[c-nsp] IPSEC VPN
Ziv Leyes
zivl at gilat.net
Thu Dec 24 09:45:26 EST 2009
If I get it right, what you're trying to achieve is connectivity between 192.168.1.x and 192.168.2.x.
In order for the IPSEC tunnel to go up there is a need for "interesting traffic", meaning a 192.168.1.x host tries to reach a 192.168.2.x host.
If you want to do it with the routers, then you must make sure you're pinging with the router's proper source IP or interface, because if not, the router will use its default interface towards the other network, which is the serial and not the fast interface.
Hope this helps
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Thursday, December 24, 2009 2:55 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSEC VPN
Hi all,
I have the following topology:
router1 F0/0 --> F0/0 router2 S0/0 --> S0/0 router3 S0/1 --> S0/0 router4 F0/0 --> router5 F0/0
Below is the configuration:
router1:
interface FastEthernet0/0
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 speed 100
 full-duplex
router2:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 92.62.113.1 no-xauth
crypto ipsec transform-set kulacom esp-des esp-md5-hmac
crypto map MAP 10 ipsec-isakmp
 set peer 92.62.113.1
 set transform-set kulacom
 match address 110
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 speed 100
 full-duplex
!
interface Serial0/0
 ip address 212.118.0.1 255.255.255.0
 clock rate 64000
 crypto map MAP
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 212.118.0.1 0.0.0.0 area 0
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router3:
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
 ip address 212.118.0.2 255.255.255.0
!
interface Serial0/1
 ip address 92.62.113.2 255.255.255.0
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 92.62.113.2 0.0.0.0 area 0
 network 212.118.0.2 0.0.0.0 area 0
router4:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 212.118.0.1 no-xauth
!
!
crypto ipsec transform-set kulacom esp-des esp-md5-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 212.118.0.1
 set transform-set kulacom
 match address 120
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 speed 100
 full-duplex
!
interface Serial0/0
 ip address 92.62.113.1 255.255.255.0
 crypto map MAP
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 92.62.113.1 0.0.0.0 area 0
!
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
router5:
interface FastEthernet0/0
 ip address 192.168.2.100 255.255.255.0
 no ip route-cache
 speed 100
 full-duplex
The IPSEC is not established and nothing appears when issuing the command show crypto isakmp sa,
and the ping is not successful from either side.
Am I missing anything here?
Thanks in advance.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
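The reply's point about "interesting traffic", as an added example that is not part of either post: it evaluates the thread's two crypto ACLs against candidate ping sources, using the reply's statement that router2 sources pings from its serial interface by default. The function names are hypothetical, and the parser handles only the single `permit ip` form that appears in the posted configuration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard mask leaves at 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # IOS wildcard: 1 = ignore bit, 0 = must match
    return (a & care) == (b & care)

def parse_acl(line):
    """Parse 'access-list N permit ip SRC SWILD DST DWILD' (only this form)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return {"src": (tok[4], tok[5]), "dst": (tok[6], tok[7])}

def is_interesting(acl, src_ip, dst_ip):
    """Would this packet match the crypto ACL and so trigger IKE negotiation?"""
    return (wildcard_match(src_ip, *acl["src"])
            and wildcard_match(dst_ip, *acl["dst"]))

def is_mirror(acl_a, acl_b):
    """Crypto ACLs on the two peers should be exact mirror images."""
    return acl_a["src"] == acl_b["dst"] and acl_a["dst"] == acl_b["src"]

# ACL lines copied from the posted router2 and router4 configurations.
ACL_110 = parse_acl(
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")
ACL_120 = parse_acl(
    "access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255")

# Constructed probes: (description, source IP, destination IP).
PROBES = [
    ("router2 ping, default source (Serial0/0)", "212.118.0.1", "192.168.2.1"),
    ("router2 ping sourced from FastEthernet0/0", "192.168.1.1", "192.168.2.1"),
    ("router1 host to router5 host", "192.168.1.100", "192.168.2.100"),
]

def report():
    """Evaluate every probe against router2's crypto ACL 110."""
    return [(label, is_interesting(ACL_110, s, d)) for label, s, d in PROBES]

if __name__ == "__main__":
    print("ACLs mirrored:", is_mirror(ACL_110, ACL_120))
    for label, hit in report():
        print(f"{label:45s} -> {'interesting' if hit else 'sent in clear'}")
```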