Telnet problem with IPSEC

gpkrishna
Level 1

Hi, I have configured an IPSEC tunnel between my remote location and the main location and mapped it to the serial interface. After this, IPSEC is working fine. I am able to see the encryption and decryption in the "sh crypto engine conn active" command. But I am not able to telnet to the remote branch Ethernet IP (although I am able to ping it). This is happening even after configuring proper ACLs at both ends. Can anyone help me resolve this Telnet problem?

6 Replies

Richard Burts
Hall of Fame

Krishnamurthy

We do not have enough information here to diagnose very well what the problem is. Can you provide some information about the topology, details of how IPSec is configured, and most especially the details of the access lists (from both ends)? If we have this, perhaps we will be able to help find the problem.

HTH

Rick


Hi Rick,

Thanks for responding. I am attaching the configurations of both ends. Please go through them and let me know if anything is wrong.

Murthy

Krishnamurthy

I have looked at the information that you have posted, and there are several things that I do not understand well. The config of the main location router has this source address, 172.22.72.0 0.0.7.255, so I would expect to see those addresses as destinations in the access list of the remote, but they are not there. Also, the access list at the remote has this source address, 172.22.74.0 0.0.0.255, which is contained within the range of addresses specified at the main site. I asked for some information about topology, which we do not yet have, but it certainly looks like the central site is planning to talk to addresses 172.16.0.0 and 172.20.0.0, and I am not sure that these addresses are at the remote site. I also note that the access list is only permitting tcp. This means that only tcp will be protected by IPSec. So any UDP traffic and any ICMP traffic will not be in IPSec.

That probably explains why you can ping but cannot telnet. The ping is not going through IPSec, but the telnet is trying to go through IPSec.

Perhaps you can clear up some of these things and let us know what happens.

HTH

Rick


Hi Rick,

Sorry for the incomplete information provided. Actually, we have a central site and around 50 locations connected to it through serial leased lines (64 Kbps).

So we are running IPSEC over the leased lines (point to point). I have again attached the correct running configurations of one sample remote location and also the related main location router's config. Please go through them and suggest a solution.

Krishnamurthy

I have looked at the config elements that you posted and I have these comments:

1) there seems to be a bit of difference in the definition of the crypto key between the two peers:

crypto isakmp key Murphy_town-LL address 172.16.250.21

crypto isakmp key 6 Murphy_town-LL address 172.16.250.22

2) the access lists used to identify traffic to be protected by IPSec should be mirror images of each other. The first router specifies a source address of 172.16.6.0

access-list 101 permit tcp 172.16.6.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 101 permit tcp 172.16.6.0 0.0.0.255 172.20.0.0 0.0.255.255

so I would expect the second router to specify a destination of 172.16.6.0 but it specifies a much broader range of addresses

permit tcp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

permit tcp 172.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255

3) again I note that the access list is only matching TCP traffic. So only TCP traffic will be protected by IPSec. Is that what you intend?

Since the addresses used here are significantly different from the other ones that you posted, perhaps you could also clarify what the problem is here. If there is a problem with telnet could you be specific about what source address is in the telnet and what destination address is used by the telnet?

HTH

Rick

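Rick's two analyses above (ping in the clear while telnet is forced through IPSec because the crypto ACL only matches tcp, and the main-site ACL not being the mirror image of the remote's) can be checked mechanically. The following is an added example written for this page, not code from the thread or from Cisco: it parses the exact crypto ACL lines quoted in the reply above, evaluates a packet against them the way IOS does (first match; a permit means encrypt, a deny or no match means clear text), and lists every permit entry whose exact mirror is missing on the peer. The host 172.16.200.10 is a constructed address inside the 172.16.200.0 subnet the poster mentions, and MAIN_ACL_MIRRORED is a hypothetical corrected main-site ACL built from Rick's remark that the main site should specify 172.16.6.0 0.0.0.255 as the destination.

```python
"""Check a pair of IOS crypto ACLs: which flows they protect, and whether
they are mirror images of each other (added example, not code from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List

# The two crypto ACLs quoted in the reply above (remote router, then main site).
REMOTE_ACL = """
access-list 101 permit tcp 172.16.6.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit tcp 172.16.6.0 0.0.0.255 172.20.0.0 0.0.255.255
"""
MAIN_ACL = """
permit tcp 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit tcp 172.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
"""
# Hypothetical corrected main-site ACL: the exact mirror of the remote's entries.
MAIN_ACL_MIRRORED = """
permit tcp 172.16.0.0 0.0.255.255 172.16.6.0 0.0.0.255
permit tcp 172.20.0.0 0.0.255.255 172.16.6.0 0.0.0.255
"""


@dataclass(frozen=True)
class Ace:
    action: str    # permit -> encrypt, deny -> send in the clear
    proto: str     # ip, tcp, udp, icmp, ...
    src_net: int
    src_wild: int  # IOS wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int


def _addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered ('access-list N ...') or named-ACL ('permit ...') lines.
    Port qualifiers such as 'eq 23' are ignored here; the crypto ACLs in the
    thread match on protocol and addresses only."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]          # drop "access-list <number>"
        if tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        src_net, src_wild, i = _addr(tokens, 2)
        dst_net, dst_wild, _ = _addr(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src_net, src_wild, dst_net, dst_wild))
    return aces


def _in(ip: int, net: int, wild: int) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are not compared."""
    return (ip & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def classify(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    """First-match evaluation of one packet against a crypto ACL.
    A permit hit means the packet is encrypted; a deny hit or no hit at all
    (the implicit deny) means it leaves the interface in clear text."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if (ace.proto in ("ip", proto) and _in(s, ace.src_net, ace.src_wild)
                and _in(d, ace.dst_net, ace.dst_wild)):
            return "encrypted" if ace.action == "permit" else "cleartext"
    return "cleartext"


def mirror(ace: Ace) -> Ace:
    """Same entry with source and destination swapped."""
    return Ace(ace.action, ace.proto, ace.dst_net, ace.dst_wild, ace.src_net, ace.src_wild)


def mirror_gaps(local: List[Ace], peer: List[Ace]) -> List[Ace]:
    """Local permit entries whose exact mirror is absent from the peer's ACL.
    A broader peer entry that merely covers the same addresses still counts as
    a gap: the entries become the phase 2 proxy identities, and Cisco requires
    the two sides to be mirror images."""
    peer_set = set(peer)
    return [a for a in local if a.action == "permit" and mirror(a) not in peer_set]


if __name__ == "__main__":
    remote, main = parse_acl(REMOTE_ACL), parse_acl(MAIN_ACL)
    for proto in ("tcp", "icmp"):
        print(proto, "main->remote:", classify(main, proto, "172.16.200.10", "172.16.6.1"),
              "remote->main:", classify(remote, proto, "172.16.6.1", "172.16.200.10"))
    print("remote entries with no mirror on main:", len(mirror_gaps(remote, main)))
    print("after the fix:", len(mirror_gaps(remote, parse_acl(MAIN_ACL_MIRRORED))))
```

Run against the thread's ACLs, the script reports that a telnet between 172.16.200.10 and 172.16.6.1 is classified "encrypted" on both routers while ICMP between the same hosts is "cleartext" on both, which is exactly why the ping succeeds without touching the tunnel; it also reports that neither of the remote's two permit entries has a mirror on the main site, and that the gap count drops to zero with the mirrored ACL.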

Hi Rick,

Thanks for your valuable comments.

I will look into all your suggestions and let you know. But here I just want to tell you that we are trying to telnet from the 172.16.200.0 subnet to the remote branch Ethernet (172.16.6.1). So we should be able to telnet with the above ACLs, right? Please clarify.
