[c-nsp] IPSec problems

Stephane MAGAND stmagconsulting at gmail.com
Tue Sep 28 09:35:30 EDT 2010


Hi

I have a new problem with my IPSec tunnels ...

Two routers:

Cisco 2821 with AIM, connected via FastEthernet to the Internet
Cisco 1721 connected via ADSL.


When I ping from the 2821 to the 1721 using the public Internet address,
no problems:

C2821#ping 84.xx.xx.1 size 600 repeat 150

Type escape sequence to abort.
Sending 150, 600-byte ICMP Echos to 84.xx.xx.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
Success rate is 100 percent (150/150), round-trip min/avg/max = 44/46/68 ms


But when I ping using the IPSec tunnel:

C2821#ping vrf VPN003 10.11.12.254 size 600 repeat 150

Type escape sequence to abort.
Sending 150, 600-byte ICMP Echos to 10.11.12.254, timeout is 2 seconds:
!!!!!!!!.!!!!!!!!!!!!!!..!!!!..!.!.!!!!.!.!!....!..!!.!!!!!.!!!!!!.!!!
!!!!!!!!!!!.!.!!!!!.!!.!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!.!!!!.!!!!!!!!!.
!!!!!!!!.!
Success rate is 81 percent (122/150), round-trip min/avg/max = 52/58/104 ms



20 percent loss.

Where can I debug the problem?

Thanks
Stephane

C2821:
crypto isakmp key l55xxxxxx8gjJ address 84.xx.xx.1

crypto isakmp profile VPN003
   keyring default
   match identity address 84.xx.xx.1 255.255.255.255

crypto ipsec profile ipsec_vpn_vpn003
 set transform-set ipsec_tunnel_vpn003
 set isakmp-profile VPN003

interface Tunnel5
 ip vrf forwarding VPN003
 ip address 172.16.1.209 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 78.xx.xx.92
 tunnel destination 84.xx.xx.1
 tunnel protection ipsec profile ipsec_vpn_vpn003

C1721:
crypto isakmp key l5584jjHK8gjJ address 78.xx.xx.92

crypto isakmp profile vpn
   keyring default
   match identity address 78.xx.xx.92 255.255.255.255

crypto ipsec transform-set ipsec_tunnel esp-3des
 mode transport

crypto ipsec profile ipsec_vpn
 set transform-set ipsec_tunnel
 set isakmp-profile vpn

interface Tunnel0
 ip address 172.16.1.210 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer0
 tunnel destination 78.xx.xx.92
 tunnel protection ipsec profile ipsec_vpn

interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  pppoe-client dial-pool-number 1

interface FastEthernet0
 ip address 10.11.12.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 speed auto
 full-duplex

interface Dialer0
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxx@adsllogin.co.uk
 ppp chap password 0 yyyyyyy

