Routing IPSec problem?

Hi all. I have a problem with an IPSec tunnel that I am trying to create between two sites. Transform sets and pre-shared keys have been configured, and the tunnel came up briefly last night. The problem is that I can't ping across the tunnel to the private network. I send a ping and it goes out the public interface rather than being encrypted into the tunnel. Both sides are using RFC 1918 addresses, but from different ranges, so routing should not be a problem in this regard. I specify the interesting traffic for IPSec using an ACL as follows:

ip access-list extended IPSEC
 permit ip 172.16.86.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip any any

and the crypto map uses "match address IPSEC".

The IPSEC ACL shows no matches. Does anyone have any ideas? Thank you.

It seems that the order of the two lines in access list 111 is backwards. Because the first line is more general than the second, the second will never be used and you'll always NAT traffic from your 172.16.86.0 hosts, even if the traffic is destined for a 192.168 address through the VPN. Swap the two lines, and I bet it'll start working.

Note that you must be careful when you make changes to an ACL used for NAT and VPN, since removing such a list is equivalent to "permit ip any any" and can cause you to be disconnected and locked out of the router if you are remote. It is safer to remove the NAT statement and/or the crypto map from the interface in question before making changes on a remote router.

HTH - good luck!
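As an added illustration of the reply above (example code written for this page, not from the original thread and not Cisco code): a small Python model of IOS first-match ACL evaluation, run over the poster's crypto ACL and the two possible orderings of NAT access list 111. The public address, the ACL text and the packet flows are constructed; the model covers only "ip" entries with any/host/wildcard addresses, and it applies the inside-to-outside order of operations (NAT before the crypto-map match) that the reply relies on.

```python
"""Model of IOS first-match ACL evaluation for a NAT ACL and a crypto ACL.

Added example, not from the original thread. The public address, the ACL
text and the packet flows below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: int         # source network address as an int
    src_wild: int    # wildcard mask as an int (1 bits = don't care)
    dst: int
    dst_wild: int


def _parse_addr(tokens):
    """Consume one IOS address specifier: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse '[access-list N] permit|deny ip SRC DST' lines (IPv4, protocol 'ip' only)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]          # drop 'access-list' and the list number
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        rest = tokens[2:]
        src, src_wild = _parse_addr(rest)
        dst, dst_wild = _parse_addr(rest)
        aces.append(Ace(action, src, src_wild, dst, dst_wild))
    return aces


def _wild_match(addr, net, wild):
    """IOS wildcard match: compare only the bits that are 0 in the wildcard mask."""
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_verdict(aces, src, dst):
    """First matching ACE wins; no match is an implicit deny, as on IOS."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _wild_match(s, ace.src, ace.src_wild) and _wild_match(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def forward(nat_aces, crypto_aces, src, dst, public_ip):
    """Inside-to-outside order of operations: NAT first, then the crypto-map match.

    A 'permit' in the NAT ACL translates the source; a 'deny' exempts it from NAT.
    The crypto ACL is evaluated on the packet as it looks after NAT.
    """
    if acl_verdict(nat_aces, src, dst) == "permit":
        src = public_ip
    encrypted = acl_verdict(crypto_aces, src, dst) == "permit"
    return src, encrypted


# Constructed ACLs. NAT_ACL_WRONG is the order described in the question:
# the general permit shadows the VPN exemption below it.
NAT_ACL_WRONG = """
access-list 111 permit ip 172.16.86.0 0.0.0.255 any
access-list 111 deny   ip 172.16.86.0 0.0.0.255 192.168.0.0 0.0.255.255
"""
NAT_ACL_FIXED = """
access-list 111 deny   ip 172.16.86.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 111 permit ip 172.16.86.0 0.0.0.255 any
"""
CRYPTO_ACL = """
permit ip 172.16.86.0 0.0.0.255 192.168.0.0 0.0.255.255
deny   ip any any
"""
PUBLIC_IP = "203.0.113.10"   # assumed outside address (documentation range)


def demo():
    """Run one VPN-bound and one Internet-bound flow through both NAT ACL orderings."""
    results = {}
    crypto = parse_acl(CRYPTO_ACL)
    for name, text in (("wrong", NAT_ACL_WRONG), ("fixed", NAT_ACL_FIXED)):
        nat = parse_acl(text)
        results[name] = {
            "to_vpn": forward(nat, crypto, "172.16.86.10", "192.168.5.20", PUBLIC_IP),
            "to_internet": forward(nat, crypto, "172.16.86.10", "198.51.100.7", PUBLIC_IP),
        }
    return results


if __name__ == "__main__":
    for order, flows in demo().items():
        for flow, (src, enc) in flows.items():
            print(f"{order:5} {flow:12} src after NAT={src:15} encrypted={enc}")
```

With the original order the "permit ... any" line shadows the deny, the source is translated to the public address and the crypto ACL never matches, which is the "no matches" symptom in the question; after the swap the VPN-bound packet is exempted from NAT and is encrypted, while Internet-bound traffic is still translated.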

Tags: Cisco Security

Similar Questions

  • LRT224 with IPSEC problem - not

    Hi, I have the following router: a Linksys LRT224.

    I want to configure IPSec tunnels (per user or per group).

    OpenVPN works great for users, but it is limited to 5! That's why I want more VPN tunnels.

    So I configured the IPSec tunnel, and I connect very well with either the tunnel or the VPN group.

    The problem is:

    - The client cannot ping the network

    - LRT224 / VPN:

    The summary information always shows the tunnel connection as pending, even though the IPSec client (Shrew) connects; its log shows: (c2gips1) [2] IP:660 #61: [created Tunnel] ISAKMP Security Association established

    - When I use the VPN group, I see the client connected, but I can't ping from the client to the router's network/subnet, or vice versa.

    In advanced routing, I can see the IP address of the connected client...

    I also used the doc http://support.linksys.com/en-eu/support/business/LRT224 ...

    In the Shrew VPN network configuration, I set:

    Auto Config: Disabled, and use an existing adapter and current address

    Please let me know... help! Thank you

    I have done some testing and think it works great. With this feature, you can have 45 additional VPN tunnels, as you mention. I tested with two devices connected at the same time on different IPSec tunnels, and both were able to ping devices on the remote LAN.

    Hardware used:

    1. LRT224
    2. Windows 7 x64 Desktop
    3. HP Jet 7 Tablet
    4. LAPN300
    5. Galaxy S4

    VPN client:

    1. Shrew Soft VPN Client app for Windows
    2. Show Me How instructions

    LRT224 VPN client gateway configuration:

    Shrew VPN Client configuration:

  • Subnet VPN IPSec problem

    Hello

    I am configuring a site-to-site VPN connection using a pre-shared key. The VPN connection comes up and runs, but I'm having problems with routing information between subnets.

    Our subnet is 192.168.1.0 and we cannot use that subnet for the VPN. Because of this, we use 10.240.86.33 as the source of the IPSec traffic, and the destination network (PC) is 164.2.107.56.

    We cannot connect to the 164.2.107.56 computer; can someone help us accomplish this?

    Our configuration is below:

    interface FastEthernet0/0
     description $FW_OUTSIDE$
     ip address 200.111.XXX.XXX 255.255.255.248
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     no mop enabled
     crypto map SDM_CMAP_1
     service-policy output SDM-QoS-Policy-1
    !
    interface FastEthernet0/1
     description $ES_LAN$ $FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     no mop enabled
    !
    router eigrp 1
     network 10.0.0.0
     network 192.168.1.0
     no auto-summary
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 200.111.XXX.XXX 2
    !
    !
    ip http server
    no ip http secure-server
    ip nat pool INTERNET 200.111.XXX.XXX 200.111.XXX.XXX netmask 255.255.255.248
    ip nat inside source route-map SHEEP pool INTERNET overload
    ip nat inside source static network 192.168.1.0 164.2.107.0 /24
    ip nat inside source static 192.168.1.104 200.111.XXX.XXX
    ip nat outside source static network 10.240.86.0 192.168.1.0 /24
    !
    logging trap debugging
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 15 permit 200.6.103.241
    access-list 15 permit 192.168.1.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 10.240.86.0 0.0.0.255 164.2.107.56 0.0.0.1
    no cdp run
    !
    !
    route-map SHEEP permit 10
     match ip address 10
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 150
    !
    !
    !

    Hello

    Is this the router that terminates the VPN tunnel? (I don't see the VPN configuration.)

    Since you can't use your real LAN address, you need to NAT before you send the traffic through the tunnel.

    First, you apply the NAT rule to translate 192.168.1.0/24 to 10.240.86.33 when going to 164.2.107.56:

    ip access-list extended NAT
     permit ip 192.168.1.0 0.0.0.255 host 164.2.107.56
    !
    route-map NAT permit 10
     match ip address NAT
    !
    ! a NAT pool is defined with 'ip nat pool' (not 'ip local pool')
    ip nat pool VPNPool 10.240.86.33 10.240.86.33 netmask 255.255.255.0
    ip nat inside source route-map NAT pool VPNPool overload

    Next, you create the ACL for the interesting traffic, matching the translated address to the address at the other site:

    ip access-list extended VPN
     permit ip host 10.240.86.33 host 164.2.107.56

    Let us know the results.

    Federico.
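An added example (not part of Federico's reply, and not Cisco code) modelling the order of operations his answer depends on: policy NAT through the route-map runs on the inside-to-outside path before the crypto map's "match address" is consulted, so the crypto ACL has to name the translated host 10.240.86.33 rather than the real LAN. It uses CIDR prefixes instead of wildcard masks; the Internet-facing public address, the host ports and the flows are constructed, and PAT port allocation is simplified to a counter.

```python
"""Policy NAT ahead of a site-to-site tunnel, and why the crypto ACL must match
the translated source.

Added example, not from the thread. Addresses other than those quoted in the
thread (192.168.1.0/24, 10.240.86.33, 164.2.107.56) are constructed.
"""
import ipaddress
from itertools import count

VPN_NAT_IP = "10.240.86.33"        # single-address pool VPNPool from the reply
INTERNET_NAT_IP = "203.0.113.9"    # assumed public address behind 'pool INTERNET'


def in_net(addr, spec):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


# 'ip nat inside source route-map ... pool ... overload' entries, in evaluation
# order: (route-map name, source prefix, destination prefix, translated source)
ROUTE_MAPS = [
    ("NAT",   "192.168.1.0/24", "164.2.107.56/32", VPN_NAT_IP),       # toward the tunnel peer
    ("SHEEP", "192.168.1.0/24", "0.0.0.0/0",       INTERNET_NAT_IP),  # everything else
]

# crypto-map 'match address' entries, evaluated on the post-NAT packet
CRYPTO_ACL = [("10.240.86.33/32", "164.2.107.56/32")]

_pat_ports = count(40000)   # simplified PAT source-port allocator
_xlate = {}                 # (translated src, translated port) -> (real src, real port)


def apply_nat(src, sport, dst):
    """Translate an inside-to-outside packet with the first matching route-map."""
    for name, s, d, new_src in ROUTE_MAPS:
        if in_net(src, s) and in_net(dst, d):
            new_port = next(_pat_ports)
            _xlate[(new_src, new_port)] = (src, sport)
            return new_src, new_port, name
    return src, sport, None


def is_interesting(src, dst):
    """Crypto ACL check: does the (post-NAT) packet belong in the tunnel?"""
    return any(in_net(src, s) and in_net(dst, d) for s, d in CRYPTO_ACL)


def egress(src, sport, dst, nat_first=True):
    """IOS inside->outside order: NAT, then crypto-map match on the result."""
    if nat_first:
        tsrc, tport, rm = apply_nat(src, sport, dst)
    else:
        tsrc, tport, rm = src, sport, None   # what happens with no NAT rule at all
    return {"src": tsrc, "sport": tport, "route_map": rm,
            "encrypted": is_interesting(tsrc, dst)}


def ingress_reply(dst, dport):
    """Undo the translation for a reply from the peer (after decryption)."""
    return _xlate.get((dst, dport))


def demo():
    out = {
        "lan_to_remote": egress("192.168.1.104", 51000, "164.2.107.56"),
        "lan_to_internet": egress("192.168.1.104", 51001, "198.51.100.20"),
        "remote_without_nat": egress("192.168.1.104", 51002, "164.2.107.56", nat_first=False),
    }
    r = out["lan_to_remote"]
    out["reply_untranslated"] = ingress_reply(r["src"], r["sport"])
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")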

  • HSRP with GRE ipsec problems

    I have the following scenario to connect my main HQ with other directorates:

    Two HQ routers run HSRP on their internal Gigabit interface and use WAN connections on serial interfaces to create site-to-site VPNs with the other branches using GRE over IPsec.

    I need to know whether this is the right configuration, or whether there is another way to do it.

    The following is a sample configuration of the active and standby routers and of the branch router.

    Active router

    crypto isakmp key password address 172.18.x.x

    crypto ipsec transform-set aes esp-aes esp-sha-hmac

    crypto map secure 13 ipsec-isakmp
     set peer 172.18.x.x
     set transform-set aes
     match address 101

    interface Tunnel3
     description branch01
     ip address 10.100.30.1 255.255.255.0
     keepalive 10 3
     tunnel source 10.100.0.x
     tunnel destination 172.18.x.x
     crypto map secure

    interface GigabitEthernet0/0
     ip address 10.100.0.y 255.255.255.0
     duplex auto
     speed auto
     standby 1 ip 10.100.0.x
     standby 1 preempt

    interface Serial0/0/0.16 point-to-point
     ip address 172.20.x.x 255.255.255.252
     crypto map secure

    access-list 101 permit gre host 10.100.0.x host 172.18.x.x

    Standby router

    crypto isakmp key password address 172.18.x.x

    crypto ipsec transform-set aes esp-aes esp-sha-hmac

    crypto map secure 13 ipsec-isakmp
     set peer 172.18.x.x
     set transform-set aes
     match address 101

    interface Tunnel3
     description branch01
     ip address 10.100.30.3 255.255.255.0
     keepalive 10 3
     tunnel source 10.100.0.x
     tunnel destination 172.18.x.x
     crypto map secure

    interface GigabitEthernet0/0
     ip address 10.100.0.z 255.255.255.0
     duplex auto
     speed auto
     standby 1 ip 10.100.0.x
     standby 1 preempt

    interface Serial0/0/0.16 point-to-point
     ip address 172.19.x.x 255.255.255.252
     crypto map secure

    access-list 101 permit gre host 10.100.0.x host 172.18.x.x

    Branch router

    crypto isakmp key password address 172.20.x.x
    crypto isakmp key password address 172.19.x.x
    crypto isakmp key password address 10.100.0.x

    crypto ipsec transform-set aes esp-aes esp-sha-hmac

    crypto map secure 13 ipsec-isakmp
     set peer 172.19.x.x
     set peer 172.20.x.x
     set transform-set aes
     match address 101

    interface Tunnel3
     description branch01
     ip address 10.100.30.3 255.255.255.0
     keepalive 10 3
     tunnel source 172.18.x.x
     tunnel destination 10.100.0.x
     crypto map secure

    interface Serial0/0/0.16 point-to-point
     ip address 172.18.x.x 255.255.255.252
     crypto map secure

    access-list 101 permit gre host 172.18.x.x host 10.100.0.x

    I get lots of error messages on the active or standby router, and all the VPN settings are correct on the HQ and branch routers:

    %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 172.18.x.x

    In your current design, I can see HSRP used to provide HA for the outbound VPN path. For IPSec HA, HSRP is usually deployed when the WAN attachment is Ethernet. In that case, we can build the tunnel using the HSRP virtual address, giving a persistent IP address. The problem with your design is that, to reach the HSRP virtual IP address, you must cross a serial interface hosted on a single router. If this interface fails, or if there is a problem in the routed path between the crypto peers, you will never be able to reach the HSRP virtual IP address, so the resulting solution will fail.

    If this is the topology we must work with, then the only recommendation I can make is to incorporate IP SLA and tracking into your design. For example, you could track the state of the primary router's serial interface. If the interface fails, you could decrement the HSRP interface priority in order to force traffic to converge onto the backup router's path. With ISAKMP keepalives configured on the routers in the topology, the routers should be able to recognize the failure and time out the old SAs. Because the spoke is configured with two peers, the router can negotiate new SAs with the backup router. When the serial interface comes back online, you can have the primary router preempt after a delay. To detect indirect failures on the transit path, you could use an ICMP IP SLA and tracking instead. This design, however, should be properly tested for stability during the failover process.

  • Factory reset wireless router connection problems?

    Hello

    I recently did a factory reset on my HP6745f desktop running Win7 SP1, and I don't know if my problem is with HP or with Linksys/Cisco (my router). I already contacted Cisco support, who reported that the problem seems to be "an HP matter, a corrupt driver or other third-party issue" and then offered to help, for a price. I'm hoping to avoid that if possible.

    This desktop computer is directly connected to the router via an Ethernet cable. The Cisco software that I want to install to 'control' my router (called Cisco Connect) gives me a message when I try to install it saying: "We could not find your router" (so the software will not install), although I am accessing the internet through that router. Even if I enter my network name and password, it cannot find anything. I am also unable to access the router via my browser at "168.198.1.1".

    I am unable to connect wirelessly with the same desktop either, but my 2 wireless laptops have no connection problems at all, which leads me to believe it's something specific to my desktop PC.

    The Cisco Connect software had previously been installed on my desktop and worked fine. I guess my question is: does anyone have any suggestions for me? Could this be a driver problem? How can I identify what to 'check'?

    Any help would be greatly appreciated.

    I figured it out! My router can use a "network key" to connect other computers to the router. I guess when I reset my PC all this info was removed and the router could not communicate.

    I just created a network key on a USB flash drive from my laptop, plugged the USB into my desktop and presto, I reconnected properly. Thanks for the suggestions, I really appreciate the help.

  • Satellite Pro R50-B-114 - time to ping to router WLan problem

    Hello!

    I have a new Satellite Pro R50-B-114 laptop.
    Unfortunately, when I connected it to my home network (router), I noticed there is a problem with the wireless adapter.

    Sometimes everything works fine (ping ~1 ms to the router), but sometimes it changes completely (2000 to 3000 ms to the router).

    These problems are present even when I am 2-3 metres from the router.
    I'm sure this is a problem with the laptop, because my other devices / work cell phones work very well with this router.

    OS: Windows 7; drivers: updated.

    Does anyone have an idea of what's going on?

    Thanks in advance.

    Hmm... have you tried using different WLAN standards (802.11 a / ac / g or n)?

    If I am not mistaken, the laptop is equipped with a new-generation Intel Wireless-AC 3160 wireless network card that supports the 802.11 ac + agn standards.

    I recommend you check this setting.
    For the wireless network card, you must go to
    Device Manager -> WLAN card -> Properties -> Advanced tab
    Here you can change the WLAN standard as well as other settings.

    I would also recommend checking the WLAN standard in the WLAN router configuration, and ensuring that the same standard is used by the router and the wireless network card.

    Also, using a different WiFi encryption (WPA/WPA2, AES, TKIP) can improve performance.

  • Router connection problems

    Hello
    So I'm having a very frustrating problem connecting to my router. I can't connect to my router using the IP address or routerlogin.net after a certain period of time. If I restart my router, I can connect without any problems, do everything I need to do and everything is fine, but it seems that after a while my router starts to lag when I try to connect, and when I go to the page... I get "This page is not available" in Chrome.

    I tested with Chrome, Firefox and Safari (on Mac and PC, on the 2.4 and 5 GHz connections, as well as directly connected to the router). I also tried the same settings on an IBM computer, including with IE.

    The internet seems to work very well (I can even ping the default gateway), but whenever I create a new virtual machine on my test server, I need to assign a static IP address and need to connect, and I hate that I have to keep rebooting my router to do it.

    Is there a setting or something I am missing?
    Thanks in advance for any help.

    Hi Andy -

    The hard reset seems to have worked. Thank you!

    For the curious:

    The first thing that happened was the router looking for another router on the network. It found none and proceeded to reset the router to factory specifications.

    Once that came up, I restored my previous settings, which I had saved while I still had access to the router.

    Still curious, as it had been stable for the last month while I tested my old 3700 (which, by the way, works fine behind an AT&T router in my other house, with a lot more range and speed than the AT&T one).

    -Chuck

  • Pavilion dv4-2160us with Atheros AR9285 and D-Link WBR-2310 wireless router connection problem

    The notebook sometimes has a problem connecting to the router. This occurs when the notebook is booted from power-off, or when it comes out of power-saving mode after about a day since it was last connected. Although the Network and Sharing Center sees the network to connect to, it shows only "limited access". But if the router's power is cycled, then the connection is established. The driver for the Atheros AR9285 is up to date. The router firmware is the latest, v1.05.

    A test ping to Google ran continuously on the notebook and on a computer wired to the router, to isolate the problem. Whenever Google is pinged successfully, it displays a message with the response time in milliseconds. If the ping fails, the message is "Ping: transmit failed. General failure." It turned out that, while the test on the wired computer worked without a hitch, the notebook showed that, at the same time, the internet connection was lost during the connection time. It then recovered after a few pings. At another time, the internet connection was lost permanently without recovery, also during the connection time.

    Does anyone have the same problem?

    After changing the router's wireless security mode from WPA2 to WEP, the problem seems to have disappeared. It's been 3 days and the computer can still connect to the router. HP support says that the HP wireless network adapter works best with the WEP security setting.

  • Windows xp routing table problem

    I'm having a problem with the Windows routing tables on the PCs at my workplace.
    These computers are running Windows XP SP3, and the problem occurs when I change the default gateway.

    The PCs are on subnet 10.181.1.0/24 with d/g 10.181.1.11.
    With this configuration, the routing table on each PC works as expected [for example, it stores a route to its own subnet [10.181.1.0/24] but no route to other subnets [for example, it will not store a route to 10.180.1.0/24; it will simply send this traffic to the default gateway]].

    However, due to a network redesign, I need to change the default gateway for this LAN to 10.181.1.254. When I do this, something strange happens: the Windows routing table on each PC begins to store routes to the entire 10.0.0.0/8 network, even though the current config on the PC is still a /24 network [for example, 10.181.1.21/24, d/g 10.181.1.254]. It's as if, when I change the default gateway on the computer, Windows populates the routing table for the 10.181.1.0/24 subnet as if it were a classful 10.0.0.0/8 network.

    So what, right? I can still connect to other networks; the PC is just using a route stored in its local routing table instead of sending traffic to its default gateway. The problem is that we have a backup default gateway, 10.181.1.12, that we switch to if the primary gateway goes down. When we test failover to 10.181.1.12, the PCs still send non-local traffic to 10.181.1.11 [because they still have these routes stored locally in their Windows routing tables]. I want to send traffic to 10.181.1.254 [a layer 3 core switch, which then routes traffic to 10.181.1.11 or .12].

    I tried changing the default gateway to a range of IP addresses and the same problem occurs every time. I rebooted each PC after having changed its d/g and the problem remains the same. I tried deleting all the IP address information from the PC, then re-entering it with the new d/g, then restarting the PC, but the problem remains the same.

    So, to summarize, when I change the d/g on any PC on the 10.181.1.0/24 subnet, the computer's routing table begins to store routes in its local routing table to the classful 10.0.0.0/8 network, instead of just the classless 10.181.1.0/24 network.

    Has anyone encountered this before?

    Hi biglouie2010,

    Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please post your question in the TechNet Windows XP forum.

    http://social.technet.Microsoft.com/forums/en/itproxpsp/threads

  • Application of Router WRT160N problem loading with LELA

    I bought a WRT160N router and downloaded the software. Everything works fine with the router, but when I try to open the LELA shortcut on my desktop, I get nothing. LELA will open in the taskbar. I went to the executable files and tried to open it from there, and nothing. I went to the Vista Task Manager and looked at my running applications, and it shows an EasyLink icon labeled ALERT POPUP that is running, and also the Linksys EasyLink Advisor running. When I end the task for the alert popup, I can then open it with the shortcut.

    I hope I have not confused you.

    There is something called ALERT POPUP running in the background, preventing me from opening my LELA shortcut.

    Try this, McKieus:

    I had exactly the same problems that you described with technical support. I found this link in a post by Basiltoo on 12/15/2008. It worked for me. Previously, I had the "x86 machine" error when loading the software upgrade. I have a 64-bit system. There are still a few problems with some of the options, but most of the time it works. The link is http://update.linksys.com/autoupdate/

    I also uninstalled LELA through Add/Remove Programs and restarted before I installed the new version. The new version has a place where it asks if you have a 64-bit system. If you choose that, the download you receive will be correct and you should not get the 'x86' error.

    It also seems to shut down correctly in this new version.

    Good luck.

    It worked for me.

    BRICS

  • RE6500 installation problems (possible router compatibility problem?)

    I'm trying to set up an RE6500 at home. I have no problem seeing it on my computer when it creates its own wireless network, and I can start the installer very well, but the problem comes when I try to sign in and make the initial connection with my network. It is hidden, and I put in the correct password and security type, so I think it's maybe a compatibility issue with my router. I have a standard Verizon router; I'm fairly sure it's an Actiontec router. Any help would be great.

    For the initial installation of the RE6500, I do not recommend hiding your wireless network. Once the configuration is complete, you can hide it again. You should also give the RE6500 a static IP address so you can always connect to it.

  • E4200 (v1.0.05) IPSec problem

    Hello

    I cannot use my VPN (WatchGuard) client to connect to my office VPN through an E4200 v1 with the latest firmware.

    If I connect directly to the modem without the router, it's fine.

    All Security -> VPN Passthrough (IPSec, PPTP, L2TP) options are enabled.

    Can someone help me?

    Thank you.

    Your route changes with the router, as you have found out. Maybe it's some kind of MAC address routing on the ISP's side.

    Try cloning the MAC address of the computer that connects to the router.

  • New router BEFSR41 problems installing...

    I just installed a new version of my BEFSR41. I had a version 2 and now have a version 4.3. I have Road Runner internet and had no problem; I just picked up my old router and hooked up the new one. A restart of the modem and I was able to connect to the internet and my other 2 computers in the house. However, I can't access the configuration at 192.168.1.1; it won't let me past the password screen. I tried the default "admin" with no luck. Will a reset of the modem fix this problem without screwing up my internet connection and network...?

    Also, I had installed LELA, and when I installed the new router it showed it as a gateway instead of the BEFSR41 router as it showed before. I reinstalled, but still the same gateway description. I uninstalled the program.

    TIA

    Your router should have a blank username and the password "admin" (without the quotes).

    If this does not work, then the most likely cause of your problem is a computer software firewall problem. Go into your computer and temporarily disable your software firewall and see if that allows you to connect to your router. With some computer software firewalls, you will need to "trust" your router at 192.168.1.1.

    If you still have problems, read on:

    Here are my tips for connecting to your router:

    You do not need to be connected to the Internet to view the router's web pages. These web pages are built into the router.
    Use Internet Explorer; it usually works.
    JavaScript must be enabled.
    Use a computer that is wired to the router.
    On the non-working computer, temporarily disable your firewall software.

    If you use Zone Alarm, right-click on the ZA icon in the taskbar (bottom right of the screen), then click on "Shutdown ZoneAlarm" and see if that solves your problem. If this does not work, try the following with Zone Alarm: open the ZAISS control center, go to Privacy, then temporarily disable Ad Blocking and Cookie Control and see if that solves your problem.

    If you use Norton Internet Security with the Add-on Pack, don't forget to disable the Pop-up Blocker and Ad Blocker. Some users have reported that they needed to uninstall the entire Norton Add-on Pack.

    If you can't get anything at 192.168.1.1, then perhaps this is not the address of the router. Go to Start > All Programs > Accessories > Command Prompt.
    A black DOS window will appear. Type "ipconfig" (with no quotes) and press the Enter key. Look at the "Default Gateway". Is it 192.168.1.1? Point your browser to the "Default Gateway" address and you should be able to connect to your router.

    If the above fails, unplug your modem from the router, then try again. If that solves your problem, then most likely your modem is actually a "modem-router". Check whether your "modem" is using the same 192.168.1.x address space as your Linksys router. If this is the case, then report back with this problem and also specify the brand and exact model number of your modem.

    If all of the above fails, turn off your entire system, unplug it from the wall, wait a minute, then power it on and try again.

    If all the above tips fail, then reset the router to defaults: power down the router and unplug all the wires. Wait a minute. Power on the router, let it fully boot (1-2 minutes), then press and hold the reset button for 30 seconds, then release the button and allow the router to reset and reboot (2-3 minutes). Power off the router. Wait a minute. Connect one computer, by wire, to a LAN port of the router. Boot the system. It should work. Resetting the router to defaults will also reset your Internet connection type to the default.

    If the reset does not fix your system, then you must download and install (or reinstall) the latest firmware for your router. After the firmware update, you must reset the router to defaults, and then configure the router again from scratch. If you have saved a router configuration file, DO NOT use it.

  • Router WRT320N to a wired BEFSX41 router connection problem

    Hello, I never thought it would be so difficult. I have problems connecting a router (WRT320N) so it will be on the same network as my other wired firewall router (BEFSX41). The wireless router works fine, because it connects to the internet via the BEFSX41 router. However, the two routers do not see each other and I can't connect two computers, one wired and the other a wireless laptop, to the same network.

    The wired BEFSX41 router uses the IP address 192.168.1.1 and the wireless WRT320N router uses the IP address 192.168.0.1.

    Don't know what other information you need. I hope you can solve this problem for me.

    Thank you

    Mike

    For file sharing, it is always better to keep the network in the same subnet... Connect the BEFSX41 to an Ethernet port of the WRT router (LAN-to-LAN connection)... Visit this link for that. If the IP address of the main router is 192.168.1.1, then change the 2nd router's IP address to 192.168.1.2.

    Make sure that file and printer sharing is enabled... Also, make sure the computers are in the same workgroup...
    The default workgroup in Windows Vista has been renamed to WORKGROUP. In Windows XP, the default workgroup name is MSHOME...

  • the router firewall problem

    Hello

    Could you please be so kind as to help me with a problem I have with the firewall of my Linksys wireless router (Linksys WRT110)?

    Running the firewall test, I get this message:

    Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop and ignore such ping requests in order to better hide systems from hackers. This is strongly recommended, since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

    Thank you very much.

    Fred

    Thanks for the info. I ran the test on the Gibson Research site with a scan named ShieldsUp. But if you say it gives false results, I am happy; I don't want someone hacking into my system. My son is homeschooled through the internet, and for this school it would be a big problem if someone with bad intentions hacked in here and did who knows what.

    Thanks again.

    Fred
