Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ipSec over ADSL 827

Has anyone out there got a working ipSec config for an 827 using dialer interface they can send me?

I have converted a config from a serial interface router and find the outbound tunnel packets are encrypted but not transmitted as NAT is taking over and the acl is denying them. The crypto session is up okay, and I can send packets the other way.

The NAT config is exactly the same as for a serial router which bench tests fine, without NAT'ing tunnel packets.

regards,

6 REPLIES
Cisco Employee

Re: ipSec over ADSL 827

It would be similar to:

http://www.cisco.com/warp/customer/707/overload_private.shtml

except the ethernet is a dialer interface. I assume that you get a static ip address for your dialer interface.

New Member

Re: ipSec over ADSL 827

Thanks,

that example was one of the ones I've been working from. My senario has static IP's at both sites, with an e-mail server at the main site running through an 805, which is similar to the Cisco example http://www.cisco.com/warp/customer/707/static.html

I think the problem is related to having the 827 having an ATM interface, the ATM subinterface & the Dialer interface, because the exact same config works fine on a serial interface router. I have the local Cisco folk also scratching their heads!

New Member

Re: ipSec over ADSL 827

Have you tried to configure an ipsec encryption schema over a generic GRE tunnel? In this way you should avoid the ATM interface problem.

Bye GV

New Member

Re: ipSec over ADSL 827

I've just encountered the same problem.

I've solved the NAT problem using the exampled cited in other replies (route-map nonat), but I now I have another problem:

- packet are encrypted but not sent out on the Dialer interface (I've checked with a sniffer on the ISP's ADSL router)

Consider that:

- IPSec handshaking between the 827 and a PIX is OK

- SAs are rightly set up

- show crypto ipsec sa states that packet are succesfully encrypted

Any hint?

Thanks a lot.

L

New Member

Re: ipSec over ADSL 827

Thanks for the GRE suggestion, The local Cisco folk have managed to find a GRE sample config for an 827 so hope to try that out this week. Will post the config here once I've got it working.

cheers.

New Member

Re: ipSec over ADSL 827

Found the problem. It's called Cisco IOS 12.1(3)XG3

as per the release notes:

CSCdr69152

For IPSec to work properly on some IPSec interfaces, fast switching must be explicitly disabled by entering the commands no ip route-cache and no ip mroute-cache. This might impact IPSec functionality under certain encapsulation modes.

For example, if you use a dialer interface to configure PPP over ATM encapsulation or PPP over Ethernet encapsulation and apply IPSec to the interface, fast switching must be explicitly disabled for IPSec to work. For a bridge group virtual interface to function properly as an IPSec interface, fast switching must also be disabled. IPSec works properly with fast switching enabled when applied on other interfaces, such as ATM or virtual interfaces.

Fast switching is automatically enabled by default. To work around this problem, disable fast switching on IPSec interfaces.

217
Views
0
Helpful
6
Replies
CreatePlease to create content