
>> set transform-set PAC3
>> match address PAC3
>>
>> interface GigabitEthernet0/0
>> description Network
>> ip address 172.20.20.1 255.255.255.0
>>
>> interface GigabitEthernet0/1
>> description ISP
>> ip address 217.90.12.x 255.255.255.248
>> crypto map IMAP
>>
>> router eigrp 2
>> network 172.20.20.1 0.0.0.0
>> no auto-summary
>>
>> ip route 0.0.0.0 0.0.0.0 217.90.12.x
>> ip route 172.20.245.1 255.255.255.255 217.90.12.x
>>
>> ip access-list extended PAC4
>> permit ip 172.20.20.0 0.0.0.255 172.20.245.0 0.0.0.255
>> permit ip 192.168.2.0 0.0.0.255 172.20.245.0 0.0.0.255
>>
>> Thanks
>> A Khan
>>
>> On Thu, Nov 24, 2011 at 2:15 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
>>
>>> Hi Arbaaz.
>>>
>>> What exactly is the problem? Does the connection progress from phase 1
>>> to phase 2?
>>> Any debug outputs?
>>> Better post at least the config of site B to have a full picture of both
>>> ends.
>>>
>>> Cheers,
>>> A.
>>>
>>> On 11/24/2011 9:03 PM, Arbaaz Khan wrote:
>>>
>>> Hi Experts,
>>> I have a simple VPN setup but have a problem getting the tunnel up with a dynamic IP.
>>> Any input is appreciated.
>>> To simplify the setup I labelled the sites as A, B, C. Here are the details
>>> and my configuration.
>>>
>>>
>>> Site-A connects to Site-C [ Firewall-to-Router Static-to-Dynamic IPSec with
>>> NAT ]
>>> Site-B connects to Site-C [ Router-to-Router Static-to-Dynamic IPSec with
>>> NAT ]
>>>
>>> Site-A terminates the VPN on Pix 525
>>> Site-B terminates the VPN on IOS Router with static Public IP
>>> Site-C terminates the VPN on IOS Router with Dynamic Public IP
>>> Site A - 217.18.1.x
>>> Site B - 217.90.12.x
>>> Site C - 0.0.0.0 [ Dynamic IP ]
>>>
>>>
>>> %%%%%%%%%%%%%%%%%%%%%
>>> Site-C configuration
>>> %%%%%%%%%%%%%%%%%%%%%
>>>
>>> crypto isakmp policy 10
>>> hash md5
>>> authentication pre-share
>>>
>>> crypto isakmp policy 11
>>> encr 3des
>>> hash md5
>>> authentication pre-share
>>>
>>> crypto isakmp key cisco address 217.18.1.X
>>> crypto isakmp key cisco address 217.90.12.X
>>> crypto isakmp keepalive 300
>>> !
>>> !
>>> crypto ipsec transform-set trans1 esp-des esp-md5-hmac
>>> crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
>>> !
>>> crypto map CMAP 10 ipsec-isakmp
>>> set peer 217.18.1.X
>>> set transform-set trans1
>>> match address FL1
>>>
>>> crypto map CMAP 10 ipsec-isakmp
>>> set peer 217.90.12.X
>>> set transform-set trans2
>>> match address GW1
>>>
>>>
>>> interface Ethernet0
>>> ip address 172.20.245.1 255.255.255.0
>>> ip nat inside
>>> ip virtual-reassembly
>>> ip tcp adjust-mss 1300
>>> hold-queue 100 out
>>> !
>>> interface Ethernet2
>>> no ip address
>>> pppoe enable
>>> pppoe-client dial-pool-number 1
>>> hold-queue 100 out
>>> !
>>> interface ATM0
>>> bandwidth 4160
>>> no ip address
>>> load-interval 30
>>> shutdown
>>> no atm ilmi-keepalive
>>> dsl operating-mode auto
>>> pvc 0/50
>>> encapsulation aal5mux ppp dialer
>>> dialer pool-member 1
>>>
>>> interface Dialer0
>>> bandwidth 4160
>>> ip address negotiated
>>> ip mtu 1492
>>> ip nat outside
>>> ip virtual-reassembly
>>> encapsulation ppp
>>> no ip mroute-cache
>>> dialer pool 1
>>> dialer-group 1
>>> no cdp enable
>>> ppp authentication pap callin
>>> ppp chap refuse
>>> ppp pap sent-username cisco password 7 cisco
>>> ppp ipcp address accept
>>> crypto map CMAP
>>>
>>> ip route 0.0.0.0 0.0.0.0 Dialer0
>>>
>>> ip nat source list INTERNET interface Dialer0 overload
>>> !
>>> !
>>> ip access-list extended INTERNET
>>> deny ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>>> deny ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>>> deny ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>>> deny ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>>> permit ip 172.20.245.0 0.0.0.255 any
>>>
>>> ip access-list extended FL1
>>> permit ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>>> permit ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>>>
>>> ip access-list extended GW1
>>> permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>>> permit ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>>>
>>> I have no problems on the Tunnel between Site-A and Site-C
>>>
>>> Thanks
>>> A Khan
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
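Added example, not from the thread or either poster: a small Python script that cross-checks trimmed copies of the two configs above for the mistakes that most often keep a dynamic-to-static tunnel with NAT from coming up: a crypto map sequence number used twice (the second `crypto map CMAP 10` edits the first entry rather than adding a second peer), a map or dynamic-map entry with no valid `set transform-set` (a misspelled keyword such as the `transforim-set` in the Site-B extract leaves the entry without one), crypto ACLs on the two ends that are not mirror images, and crypto-ACL flows that the NAT ACL does not deny before its `permit ... any`. The sample configs are constructed from the thread with the masked public IPs replaced by RFC 5737 documentation addresses; the ACL comparison is an exact match on source/destination pairs, not a subnet-containment check.

```python
# Cross-check two IOS IPSec configs for common dynamic-to-static + NAT mistakes:
# duplicate crypto map sequence numbers, map entries without a usable transform-set,
# crypto ACLs that are not mirror images, and crypto flows not exempted from NAT.
# Constructed example; the samples are trimmed from the thread, not real devices.
import re

# Site-C (dynamic IP, NAT overload) and Site-B (static hub with a dynamic crypto map).
# Public peer addresses are RFC 5737 documentation addresses, not the thread's.
SITE_C = """\
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set trans1
 match address FL1
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set trans2
 match address GW1
ip access-list extended INTERNET
 deny ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
 deny ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 172.20.245.0 0.0.0.255 any
ip access-list extended GW1
 permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
 permit ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
SITE_B = """\
crypto ipsec transform-set PAC4 esp-3des esp-md5-hmac
crypto dynamic-map MAP 10
 set transforim-set PAC4
 match address PAC4
crypto map IMAP 5 ipsec-isakmp dynamic MAP
ip access-list extended PAC4
 permit ip 172.20.20.0 0.0.0.255 172.20.245.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 172.20.245.0 0.0.0.255
"""

ACE = re.compile(r"(permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")


def parse_blocks(cfg):
    """Split an IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(line)
        elif not raw.startswith(" "):
            blocks.append((line, []))
    return blocks


def parse_acls(blocks):
    """Return {name: [(action, 'src wildcard' | 'any', 'dst wildcard' | 'any'), ...]}."""
    acls = {}
    for hdr, body in blocks:
        m = re.match(r"ip access-list extended (\S+)$", hdr)
        if m:
            acls[m.group(1)] = [e.groups() for e in map(ACE.match, body) if e]
    return acls


def duplicate_map_sequences(blocks):
    # The same sequence number twice edits the first entry instead of adding a second peer,
    # so its 'set transform-set' / 'match address' lines are silently replaced.
    seqs = [tuple(h.split()[2:4]) for h, _ in blocks if re.match(r"crypto map \S+ \d+ ipsec-isakmp", h)]
    return sorted({s for s in seqs if seqs.count(s) > 1})


def entries_without_transform_set(blocks):
    # A misspelled keyword (e.g. 'set transforim-set') leaves the entry with no usable set.
    defined = {h.split()[3] for h, _ in blocks if h.startswith("crypto ipsec transform-set ")}
    return [h for h, body in blocks
            if (re.match(r"crypto map \S+ \d+ ipsec-isakmp$", h) or h.startswith("crypto dynamic-map "))
            and not any(l.startswith("set transform-set ") and l.split()[2] in defined for l in body)]


def unmirrored(local_acl, remote_acl):
    # Crypto-ACL permits with no reversed (dst, src) permit on the far end; IOS derives the
    # phase 2 proxy identities from these, so a mismatch fails quick mode.
    remote = {(dst, src) for act, src, dst in remote_acl if act == "permit"}
    return [(s, d) for act, s, d in local_acl if act == "permit" and (s, d) not in remote]


def not_nat_exempt(crypto_acl, nat_acl):
    # Crypto-ACL permits the NAT ACL does not deny (exact src/dst match only): NAT runs before
    # the crypto map on egress, so PAT would rewrite the source and the flow misses the tunnel.
    denied = {(src, dst) for act, src, dst in nat_acl if act == "deny"}
    return [(s, d) for act, s, d in crypto_acl if act == "permit" and (s, d) not in denied]


def audit(site_c=SITE_C, site_b=SITE_B):
    """Run all four checks and return findings keyed by check name (empty list = ok)."""
    c_blocks, b_blocks = parse_blocks(site_c), parse_blocks(site_b)
    c_acls, b_acls = parse_acls(c_blocks), parse_acls(b_blocks)
    return {
        "duplicate_sequences": duplicate_map_sequences(c_blocks) + duplicate_map_sequences(b_blocks),
        "no_transform_set": entries_without_transform_set(c_blocks) + entries_without_transform_set(b_blocks),
        "unmirrored": unmirrored(c_acls["GW1"], b_acls["PAC4"]),
        "not_nat_exempt": not_nat_exempt(c_acls["GW1"], c_acls["INTERNET"]),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings or 'ok'}")
```

Run as-is it reports the duplicated `CMAP 10` sequence and the Site-B dynamic-map entry with no recognised transform-set, and finds the crypto ACLs mirrored and NAT-exempted; paste real `show running-config` extracts into `SITE_C` / `SITE_B` (or pass them to `audit()`) to check a live pair of routers before reaching for `debug crypto isakmp`.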

Received on Fri Nov 25 2011 - 10:09:54 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART