[c-nsp] IPSec problems

omar parihuana omar.parihuana at gmail.com
Tue Sep 28 15:02:19 EDT 2010


Hi,

The 1721 is an older router; could you check the CPU on the 1721, and
check the BW usage on the ADSL side?

Rgds.



On Tue, Sep 28, 2010 at 8:35 AM, Stephane MAGAND
<stmagconsulting at gmail.com> wrote:

> Hi
>
> I have a new problem with my IPSec tunnels ...
>
> Two routers:
>
> Cisco 2821 with AIM, connected via FastEthernet to the Internet
> Cisco 1721 connected via ADSL.
>
>
> When I ping from the 2821 to the 1721 using the public Internet address, no
> problems:
>
> C2821#ping 84.xx.xx.1 size 600 repeat 150
>
> Type escape sequence to abort.
> Sending 150, 600-byte ICMP Echos to 84.xx.xx.1, timeout is 2 seconds:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!
> Success rate is 100 percent (150/150), round-trip min/avg/max = 44/46/68 ms
>
>
> but when I ping using the IPSec tunnel:
>
> C2821#ping vrf VPN003 10.11.12.254 size 600 repeat 150
>
> Type escape sequence to abort.
> Sending 150, 600-byte ICMP Echos to 10.11.12.254, timeout is 2 seconds:
> !!!!!!!!.!!!!!!!!!!!!!!..!!!!..!.!.!!!!.!.!!....!..!!.!!!!!.!!!!!!.!!!
> !!!!!!!!!!!.!.!!!!!.!!.!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!.!!!!.!!!!!!!!!.
> !!!!!!!!.!
> Success rate is 81 percent (122/150), round-trip min/avg/max = 52/58/104 ms
>
> 20 percent lost.
>
> Where can I debug the problem?
>
> thanks
> Stephane
>
> C2821:
> crypto isakmp key l55xxxxxx8gjJ address 84.xx.xx.1
>
> crypto isakmp profile VPN003
>   keyring default
>   match identity address 84.xx.xx.1 255.255.255.255
>
> crypto ipsec profile ipsec_vpn_vpn003
>  set transform-set ipsec_tunnel_vpn003
>  set isakmp-profile VPN003
>
> interface Tunnel5
>  ip vrf forwarding VPN003
>  ip address 172.16.1.209 255.255.255.252
>  ip mtu 1400
>  ip tcp adjust-mss 1360
>  tunnel source 78.xx.xx.92
>  tunnel destination 84.xx.xx.1
>  tunnel protection ipsec profile ipsec_vpn_vpn003
>
> C1721:
> crypto isakmp key l5584jjHK8gjJ address 78.xx.xx.92
>
> crypto isakmp profile vpn
>   keyring default
>   match identity address 78.xx.xx.92 255.255.255.255
>
> crypto ipsec transform-set ipsec_tunnel esp-3des
>  mode transport
>
> crypto ipsec profile ipsec_vpn
>  set transform-set ipsec_tunnel
>  set isakmp-profile vpn
>
> interface Tunnel0
>  ip address 172.16.1.210 255.255.255.252
>  ip mtu 1400
>  ip tcp adjust-mss 1360
>  tunnel source Dialer0
>  tunnel destination 78.xx.xx.92
>  tunnel protection ipsec profile ipsec_vpn
>
> interface ATM0
>  no ip address
>  no atm ilmi-keepalive
>  dsl operating-mode auto
>  pvc 0/38
>  pppoe-client dial-pool-number 1
>
> interface FastEthernet0
>  ip address 10.11.12.254 255.255.255.0
>  ip nat inside
>  ip tcp adjust-mss 1452
>  speed auto
>  full-duplex
>
> interface Dialer0
>  mtu 1492
>  ip address negotiated
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat outside
>  encapsulation ppp
>  ip route-cache flow
>  dialer pool 1
>  dialer-group 1
>  no cdp enable
>  ppp authentication chap callin
>  ppp chap hostname xxxx at adsllogin.co.uk
>  ppp chap password 0 yyyyyyy
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!

