IPSec tunnels, ping works - applications don't

n_parshina
Level 1

Hi,

I have a setup best described in the attached drawing. I am routing the 192.168.2.0 net to 192.168.8.0 net through the central 3845 router.

The related config of the 857 is as follows:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0192837465 address X.X.X.X
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set CO esp-3des esp-sha-hmac
!
crypto map OFFICE 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set CO
 set pfs group2
 match address 100

ip route 172.16.0.0 255.255.0.0 X.X.X.X
ip route 192.168.2.0 255.255.255.0 X.X.X.X

access-list 100 permit ip 192.168.8.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit tcp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit udp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255

The config on 3845 that allows traffic to pass between the networks:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0192837465 address 10.0.23.42
crypto isakmp key 0192837465 address 10.1.17.106
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set REMOTE esp-3des esp-sha-hmac
!
crypto map Computers 108 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set REMOTE
 set pfs group2
 match address 108
!
crypto map TD-corporate local-address Loopback0
crypto map TD-corporate 102 ipsec-isakmp
 set peer 10.1.3.242
 set transform-set REMOTE
 set pfs group2
 match address 102

ip route 192.168.2.0 255.255.255.0 10.1.3.242
ip route 192.168.8.0 255.255.255.0 Y.Y.Y.Y

access-list 102 permit ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 102 permit tcp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit udp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 108 permit tcp 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 permit udp 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255

(I added the permit tcp/udp statements on top of the regular permit ip in hopes that it helps)

Problem: I can ping between the 2 networks fine - 192.168.2.200 to 192.168.8.59 flies with this config. As soon as I initiate a Terminal session (RDP) from one network to another, it not only does not go through (can't connect to remote host), pings stop working as well!

The thing is, when I initiate RDP sessions from the 172 network behind the 3845 router, they work just fine.

Here's the output of something that doesn't look right to me:

#show crypto session
Crypto session current status

Interface: BVI1
Session status: UP-ACTIVE
Peer: X.X.X.X port 500
  IKE SA: local Y.Y.Y.Y/500 remote X.X.X.X/500 Active
  IPSEC FLOW: permit 17 192.168.8.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 192.168.8.0/255.255.255.0 172.16.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 192.168.8.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit 6 192.168.8.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map

What could it be?

P.S.: on the Mikrotik (Linux) end, routing/tunneling is done in a manner "send everything to 3845".
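The "show crypto session" output above lists three separate IPSEC FLOWs (proto 6, proto 17 and ip) for the same 192.168.8.0/24 to 192.168.2.0/24 pair, which is what overlapping crypto ACL entries produce: each entry negotiates its own SA. The following script is an added example, not something posted in the thread, that parses Cisco-style crypto ACL lines (the thread's ACL 100 on the 857 and ACL 108 on the 3845 are embedded as sample input), flags entries that overlap, and checks that the two peers' ACLs are exact mirror images. The regex only understands the "permit <proto> <net> <wildcard> <net> <wildcard>" form used on this page; "host" entries and port qualifiers would need extending.

```python
"""Added example: sanity-check a pair of IPsec crypto ACLs for overlapping
entries and for mirror-image consistency between the two peers."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations

# Sample input copied from the thread: ACL 100 is on the 857, ACL 108 is the
# crypto map entry on the 3845 that peers with the 857.
ACL_857_100 = """
access-list 100 permit ip 192.168.8.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit tcp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit udp 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

ACL_3845_108 = """
access-list 108 permit ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 108 permit tcp 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 permit udp 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
"""

# Only the numbered extended-ACL form seen on this page is parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<swc>\S+)\s+(?P<dst>\S+)\s+(?P<dwc>\S+)$"
)


@dataclass(frozen=True)
class Ace:
    acl: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 means /24."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def parse_crypto_acl(text: str) -> list[Ace]:
    """Return one Ace per matching 'permit' line; other lines are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(Ace(m["acl"], m["proto"],
                            wildcard_to_network(m["src"], m["swc"]),
                            wildcard_to_network(m["dst"], m["dwc"])))
    return aces


def overlapping_entries(aces: list[Ace]) -> list[tuple[Ace, Ace]]:
    """Pairs of entries that select the same source/destination range.
    Every crypto ACL entry negotiates its own IPsec SA, so overlapping
    entries yield several SAs for one flow (the proto 6 / proto 17 / ip
    flows in the 'show crypto session' output are exactly that)."""
    return [(a, b) for a, b in combinations(aces, 2)
            if a.src.overlaps(b.src) and a.dst.overlaps(b.dst)]


def missing_mirrors(local: list[Ace], remote: list[Ace]) -> list[Ace]:
    """Local entries with no exact mirror (same protocol, src and dst
    swapped) on the peer. Crypto ACLs must be mirror images, otherwise the
    proxy identities proposed by one side are rejected by the other."""
    remote_keys = {(r.proto, r.src, r.dst) for r in remote}
    return [a for a in local if (a.proto, a.dst, a.src) not in remote_keys]


def describe(a: Ace) -> str:
    return f"acl {a.acl} permit {a.proto} {a.src} -> {a.dst}"


if __name__ == "__main__":
    local = parse_crypto_acl(ACL_857_100)
    remote = parse_crypto_acl(ACL_3845_108)
    for a, b in overlapping_entries(local):
        print("overlap:", describe(a), "|", describe(b))
    for a in missing_mirrors(local, remote):
        print("no mirror on peer:", describe(a))
```

Run against the thread's ACLs, the mirror check passes (ACL 100 and ACL 108 are exact mirrors) while the overlap check reports the three tcp/udp/ip combinations for the 192.168.8.0/24 to 192.168.2.0/24 pair; collapsing those to the single "permit ip" entry per side leaves one SA pair for that traffic.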

2 Replies

ajagadee
Cisco Employee

Have you tried "ip tcp adjust-mss"?

Use the ip tcp adjust-mss command so that the router will reduce the TCP MSS value in the TCP SYN packet. This will help the two end hosts (the TCP sender and receiver) to use packets small enough so that PMTUD is not needed.

Please refer to the URL below for additional information.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Regards,

Arul

I do have adjust-mss on the internal Lan interface:

interface Vlan1
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

The setting was recommended by the ISP for their DSL line (my WAN side).

Thanks for the link, I'm examining that material in hopes to find a solution.
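An MSS value chosen for the bare DSL line does not account for what ESP adds on top of each packet. The calculator below is an added example, not from the thread or from Cisco, that works out the ESP tunnel-mode overhead for the transform set used here (esp-3des esp-sha-hmac: 8-byte ESP header, 8-byte IV, padding to the 8-byte block, 2-byte trailer, 12-byte ICV, plus a new 20-byte outer IP header) and the largest MSS a full-size segment can carry and still fit the path MTU. The 1492-byte path MTU is an assumption: it is the PPPoE value that a 1452 MSS (1492 minus 40 bytes of IP and TCP headers) implies.

```python
"""Added example: ESP encapsulation overhead and the TCP MSS that fits it."""

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# Transform name -> (IV length, block size used for padding), per the ESP
# cipher RFCs: 3DES-CBC 8/8, AES-CBC 16/16, NULL has no IV and 4-byte alignment.
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16), "esp-null": (0, 4)}
# Transform name -> ICV length; both HMAC-MD5-96 and HMAC-SHA1-96 truncate to 12.
ICV = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}


def esp_overhead(inner_len, cipher="esp-3des", auth="esp-sha-hmac", tunnel_mode=True):
    """Bytes added when an IP packet of inner_len bytes is wrapped in ESP."""
    iv, block = CIPHERS[cipher]
    # Padding brings (payload + trailer) up to a multiple of the cipher block.
    pad = (-(inner_len + ESP_TRAILER)) % block
    overhead = ESP_HDR + iv + pad + ESP_TRAILER + ICV[auth]
    if tunnel_mode:
        overhead += IPV4_HDR   # the new outer IP header
    return overhead


def encapsulated_size(inner_len, **transform):
    """On-the-wire size of an inner packet after ESP encapsulation."""
    return inner_len + esp_overhead(inner_len, **transform)


def fits(mss, path_mtu, **transform):
    """True if a full segment (MSS + TCP/IP headers) survives the tunnel intact."""
    return encapsulated_size(mss + IPV4_HDR + TCP_HDR, **transform) <= path_mtu


def max_mss(path_mtu, **transform):
    """Largest MSS for which a full-size segment still fits path_mtu after ESP.
    Walks down from the no-tunnel value because padding makes the overhead
    vary with the segment length."""
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while not fits(mss, path_mtu, **transform):
        mss -= 1
    return mss


if __name__ == "__main__":
    path_mtu = 1492   # assumed PPPoE MTU behind the ISP's recommended 1452
    full_segment = 1452 + IPV4_HDR + TCP_HDR
    print("1452-byte MSS segment after ESP:", encapsulated_size(full_segment), "bytes")
    print("fits in", path_mtu, "bytes?", fits(1452, path_mtu))
    print("largest MSS that fits esp-3des/esp-sha-hmac:", max_mss(path_mtu))
    print("same for esp-aes:", max_mss(path_mtu, cipher="esp-aes"))
```

With these assumptions a 1452-byte MSS segment grows to 1544 bytes after encapsulation and needs fragmentation or PMTUD on the tunnel path, which is the situation "ip tcp adjust-mss" is meant to avoid; the largest MSS that fits is 1398 for 3DES with SHA-HMAC (1382 for AES). Because the clamp rewrites the MSS option in the SYN in both directions, it belongs on the interface the LAN hosts' TCP sessions traverse and must account for the tunnel's overhead, not just the link layer's.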
