Routing IPSec problem?
Hi all. I have a problem with an IPSec tunnel that I am trying to create between two sites. Transform sets and pre-shared keys have been configured, and the tunnel came up briefly last night. The problem is that I can't ping across the tunnel's private network. I send a ping and it goes out the public interface rather than being encrypted into the tunnel. Both sides are using RFC 1918 addresses, but from different ranges, so routing should not be a problem in this regard. I specify the interesting traffic for IPSec with an ACL as follows:
ip access-list extended IPSEC
 permit ip 172.16.86.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip any any
and the crypto map uses "match address IPSEC".
The IPSEC ACL shows no matches. Does anyone have any ideas? Thank you.
It seems that the order of the two lines in access list 111 is backwards. Because the first line is more general than the second, the second will never be used and you'll always NAT the traffic from your 172.16.86.0 hosts, even if the traffic is destined for a 192.168 address through the VPN. Swap the two lines, and I bet it'll start working.
Note that you must be careful when you make changes to an ACL used for NAT and VPN, since removing such a list is equivalent to "permit ip any any", which can cause you to be disconnected and locked out of the router if you are remote. It is safer to remove the NAT and/or the crypto map from the interface in question before making changes on a remote router.
HTH - good luck!
Tags: Cisco Security
Similar Questions
-
LRT224 with IPSEC problem - not
Hi, I have the following router: Linksys LRT224.
I want to configure IPSEC tunnels (per user or per group).
OpenVPN works great for users, but it is limited to 5! That's why I want more VPN tunnels.
So I configured the IPSEC tunnel and I connect very well, either with the tunnel or with the group VPN.
The problem is:
- The client cannot ping the network
- LRT224 / VPN:
In the summary information, the tunnel connection always shows as waiting, while the IPSEC client (Shrew) is connected; the log shows: (c2gips1) [2] IP:660 #61: [created Tunnel] ISAKMP Security Association established
- When I use the group VPN, I see the client connected, but I couldn't ping from the client to the router's network/subnet, or vice versa
In advanced routing, I can see the IP address of the connected client...
I also used the doc http://support.linksys.com/en-eu/support/business/LRT224 ...
In the Shrew VPN network configuration, I put:
Auto Config: Disabled, and "use an existing adapter and current address"
Please let me know... help! Thank you
I have done some testing and think it's great. With this feature, you can have 45 additional VPN tunnels, as you mention. I tested with two devices connected at the same time over different IPSec tunnels, and both were able to ping devices on the remote LAN.
Material used:
- LRT224
- Windows 7 x 64 Desktop
- HP Jet 7 Tablet
- LAPN300
- Galaxy S4
VPN client:
LRT224 VPN client gateway configuration:
Shrew VPN client configuration:
-
Hello
I am configuring a site-to-site VPN connection using a pre-shared key. The VPN connection comes up and runs, but I'm having problems with routing information between the subnets.
Our subnet is 192.168.1.0 and we cannot use that subnet for the VPN. Because of this, we use 10.240.86.33 as the source for the IPSec traffic, and the destination network (PC) is 164.2.107.56.
We cannot connect to the 164.2.107.56 computer; can someone help us accomplish this?
Our configuration is below:
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 200.111.XXX.XXX 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
 service-policy output SDM-QoS-Policy-1
!
interface FastEthernet0/1
 description $ES_LAN$ $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
router eigrp 1
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.111.XXX.XXX 2
!
!
ip http server
no ip http secure-server
ip nat pool INTERNET 200.111.XXX.XXX 200.111.XXX.XXX netmask 255.255.255.248
ip nat inside source route-map SHEEP pool INTERNET overload
ip nat inside source static network 192.168.1.0 164.2.107.0 /24
ip nat inside source static 192.168.1.104 200.111.XXX.XXX
ip nat outside source static network 10.240.86.0 192.168.1.0 /24
!
logging trap debugging
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 15 permit 200.6.103.241
access-list 15 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.240.86.0 0.0.0.255 164.2.107.56 0.0.0.1
no cdp run
!
!
route-map SHEEP permit 10
 match ip address 10
!
route-map SDM_RMAP_1 permit 1
 match ip address 150
!
!
!
Hello
Is this the router that terminates the VPN tunnel? (I don't see the VPN configuration.)
Since you can't use your real LAN addresses, you need to NAT before you send the traffic through the tunnel.
First, apply a NAT rule to translate 192.168.1.0/24 to 10.240.86.33 when going to 164.2.107.56:
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 host 164.2.107.56
route-map NAT permit 10
 match ip address NAT
ip nat pool VPNPool 10.240.86.33 10.240.86.33 netmask 255.255.255.0
ip nat inside source route-map NAT pool VPNPool overload
Next, create the ACL for the interesting traffic, from the translated address to the address at the other site:
ip access-list extended VPN
 permit ip host 10.240.86.33 host 164.2.107.56
Let's see the results.
Federico.
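The first thread's answer (swap the two ACL lines, because IOS ACLs are first-match and NAT runs before the crypto map) and Federico's answer just above (policy-NAT the LAN to 10.240.86.33, then match the translated host in the crypto ACL) both rest on the same order of operations for inside-to-outside traffic. The Python below is an added example, not code from either post or from Cisco. It models that path: the NAT ACL is evaluated first-match, the matching packet is translated, and only then is the crypto map's match-address ACL checked against the translated source. The ACL contents for Federico's case come from his answer; the contents of "access-list 111" in the first thread are an assumed reconstruction based on the answer's description ("the first line is more general than the second"); the public address 203.0.113.10 and the inside hosts 172.16.86.5, 192.168.1.10 and 192.168.1.50 are constructed sample values.

```python
"""Order-of-operations model for Cisco IOS policy NAT + crypto map (added example).

Inside-to-outside on IOS: routing, then NAT (inside -> outside), then the
crypto map's 'match address' ACL is checked against the *translated* packet.
Every ACL is evaluated first-match with an implicit 'deny' at the end.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit'/'deny' plus IOS-style source and destination specs."""
    action: str
    src: str   # "any", "host 1.2.3.4", or "1.2.3.0 0.0.0.255" (address + wildcard)
    dst: str


def _parse_spec(spec: str):
    """Return (address, wildcard) as integers for an IOS address specification."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))


def _matches(spec: str, ip: str) -> bool:
    """Wildcard match: bits where the wildcard is 0 must equal the ACE address.
    Works for non-contiguous wildcards such as 0.0.0.1 as well."""
    addr, wild = _parse_spec(spec)
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    for ace in acl:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"


def forward(src: str, dst: str, nat_acl, nat_to: str, crypto_acl):
    """Return (source address on the wire, encrypted?) for an inside->outside packet.
    Policy NAT (route-map matching nat_acl) is applied first; the crypto ACL then
    sees the translated source, which is the ordering both answers rely on."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = nat_to
    return src, acl_lookup(crypto_acl, src, dst) == "permit"


# --- Thread 1: NAT ACL order. Assumed reconstruction of the poster's
# "access-list 111" from the answer ("the first line is more general").
PUBLIC_IP = "203.0.113.10"   # constructed overload address
NAT_ACL_WRONG_ORDER = [
    Ace("permit", "172.16.86.0 0.0.0.255", "any"),
    Ace("deny", "172.16.86.0 0.0.0.255", "192.168.0.0 0.0.255.255"),
]
NAT_ACL_FIXED = list(reversed(NAT_ACL_WRONG_ORDER))
CRYPTO_ACL_IPSEC = [Ace("permit", "172.16.86.0 0.0.0.255", "192.168.0.0 0.0.255.255")]


def thread1(nat_acl):
    """A LAN host pinging across the tunnel; 172.16.86.5 -> 192.168.1.10 is a constructed flow."""
    return forward("172.16.86.5", "192.168.1.10", nat_acl, PUBLIC_IP, CRYPTO_ACL_IPSEC)


# --- Federico's answer: NAT the LAN to 10.240.86.33 only toward 164.2.107.56,
# then match the translated host in the crypto ACL "VPN".
NAT_ACL_VPN = [Ace("permit", "192.168.1.0 0.0.0.255", "host 164.2.107.56")]
CRYPTO_ACL_VPN = [Ace("permit", "host 10.240.86.33", "host 164.2.107.56")]


def thread2(dst: str):
    """192.168.1.50 is a constructed inside host; the ordinary Internet NAT rule is not modelled."""
    return forward("192.168.1.50", dst, NAT_ACL_VPN, "10.240.86.33", CRYPTO_ACL_VPN)


if __name__ == "__main__":
    print("ACL 111 as posted :", thread1(NAT_ACL_WRONG_ORDER))  # NATed, so it leaves in the clear
    print("ACL 111 swapped   :", thread1(NAT_ACL_FIXED))        # untouched, encrypted
    print("to 164.2.107.56   :", thread2("164.2.107.56"))       # translated, then encrypted
    print("to other host     :", thread2("198.51.100.7"))       # matches neither ACL
```

The "as posted" case shows the crypto ACL counters staying at zero: the packet has already been rewritten to the public address when the crypto map looks at it, which is exactly what a "no matches" crypto ACL with a tunnel that comes up looks like.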
-
I have the following scenario to connect my main HQ with other directorates:
Two HQ routers run HSRP on their internal Gigabit interface and use WAN connections on serial interfaces to create site-to-site VPNs with the other branches using GRE over IPsec.
I need to know whether this is the right configuration or whether there is another way to do it.
The following is the sample configuration on the active and standby routers and on the branch router.
Active router
crypto isakmp key password address 172.18.x.x
crypto ipsec transform-set aes esp-aes esp-sha-hmac
crypto map secure 13 ipsec-isakmp
 set peer 172.18.x.x
 set transform-set aes
 match address 101
interface Tunnel3
 description branch01
 ip address 10.100.30.1 255.255.255.0
 keepalive 10 3
 tunnel source 10.100.0.x
 tunnel destination 172.18.x.x
 crypto map secure
interface GigabitEthernet0/0
 ip address 10.100.0.y 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 10.100.0.x
 standby 1 preempt
interface Serial0/0/0.16 point-to-point
 ip address 172.20.x.x 255.255.255.252
 crypto map secure
access-list 101 permit gre host 10.100.0.x host 172.18.x.x
Standby router
crypto isakmp key password address 172.18.x.x
crypto ipsec transform-set aes esp-aes esp-sha-hmac
crypto map secure 13 ipsec-isakmp
 set peer 172.18.x.x
 set transform-set aes
 match address 101
interface Tunnel3
 description branch01
 ip address 10.100.30.3 255.255.255.0
 keepalive 10 3
 tunnel source 10.100.0.x
 tunnel destination 172.18.x.x
 crypto map secure
interface GigabitEthernet0/0
 ip address 10.100.0.z 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 10.100.0.x
 standby 1 preempt
interface Serial0/0/0.16 point-to-point
 ip address 172.19.x.x 255.255.255.252
 crypto map secure
access-list 101 permit gre host 10.100.0.x host 172.18.x.x
Branch router
crypto isakmp key password address 172.20.x.x
crypto isakmp key password address 172.19.x.x
crypto isakmp key password address 10.100.0.x
crypto ipsec transform-set aes esp-aes esp-sha-hmac
crypto map secure 13 ipsec-isakmp
 set peer 172.19.x.x
 set peer 172.20.x.x
 set transform-set aes
 match address 101
interface Tunnel3
 description branch01
 ip address 10.100.30.3 255.255.255.0
 keepalive 10 3
 tunnel source 172.18.x.x
 tunnel destination 10.100.0.x
 crypto map secure
interface Serial0/0/0.16 point-to-point
 ip address 172.18.x.x 255.255.255.252
 crypto map secure
access-list 101 permit gre host 172.18.x.x host 10.100.0.x
I get lots of error messages on the active or standby router, even though all the VPN settings are correct on the HQ and branch routers:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 172.18.x.x
In your current design, I can see HSRP used to provide outbound VPN high availability. In an IPSec HA design, HSRP is usually deployed when the WAN is Ethernet-attached. In that case, we can build the tunnel using the HSRP virtual address, which gives a permanent IP address. The problem with your design is that to reach the HSRP virtual IP address, you must cross a single serial interface hosted on one router. If this interface fails, or if there is a problem in the routed path between the crypto peers, you will never be able to reach the HSRP virtual IP address, so the resulting solution will fail.
If this is the topology we are working with, then the only recommendation I can make is to incorporate IP SLA and tracking into your design. For example, you could track the status of the serial interface on the primary router. If the interface fails, you could decrement the HSRP priority of the interface in order to force traffic to converge onto the backup router's path. With ISAKMP keepalives configured on the routers in the topology, the routers should be able to recognise the failure and time out the old SAs. Because the branch is configured with two peers, the router can negotiate new SAs with the backup router. When the serial interface comes back online, you can have the primary router preempt after a delay. To detect indirect failures on the transit path, you could use an ICMP IP SLA with tracking instead. This design, however, should be properly tested for stability during the failover process.
-
Factory reset wireless router connection problems?
Hello
I recently did a factory reset on my HP6745f desktop running Win7 SP1, and I don't know if my problem is with HP or with Linksys/Cisco (my router). I already contacted Cisco support, who reported that the problem seems to be "an HP issue, a corrupt driver or another third-party issue" and then offered to help, for a price. I'm hoping to avoid that if possible.
This desktop computer is directly connected to the router via an Ethernet cable. There is Cisco software that I want to install that 'controls' my router (called Cisco Connect), and when I try to install the software, I get a message saying "We could not find your router" (and so the software will not install), although I am accessing the internet through that router. Even if I enter my network name and password, it cannot find anything. I am also unable to access the router via my browser at "168.198.1.1".
I am also unable to connect wirelessly with the same desktop, yet my 2 wireless laptops have no connection problems at all, which leads me to believe it's something specific to my desktop PC.
The Cisco Connect software had previously been installed on my desktop and it worked fine. I guess my question is: does anyone have any suggestions for me? Could this be a driver problem? How can I identify what to 'check'?
Any help would be greatly appreciated.
I figured it out! My router can use a "network key" to connect other computers to the router. I guess when I reset my PC all this info was removed and the router could not communicate.
I just created a network key on a USB flash drive from my laptop, plugged the USB into my desktop and, presto, I reconnected properly. Thanks for the suggestions, I really appreciate the help.
-
Satellite Pro R50-B-114 - ping time to WLAN router problem
Hello!
I have a new laptop Satellite Pro R50-B-114.
Unfortunately, when I connected it to my home network (router), I noticed there is a problem with the wireless adapter. Sometimes everything works fine (ping ~1 ms to the router), but sometimes it changes completely (2000 to 3000 ms to the router).
These problems are present even when I am 2-3 metres from the router.
I'm sure this is a laptop problem and not something else, because my other cell phones/devices work very well with this router. OS: Windows 7, drivers: updated.
Does anyone have an idea of what's going on?
Thanks in advance.
Hmm... have you tried using different WLAN standards (802.11 a / ac / g or n)?
If I am not mistaken, the laptop is equipped with a new-generation Intel Wireless-AC 3160 wireless network card, which supports the 802.11 ac + agn standards.
I recommend you check this setting.
For the wireless network card, you must go to
Device Manager -> WLAN card -> Properties -> Advanced tab
Here you can change the WLAN standard as well as other settings. I would also recommend checking the WLAN standard in the WLAN router configuration, to ensure that the same standard is used by the router and by the WLAN network card.
Also, using a different WiFi encryption (WPA/WPA2 AES, TKIP) can improve performance.
-
Hello
So I'm having a very frustrating problem connecting to my router. I can't connect to my router using the IP address or routerlogin.net after a certain period of time. If I restart my router, I can connect without any problems, do everything I need to do and everything is fine, but it seems that after a while my connection to the router times out, and when I go to the page I get "This page is not available" in Chrome. I tested with Chrome, Firefox and Safari (on Mac and PC, on the 2.4 and 5 GHz connections, as well as directly wired to the router). I also tried the same thing on an IBM computer, including using IE.
The internet seems to work very well (I can even ping the default gateway), but whenever I create a new virtual machine on my test server, I need to assign a static IP address and need to connect, and I hate that I have to keep rebooting my router to do so.
Is there a setting or something that I'm missing?
Thanks in advance for any help.
Hi Andy -
The hard reset seems to have worked. Thank you!
For the curious:
The first thing that happened was that the router went looking for another router on the network. It did not find one and proceeded to reset the router to factory specifications.
Once that came up, I restored my previous settings, which I had saved while I still had access to the router.
Still curious is that it has been established for the last month while I tested my older 3700 (which, by the way, works fine behind an AT&T router in my other house, with a lot more range and speed than the AT&T one).
-Chuck
-
Pavilion dv4-2160us with Atheros AR9285 and D-Link WBR-2310 wireless router connection problem
The notebook sometimes has a problem connecting to the router. This occurs when the notebook is booted from power off, or when it wakes from power-saving mode after about a day since it last connected. The Network and Sharing Center sees the network to connect to, but shows only "limited access". But if the power to the router is recycled, then the connection is established. The driver for the Atheros AR9285 is up to date. The firmware of the router is the latest, v1.05.
I ran a continuous ping test to Google on the notebook and on a wired computer connected to the router, to isolate the problem. Whenever Google is pinged successfully, it displays a message with the response time in milliseconds. If the ping fails, the message is "PING: transmit failed. General failure." It turned out that, while the test on the wired computer worked without a hitch, the notebook showed that at the same time the internet connection was lost during the connection period. It then recovered after a few pings. At another time, the internet connection was lost permanently without recovery, also during the connection period.
Does anyone have the same problem?
After changing the security mode of the wireless router from WPA2 to WEP, the problem seems to have disappeared. It's been 3 days and the computer can still connect to the router. HP support says that the HP wireless network adapter works best with the WEP security setting.
-
Windows xp routing table problem
I'm having a problem with the Windows routing tables on the PCs at my workplace.
These computers are running Windows XP SP3, and the problem occurs when I change the default gateway. The PCs are on subnet 10.181.1.0/24 with a default gateway of 10.181.1.11. With this configuration, the routing table on each PC works as expected [for example, it stores a route to its own subnet [10.181.1.0/24] but no routes to other subnets [for example, it will not store a route to 10.180.1.0/24; it will simply send this traffic to the default gateway]].
However, due to a network re-design, I need to change the default gateway for this LAN to 10.181.1.254. When I do this, something strange happens: the Windows routing table on each PC begins to store routes to the entire 10.0.0.0/8 network, even though the current config on the PC is still a /24 network [for example, 10.181.1.21/24, d/g 10.181.1.254]. It's as if, when I change the default gateway on the computer, Windows treats the routing table of the 10.181.1.0/24 subnet as if it were a classful 10.0.0.0/8 network.
So what, right? I can still connect to other networks; the PC is just using a route stored in its local routing table instead of sending traffic to its default gateway. The problem is that we have a backup default gateway, 10.181.1.12, that we switch to if the primary gateway goes down. When we test failover to 10.181.1.12, the PCs still send non-local traffic to 10.181.1.11 [because they still have these routes stored locally in their Windows routing tables]. I want to send traffic to 10.181.1.254 [a layer 3 core switch, which then routes traffic to 10.181.1.11 or .12].
I tried changing the default gateway to a range of IP addresses and the same problem occurs every time. I rebooted each PC after changing its d/g and the problem remains the same. I tried deleting all the IP address information from the PC, then re-entering it with the new d/g, then restarting the PC, but the problem remains the same.
So, to summarize: when I change the d/g on any PC on the 10.181.1.0/24 subnet, the computer's routing table begins to store routes to the classful 10.0.0.0/8 network instead of just the classless 10.181.1.0/24 network. Has anyone encountered this before?
Hi biglouie2010,
Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the TechNet IT Pro audience. Please post your question in the TechNet Windows XP forum.
http://social.technet.Microsoft.com/forums/en/itproxpsp/threads
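The symptom described in the question above (a 10.0.0.0/8 route appearing on each PC and pulling non-local traffic away from the new default gateway) comes down to longest-prefix matching: a /8 entry is more specific than the 0.0.0.0/0 default, so it wins for every 10.x destination. The Python below is an added example, not code from the post or from Microsoft, and it does not explain why XP installs the route; it only reproduces the forwarding effect. The route entries and gateway addresses are the poster's values; the destinations 10.181.1.40, 10.180.1.5 and 192.0.2.9 are constructed test addresses.

```python
"""Longest-prefix-match model of the classful-route symptom (added example).

Two tables: the routes the poster expects, and the same table plus the
10.0.0.0/8 entry the PCs were observed to keep, still pointing at the old
gateway. next_hop() shows where a packet goes under each.
"""
import ipaddress


def classful_network(address: str) -> ipaddress.IPv4Network:
    """Classful prefix implied by the first octet: class A /8, B /16, C /24."""
    first = int(address.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def next_hop(table, dst: str) -> str:
    """Longest-prefix match over (network, next_hop) entries; 'on-link' means direct delivery."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for net, hop in table:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else "unreachable"


# Routes as the poster expects them after the gateway change (values from the post).
EXPECTED_TABLE = [
    ("10.181.1.0/24", "on-link"),
    ("0.0.0.0/0", "10.181.1.254"),
]

# Same table plus the classful route the PCs were observed to add, pointing at
# the old gateway 10.181.1.11 (as the post describes).
OBSERVED_TABLE = EXPECTED_TABLE + [
    (str(classful_network("10.181.1.21")), "10.181.1.11"),
]


def compare(dst: str):
    """(next hop under the expected table, next hop under the observed table)."""
    return next_hop(EXPECTED_TABLE, dst), next_hop(OBSERVED_TABLE, dst)


if __name__ == "__main__":
    for dst in ("10.181.1.40", "10.180.1.5", "192.0.2.9"):
        print(dst, compare(dst))
```

Only destinations inside 10.0.0.0/8 but outside the local /24 diverge: the local subnet still matches its /24, and anything outside 10.x still falls through to the default gateway, which is why failover to 10.181.1.254 looked fine for the internet but not for the other 10.x subnets.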
-
Application of Router WRT160N problem loading with LELA
I bought a WRT160N router and downloaded the software. Everything works fine with the router, but when I try to open the LELA shortcut on my desktop, I get nothing. LELA does not open on the taskbar. I went to the executable files and tried to open it from there, and nothing. I went to the Vista Task Manager and looked at my running applications, and it shows an EasyLink icon labelled ALERT POPUP that is running, and also the Linksys EasyLink Advisor running. When I end the task for the alert popup, I can then open it with the shortcut.
I hope I have not been confusing.
There is something called ALERT POPUP running in the background, preventing me from opening my LELA shortcut.
Try this, McKieus.
I had exactly the same problems that you described with technical support. I found this link in a post by Basiltoo on 12/15/2008. It worked for me. Previously, I got the x86 machine error when loading the software upgrade. I have a 64-bit system. There are still a few problems with some of the options, but most of the time it works. The link is http://update.linksys.com/autoupdate/
I also uninstalled LELA through Add/Remove Programs and restarted before I installed the new version. In the new version, there is a place where it asks if you have a 64-bit system. If you choose that, the download you receive will be correct and you should not get the 'x86' error.
It also seems to shut down correctly in this new version.
Good luck.
It worked for me.
BRICS
-
RE6500 installation problems (possible router compatibility problem?)
I'm trying to set up an RE6500 at home. I have no problem seeing it on my computer when it broadcasts its own wireless network, and I can start the installer fine, but the problem comes when I try to sign in and make the initial connection with my network. My network is hidden, and I enter the correct password and security type, so I think it may be a compatibility issue with my router. I have a standard Verizon router; I'm sure it's an Actiontec router. Any help would be great.
For the initial installation of the RE6500, I do not recommend hiding your wireless network. Once the configuration is complete, you can hide it again. You should also give the RE6500 a static IP address so you can always connect to it.
-
E4200 (v1.0.05) IPSec problem
Hello
I cannot use my VPN client (WatchGuard) to connect to my office VPN through an E4200 v1 with the latest firmware.
If I connect directly to the modem without the router, it's fine.
All Security -> VPN Passthrough (IPSec, PPTP, L2TP) settings are enabled.
Can someone help me?
Thank you.
Your route changes with the router, as you have found out. Maybe it's some kind of MAC-address-based routing on the ISP's side.
Try cloning the MAC address of the computer that connects to the router.
-
New router BEFSR41 problems installing...
I just installed a new version of my BEFSR41. I had a version 2 and now have a version 4.3. I have Road Runner internet and had no problem: I just unplugged my old router and plugged in the new one. After a restart of the modem I was able to connect to the internet, as were my other 2 computers in the house. However, I can't access the configuration at 192.168.1.1; it won't let me past the password screen. I tried the default "admin" with no luck. Will a reset of the modem fix this problem without messing up my internet connection and network?
Also, I had installed LELA, and when I installed the new router it showed it as a gateway instead of as the BEFSR41 router, as it did before. I reinstalled, but still got the same gateway description. I uninstalled the program.
TIA
Your router should have a blank username and the password "admin" (without the quotes).
If this does not work, then the most likely cause of your problem is a software firewall on your computer. Go into your computer and temporarily disable your software firewall and see if that allows you to connect to your router. With some software firewalls, you will need to "trust" your router at 192.168.1.1.
If you still have problems, read on:
Here are my tips for connecting to your router:
You do not need to be connected to the Internet to view the router's web pages. These web pages are built into the router.
Use Internet Explorer; it usually works.
JavaScript must be enabled.
Use a computer that is wired to the router.
On the non-working computer, temporarily disable your firewall software. If you use ZoneAlarm, right-click on the ZA icon in the taskbar (bottom right of the screen), then click on "Shutdown ZoneAlarm" and see if that solves your problem. If this does not work, try the following with ZoneAlarm: open the ZAISS control center, go to Privacy, then temporarily disable Ad Blocking and Cookie Control and see if that solves your problem.
If you use Norton Internet Security with the Add-on Pack, don't forget to disable the pop-up blocker and ad blocker. Some users have reported that they needed to uninstall the entire Norton Add-on Pack.
If you cannot get anything at 192.168.1.1, then perhaps this is not the address of the router. Go to 'Start' > All Programs > Accessories > Command Prompt.
A black DOS window will appear. Type "ipconfig" (with no quotes) and press the Enter key. Look at the "Default Gateway". Is it 192.168.1.1? Point your browser at the 'Default Gateway' and you can connect to your router. If the above fails, unplug your modem from the router, then try again. If that solves your problem, then most likely your modem is actually a "modem-router". Check whether your "modem" is using the same 192.168.1.x address space as your Linksys router. If this is the case, then report back with this problem and also specify the brand and exact model number of your modem.
If all of the above fails, turn off your entire system, unplug it from the wall, wait a minute, then power it up and try again.
If all the above tips fail, then reset the router to defaults: power down the router and unplug all the wires. Wait a minute. Switch on the router, let it fully boot (1-2 minutes), then press and hold the reset button for 30 seconds, then release the button and allow the router to reset and restart (2-3 minutes). Turn off the router. Wait a minute. Connect a computer by cable to one of the router's LAN ports. Boot the system. It should work. Resetting the router to defaults will also reset your Internet connection type to the default.
If the reset does not fix your system, then you must download and install (or reinstall) the latest firmware for your router. After the firmware update, you must reset the router to defaults and then configure the router again from scratch. If you have saved a router configuration file, DO NOT use it.
-
Router WRT320N to a wired BEFSX41 router connection problem
Hello, I never thought it would be so difficult. I have problems connecting a router (WRT320N) so that it will be on the same network as my other wired firewall router (BEFSX41). The wireless router works fine, because it connects to the internet via the BEFSX41 router. However, the two routers do not see each other, and I can't connect two computers, one wired and the other a wireless laptop, to the same network.
The wired BEFSX41 router uses IP address 192.168.1.1 and the wireless WRT320N router uses IP address 192.168.0.1.
I don't know what other information you need. I hope you can solve this problem for me.
Thank you
Mike
For file sharing, it is always better to keep the network in the same subnet... Connect the BEFSX41 to an Ethernet port of the WRT router (LAN-to-LAN connection)... Visit this link for that. If the IP address of the main router is 192.168.1.1, then change the 2nd router's IP address to 192.168.1.2.
Make sure that file and printer sharing is enabled... Also, make sure the computers are in the same workgroup...
The default workgroup in Windows Vista has been renamed to WORKGROUP. In Windows XP, the default workgroup name is MSHOME...
-
Hello
Could you please be so kind as to help me with a problem I have with the firewall of my Linksys wireless router (Linksys WRT110)?
When I run the firewall test, I get this message:
Your system has REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended, since 'Ping' is among the oldest and most common methods used to locate systems prior to further exploitation.
Thank you very much.
Fred
Thanks for the info. I ran the test on the Gibson Research site with a scan named ShieldsUp. But if you say that it gives false results, I am happy; I don't want someone hacking into my system. My son is homeschooled through the internet, and it would be a big problem for school if someone with bad intentions hacked in here and did who knows what.
Thanks again.