Cisco Support Community
New Member

Telnet problem with IPSEC

Hi, I have configured an IPSEC tunnel between my remote location and the main location, and mapped it to the serial interface. After this, IPSEC is working fine. I am able to see the encryption and decryption in the "sh crypto engine conn active" command. But I am not able to telnet to the remote branch Ethernet IP (though I am able to ping it). This is happening even after configuring proper ACLs at both ends. Can anyone help resolve this Telnet problem?

Hall of Fame Super Silver

Re: Telnet problem with IPSEC

Krishnamurthy

We do not have enough information here to diagnose very well what the problem is. Can you provide some information about the topology, details of how IPSec is configured, and most especially the details of the access lists (from both ends)? If we have this, perhaps we will be able to help find the problem.

HTH

Rick

New Member

Re: Telnet problem with IPSEC

Hi Rick,

Thanks for responding. I am attaching the configurations of both ends. Please go through them and let me know if anything is wrong in them.

Murthy

Hall of Fame Super Silver

Re: Telnet problem with IPSEC

Krishnamurthy

I have looked at the information that you have posted and I have several things that I do not understand well. The config of the main location router has this source address 172.22.72.0 0.0.7.255 so I would expect to see those addresses as destinations in the access list of the remote, but it is not there. Also the access list at the remote has this source address 172.22.74.0 0.0.0.255 which is contained within the range of addresses specified at the main site. I asked for some information about topology which we do not yet have but it certainly looks like the central site is planning to talk to addresses 172.16.0.0 and 172.20.0.0 but I am not sure that these addresses are at the remote site. I also note that the access list is only permitting tcp. This means that only tcp will be protected by IPSec. So any UDP traffic and any ICMP traffic will not be in IPSec.

That probably explains why you can ping but cannot telnet. The ping is not going through IPSec, but the telnet is trying to go through IPSec.

Perhaps you can clear up some of these things and let us know what happens.

HTH

Rick

New Member

Re: Telnet problem with IPSEC

Hi Rick,

Sorry for the incomplete information provided. Actually we have a central site and around 50 locations connected to it through serial leased lines (64 Kbps).

So we are running IPSEC over the leased lines (point to point). I have again attached the correct running configurations of one sample remote location and also the related main location router's config. Please go through it and suggest the solution.

Hall of Fame Super Silver

Re: Telnet problem with IPSEC

Krishnamurthy

I have looked at the config elements that you posted and I have these comments:

1) there seems to be a bit of difference in the definition of the crypto key between the two peers:

crypto isakmp key Murphy_town-LL address 172.16.250.21

crypto isakmp key 6 Murphy_town-LL address 172.16.250.22

2) the access lists used to identify traffic to be protected by IPSec should be mirror images of each other. The first router specifies a source address of 172.16.6.0

access-list 101 permit tcp 172.16.6.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 101 permit tcp 172.16.6.0 0.0.0.255 172.20.0.0 0.0.255.255

so I would expect the second router to specify a destination of 172.16.6.0 but it specifies a much broader range of addresses

permit tcp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

permit tcp 172.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255

3) again I note that the access list is only matching TCP traffic. So only TCP traffic will be protected by IPSec. Is that what you intend?

Since the addresses used here are significantly different from the other ones that you posted, perhaps you could also clarify what the problem is here. If there is a problem with telnet could you be specific about what source address is in the telnet and what destination address is used by the telnet?

HTH

Rick

New Member

Re: Telnet problem with IPSEC

Hi Rick,

Thanks for your valuable comments.

I will look into all your suggestions and I will let you know. But here I just want to tell you that we are trying to telnet from the 172.16.200.0 subnet to the remote branch Ethernet (172.16.6.1). So we should be able to telnet with the above ACLs, right? Please clarify.
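The two checks Rick applies above (crypto ACLs should be mirror images of each other, and a TCP-only ACL leaves ICMP and UDP outside IPsec) as an added example, not code from this thread or from Cisco. It parses the exact ACL lines quoted in Rick's reply (the `address wildcard` form only; port qualifiers are not parsed), lists entries with no mirror on the other side, lists protocols the remote ACL never selects, and evaluates which flows each ACL would send through the tunnel. The host 172.16.200.5 is a constructed sample address from the 172.16.200.0 subnet named in the last post.

```python
import ipaddress

# Constructed input: the two crypto ACLs quoted in Rick's reply, one per router.
REMOTE_ACL = """
access-list 101 permit tcp 172.16.6.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit tcp 172.16.6.0 0.0.0.255 172.20.0.0 0.0.255.255
"""
MAIN_ACL = """
permit tcp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit tcp 172.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
"""

def _net(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network (wildcard 1 bits = don't care)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):                 # must be a run of low-order 1 bits to map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, 32 - wild.bit_length()), strict=False)

def parse_acl(text):
    """Set of (proto, src_net, dst_net) per permit line; numbered and named forms accepted."""
    entries = set()
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access-list":       # drop the 'access-list 101' prefix of the numbered form
            tok = tok[2:]
        if tok[0] != "permit":            # deny entries select nothing for IPsec
            continue
        entries.add((tok[1], _net(tok[2], tok[3]), _net(tok[4], tok[5])))
    return entries

def mirror_mismatches(a, b):
    """Entries of a whose exact mirror (same proto, src and dst swapped) is missing from b."""
    return {e for e in a if (e[0], e[2], e[1]) not in b}

def unprotected_protocols(acl):
    """Common protocols this ACL never selects for IPsec (empty if it matches 'ip')."""
    protos = {e[0] for e in acl}
    return set() if "ip" in protos else {"icmp", "udp", "tcp"} - protos

def selects(acl, proto, src_ip, dst_ip):
    """True if a proto packet src->dst matches the crypto ACL, i.e. would be sent through IPsec."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(p in (proto, "ip") and s in sn and d in dn for p, sn, dn in acl)

if __name__ == "__main__":
    remote, main_site = parse_acl(REMOTE_ACL), parse_acl(MAIN_ACL)
    print("remote entries with no mirror at main:", mirror_mismatches(remote, main_site))
    print("protocols the remote ACL leaves outside IPsec:", unprotected_protocols(remote))
    print("telnet 172.16.200.5 -> 172.16.6.1 selected at main:", selects(main_site, "tcp", "172.16.200.5", "172.16.6.1"))
```

Both ACLs select the telnet flow in each direction, but neither entry has an exact mirror on the peer, and only TCP is selected at all, which is what the output shows for these two configs.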
