Re: IPSec question: VPN client to Router posted 09/22/2001
Hi Sam Munzani,
It does not work, config is:
(loopback 0) IPSEC Router(Eth0) ------ (Eth1) Router (Eth0) ------- VPN
10.10.10.1/24 220.127.116.11 18.104.22.168 22.214.171.124
access-list 101 permit ip host 126.96.36.199 10.10.10.0 0.0.0.255
I even tried: access-list 101 permit ip any any
but from Client I can Ping to 10.10.10.1/24 w/o crypto process.
I turned back to the original config:
(loopback 0) IPSEC Router(Eth0 ------VPN CLient
10.10.10.1/24 188.8.131.52 184.108.40.206
with this network, previously I cannot ping from Client to 10.10.10.1, but
now I can ping w/o crypto, nothing changed (except I just re-install my
Windows 98 & VPN client)
Have you ever work on R1603 for IPSec ? I suspect that there's no actual
process for IPSec on Cisco1603 (my IOS is quite new:
----- Original Message -----
From: Sam Munzani <sam@xxxxxxxxxxx>
To: Nguyen Hoang Long <long.nguyen@xxxxxxxxxxxxxxxxxx>; Menga, Justin
Sent: Friday, September 21, 2001 10:33 PM
Subject: Re: IPSec question: VPN client to Router
> Just for the hack of it try as below.
> Keep your configs as it is. However put a router betweer your client and
> ipsec router. All I can suspect now is IPSEC crypto map is not working for
> the packet leaving to your laptop. Have something like below.
> IPSEC Router --- Router(Pretending ISP) --- Client
> IPSEC router points it's def. g/w to ISP router and so does client PC.
> should work.
> > Let's talk about the original config:
> > Nothing appears on Client Log Viewer when I ping 10.10.10.1, error
> > R1603
> > I changed access-list:
> > <access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255>
> > from Client I can ping 10.10.10.0 but encryption does not happens.
> > In my understanding, encryption should protect traffic from
> > (VPN client) to 10.10.1.0 (internal network).
> > Header w/ 10.10.10.0/24 is encapsulated in side 220.127.116.11 header
> > think you know what I mean)
> > suppose I have sniffer on Client to R1603, source address from Client to
> > R1603 should be 18.104.22.168, not 10.10.1.XXX
> > So how .....?
To unsubscribe from the CCIELAB list, send a message to
majordomo@xxxxxxxxxxxxxx with the body containing: