[c-nsp] 2621 to SonicWall VPN Trouble
Seth Mattinen
sethm at rollernet.us
Sun Apr 1 19:49:33 EDT 2007
I've been having some trouble getting a VPN between a 2600 and a SonicWall
working. The 2600 has 10.0.0.0/24 behind it, the SonicWall has
10.1.0.0/24 behind it. The 2621 is running c2600-jk8o3s-mz.122-10a.bin
and both ends are in DES mode. The VPN appears to come up fine, but no
traffic passes. Any ideas?
tanager#show crypto map
Crypto Map "sonicwalmap" 10 ipsec-isakmp
Description: vpn tunnel to sonicwall firewall
Peer = 207.228.13.226
Extended IP access list 120
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
Current peer: 207.228.13.226
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ sonicwal, }
Interfaces using crypto map sonicwalmap:
FastEthernet0/0
tanager#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: sonicwalmap, local addr. 68.190.179.54
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
current_peer: 207.228.13.226
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 6954, #pkts decrypt: 6954, #pkts verify 6954
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 68.190.179.54, remote crypto endpt.: 207.228.13.226
path mtu 1500, media mtu 1500
current outbound spi: E2C6A7F1
inbound esp sas:
spi: 0x29380156(691536214)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2002, flow_id: 3, crypto map: sonicwalmap
sa timing: remaining key lifetime (k/sec): (4607932/39)
IV size: 8 bytes
replay detection support: Y
spi: 0x28893C27(680082471)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2004, flow_id: 5, crypto map: sonicwalmap
sa timing: remaining key lifetime (k/sec): (4607982/28677)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x26A0B2B4(648065716)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2003, flow_id: 4, crypto map: sonicwalmap
sa timing: remaining key lifetime (k/sec): (4608000/39)
IV size: 8 bytes
replay detection support: Y
spi: 0xE2C6A7F1(3804669937)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2005, flow_id: 6, crypto map: sonicwalmap
sa timing: remaining key lifetime (k/sec): (4608000/28674)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
2621 Config:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname tanager
!
aaa new-model
enable secret 5 qwertyuiop
!
username admin password 7 qwertyuiop
ip subnet-zero
!
!
ip domain-name tanager.net
!
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 5
!
class-map match-all voice
match access-group 104
!
!
policy-map QoS
class voice
priority 512
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key myfancykey address 207.228.13.226
!
!
crypto ipsec transform-set sonicwal esp-des esp-md5-hmac
!
crypto map sonicwalmap 10 ipsec-isakmp
description vpn tunnel to sonicwall firewall
set peer 207.228.13.226
set security-association lifetime seconds 28800
set transform-set sonicwal
match address 120
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 68.190.179.54 255.255.255.248
ip nat outside
speed 100
full-duplex
crypto map sonicwalmap
!
interface Serial0/0
ip unnumbered FastEthernet0/0
ip nat outside
no ip mroute-cache
no fair-queue
!
interface FastEthernet0/1
no ip address
ip route-cache flow
duplex auto
speed 100
!
interface FastEthernet0/1.1
description main office
encapsulation isl 1
ip address 10.0.0.1 255.255.255.0
ip access-group 1 in
no ip redirects
ip nat inside
!
interface FastEthernet0/1.101
description roffice
encapsulation isl 101
ip address 10.0.1.1 255.255.255.0
ip helper-address 10.0.0.64
no ip redirects
ip nat inside
!
interface FastEthernet0/1.103
description phones
encapsulation isl 103
ip address 10.0.3.1 255.255.255.0
no ip redirects
!
interface FastEthernet0/1.104
description roffice phones
encapsulation isl 104
ip address 10.0.4.1 255.255.255.0
no ip redirects
!
interface Serial0/1
ip unnumbered FastEthernet0/0
ip nat inside
encapsulation ppp
no ip mroute-cache
service-policy output QoS
compress stac
service-module t1 clock source internal
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.64 25 interface FastEthernet0/0 25
ip nat inside source static tcp 10.0.0.64 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.0.0.64 1723 interface FastEthernet0/0 1723
ip nat inside source static tcp 10.0.0.125 3389 interface FastEthernet0/0 3389
ip classless
ip route 0.0.0.0 0.0.0.0 68.190.179.49
no ip http server
ip pim bidir-enable
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 104 permit tcp any any eq 3456
access-list 104 permit udp any any eq 3456
access-list 104 permit tcp any any eq 50000
access-list 104 permit udp any any eq 50000
access-list 104 permit tcp any any eq 51216
access-list 104 permit udp any any eq 51216
access-list 104 permit tcp any any range 1025 1039
access-list 104 permit udp any any range 1025 1039
access-list 104 permit tcp any any eq 60000
access-list 104 permit udp any any eq 60000
access-list 104 permit tcp any any eq 60030
access-list 104 permit udp any any eq 60030
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
--
sethm at rollernet.us
Ne cede malis sed contra audentior ito
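One diagnostic a practitioner could run over the posted output and config (an added example here, not part of the original post and not Cisco tooling): parse the SA packet counters for a one-way tunnel, then check whether the standard ACL driving NAT overload covers the crypto ACL's source networks, since IOS applies inside-to-outside NAT before the crypto map is evaluated. The excerpts are constructed from the post, and the standard-ACL parser assumes plain address/wildcard entries.

```python
import ipaddress
import re

# Excerpts constructed from the posted "show crypto ipsec sa" output and config.
SA_OUTPUT = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 6954, #pkts decrypt: 6954, #pkts verify 6954
"""
CONFIG = """\
crypto map sonicwalmap 10 ipsec-isakmp
 match address 120
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
"""

def sa_counters(text):
    """Return (encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    return enc, dec

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network."""
    inv = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(inv)}", strict=False)

def nat_sources(config):
    """Standard NAT ACL entries as networks (assumes plain 'permit <addr> <wildcard>' lines)."""
    acl = re.search(r"ip nat inside source list (\d+)", config).group(1)
    pairs = re.findall(rf"^access-list {acl} permit (\S+) (\S+)$", config, re.M)
    return [wildcard_to_network(a, w) for a, w in pairs]

def crypto_sources(config):
    """Source networks of the extended ACL the crypto map matches on."""
    acl = re.search(r"match address (\d+)", config).group(1)
    quads = re.findall(rf"^access-list {acl} permit ip (\S+) (\S+) \S+ \S+$", config, re.M)
    return [wildcard_to_network(a, w) for a, w in quads]

def diagnose(sa_text, config):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    enc, dec = sa_counters(sa_text)
    if dec > 0 and enc == 0:
        findings.append("one-way SA: peer traffic decrypts but nothing is encrypted outbound")
    # IOS translates inside->outside NAT before evaluating the crypto map, so a NAT
    # ACL covering the crypto sources rewrites them and the crypto ACL never matches.
    if any(n.overlaps(c) for n in nat_sources(config) for c in crypto_sources(config)):
        findings.append("NAT source list overlaps crypto ACL sources: exempt VPN traffic from NAT")
    return findings
```

The usual remedy the second finding points at is to drive NAT from an extended ACL that denies the crypto ACL's source/destination pair before permitting everything else, so the tunnel traffic reaches the crypto map untranslated.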