VPN Tunnel comes up, but traffic will not travel

jfinley
Level 1

Can't understand why this is not working. I perform extended pings, but it will not ping at all, when before it did. I did make some changes since a new T1 was installed. Anyone take a quick peek at this config....

------------------------------

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYKEY address YYY.YYY.YYY.YYY
!
crypto ipsec transform-set TUNNELSET esp-3des esp-md5-hmac
!
crypto map TUNNEL 1 ipsec-isakmp
 set peer YYY.YYY.YYY.YYY
 set transform-set TUNNELSET
 match address BIZ-hq
!
interface Loopback1
 ip address XXX.XXX.XXX.9 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 crypto map TUNNEL
 crypto ipsec df-bit clear
!
interface FastEthernet0/0/3
 description LOCAL_LAN_INTERFACE
!
interface Serial0/1/0
 ip address XXX.XXX.XXX.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
!
interface Vlan1
 ip address 192.168.150.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1
!
ip nat pool T1 XXX.XXX.XXX.9 XXX.XXX.XXX.9 netmask 255.255.255.248
ip nat inside source route-map nonat pool T1 overload
!
ip access-list extended DONOTNAT
 deny ip 192.168.150.0 0.0.0.255 192.100.100.0 0.0.0.255
 deny ip 192.168.150.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 any
ip access-list extended BIZ-hq
 permit ip 192.168.150.0 0.0.0.255 192.100.100.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 20 permit NN.NN.162.160 0.0.0.31
access-list 20 permit NN.NN.197.192 0.0.0.31
access-list 20 permit 192.168.150.0 0.0.0.255
access-list 20 permit 192.168.9.0 0.0.0.255
!
route-map nonat permit 10
 match ip address DONOTNAT

4 Replies

jfinley
Level 1

The VPN tunnel used to work until I moved to a different ISP, where I'm using a loopback as the tunnel endpoint. Is this even possible?

You need to make sure that set peer x.x.x.x and crypto isakmp key xxxx address x.x.x.x on the other router are actually pointing to the new IP address of your router...

Yes, you can terminate on the loopback interface; the command to do this is:

crypto map map-name local-address interface-id

where your interface-id will be your loopback interface...

For more information on this command, please refer to the following link:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7b6.html#wp1018189

Please rate this post if it helps!

Regards,
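
Added example, not part of the original thread or either poster's configuration: the `local-address` command from the reply above, laid out against the interface and map names in the posted config. It assumes Serial0/1/0 is the interface the default route leaves through (the masked addresses in the post do not confirm this), and the verification notes are general IOS checks rather than anything reported in the thread.

```cisco
! Before (as posted): the crypto map is bound only to the loopback.
! A crypto map is evaluated on the interface a packet leaves through,
! so LAN traffic routed out Serial0/1/0 is never matched against BIZ-hq.
!
!   interface Loopback1
!    crypto map TUNNEL
!
! After: keep the loopback address as the local tunnel endpoint,
! but bind the map to the forwarding interface (assumed: Serial0/1/0).
crypto map TUNNEL local-address Loopback1
!
interface Loopback1
 no crypto map TUNNEL
!
interface Serial0/1/0
 crypto map TUNNEL
!
! The remote router's "set peer" and "crypto isakmp key ... address"
! must point at the Loopback1 address, as the reply says.
!
! Checks from exec mode after sending LAN-to-LAN traffic:
!   show crypto isakmp sa
!     - the local address of the SA should be the Loopback1 address
!   show crypto ipsec sa
!     - "local crypto endpt." should be the Loopback1 address
!     - "#pkts encaps" rising with "#pkts decaps" at 0 means traffic
!       is being encrypted here but nothing is returning from the peer
!     - both counters at 0 means traffic is not matching the crypto
!       map at all (wrong interface, or NAT applied before encryption)
```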

I found out about this command a few hours ago. Thank you though.

After adding the line as recommended, it changed nothing.
