IPSec tunnel and join a LAN router

Similar Questions

• IPSec tunnel and NetFlow packets

  I have a router 1841 IPSec running with an ASA. F0/0 is the source interface. I also set up NetFlow, which must be sent through the IPSec tunnel to the parser. The acl setting the IPSec interesting traffic covers addresses, source and destination of NetFlow. But NetFlow Traffic is not captured by the tunnel. When I ping the destination router, icmp traffic is picked up and goes through the tunnel. Are there ways to force NetFlow traffic to go to the tunnel?

  Thank you.

  Y at - it a route to the destination address of netflow? I have noted problems with traffic heading towards a destination that was not in the routing table is not made down a VPN.

• Protection of IPSEC Tunnel and tunnel QOS shaping does no formatting.

  I have an implosion of the little brain as to why it won't work.

  I tried the QOS policy on tunnel interfaces and the ATM interface. No formatting occurs. Interfaces to transmit at their leisure.

  Please can someone have a better day me to tell me what I am doing wrong?

  Here is the config relevant (and standard). without the political order applied anywhere. Any help appreciated.

  ---------------------------------------------------------------------------------

  class-map correspondence-everything APPSERVEURS
  match the name of group-access TERMINALSERVERS
  class-map correspondence-any VOICE
  sip protocol game
  match Protocol rtp
  match dscp ef
  !
  !
  Policy-map QOSPOLICY
  class VOICE
  priority 100
  class APPSERVEURS
  33% of bandwidth
  class class by default
  Fair/salon-tail 16
  Policy-map of TUNNEL
  class class by default
  form average 350000
  QOSPOLICY service-policy
  !
  !
  interface Tunnel0
  bandwidth 350
  IP 172.20.58.2 255.255.255.0
  IP mtu 1420
  load-interval 30
  QoS before filing
  source of Dialer0 tunnel
  destination tunnel X.X.X.X
  ipv4 ipsec tunnel mode
  tunnel path-mtu-discovery
  Tunnel IPSECPROFILE ipsec protection profile
  !
  Tunnel1 interface
  bandwidth 350
  IP 172.21.58.2 255.255.255.0
  IP mtu 1420
  load-interval 30
  delay 58000
  QoS before filing
  source of Dialer0 tunnel
  destination tunnel Y.Y.Y.Y
  ipv4 ipsec tunnel mode
  tunnel path-mtu-discovery
  Tunnel IPSECPROFILE ipsec protection profile
  !
  !
  ATM0/0/0 interface
  no ip address
  load-interval 30
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 0/38
  aal5mux encapsulation ppp Dialer
  Dialer pool-member 1
  !
  !
  interface Dialer0
  bandwidth 400
  the negotiated IP address

  ---------------------------------------------------------------------------------------------------------

  Thank you

  Paul

  Paul,

  One of the reasons could be because of the VTI overload.

  That being said I don't know which is the way to go with your QoS:

  https://Tools.Cisco.com/bugsearch/bug/CSCsz63683/?reffering_site=dumpcr

  My suggestion: give it a try with 15.2 M/T and prosecute TAC with discount people rather than VPN QoS ;-)

  M.

• IPSEC tunnel and Routing Support protocols

  Hello world

  I read that IPSEC does not support routing with VPN's Site to the other protocols because both are Layer4.

  This means that if Site A must reach the B Site over a WAN link, we use static IP on the Site A and Site B router?

  In my lab at home I config Site to Site VPN systems and they work correctly using OSPF does that mean that IPSEC supports the routing protocol?

  IF someone can explain this please?

  OSPF config one side

  router ospf 1

  3.4.4.4 router ID

  Log-adjacency-changes

  area 10-link virtual 10.4.4.1

  passive-interface Vlan10

  passive-interface Vlan20

  3.4.4.4 to network 0.0.0.0 area 0

  network 192.168.4.0 0.0.0.255 area 10

  network 192.168.5.0 0.0.0.255 area 0

  network 192.168.10.0 0.0.0.255 area 0

  network 192.168.20.0 0.0.0.255 area 0

  network 192.168.30.0 0.0.0.255 area 0

  network 192.168.98.0 0.0.0.255 area 0

  network 192.168.99.0 0.0.0.255 area 0

  3550SMIA #sh ip route

  Code: C - connected, S - static, mobile R - RIP, M-, B - BGP

  D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

  N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

  E1 - OSPF external type 1, E2 - external OSPF of type 2

  i - IS - Su - summary IS, L1 - IS - IS level 1, L2 - IS level - 2

  -IS inter area, * - candidate failure, U - static route by user

  o - ODR, P - periodic downloaded route static

  Gateway of last resort is 192.168.5.3 to network 0.0.0.0

  192.168.12.0/24 [13/110] through 192.168.5.3, 3d17h, FastEthernet0/11

  100.0.0.0/32 is divided into subnets, subnets 1

  O 100.100.100.100 [110/3] through 192.168.5.3, 3d17h, FastEthernet0/11

  3.0.0.0/8 is variably divided into subnets, 2 subnets, 2 masks

  O 3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11

  C 3.4.4.0/24 is directly connected, Loopback0

  C 192.168.30.0/24 is directly connected, Vlan30

  64.0.0.0/32 is divided into subnets, subnets 1

  O E2 64.59.135.150 [110/300] through 192.168.5.3, 1d09h, FastEthernet0/11

  4.0.0.0/32 is divided into subnets, subnets 1

  O 4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11

  C 192.168.10.0/24 is directly connected, Vlan10

  172.31.0.0/24 is divided into subnets, 4 subnets

  O E2 172.31.3.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

  O E2 172.31.2.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

  O E2 172.31.1.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

  O E2 172.31.0.0 [110/300] through 192.168.5.3, 3d17h, FastEthernet0/11

  O 192.168.11.0/24 [110/3] through 192.168.5.3, 3d17h, FastEthernet0/11

  O 192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8

  C 192.168.99.0/24 is directly connected, FastEthernet0/8

  192.168.20.0/24 C is directly connected, Vlan20

  192.168.5.0/31 is divided into subnets, subnets 1

  C 192.168.5.2 is directly connected, FastEthernet0/11

  C 10.0.0.0/8 is directly connected, Tunnel0

  192.168.6.0/31 is divided into subnets, subnets 1

  O 192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11

  192.168.1.0/24 [13/110] through 192.168.5.3, 3d17h, FastEthernet0/11

  O * E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11

  B side Config

  Side A

  router ospf 1

  Log-adjacency-changes

  network 192.168.97.0 0.0.0.255 area 0

  network 192.168.98.0 0.0.0.255 area 0

  network 192.168.99.0 0.0.0.255 area 0

  1811w # sh ip route

  Code: C - connected, S - static, mobile R - RIP, M-, B - BGP

  D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

  N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

  E1 - OSPF external type 1, E2 - external OSPF of type 2

  i - IS - Su - summary IS, L1 - IS - IS level 1, L2 - IS level - 2

  -IS inter area, * - candidate failure, U - static route by user

  o - ODR, P - periodic downloaded route static

  Gateway of last resort is 192.168.99.2 to network 0.0.0.0

  192.168.12.0/24 [110/14] through 192.168.99.2, 3d17h, FastEthernet0

  100.0.0.0/32 is divided into subnets, subnets 1

  O 100.100.100.100 [110/4] through 192.168.99.2, 3d17h, FastEthernet0

  3.0.0.0/32 is divided into subnets, 2 subnets

  O 3.3.3.3 [110/3] through 192.168.99.2, 3d17h, FastEthernet0

  O 3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  O 192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  64.0.0.0/32 is divided into subnets, subnets 1

  O E2 64.59.135.150 [110/300] through 192.168.99.2, 1d09h, FastEthernet0

  4.0.0.0/32 is divided into subnets, subnets 1

  O 4.4.4.4 [110/3] through 192.168.99.2, 3d17h, FastEthernet0

  O 192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  172.31.0.0/24 is divided into subnets, 4 subnets

  O E2 172.31.3.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

  O E2 172.31.2.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

  O E2 172.31.1.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

  O E2 172.31.0.0 [110/300] through 192.168.99.2, 3d17h, FastEthernet0

  O 192.168.11.0/24 [110/4] through 192.168.99.2, 3d17h, FastEthernet0

  C 192.168.98.0/24 is directly connected, BVI98

  C 192.168.99.0/24 is directly connected, FastEthernet0

  O 192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  192.168.5.0/31 is divided into subnets, subnets 1

  O 192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0

  192.168.6.0/31 is divided into subnets, subnets 1

  O 192.168.6.2 [110/3] through 192.168.99.2, 3d17h, FastEthernet0

  192.168.1.0/24 [110/14] through 192.168.99.2, 3d17h, FastEthernet0

  O * E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0

  Thank you

  Mahesh

  Mahesh.

  Indeed, solution based purely crypto-card are not compatible with a routing protocol.  Crypto card however is the legacy config we support on IOS. The best practice is to use the protection of tunnel. Any routing protocol would work then.

  for example

  https://learningnetwork.Cisco.com/docs/doc-2457

  It's the best solution we currenty have

• client ipSec VPN and NAT on the router Cisco = FAIL

  I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client.  The same router is NAT.

  ipSec logs, but can not reach the internal network unless NAT is disabled on the inside interface.  But I need both at the same time.

  Suggestions?

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group myclient

  key password!

  DNS 1.1.1.1

  Domain name

  pool myVPN

  ACL 111

  !

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

  !

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  market arriere-route

  !

  !
  list of card crypto clientmap client VPN - AAA authentication
  card crypto clientmap AAA - VPN isakmp authorization list
  client configuration address map clientmap crypto answer
  10 ipsec-isakmp crypto map clientmap Dynamics dynmap
  !

  interface Loopback0
  IP 10.88.0.1 255.255.255.0
  !
  interface GigabitEthernet0/0
  / / DESC it's external interface

  IP 192.168.168.5 255.255.255.0
  NAT outside IP
  IP virtual-reassembly
  automatic duplex
  automatic speed
  media type rj45
  clientmap card crypto
  !
  interface GigabitEthernet0/1

  / / DESC it comes from inside interface
  10.0.1.10 IP address 255.255.255.0
  IP nat inside<=================ipSec client="" connects,="" but="" cannot="" reach="" interior="" network="" unless="" this="" is="">
  IP virtual-reassembly
  the route cache same-interface IP
  automatic duplex
  automatic speed
  media type rj45

  !

  IP local pool myVPN 10.88.0.2 10.88.0.10

  p route 0.0.0.0 0.0.0.0 192.168.168.1
  IP route 10.0.0.0 255.255.0.0 10.0.1.4
  !

  IP nat inside source list 1 interface GigabitEthernet0/0 overload
  !
  access-list 1 permit 10.0.0.0 0.0.255.255
  access-list 111 allow ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
  access-list 111 allow ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

  Hello

  I think that you need to configure the ACL default PAT so there first statemts 'decline' for traffic that is NOT supposed to be coordinated between the local network and VPN pool

  For example, to do this kind of configuration, ACL and NAT

  Note access-list 100 NAT0 customer VPN
  

  access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
  

  Note access-list 100 default PAT for Internet traffic
  

  access-list 100 permit ip 10.0.1.0 0.0.0.255 ay

  overload of IP nat inside source list 100 interface GigabitEthernet0/0

  
  EDIT: seem to actually you could have more than 10 networks behind the router

  Then you could modify the ACL on this

  Note access-list 100 NAT0 customer VPN
  

  access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
  

  Note access-list 100 default PAT for Internet traffic
  

  access-list 100 permit ip 10.0.1.0 0.0.255.255 ay

  Don't forget to mark the answers correct/replys and/or useful answers to rate

  -Jouni

• Public static IPsec tunnel between two routers cisco [VRF aware]

  Hi all

  I am trying to configure static IPsec tunnel between two routers. Router R1 has [no VRF] only global routing table.

  Router R2 has two routing tables:

  * vrf INET - used for internet connectivity

  * global routing table - used for VPN connections

  Here are the basic configs:

  R1

  crypto ISAKMP policy 1
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  ISAKMP crypto key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
  invalid-spi-recovery crypto ISAKMP
  !
  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
  transport mode
  !
  Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
  game of transformation-TRSET_AES-256_SHA
  !
  interface Loopback0
  10.0.1.1 IP address 255.255.255.255
  IP ospf 1 zone 0
  !
  interface Tunnel0
  IP 192.168.255.34 255.255.255.252
  IP ospf 1 zone 0
  source of tunnel FastEthernet0/0
  tunnel destination 203.0.0.3
  ipv4 ipsec tunnel mode
  Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
  !
  interface FastEthernet0/0
  IP 102.0.0.1 255.255.255.0

  !

  IP route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

  #######################################################

  R2

  IP vrf INET
  RD 1:1
  !
  Keyring cryptographic test vrf INET
  address of pre-shared-key 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
  !
  crypto ISAKMP policy 1
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  invalid-spi-recovery crypto ISAKMP
  crypto isakmp profile test
  door-key test
  function identity address 102.0.0.1 255.255.255.255
  !
  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac TRSET_AES-256_SHA
  transport mode
  !
  Crypto ipsec TUNNEL-IPSEC-PROTECTION profile
  game of transformation-TRSET_AES-256_SHA
  Test Set isakmp-profile
  !
  interface Loopback0
  IP 10.0.2.2 255.255.255.255
  IP ospf 1 zone 0
  !
  interface Tunnel0
  IP 192.168.255.33 255.255.255.252
  IP ospf 1 zone 0
  source of tunnel FastEthernet0/0
  tunnel destination 102.0.0.1
  ipv4 ipsec tunnel mode
  tunnel vrf INET
  Ipsec TUNNEL-IPSEC-PROTEC protection tunnel profile
  !
  interface FastEthernet0/0
  IP vrf forwarding INET
  IP 203.0.0.3 255.255.255.0

  !

  IP route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

  #######################################################

  There is a router between R1 and R2, it is used only for connectivity:

  interface FastEthernet0/0
  IP 102.0.0.2 255.255.255.0
  !
  interface FastEthernet0/1
  IP 203.0.0.2 255.255.255.0

  The problem that the tunnel is not coming, I can't pass through phase I.

  The IPsec VPN are not my strength. So if someone could show me what mistake I make, I'd appreciate it really.

  I joined ouptup #debug R2 crypto isakmp

  Source and destination Tunnel0 is belong to VRF INET, the static route need to be updated.

  IP route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

  crypto isakmp profile test

  VRF INET

  door-key test
  function identity address 102.0.0.1 255.255.255.255

• Decision on DMVPN and L2L simple IPsec tunnels

  I have a project where I need to make a decision on which solution to implement... environment is as follows...

  • 4 branches.
  • Each branch has 2 subnets; one for DATA and another for VOICE
  • 2 ISPS in each (an Internet access provider and a provider of MPLS)
  • Branch #1 isn't necessarily the HUB office that all database servers and files are there are
  • Branch #2 is actually where the phone equipment
  • Other 2 branches are just branches speaks (may not need never DATA interconnectivy, but they do need interconnection VOICE when they call since we spoke directly to the other)
  • MPLS is currently used for telephone traffic.
  • ISP provider link is used for site to site tunnels that traverse the internet, and it is the primary path for DATA. Means that all branch DATA subnets use the tunnels from site to site as main road to join the #1 branch where all files and databases are located.
  • I'd like to have redundancy in case the network MPLS down for all traffic VOICE switch to L2L tunnels.

  My #1 Option

  Because it isn't really a star to the need, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason, I would have perhaps against DMVPN is the 'delay' involved, at least during initialization, communications having spoke-to-spoke. There is always a broken package when a department wants to initiate communication with one another.

  My #2 Option

  My other choice is just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these Plains L2L IPSec tunnels, I can also add the GRE tunnels and the routing of traffic protocols it as well as all multicast traffic. In addition, I can easily install simple IP SLA that will keep all tunnels upwards forever.

  Can someone please help to choose one over the other is? or if I'm just okay with the realization of the #2 option

  Thanks in advance

  Hi ciscobigcat

  Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.

  The numbers that you see (143 and 1001) are the "cost" of the track, so OSPF (Simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" Fastethernet and then adding the costs of all segments).

  Then it will take the path to the lowest cost (143 in your case, in normal operation) and insert this in the routing table.

  So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, makes things more complicated.

  QoS, it is important to use "prior qos rank".

  See for example

  http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

  http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

  HTH

  Herbert

• IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static

  Hello

  My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:

  "Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)

  NAT takes place before the encryption verification!

  In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?

  Thanks for any help

  Best regards

  Heiko

  Hello

  Try to change your static NAT with static NAT based policy.

  That is to say the static NAT should not be applicable for VPN traffic

  permissible static route map 1

  corresponds to the IP 104

  access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0

  access-list 104 allow the host ip 10.1.110.10 all

  IP nat inside source static 10.1.110.10 81.222.33.90 map of static route

  HTH

  Kind regards

  GE.

• Policy Nat and IPSec tunnel

  Hello

  I have a Cisco IOS router and you want to configure an IPSec tunnel between myself and the client.  Unfortunately, we have two overlapping of 10 network IP addresses.

  Is it possible for me to just Nat addresses IP on my side or should the customer Nat as well?

  I have configured NAT on the inside of the interface for 10.134.206.1 to 192.168.156.6 so that Nat happens before that packages are encrypted in the tunnel, however tunnel is not coming.    The client uses a sonic firewall and allowed their 10.91.0.0/16 network 192.168.156.0/24.

  See attachment

  Kind regards

  They are wrong to installation.  Remote local networks are not 10.134.206.0 and 10.134.206/42.  It is simply your public IP address.

• Deployment to connect on a router that is already running an ssh IPSec tunnel

  I have a bunch of routers that have been made (by someone else!) with Internet IPsec tunnels to the base, but with a telnet vty access network. It must be updated so that only ssh is available for use vty.

  Its pretty easy to deploy ssh, but part of the task is to generate an encryption key, "generate the rsa encryption key" etc, if I try to do the configuration without this command, I get an error message asking me to do.

  And there is the problem: when I generate a key, it screws the existing IPsec tunnel somehow. Worse still, is not do so immediately, he's waiting for an indefinite period, probably (I guess) until after the tunnel IPsec has been idle for a period and has stopped/started, while I * think * is happening is that on the re-opening of the tunnel, he picks up the wrong key, and the other end kills the link. Newspapers have nothing relevant in them, and I always try to have the failure occur on a router running the debugging.

  Has anyone tried to do this before update? should we put ssh first, and then rebuild the config of IPsec tunnel?

  Thanks for your ideas/comments

  Jim

  If the IPSec VPN using certificate authentication, RSA keys regeneration may be bad. Without knowing your IPSec configuration, I would say that the best approach would be to generate an SSH key that will not interfere with it. Try something like this:

   crypto key generate rsa modulus 2048 label RSA_Key_SSH ip ssh rsa keypair-name RSA_Key_SSH

  This will generate a new key, which is independent of any existing keys and configure SSH to use.

• PIX IPSec tunnel - IOS, routing Options

  Hello

  I have an IPSec Tunnel between a PIX firewall and a router Cisco 1721.

  Have I not all options about any routing protocol can I use?

  Are there plans to add GRE support to PIX, so that EIGRP, OSPF can be used?

  ------Naman

  Here's a URL that tells how to configure GRE over IPSEC with OSPF. http://www.Cisco.com/warp/public/707/gre_ipsec_ospf.html

• IPSec tunnels between duplicate LAN subnets

  Hi all

  Please help to connect three sites with our Central site has all the resources for users, including internet access.

  The three sites will be the ASA 5505 like their WAN device.

  We need to know is - it possible, allowing to configure an IPsec Tunnel between the three ASA with duplicate LAN subnets.

  Central site two networks 192.168.1.x 24, 192.168.100.x 24

  Distance a 24 192.168.1.x subnet

  Two remote a subnet 192.168.100.x 24

  If it is possible we also do hair distance one ping, above two remote to the Central Site to access internet, what sites need are on the Central Site, including e-mail, network, other resource also records.

  We have no other way to make this network, as all security is on our Central Site, website filtering, Application filtering, filtering of network traffic all.

  We understand that we can change two remote sites to a different subnet from the Central Site, but we have so many host devices, it will take weeks or months, so to change the MS AD domain for all users, servers too.

  We really need your expertise to do this in a laboratory and then in production.

  Thank you

  Hello Stephen,

  You can check the following links for the subnets overlap talk to each other:-

  1 LAN-to-LAN IPsec VPN with overlapping networks

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

  2 IPsec between two IOS routers with overlapping of private networks

  http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

  Important point is local network must connect to the remote network via the translated addresses.

  for example, you won't be ablt to use real IP of the communication.

  For haripinning or turning U:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

  Hope that helps.

  Kind regards

  Dinesh Moudgil

• How to disable a particular IPSec tunnel on Cisco router

  Hi guys,.

  Someone knows a way to termporarily disable an IPSec tunnel on a Cisco router provided individual:

  -No configuration changes

  -Without affecting the other IPSec tunnels running

  -GRE is not used, so there is no tunnel interface to close

  Or in any event nearest to you to meet the requirement above?

  Thank you

  Andrew

  Andrew,

  There is no way to 'turn off' the tunnel without changing the config.

  I think the easiest would be to get the card crypto for this particular tunnel and remove the peer or the ACL:

  for example:

  labmap 10 ipsec-isakmp crypto map

  no counterpart set 10.0.0.1

  labmap 10 ipsec-isakmp crypto map

  no correspondence address 100

  or you can remove the key isakmp for this tunnel, that would, for example:

  No cisco123 key crypto isakmp 10.0.0.1 address

  That would prevent the tunnel to come without affecting the other tunnels.

  I hope this helps.

  Raga

• DMVPN Tunnel and EIGRP routing problem

  I have redundant paths to a remote 2811 router on my network of sites.  The first links is a T1 frame relay connection that has been in place for years, and the new link is on a 54 Mbps fixed wireless that was recently created.

  I'm under EIGRP to my process of routing protocol 100 for the two links.

  I installed a DMVPN Tunnel between the remote 2811 and no. 2851 router on my host site.  The tunnel interface shows to the top and to the top of both sides and I can ping the IP remote tunnel of my networks side host.

  However my eigrp routes are not spread over this new tunnel link and if I run a command show ip eigrp neighbor on each router I show only the neighbor for the frame relay link and not the new wireless link.

  What I'm missing here?

  A tunnel0 to see the shows the following:

  Tunnel0 is up, line protocol is up
  Material is Tunnel
  The Internet address is 10.x.x.x/24
  MTU 1514 bytes, BW 54000 Kbps, DLY 10000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  KeepAlive not set
  Tunnel source (FastEthernet0/1), destination 172.x.x.x 10.x.x.x
  Tunnel/GRE/IP transport protocol
  Key 0x186A0, sequencing of the people with reduced mobility
  Disabled packages parity check
  TTL 255 tunnel
  Quick tunneling enabled
  Tunnel of transmission bandwidth 8000 (Kbps)
  Tunnel to receive 8000 (Kbps) bandwidth
  Tunnel of protection through IPSec (profile "CiscoCP_Profile1")
  Last entry of 00:00:01, exit ever, blocking of output never
  Final cleaning of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/dumps); Total output drops: 947
  Strategy of queues: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bps, 0 packets/s
  5 minute output rate 0 bps, 0 packets/s
  packages of 880, 63000 bytes, 0 no buffer entry
  Received 0 broadcasts, 0 Runts, 0 Giants 0 shifters
  errors entry 0, 0 CRC, overgrown plot of 0, 0, 0 ignored, 0 abort
  output of 910 packages, 81315 bytes, 0 underruns
  0 output errors, 0 collisions, 0 resets interface
  unknown protocol 0 drops
  output buffer, the output buffers 0 permuted 0 failures

  Please go ahead and add a static route on the hub, so it goes through the wireless link and let me know if everything works correctly.

  Federico.

• IPSec tunnel between a client connection mobility and WRV200

  Someone has set up an IPSec tunnel between a client connection mobility and WRV200? I can't get the right configuration.

  Agitation, these products are treated by the Cisco Small Business support community. Please refer to the URL: https://supportforums.cisco.com/community/netpro/small-business