01-09-2008 11:39 PM - edited 02-21-2020 03:28 PM
Hi,
I have a setup best described in the attached drawing. I am routing the 192.168.2.0 net to 192.168.8.0 net through the central 3845 router.
The related config of the 857 is as follows:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0192837465 address X.X.X.X
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set CO esp-3des esp-sha-hmac
!
crypto map OFFICE 10 ipsec-isakmp
set peer X.X.X.X
set transform-set CO
set pfs group2
match address 100
ip route 172.16.0.0 255.255.0.0 X.X.X.X
ip route 192.168.2.0 255.255.255.0 X.X.X.X
access-list 100 permit ip 192.168.8.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit tcp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit udp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
The config on 3845 that allows traffic to pass between the networks:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0192837465 address 10.0.23.42
crypto isakmp key 0192837465 address 10.1.17.106
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set REMOTE esp-3des esp-sha-hmac
!
crypto map Computers 108 ipsec-isakmp
set peer Y.Y.Y.Y
set transform-set REMOTE
set pfs group2
match address 108
!
crypto map TD-corporate local-address Loopback0
crypto map TD-corporate 102 ipsec-isakmp
set peer 10.1.3.242
set transform-set REMOTE
set pfs group2
match address 102
ip route 192.168.2.0 255.255.255.0 10.1.3.242
ip route 192.168.8.0 255.255.255.0 Y.Y.Y.Y
access-list 102 permit ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 102 permit tcp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit udp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 108 permit tcp 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 permit udp 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
(I added the permit tcp/udp statements on top of the regular permit ip in hopes that it helps)
Problem: I can ping between the two networks fine: 192.168.2.200 to 192.168.8.59 flies with this config. As soon as I initiate a Terminal session (RDP) from one network to the other, not only does it not go through (can't connect to remote host), but pings stop working as well!
The thing is, when I initiate RDP sessions from the 172 network behind the 3845 router, they work just fine.
Here's output of something that doesn't look right to me:
#show crypto session
Crypto session current status
Interface: BVI1
Session status: UP-ACTIVE
Peer: X.X.X.X port 500
IKE SA: local Y.Y.Y.Y/500 remote X.X.X.X/500 Active
IPSEC FLOW: permit 17 192.168.8.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 192.168.8.0/255.255.255.0 172.16.0.0/255.255.0.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 192.168.8.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit 6 192.168.8.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 2, origin: crypto map
What could it be?
P.S.: on the Mikrotik (Linux) end, routing/tunneling is done in a manner "send everything to 3845".
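To see why the `show crypto session` output above lists four separate IPSEC FLOW entries for two subnets, here is an added example (my own code, not from this thread or from Cisco) that evaluates the two crypto ACLs posted above the way IOS does: first permit line that covers a packet wins and becomes the proxy identity for its SA pair, and the peer must hold the exact mirror of that line. The ACL text is the one posted; the test packets (an RDP SYN from 192.168.2.200 to 192.168.8.59, plus ICMP and UDP between the same hosts) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol keywords used by the ACLs on this page; None stands for "any IP protocol".
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}

# Sample input: the two crypto ACLs exactly as posted (857 side = 100, 3845 side = 108).
ACL_857 = """
access-list 100 permit ip 192.168.8.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit tcp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit udp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ACL_3845 = """
access-list 108 permit ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 108 permit tcp 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 permit udp 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
"""


@dataclass(frozen=True)
class AclEntry:
    acl: str
    proto: Optional[int]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco 'address wildcard' -> IPv4Network. The wildcard is the inverted netmask;
    a non-contiguous wildcard cannot be expressed as a proxy identity, so reject it."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    if ((mask | (mask - 1)) & 0xFFFFFFFF) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec ('any', 'host A', or 'A wildcard') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config: str) -> List[AclEntry]:
    """Collect 'access-list N permit <proto> <src> <dst>' lines in evaluation order.
    Only permit lines define traffic to protect; everything else is skipped."""
    entries = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue
        src, i = _address(t, 4)
        dst, _ = _address(t, i)
        entries.append(AclEntry(t[1], PROTO_NUMBERS[t[3]], src, dst, raw.strip()))
    return entries


def select_entry(entries: List[AclEntry], acl: str, proto: str,
                 src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """First match wins, as the router evaluates a crypto ACL: the matching line is the
    proxy identity the SA is negotiated for; later, broader lines are shadowed for it."""
    p = PROTO_NUMBERS[proto]
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.acl == acl and e.proto in (None, p) and s in e.src and d in e.dst:
            return e
    return None


def mirror_entry(entries: List[AclEntry], acl: str, selected: AclEntry) -> Optional[AclEntry]:
    """The peer must hold the exact mirror (same protocol, src/dst swapped) for the
    SA negotiation to succeed; return that line or None."""
    for e in entries:
        if (e.acl == acl and e.proto == selected.proto
                and e.src == selected.dst and e.dst == selected.src):
            return e
    return None


def flows(entries: List[AclEntry], acl: str) -> List[Tuple[Optional[int], str, str]]:
    """Proxy identities this ACL negotiates, one SA pair each (compare with the
    IPSEC FLOW lines of 'show crypto session')."""
    return [(e.proto, str(e.src), str(e.dst)) for e in entries if e.acl == acl]


if __name__ == "__main__":
    hub, spoke = parse_acl(ACL_3845), parse_acl(ACL_857)
    for proto in ("icmp", "tcp", "udp"):
        hit = select_entry(hub, "108", proto, "192.168.2.200", "192.168.8.59")
        peer = mirror_entry(spoke, "100", hit)
        print(f"{proto:4s} -> {hit.text}")
        print(f"     mirrored on the 857 by: {peer.text if peer else 'nothing (SA will not negotiate)'}")
    print("flows negotiated by ACL 108:", flows(hub, "108"))
```

Running it shows that TCP and UDP between the two LANs never reach the final `permit ip` line (the protocol-specific lines above it match first), so ICMP rides one SA pair while RDP rides a different one; that is the `permit 6` / `permit 17` / `permit ip` split in the session output, and each of those identities needs its own mirror on the far end.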
01-10-2008 06:26 AM
Have you tried "ip tcp adjust-mss"?
Use the ip tcp adjust-mss command so that the router will reduce the TCP MSS value in the TCP SYN packet. This will help the two end hosts (the TCP sender and receiver) to use packets small enough so that PMTUD is not needed.
Please refer the below URL for additional information.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
Regards,
Arul
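To make concrete what the suggested command does to a packet, here is an added example (my own code, not from this thread or from Cisco): it parses an IPv4/TCP SYN, lowers the MSS option the way `ip tcp adjust-mss` does, and recomputes the TCP checksum so the segment stays valid. The packet is constructed inline: a SYN from 192.168.2.200 to 192.168.8.59 on port 3389 (RDP) advertising the usual Ethernet MSS of 1460. The host addresses come from the thread; the ports, sequence number and the 1492/1452 figures are my assumptions (1452 is what a 1492-byte PPPoE MTU leaves after 20 bytes of IP and 20 bytes of TCP header).

```python
import struct
import ipaddress
from typing import Optional

MSS_OPTION_KIND = 2


def _checksum(data: bytes) -> int:
    """Internet (ones-complement) checksum as used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return _checksum(pseudo + segment)


def _mss_option_offset(tcp: bytes) -> Optional[int]:
    """Walk the TCP options; return the offset of the 2-byte MSS value, or None."""
    data_off = (tcp[12] >> 4) * 4
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= data_off:
            raise ValueError("truncated TCP option")
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            raise ValueError("malformed TCP option length")
        if kind == MSS_OPTION_KIND and length == 4:
            return i + 2
        i += length
    return None


def get_mss(packet: bytes) -> Optional[int]:
    """Read the MSS option from an IPv4/TCP packet, if present."""
    ihl = (packet[0] & 0x0F) * 4
    off = _mss_option_offset(packet[ihl:])
    return None if off is None else struct.unpack_from("!H", packet, ihl + off)[0]


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """What 'ip tcp adjust-mss <max_mss>' does to a forwarded SYN: lower the advertised
    MSS if it exceeds max_mss and fix the TCP checksum. Non-TCP, non-SYN, option-less
    and already-small-enough packets pass through unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                     # IP protocol field: not TCP
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                 # SYN flag clear: MSS only travels on SYN/SYN-ACK
        return packet
    off = _mss_option_offset(bytes(tcp))
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= max_mss:
        return packet
    struct.pack_into("!H", tcp, off, max_mss)
    tcp[16:18] = b"\x00\x00"               # zero the checksum field before recomputing
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def tcp_checksum_ok(packet: bytes) -> bool:
    """A correct TCP checksum verifies to zero when the checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def mss_for_path(path_mtu: int, tunnel_overhead: int = 0) -> int:
    """MSS that fits in path_mtu after 20 IP + 20 TCP bytes, minus any encapsulation
    the path adds on top (assumption: PPPoE is already inside a 1492 MTU; ESP is extra)."""
    return path_mtu - 40 - tunnel_overhead


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample: a minimal IPv4/TCP SYN carrying only an MSS option."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    options = struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 6 << 4, 0x02, 65535, 0, 0) + options)
    struct.pack_into("!H", tcp, 16, tcp_checksum(s, d, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, s, d))
    struct.pack_into("!H", ip, 10, _checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("192.168.2.200", "192.168.8.59", 50000, 3389, 1460)   # RDP SYN, Ethernet MSS
    out = clamp_mss(syn, 1452)
    print("MSS before:", get_mss(syn), "after:", get_mss(out), "checksum ok:", tcp_checksum_ok(out))
    print("MSS for a 1492-byte PPPoE MTU:", mss_for_path(1492))
```

The clamp only acts on SYN segments that traverse the interface it is configured on, and only when the advertised value is larger than the configured one; the `tunnel_overhead` argument of `mss_for_path` is there because an ESP tunnel adds its own headers and trailer on top of the WAN link's MTU, so the value that keeps tunnelled segments whole is lower than the one the DSL link alone needs.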
01-10-2008 07:54 PM
I do have adjust-mss on the internal LAN interface:
interface Vlan1
ip address 192.168.8.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
The setting was recommended by the ISP for their DSL line (my WAN side).
Thanks for the link, I'm examining that material in hopes to find a solution.