IPSec tunnel problem

oshechodanov · ‎05-03-2007

Using SDM (V2.34) i create GRE tunnel between cisco routers (2811 and 2801). Tunnel is up, and Test connection (SDM tool) write that tunnel is ok. Ping of sites on other side is ok. But any application (netbios, rdp, www) not work.

Please, say, where i mistake.

Configurations

On one side (Cisco router 2811)

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key KEY1 address X.X.X.189

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to X.X.X.189

set peer X.X.X.189

set transform-set ESP-3DES-SHA

match address 110

!

interface Tunnel0

ip unnumbered FastEthernet0/0

ip mtu 1420

ip virtual-reassembly

keepalive 10 3

tunnel source FastEthernet0/1

tunnel destination X.X.X.189

tunnel path-mtu-discovery

crypto map SDM_CMAP_1

!

interface FastEthernet0/0

description LAN$ETH-LAN$$FW_INSIDE$

ip address 192.168.0.245 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description Internet$ETH-WAN$$FW_OUTSIDE$

ip address Y.Y.Y.101 255.255.255.252

ip nat outside

ip virtual-reassembly

crypto map SDM_CMAP_1

!

ip route 0.0.0.0 0.0.0.0 Y.Y.Y.102

ip route 192.168.1.0 255.255.255.0 Tunnel0

!

ip nat inside source list 101 interface FastEthernet0/1 overload

!

access-list 101 remark ACL for NAT

access-list 101 deny gre host Y.Y.Y.101 host X.X.X.189

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

!

access-list 110 remark SDM_ACL Category=4

access-list 110 permit gre host Y.Y.Y.101 host X.X.X.189

!

On other side (Cisco router 2801)

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key KEY1 address Y.Y.Y.210

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to Y.Y.Y.210

set peer Y.Y.Y.210

set transform-set ESP-3DES-SHA

match address 110

!

interface Tunnel0

ip unnumbered FastEthernet0/0

ip mtu 1420

ip virtual-reassembly

keepalive 10 3

tunnel source FastEthernet0/1

tunnel destination Y.Y.Y.210

tunnel path-mtu-discovery

crypto map SDM_CMAP_1

!

interface FastEthernet0/0

description LAN$ETH-LAN$$FW_INSIDE$

ip address 192.168.1.245 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description Internet$ETH-WAN$$FW_OUTSIDE$

ip address X.X.X.189 255.255.255.252

ip nat outside

ip virtual-reassembly

crypto map SDM_CMAP_1

!

ip route 0.0.0.0 0.0.0.0 X.X.X.189

ip route 192.168.0.0 255.255.255.0 Tunnel0

!

ip nat inside source list 101 interface FastEthernet0/1 overload

!

access-list 101 remark ACL for NAT

access-list 101 deny gre host X.X.X.190 host Y.Y.Y.210

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

!

access-list 110 remark SDM_ACL Category=4

access-list 110 permit gre host Y.Y.Y.101 host X.X.X.189

!

sundar.palaniappan · ‎05-04-2007

Try configuring 'ip tcp adjust-mss 1420' under the int f0/0 and test the connectivity.

HTH

Sundar

oshechodanov · ‎05-07-2007

Thank for you answer. This is resolve my problem.

If it possible i have question.

When i try solve problem i find example

http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a0080189153.shtml

This example different from my config in ACL that apply on crypto map (in my config access-list 110).

In my config ACL permit gre between internet interfaces of router

access-list 110 permit gre host Y.Y.Y.101 host X.X.X.189

In example ACL permit all ip between private subnets

access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

When i modify ACL and all work correct.

My question is.

What config is more correct? (where i can read about this)

Why in first config it not work without "'ip tcp adjust-mss 1420' under the int f0/0", and why with modified ACL it work without this command.

Thank for you consideration.