[c-nsp] IPSEC VPN

Mohammad Khalil eng_mssk at hotmail.com
Thu Dec 24 10:06:57 EST 2009


Thanks Zivl for your support.
I did the exact thing you told me before I posted this mail, that's why I got complicated!!

> From: zivl at gilat.net
> To: cisco-nsp at puck.nether.net
> Date: Thu, 24 Dec 2009 16:45:26 +0200
> Subject: Re: [c-nsp] IPSEC VPN
> 
> If I get it right, what you're trying to achieve is connectivity between 192.168.1.x and 192.168.2.x.
> 
> In order for the IPSEC tunnel to go up there is a need for "interesting traffic", meaning a 192.168.1.x host tries to reach a 192.168.2.x host.
> If you want to do it with the routers then you must make sure you're pinging with the router's proper source IP or interface, because if not, the router will use its default interface towards the other network, which is the serial and not the fast interface.
> Hope this helps
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Thursday, December 24, 2009 2:55 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPSEC VPN
> 
> 
> Hi all,
> 
> I have the following topology:
> router1 F0/0 --> F0/0 router2 S0/0 --> S0/0 router3 S0/1 --> s0/0 router4 F0/0 --> router5 F0/0
> 
> below is the configuration:
> router1:
> interface FastEthernet0/0
>  ip address 192.168.1.100 255.255.255.0
>  no ip route-cache
>  speed 100
>  full-duplex
> 
> router2:
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key cisco address 92.62.113.1 no-xauth
> 
> crypto ipsec transform-set kulacom esp-des esp-md5-hmac 
> 
> crypto map MAP 10 ipsec-isakmp 
>  set peer 92.62.113.1
>  set transform-set kulacom 
>  match address 110
> 
> interface Loopback0
>  ip address 2.2.2.2 255.255.255.255
> !
> interface FastEthernet0/0
>  ip address 192.168.1.1 255.255.255.0
>  speed 100
>  full-duplex
> !
> interface Serial0/0
>  ip address 212.118.0.1 255.255.255.0
>  clock rate 64000
>  crypto map MAP
> !
> router ospf 1
>  router-id 2.2.2.2
>  log-adjacency-changes
>  network 2.2.2.2 0.0.0.0 area 0
>  network 212.118.0.1 0.0.0.0 area 0
> 
> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> 
> router3:
> interface Loopback0
>  ip address 3.3.3.3 255.255.255.255
> !
> interface Serial0/0
>  ip address 212.118.0.2 255.255.255.0
> !
> interface Serial0/1
>  ip address 92.62.113.2 255.255.255.0
> 
> router ospf 1
>  router-id 3.3.3.3
>  log-adjacency-changes
>  network 3.3.3.3 0.0.0.0 area 0
>  network 92.62.113.2 0.0.0.0 area 0
>  network 212.118.0.2 0.0.0.0 area 0
> 
> router4:
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key cisco address 212.118.0.1 no-xauth
> !
> !
> crypto ipsec transform-set kulacom esp-des esp-md5-hmac 
> !
> crypto map MAP 10 ipsec-isakmp 
>  set peer 212.118.0.1
>  set transform-set kulacom 
>  match address 120
> 
> interface Loopback0
>  ip address 4.4.4.4 255.255.255.255
> !
> interface FastEthernet0/0
>  ip address 192.168.2.1 255.255.255.0
>  speed 100
>  full-duplex
> !
> interface Serial0/0
>  ip address 92.62.113.1 255.255.255.0
>  crypto map MAP
> 
> !
> router ospf 1
>  router-id 4.4.4.4
>  log-adjacency-changes
>  network 4.4.4.4 0.0.0.0 area 0
>  network 92.62.113.1 0.0.0.0 area 0
> !         
> access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
> 
> router5:
> interface FastEthernet0/0
>  ip address 192.168.2.100 255.255.255.0
>  no ip route-cache
>  speed 100
>  full-duplex
> 
> The IPSEC is not established and nothing appears when issuing the command show crypto isakmp sa,
> and the ping is not successful from either side.
> 
> Am I missing anything here?
> 
> thanks in advance
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>  
>  
> ************************************************************************************
> This footnote confirms that this email message has been scanned by
> PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
> ************************************************************************************
 		 	   		  
More information about the cisco-nsp mailing list
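
Added example (not part of the original thread and not Cisco tooling): a Python check of the point made in the quoted reply, that a packet only brings the tunnel up if its source and destination both match the crypto ACL. The ACL lines and interface addresses are copied from the configs posted in the thread; the function names are illustrative, and only the `permit ip <net> <wildcard> <net> <wildcard>` form is parsed.

```python
import ipaddress
import re

# ACL lines copied from the router2 and router4 configs quoted in the thread.
R2_ACL = "access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
R4_ACL = "access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"

ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_acl(line):
    """Return (src_net, src_wildcard, dst_net, dst_wildcard) as integers."""
    m = ACL_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return tuple(to_int(f) for f in m.groups()[1:])


def wildcard_match(addr, net, wildcard):
    # Bits set in a Cisco wildcard mask are "don't care"; all others must agree.
    return ((to_int(addr) ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def is_interesting(acl_line, src, dst):
    """True if a packet src -> dst is selected for encryption by the crypto ACL."""
    s_net, s_wc, d_net, d_wc = parse_acl(acl_line)
    return wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc)


def is_mirror(acl_a, acl_b):
    """Both peers must select the same flow with source and destination swapped."""
    a, b = parse_acl(acl_a), parse_acl(acl_b)
    return a == (b[2], b[3], b[0], b[1])


if __name__ == "__main__":
    print("ACLs mirror each other:", is_mirror(R2_ACL, R4_ACL))
    # router2 pinging router5 (192.168.2.100) from each of its own addresses
    for label, src in [("Serial0/0", "212.118.0.1"),
                       ("FastEthernet0/0", "192.168.1.1")]:
        print(label, src, "interesting:",
              is_interesting(R2_ACL, src, "192.168.2.100"))
```

A ping sourced from router2's Serial0/0 address does not match access-list 110, while one sourced from its FastEthernet0/0 address does.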