324 Views, 0 Helpful, 1 Reply

could they access each other with vpn ipsec?

guoliang.wu (Level 1)

I built a VPN between two points. One point uses ADSL (with a Cisco 1720 plus a WIC-1ENET, without a fixed IP address), the other point uses a DDN line (with a Cisco 2611, with a fixed IP address). The VPN only uses IPsec encryption without building a tunnel. With transport in the VPN, the two points' computers can ping each other, but they can't find each other in 'MS Windows Network Neighborhood'.

I want to know how I can make the two points find each other?

Router#sh run
Building configuration...

Current configuration : 1695 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable secret 5 $1$1wN5$AWKZpt5/WiT7ERgcv6kgJ0
!
memory-size iomem 25
ip subnet-zero
no ip finger
!
vpdn enable
no vpdn logging
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 202.96.192.17
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer 202.96.192.17
 set transform-set rtpset
 match address 115
!
!
!
!
interface Ethernet0
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1410
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username ad50045108 password 7 11390E5C023A522216
 crypto map rtp
!
ip nat inside source route-map nonat interface Dialer1 overload
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 115 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 115 deny ip 10.0.0.0 0.0.0.255 any
access-list 120 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 120
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
end

Router#

Router#sh run
Building configuration...

Current configuration : 1348 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$Q7n0$7O7pK/8tKcsV87mJMk82v1
enable password cisco
!
!
!
!
!
ip subnet-zero
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 match address 115
!
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
!
!
!
!
!
interface Ethernet0/0
 ip address 202.96.192.17 255.255.255.252
 ip nat outside
 crypto map rtptrans
!
interface Ethernet0/1
 ip address 202.96.192.30 255.255.255.248 secondary
 ip address 61.129.60.234 255.255.255.252 secondary
 ip address 10.0.1.254 255.255.255.0
 ip nat inside
!
ip nat inside source route-map nonat interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 202.96.192.18
no ip http server
!
access-list 115 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 115 deny ip 10.0.1.0 0.0.0.255 any
access-list 120 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 10.0.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password ibm
 login
!
end

1 Reply

vijkrish (Cisco Employee)

Assuming there is IP connectivity and browsing is now the problem, this is probably a Microsoft issue. Essentially, WINS needs to be set up at the central site, and the remote client has to use this service, since we can not pass the broadcast packets through the IPsec tunnel. I would suggest that you have a look at the following URLs:

98: Chapter 18 - Logon, Browsing, and Resource Sharing
http://www.microsoft.com/TechNet/win98/Reskit/Part3/wrkc18.asp

95: Chapter 11 Logon, Browsing, and Resource Sharing
http://www.microsoft.com/TechNet/win95/reskit/part3/rk11_res.asp

95: Domain Browsing with TCP/IP and LMHOSTS Files
http://support.microsoft.com/support/kb/articles/Q150/8/00.asp

95, 98, NT: Manually Populating Network Neighborhood with Static Entries for Browsing
http://support.microsoft.com/support/kb/articles/Q210/3/27.ASP

NT: MS Windows NT Browser
http://www.microsoft.com/TechNet/winnt/Winntas/technote/ntbrowse.asp

Win95/98/NT Dialup, Authentication, Browsing Using TCPIP, IPX/SPX, or NetBEUI
http://support.microsoft.com/support/kb/articles/q232/5/11.asp

Also, some more information that might be useful for you, regarding logging into the domain:

Domain Logon

Make sure that the PC is set up to log into the Domain when it boots up. Put in the user information and password when the computer boots up and prompts for a domain logon. It will return a message about being unable to find the domain controller. Hit OK. This will cache the information for use after you've established your VPN connection. Log into your ISP and then connect with the VPN Client. Once connected, right click on Network Neighborhood and select "Find Computer". Put in the IP address of the Primary Domain Controller. Once it is found, double click on the blue computer icon that it's found. Since the PDC is also the Master Browser for the domain, connecting also prompts the remote PC to get the browse list from the PDC. Now you should be able to browse the Network Neighborhood. In order to make the Find Computer easier, it is recommended to create a shortcut for the PDC on the desktop so that double clicking it will make the connection and establish the browse list easily. You may also use an LMHOSTS file instead of the Find Computer method. Put an LMHOSTS file on the remote workstation with information pointing to the PDC. Information on LMHOSTS files may be found in the LMHOSTS.SAM file found on all Windows platforms.

If you do not have an ethernet card in your PC, then you'll have to enable the Domain Login prompt in your dialup settings. It's a check box that asks if you'd like to login to the network. You'll find it if you right click on your dialup connection icon in Dialup Networking and select Properties. Then select the Server Type button.

Note** On Win95/98 workstations, the Workgroup name of the workstation MUST be the same as the Domain name they are trying to log into or they will NOT be able to see a browse list. Also, due to the nature of NT and its browsing method, it sometimes fails to find the PDC when using Autologon. If this occurs, use the "Find Computer" mentioned above for the PDC before attempting to open the Network Neighborhood.
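As an added illustration of the reply's point (this script is not part of the thread and is not Cisco's or Microsoft's code), the following Python evaluates the crypto ACL 115 and NAT route-map ACL 120 posted in the two configs above against a few constructed flows. It shows why a unicast ping between 10.0.0.0/24 and 10.0.1.0/24 is selected for encryption while a NetBIOS name-query broadcast (UDP/137 to 255.255.255.255 or to the subnet broadcast) never matches the crypto ACL and so never enters the tunnel, and it performs two consistency checks a practitioner would want on a pair of site-to-site configs: that the two crypto ACLs mirror each other, and that traffic selected for encryption is exempted from NAT. The host addresses 10.0.0.5, 10.0.1.10 and 198.51.100.7 are assumed sample values; only contiguous wildcard masks and the `ip` protocol are handled, which is all the page's ACLs use.

```python
import ipaddress

# Crypto ACL 115 and NAT-bypass ACL 120 copied from the router configs in the question.
SITE_A_CRYPTO = """
access-list 115 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 115 deny ip 10.0.0.0 0.0.0.255 any
"""
SITE_A_NAT = """
access-list 120 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
"""
SITE_B_CRYPTO = """
access-list 115 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 115 deny ip 10.0.1.0 0.0.0.255 any
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcards only)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _endpoint(tokens, i):
    """Parse 'any', 'host X' or 'X WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action = tokens[2]                 # permit or deny
        src, i = _endpoint(tokens, 4)      # tokens[3] is the protocol; only 'ip' appears here
        dst, _ = _endpoint(tokens, i)
        entries.append((action, src, dst))
    return entries


def classify(acl, src_ip, dst_ip):
    """First-match evaluation as IOS does it, with the implicit deny at the end.
    Protocol and ports are ignored because the page's ACLs match only 'ip'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action
    return "deny"


def is_mirror(acl_a, acl_b):
    """True when each permit in A appears in B with source and destination swapped, and vice versa."""
    def permits(acl):
        return {(str(s), str(d)) for action, s, d in acl if action == "permit"}
    return {(d, s) for s, d in permits(acl_a)} == permits(acl_b)


def nat_exempts_tunnel(crypto_acl, nat_acl, src_ip, dst_ip):
    """Traffic selected for encryption must be denied by the NAT route-map ACL; otherwise it
    is translated to the outside address before it reaches the crypto map and never matches."""
    if classify(crypto_acl, src_ip, dst_ip) != "permit":
        return True
    return classify(nat_acl, src_ip, dst_ip) == "deny"


# Constructed sample flows from a host at site A (10.0.0.5 is an assumed address).
FLOWS = [
    ("unicast ping to a site B host", "10.0.0.5", "10.0.1.10"),
    ("NetBIOS name query, limited broadcast UDP/137", "10.0.0.5", "255.255.255.255"),
    ("NetBIOS name query, subnet broadcast UDP/137", "10.0.0.5", "10.0.0.255"),
    ("ordinary Internet traffic", "10.0.0.5", "198.51.100.7"),
]


def report():
    """Map each sample flow to the crypto ACL verdict at site A."""
    acl = parse_acl(SITE_A_CRYPTO)
    return {name: classify(acl, s, d) for name, s, d in FLOWS}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{verdict:6}  {name}")
    print("crypto ACLs mirror each other:",
          is_mirror(parse_acl(SITE_A_CRYPTO), parse_acl(SITE_B_CRYPTO)))
    print("site A NAT exempts tunnel traffic:",
          nat_exempts_tunnel(parse_acl(SITE_A_CRYPTO), parse_acl(SITE_A_NAT), "10.0.0.5", "10.0.1.10"))
```

Only the unicast flow comes back as `permit`; both broadcast forms fall through to the `deny ip 10.0.0.0 0.0.0.255 any` entry, which is the mechanical reason name resolution by broadcast fails across this VPN and a WINS server or LMHOSTS entries, as the reply recommends, are needed. The mirror and NAT-exemption checks both pass for the posted configs, so the browsing problem is not a selector or NAT-ordering mistake.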