Re: IPSec question: VPN client to Router posted 09/22/2001


Hi Sam Munzani,

It does not work, config is:

(loopback 0) IPSEC Router(Eth0) ------ (Eth1) Router (Eth0) ------- VPN Client
10.10.10.1/24            128.235.0.2       128.235.0.1     129.100.101.71     129.100.101.73

ACL is:
access-list 101 permit ip host 129.100.101.73 10.10.10.0 0.0.0.255

I even tried: access-list 101 permit ip any any

but from Client I can Ping to 10.10.10.1/24 w/o crypto process.

I turned back to the original config:
(loopback 0) IPSEC Router(Eth0) ------ VPN Client
10.10.10.1/24         129.100.101.71         129.100.101.73
With this network, previously I could not ping from Client to 10.10.10.1, but
now I can ping w/o crypto, nothing changed (except I just re-installed my
Windows 98 & VPN client)

Have you ever worked on R1603 for IPSec? I suspect that there's no actual
process for IPSec on Cisco1603 (my IOS is quite new:
c1600-k8sy-mz.122-1a.bin)

Rgds!
Long.

----- Original Message -----
From: Sam Munzani <sam@xxxxxxxxxxx>
To: Nguyen Hoang Long <long.nguyen@xxxxxxxxxxxxxxxxxx>; Menga, Justin
<Justin.Menga@xxxxxxxxxx>; <ccielab@xxxxxxxxxxxxxx>
Sent: Friday, September 21, 2001 10:33 PM
Subject: Re: IPSec question: VPN client to Router


> Just for the heck of it try as below.
> Keep your configs as they are. However put a router between your client and
> ipsec router. All I can suspect now is IPSEC crypto map is not working for
> the packet leaving to your laptop. Have something like below.
>
> IPSEC Router    --- Router(Pretending ISP) --- Client
>
> IPSEC router points its def. g/w to ISP router and so does client PC. This
> should work.
>
> Sam
>
>
> > Let's talk about the original config:
> > Nothing appears on Client Log Viewer when I ping 10.10.10.1, error appears on
> > R1603
> >
> > I changed access-list:
> > <access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255>
> > from Client I can ping 10.10.10.0 but encryption does not happen.
> >
> > In my understanding, encryption should protect traffic from 129.100.101.73
> > (VPN client) to 10.10.1.0 (internal network).
> > Header w/ 10.10.10.0/24 is encapsulated inside 129.100.101.73 header (I
> > think you know what I mean)
> > suppose I have sniffer on Client to R1603, source address from Client to
> > R1603 should be 129.100.101.73, not 10.10.1.XXX
> >
> > So how .....?
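
Added example, not part of the original post or its replies: a simplified Python model of how a crypto ACL selects the packets a router protects, run against the ping in this thread. It assumes the usual crypto map behaviour (outbound packets are matched against the ACL as written, inbound cleartext packets against its mirror image); the function names and the swapped ACL entry are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

def parse_acl(line):
    """Parse 'access-list N permit ip <src> <dst>' into (src_net, dst_net)."""
    tok, nets = line.split()[4:], []
    while tok:
        if tok[0] == "host":            # host A.B.C.D
            nets.append(ip_network(tok[1] + "/32")); tok = tok[2:]
        elif tok[0] == "any":
            nets.append(ip_network("0.0.0.0/0")); tok = tok[1:]
        else:                           # network followed by wildcard mask
            nets.append(ip_network(f"{tok[0]}/{tok[1]}")); tok = tok[2:]
    return nets[0], nets[1]

def matches(acl, src, dst):
    """True if a packet src -> dst falls inside the ACL's source and destination."""
    return ip_address(src) in acl[0] and ip_address(dst) in acl[1]

def router_decision(acl, src, dst, direction):
    """Simplified model of what the IPSec router does with a cleartext packet.
    outbound: ACL applied as written; a match is sent through IPSec.
    inbound:  ACL applied mirrored (src/dst swapped); a cleartext packet that
              matches should have arrived encrypted, so it is dropped."""
    if direction == "outbound":
        return "encrypt" if matches(acl, src, dst) else "cleartext"
    return "drop" if matches((acl[1], acl[0]), src, dst) else "cleartext"

CLIENT, LOOPBACK = "129.100.101.73", "10.10.10.1"   # addresses from the post
POSTED = parse_acl("access-list 101 permit ip host 129.100.101.73 10.10.10.0 0.0.0.255")
# Constructed for comparison (not from the thread): same entry, source and destination swapped.
SWAPPED = parse_acl("access-list 101 permit ip 10.10.10.0 0.0.0.255 host 129.100.101.73")

def ping_trace(acl):
    """Echo request arriving from the client, then the echo reply leaving the router."""
    return (router_decision(acl, CLIENT, LOOPBACK, "inbound"),
            router_decision(acl, LOOPBACK, CLIENT, "outbound"))

if __name__ == "__main__":
    print("posted ACL :", ping_trace(POSTED))
    print("swapped ACL:", ping_trace(SWAPPED))
```

In this model the posted entry selects neither direction of the ping, so both packets travel in cleartext, while the swapped entry encrypts the reply and rejects an unprotected request.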