[c-nsp] crypto map working on outbound interface, need it to work on inbound interface
Joseph Mays
mays at win.net
Tue Dec 13 15:41:42 EST 2011
Have a crypto map that was working to build a tunnel between 65.119.118.75
and 24.235.0.25. Peers for the vpn tunnel were 24.235.0.26 and
65.119.118.136. Due to some network changes 24.235.0.26, which was the
egress interface toward the remote end, is now an ingress interface. Still,
I don't see why this should matter. The access list is the same, it's just
traffic coming in through the interface rather than out of it.
Crypto Map "WinnetToSyniverse" 20 ipsec-isakmp
Description: PHL-3845-SS7-VPN router
Peer = 65.119.118.136
Extended IP access list PHL-3845-SS7-VPN
access-list PHL-3845-SS7-VPN permit ip host 24.235.0.25 host
65.119.118.76
Current peer: 65.119.118.136
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
TSI2,
}
Interfaces using crypto map WinnetToSyniverse:
FastEthernet1/1
The packets for the access list should match regardless of direction, but it
acts like it's not matching packets to the access list and not even trying
to start the vpn.
Router#show crypto isakmp sa
dst src state conn-id slot status
Nothing there.
I can ping 65.119.118.136 from the router even when I set the source address
to the address of the ingress interface, 24.235.0.26, and can ping the host
we are trying to talk to across the vpn, 65.119.118.76, from 24.235.0.25.
I moved the crypto map command to the outside interface and it started
matching packets tried to bring the vpn tunnel up, but that failed, I'm
guessing because the source address changed to the address of the egress
interface, which would not be the address configured in the remote side. So
I want to use the ingress interface and its address so we don't have to go
through a complex process to get the other side to reconfigure.
More information about the cisco-nsp
mailing list