11-17-2008 09:14 PM - edited 02-21-2020 04:02 PM
Hi everyone. I'm trying to run an L2L VPN with an IPsec tunnel between my PIX and a 3745 router. My problem is that the tunnel comes up only when traffic flows from one direction. Let me describe my scenario.
LAN1-->PIX<----->R3745<---LAN2
!!!PIX!!!
ethernet 1:connected to host A
Host A:10.10.1.3
ethernet 0(17.17.17.1):connected to R3745
!!!R3745!!!
ethernet 0/0 (17.17.17.2):connected to pix
ethernet 0/1 (10.10.2.1):connected to Host B
Host B:10.10.2.3
!!!PIX!!!!
PIX Version 7.2(3)
!
interface Ethernet0
nameif outside
security-level 0
ip address 17.17.17.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
ftp mode passive
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list tr extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list ping extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group ping in interface outside
route outside 10.10.2.0 255.255.255.0 17.17.17.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address tr
crypto map crymap 1 set peer 17.17.17.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 17.17.17.2 type ipsec-l2l
tunnel-group 17.17.17.2 ipsec-attributes
pre-shared-key *
!!!!R3745!!!!!
version 12.4
!
boot-start-marker
boot-end-marker
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ***** address 17.17.17.1
crypto isakmp keepalive 10
!
crypto ipsec transform-set sec esp-3des esp-sha-hmac
!
crypto ipsec profile sevan
set transform-set sec
!
crypto map map 10 ipsec-isakmp
set peer 17.17.17.1
set transform-set sec
match address 110
!
interface Tunnel10
ip unnumbered Ethernet0/0
tunnel source Ethernet0/0
tunnel destination 17.17.17.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile sevan
!
interface Ethernet0/0
ip address 17.17.17.2 255.255.255.0
half-duplex
!
interface Ethernet0/1
ip address 10.10.2.1 255.255.255.0
ip policy route-map sevan
half-duplex
!
ip http server
no ip http secure-server
ip route 10.10.1.0 255.255.255.0 17.17.17.1
!
access-list 110 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
!
route-map sevan permit 10
match interface Ethernet0/1
set interface Tunnel10
end
***When I ping Host B from Host A, the ping works and the tunnel on the 3745 router comes up, but when I stop pinging Host B from Host A, after some seconds the tunnel goes down. If I first ping Host A from Host B, the ping never works and the tunnel never comes up. So when traffic is generated from the PIX LAN everything is OK, but when traffic is generated from the router LAN nothing about the VPN works. I don't know why this scenario works this way!!!???
11-18-2008 05:34 AM
Hi,
I don't think this setup is going to work. The reason is that your tunnel destination on the router is an ASA, and ASAs do not support GRE tunnel termination. You have to terminate a GRE tunnel on a router.
Reconfigure the router without using the GRE Tunnel interface and test the tunnel.
Regards
Arul
*Pls rate if it helps*
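The router-side reconfiguration the reply recommends, written out as an added example that is not part of the original post or of Arul's reply. It assumes the addresses, interface names and ACL 110 exactly as they appear in the posted 3745 config, reuses the crypto map "map" that the posted config defines but never applies to an interface, and leaves the PIX side unchanged.

```ios
! Added example (not from the original post or reply): router side only.
! Step 1: remove the tunnel interface and the policy routing that steered
!         LAN2 traffic into it, so the router no longer tries to bring up
!         a tunnel-interface style IPsec session toward the PIX.
no interface Tunnel10
!
interface Ethernet0/1
 no ip policy route-map sevan
!
no route-map sevan
no crypto ipsec profile sevan
!
! Step 2: apply the crypto map the posted config already defines to the
!         interface facing the PIX. The map matches ACL 110
!         (10.10.2.0/24 -> 10.10.1.0/24), which is the mirror image of the
!         PIX access-list "tr", so both peers now propose the same
!         proxy identities regardless of which LAN starts the traffic.
interface Ethernet0/0
 crypto map map
!
! Step 3: verification, to be run after generating traffic from either LAN.
!         Phase 1 should show the peer 17.17.17.1 as active, and the
!         IPsec SA should list 10.10.2.0/24 <-> 10.10.1.0/24 as the
!         local/remote identities with non-zero encaps/decaps counters.
! show crypto isakmp sa
! show crypto ipsec sa peer 17.17.17.1
! show crypto session
```

If the ISAKMP SA never forms from the router side after this change, check that the ip route for 10.10.1.0/24 via 17.17.17.1 is still present, since the crypto map only acts on packets that are already routed out Ethernet0/0.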