VPN created, but cannot ping

Unanswered Question
Jun 20th, 2007

We use two Cisco 1841 routers to link two LANs.

The LAN1 router:

inside ip 192.168.100.100

outside ip 10.3.13.100, gateway 10.3.13.254

The LAN2 router:

inside ip 192.168.1.60

outside ip 10.3.38.100, gateway 10.3.38.1

Now we have created the VPN as per the document.

Using debug crypto isakmp, IKE phase 2 is OK.

Using show crypto session, the VPN is active.

Using show crypto engine connections active, there are only encrypted packets; there is no decrypted data.

Now the problem is that the external hosts cannot ping each other.

It is very strange. Can anyone help?

qianlei273 Wed, 06/20/2007 - 05:30

LAN1 router config

crypto isakmp policy 50

hash md5

authentication pre-share

crypto isakmp key XXXX address 10.3.38.100

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto map mymap 1 ipsec-isakmp

set peer 10.3.38.100

set transform-set myset

match address 106

!

!

interface FastEthernet0/0

ip address 192.168.100.100 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 10.3.13.100 255.255.255.0

no ip route-cache

no ip mroute-cache

duplex auto

speed auto

!

!

ip route 10.3.38.0 255.255.255.0 10.3.13.254

ip route 192.168.1.0 255.255.255.0 10.3.38.100

!

access-list 106 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

qianlei273 Wed, 06/20/2007 - 05:31

LAN2 router config

crypto isakmp policy 50

hash md5

authentication pre-share

crypto isakmp key XXXX address 10.3.13.100

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto map mymap 1 ipsec-isakmp

set peer 10.3.13.100

set transform-set myset

match address 106

!

!

interface FastEthernet0/0

ip address 192.168.1.60 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 10.3.38.100 255.255.255.0

no ip route-cache

no ip mroute-cache

duplex auto

speed auto

!

!

ip route 10.3.13.0 255.255.255.0 10.3.38.1

ip route 192.168.100.0 255.255.255.0 10.3.13.100

!

access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

sundar.palaniappan Wed, 06/20/2007 - 12:17

Can you reconfigure the static route(s) as follows and test?

Router 1:

ip route 192.168.1.0 255.255.255.0 10.3.13.254

Router 2:

ip route 192.168.100.0 255.255.255.0 10.3.38.1

Moreover, why is the crypto map not applied to the outside interface?

HTH

Sundar
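
A check for the two points raised in the reply above, as an added example that is not part of the original thread: it lists static routes whose next hop is not on a directly connected subnet, and crypto maps that are defined but not applied to any interface. The helper name `audit` is hypothetical, and the sample text is constructed from the LAN1 config posted earlier.

```python
import ipaddress

# Constructed sample: relevant lines of the LAN1 router config as posted above.
LAN1_CONFIG = """\
crypto map mymap 1 ipsec-isakmp
 set peer 10.3.38.100
 match address 106
interface FastEthernet0/0
 ip address 192.168.100.100 255.255.255.0
interface FastEthernet0/1
 ip address 10.3.13.100 255.255.255.0
ip route 10.3.38.0 255.255.255.0 10.3.13.254
ip route 192.168.1.0 255.255.255.0 10.3.38.100
"""

def audit(config):
    """Hypothetical helper: return (off_link_routes, unapplied_crypto_maps)."""
    connected, routes, defined, applied = [], [], set(), set()
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) >= 4:
            try:
                connected.append(ipaddress.ip_interface(f"{w[2]}/{w[3]}").network)
            except ValueError:
                pass  # not an address/mask pair, so no static subnet to record
        elif w[:2] == ["crypto", "map"] and len(w) == 3:
            applied.add(w[2])   # "crypto map NAME" is the interface binding
        elif w[:2] == ["crypto", "map"] and len(w) > 3:
            defined.add(w[2])   # "crypto map NAME SEQ ipsec-isakmp" defines it
        elif w[:2] == ["ip", "route"] and len(w) >= 5:
            routes.append((w[2], w[3], w[4]))
    off_link = []
    for dest, mask, hop in routes:
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            continue  # next hop given as an interface name, not an address
        # Off-link next hops are resolved through another route; listed for review.
        if not any(hop_ip in net for net in connected):
            off_link.append((dest, mask, hop))
    return off_link, sorted(defined - applied)

if __name__ == "__main__":
    off_link, unapplied = audit(LAN1_CONFIG)
    for dest, mask, hop in off_link:
        print(f"next hop {hop} for {dest} {mask} is not on a connected subnet")
    for name in unapplied:
        print(f"crypto map {name} is defined but not applied to an interface")
```
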

qianlei273 Wed, 06/20/2007 - 23:59

OK,

We need to go to the site to do the test tomorrow.

The outside interface has the crypto map.

Thanks
