06-20-2007 05:18 AM - edited 03-05-2019 04:50 PM
We use two Cisco 1841 routers to link two LANs.
The LAN1 router:
inside ip 192.168.100.100
outside ip 10.3.13.100, gateway 10.3.13.254
The LAN2 router:
inside ip 192.168.1.60
outside ip 10.3.38.100, gateway 10.3.38.1
Now we have created the VPN as per the document.
Using debug crypto isakmp, IKE phase 2 is OK.
Using show crypto session, the VPN is active.
Using show crypto engine connections active, there are only encrypted packets; there is no decrypted data.
Now the problem is that the external hosts cannot ping each other.
It is very strange. Can anyone help?
06-20-2007 05:30 AM
LAN1 router config
crypto isakmp policy 50
hash md5
authentication pre-share
crypto isakmp key XXXX address 10.3.38.100
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.3.38.100
set transform-set myset
match address 106
!
!
interface FastEthernet0/0
ip address 192.168.100.100 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.3.13.100 255.255.255.0
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
!
ip route 10.3.38.0 255.255.255.0 10.3.13.254
ip route 192.168.1.0 255.255.255.0 10.3.38.100
!
access-list 106 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
06-20-2007 05:31 AM
LAN2 router config
crypto isakmp policy 50
hash md5
authentication pre-share
crypto isakmp key XXXX address 10.3.13.100
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.3.13.100
set transform-set myset
match address 106
!
!
interface FastEthernet0/0
ip address 192.168.1.60 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.3.38.100 255.255.255.0
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
!
ip route 10.3.13.0 255.255.255.0 10.3.38.1
ip route 192.168.100.0 255.255.255.0 10.3.13.100
!
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
06-20-2007 12:17 PM
Can you reconfigure the static route(s) as follows and test?
Router 1:
ip route 192.168.1.0 255.255.255.0 10.3.13.254
Router 2:
ip route 192.168.100.0 255.255.255.0 10.3.38.1
Moreover, why is the crypto map not applied to the outside interface?
HTH
Sundar
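The two points raised in the reply above can be checked mechanically against a saved config. The following is an added example, not code from any poster in this thread: it flags static routes whose next hop is not on a directly connected subnet (IOS has to resolve those recursively) and crypto maps that no interface references. The function name audit and the embedded sample, which is constructed from the LAN1 lines posted above, are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the LAN1 router config posted above.
LAN1_CONFIG = """\
crypto map mymap 1 ipsec-isakmp
 set peer 10.3.38.100
 match address 106
interface FastEthernet0/0
 ip address 192.168.100.100 255.255.255.0
interface FastEthernet0/1
 ip address 10.3.13.100 255.255.255.0
ip route 10.3.38.0 255.255.255.0 10.3.13.254
ip route 192.168.1.0 255.255.255.0 10.3.38.100
access-list 106 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def audit(config):
    """Return a list of findings for an IOS-style config given as text."""
    connected = []                  # subnets on the router's own interfaces
    routes = []                     # (destination network, next hop)
    defined, applied = set(), set() # crypto map names: defined vs. on an interface
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            connected.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif m := re.match(r"ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                           ipaddress.ip_address(m[3])))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            defined.add(m[1])       # global definition carries a sequence number
        elif m := re.match(r"crypto map (\S+)$", line):
            applied.add(m[1])       # bare form is the interface-level application
    findings = []
    for dest, hop in routes:
        if not any(hop in net for net in connected):
            findings.append(f"static route {dest} via {hop}: "
                            "next hop is not on a connected subnet")
    for name in sorted(defined - applied):
        findings.append(f"crypto map {name} is not applied to any interface")
    return findings

if __name__ == "__main__":
    for finding in audit(LAN1_CONFIG):
        print(finding)
```
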
06-20-2007 11:59 PM
OK,
we need to go to the site to do the test tomorrow.
The outside interface has the crypto map.
Thanks