[c-nsp] crypto map working on outbound interface, need it to work on inbound interface

Clint Wade jarod.wade at gmail.com
Tue Dec 13 17:29:17 EST 2011


Joseph,

With anything VPN related it may be better to either post outputs of a
'debug isakmp sa' or 'debug ipsec sa' or the relevant portions of the
configurations on both devices. It's not easy to get an idea of what is
going on with small config snippets.

Regards,
Clint Wade

On Tue, Dec 13, 2011 at 4:22 PM, Joseph Mays <mays at win.net> wrote:

> So, in the example below, will this cause the vpn to connect to the peer
> from FastEthernet0/0, but identify as the ip address of FastEthernet1/1?
>
> crypto map WinnetToSyniverse local-address FastEthernet1/1
> crypto map WinnetToSyniverse 20 ipsec-isakmp
> description PHL-3845-SS7-VPN router
> set peer 65.119.118.136
> set transform-set TSI2
> match address PHL-3845-SS7-VPN
> !
> !
> !
> interface FastEthernet0/0
> ip address 216.135.80.50 255.255.255.252
> duplex auto
> speed auto
> crypto map WinnetToSyniverse
>
> ----- Original Message ----- From: "Joseph Mays" <mays at win.net>
> To: <cisco-nsp at puck.nether.net>
> Sent: Tuesday, December 13, 2011 3:41 PM
> Subject: [c-nsp] crypto map working on outbound interface, need it to work
> on inbound interface
>
>
>
>> Have a crypto map that was working to build a tunnel between
>> 65.119.118.75 and 24.235.0.25. Peers for the vpn tunnel were 24.235.0.26
>> and 65.119.118.136. Due to some network changes 24.235.0.26, which was the
>> egress interface toward the remote end, is now an ingress interface. Still,
>> I don't see why this should matter. The access list is the same, it's just
>> traffic coming in through the interface rather than out of it.
>>
>> Crypto Map "WinnetToSyniverse" 20 ipsec-isakmp
>>       Description: PHL-3845-SS7-VPN router
>>       Peer = 65.119.118.136
>>       Extended IP access list PHL-3845-SS7-VPN
>>           access-list PHL-3845-SS7-VPN permit ip host 24.235.0.25 host
>> 65.119.118.76
>>       Current peer: 65.119.118.136
>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>       PFS (Y/N): N
>>       Transform sets={
>>               TSI2,
>>       }
>>       Interfaces using crypto map WinnetToSyniverse:
>>              FastEthernet1/1
>>
>> The packets for the access list should match regardless of direction, but
>> it acts like it's not matching packets to the access list and not even
>> trying to start the vpn.
>>
>> Router#show crypto isakmp sa
>> dst             src             state          conn-id slot status
>>
>> Nothing there.
>>
>> I can ping 65.119.118.136 from the router even when I set the source
>> address to the address of the ingress interface, 24.235.0.26, and can ping
>> the host we are trying to talk to across the vpn, 65.119.118.76, from
>> 24.235.0.25.
>>
>> I moved the crypto map command to the outside interface and it started
>> matching packets and tried to bring the vpn tunnel up, but that failed, I'm
>> guessing because the source address changed to the address of the egress
>> interface, which would not be the address configured in the remote side. So
>> I want to use the ingress interface and its address so we don't have to go
>> through a complex process to get the other side to reconfigure.
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
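The configuration below is an added example, not the poster's running config or anything Clint proposed. It shows the usual IOS arrangement for the situation described in the thread: cleartext traffic now enters on one interface and leaves on another, while the peer still expects IKE and ESP to come from the old address. The map name, ACL name, transform-set name, peer and host addresses are taken from the thread; that FastEthernet1/1 carries 24.235.0.26, its subnet mask, the ISAKMP policy, the pre-shared key and the contents of TSI2 are not shown on the page and are assumed or left out here.

```ios
! Added example, not the thread's configuration.
!
! Two IOS behaviours drive this layout:
!  1. A crypto map's ACL is evaluated on the interface a cleartext packet
!     LEAVES through. Once the return path moved the egress for
!     24.235.0.25 -> 65.119.118.76 to FastEthernet0/0, a map applied only to
!     FastEthernet1/1 never sees the flow, and "show crypto isakmp sa" stays
!     empty because IKE is never triggered.
!  2. "crypto map ... local-address" makes the router source IKE and ESP from
!     the named interface's address and use it as its identity on every
!     interface the map is applied to, so the peer's configured address for
!     this router (24.235.0.26) does not have to change.
!
ip access-list extended PHL-3845-SS7-VPN
 permit ip host 24.235.0.25 host 65.119.118.76
!
! ISAKMP policy, pre-shared key for 65.119.118.136 and transform-set TSI2
! are already present on the router; the thread does not show them.
!
crypto map WinnetToSyniverse local-address FastEthernet1/1
crypto map WinnetToSyniverse 20 ipsec-isakmp
 description PHL-3845-SS7-VPN router
 set peer 65.119.118.136
 set transform-set TSI2
 match address PHL-3845-SS7-VPN
!
! Apply the SAME map set to both interfaces: FastEthernet0/0 because that is
! where the cleartext packets now egress and get encrypted, FastEthernet1/1
! because the peer sends its IKE and ESP replies to 24.235.0.26, and inbound
! IPsec traffic is only decrypted on an interface that carries the map.
interface FastEthernet0/0
 ip address 216.135.80.50 255.255.255.252
 crypto map WinnetToSyniverse
!
interface FastEthernet1/1
 ip address 24.235.0.26 255.255.255.252      ! address inferred from the thread, mask assumed
 crypto map WinnetToSyniverse
!
! Verification after a ping from 24.235.0.25 to 65.119.118.76:
!   show crypto map                      -> both interfaces listed under the map
!   show crypto isakmp sa                -> src 24.235.0.26, dst 65.119.118.136, QM_IDLE
!   show crypto ipsec sa | include local|pkts
!                                        -> local crypto endpt 24.235.0.26, encaps/decaps counters rising
!   debug crypto isakmp / debug crypto ipsec on both ends if phase 1 still fails
```

Two caveats a practitioner would check before blaming the crypto config. First, with local-address the ESP and IKE packets leave FastEthernet0/0 carrying a source of 24.235.0.26, an address that does not belong to that provider's prefix; an upstream anti-spoofing filter will drop them silently. The poster's sourced ping to 65.119.118.136 from 24.235.0.26 is exactly the test for that path, and it succeeded, so that is not the problem in this case. Second, the peer's crypto ACL must still be the mirror image of PHL-3845-SS7-VPN and its peer statement must still point at 24.235.0.26; if the earlier attempt from FastEthernet0/0 was sourced from 216.135.80.50, the remote side will have logged a proposal or identity mismatch, which is what the debug output Clint asked for would show.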