IOS LAN-to-LAN over GPRS

tgrundbacher
Level 1

Has anyone experience with IPSec over GPRS?

I have trouble getting LAN-to-LAN IPSec running between two 805s. Initially, the connection works (ping), but after some seconds/minutes the ISAKMP SAs get deleted:

deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer 193.247.250.1) input queue 0

The hub router has a fixed IP and sits in the Internet (leased line), the spoke router dials in over GPRS.

The caller will get a 10.x.x.x address in the GPRS cloud and will be NATed towards the Internet (where the spoke sits), so IOS will mutually negotiate UDP Encapsulation.

What might be the problem?

Setup hub:
----------
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key *** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30
crypto isakmp nat keepalive 15
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map dynamic-tunnel 10
 set transform-set esp-3des-sha
 set pfs group2
 !match address 120
!
crypto map to-Sites 10 ipsec-isakmp dynamic dynamic-tunnel
!
interface Loopback0
 ip address 172.16.0.3 255.255.255.255
!
interface Ethernet0
 ip address 3.3.3.3 255.0.0.0
 no cdp enable
 crypto map to-Sites
ip route 0.0.0.0 0.0.0.0 5.5.5.5
ip route 172.16.0.0 255.255.255.252 Ethernet0
ip route 192.168.0.0 255.255.255.0 Ethernet0

Setup spoke:
------------
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key *** address 3.3.3.3
crypto isakmp keepalive 30
crypto isakmp nat keepalive 15
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map ipsec-to-Central 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set esp-3des-sha
 set pfs group2
 match address 120
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
interface Ethernet0
 ip address 192.168.0.130 255.255.255.0
 no keepalive
!
interface Serial0
 physical-layer async
 no ip address
 encapsulation ppp
 ppp authentication chap callin
 dialer in-band
 dialer pool-member 1
 async mode dedicated
 no keepalive
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 3600
 dialer string "*99***1#"
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ***
 ppp chap password 0 ***
 crypto map ipsec-to-Central
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 120 permit ip host 172.16.0.1 host 172.16.0.2
access-list 120 permit ip host 172.16.0.1 host 172.16.0.3
dialer-list 1 protocol ip permit
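A consistency check over the two configurations above, added here as an example (it is not code from the post or from Cisco): it parses the crypto-relevant lines of each side, reports phase-1/phase-2 settings that differ between hub and spoke, and flags a missing or long NAT keepalive; the 30 s ceiling is an assumed rule of thumb, not a value from the post.

```python
import re

# Constructed sample input: crypto-relevant lines of the hub and spoke configs from the post.
HUB_CFG = """crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp keepalive 30
crypto isakmp nat keepalive 15
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map dynamic-tunnel 10
 set transform-set esp-3des-sha
 set pfs group2
"""
SPOKE_CFG = """crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp keepalive 30
crypto isakmp nat keepalive 15
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map ipsec-to-Central 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set esp-3des-sha
 set pfs group2
 match address 120
"""

def crypto_params(cfg):
    """Pull out the phase-1/phase-2 settings that must agree on both peers."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    return {
        "encr": grab(r"^\s*encr\s+(\S+)"),
        "auth": grab(r"^\s*authentication\s+(\S+)"),
        "transform": grab(r"^crypto ipsec transform-set\s+\S+\s+(.+?)\s*$"),
        "pfs": grab(r"^\s*set pfs\s+(\S+)"),
        "nat_keepalive": grab(r"^crypto isakmp nat keepalive\s+(\d+)"),
    }

def compare_peers(hub_cfg, spoke_cfg):
    """Return a list of findings; an empty list means the checked settings agree."""
    hub, spoke = crypto_params(hub_cfg), crypto_params(spoke_cfg)
    findings = [f"{k} mismatch: hub={hub[k]} spoke={spoke[k]}"
                for k in ("encr", "auth", "transform", "pfs") if hub[k] != spoke[k]]
    # NAT-T keepalives must be sent before the NAT device ages out the UDP 4500
    # mapping; the 30 s ceiling here is an assumed rule of thumb, not from the post.
    for name, p in (("hub", hub), ("spoke", spoke)):
        if p["nat_keepalive"] is None or int(p["nat_keepalive"]) > 30:
            findings.append(f"{name}: NAT keepalive missing or longer than 30 s")
    return findings
```

With the configurations as posted the check returns no findings, so a negotiation mismatch on these parameters is unlikely to be the cause.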

2 Replies

drolemc
Level 6

The problem probably does not have anything to do with GPRS. We were seeing these messages on a 'plain' network and the problem turned out to be BGP filters at our ISP. It would be a good idea to have a look at your configurations and also if the route learning process is ok.

dan.agache
Level 1

What kind of GPRS modem are you using, and what kind of modemcap for the modem configuration are you using?