
Routing VPN Traffic


lagcat (Technical User), May 18, 2007
Hi people,

I have a VPN running from a Cisco 1811 to a Juniper firewall.
It's all up and running,

but I am having a problem getting the traffic to flow between routers.

From machine to machine I can ping:

10.60.11.25 to 172.16.1.50

but from router to router I cannot:

10.60.11.1 to 172.16.7.3 (Juniper firewall)
10.60.11.1 to 172.16.7.1 (Root/Gateway Router)


I have set up my routes, which I will paste in a moment, and the ACL, which all looks correct to me. The Juniper firewall does let traffic through, as I am replicating DNS.

crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key tslgermany address (Juniper Public Address)
!
!
crypto ipsec transform-set TSLVPN esp-3des esp-sha-hmac
!
crypto map VPNMAP 11 ipsec-isakmp
set peer (Juniper Public Address)
set security-association lifetime seconds 28800
set security-association idle-time 3600
set transform-set TSLVPN
set pfs group2
match address 101
!
!
!
!
interface FastEthernet0
description Public LAN
ip address (Public IP) 255.255.255.248
ip access-group 104 in
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
!
interface FastEthernet1
description Private LAN
ip address 10.60.11.1 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
router rip
version 2
network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 (Public Internet Gateway)
ip route 10.3.0.0 255.255.0.0 172.16.7.3 <<Internal Juniper Address
ip route 10.60.11.0 255.255.255.0 FastEthernet1
ip route 10.60.25.0 255.255.255.0 10.60.11.3 <<Linux IPCOP Routing Computer
ip route 10.60.74.0 255.255.255.0 10.60.11.3
ip route 10.60.75.0 255.255.255.0 10.60.11.3
ip route 10.60.76.0 255.255.255.0 10.60.11.3
ip route 10.60.111.0 255.255.255.0 10.60.11.3
ip route 10.60.190.0 255.255.255.0 10.60.11.3
ip route 172.255.255.0 255.255.255.0 172.16.7.3
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 10.60.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 10.60.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 permit ip 10.33.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 permit ip 10.33.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.60.0.0 0.0.255.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.33.0.0 0.0.255.255
access-list 101 permit ip 10.3.0.0 0.0.255.255 10.60.0.0 0.0.255.255
access-list 101 permit ip 10.3.0.0 0.0.255.255 10.33.0.0 0.0.255.255
access-list 104 deny ip host (Unknown IP blocking connection) any
access-list 104 permit ip any any



CCENT, CCNA
MCP, MCSA
Comptia: Network Essentials, Security +, A+
 
You have a static route "ip route 10.60.11.0 255.255.255.0 FastEthernet1", so from the router 10.60.11.1 its route is fa0/1.

Post "sh ip route".
 
Exactly---you should not have static routes to define directly connected destinations, though the router in theory should ignore it (metric of static route=1, metric of directly connected=0).

Burt
 
Also, I have noticed I cannot ping from the 10.60.11.1 router to any other client or router on the 172.16 network,

but from the 172.16 network I can ping 10.60.11.1.

CCENT, CCNA
MCP, MCSA
Comptia: Network Essentials, Security +, A+
 
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 217.89.49.233 to network 0.0.0.0

217.89.49.0/29 is subnetted, 1 subnets
C 217.89.49.232 is directly connected, FastEthernet0
10.0.0.0/24 is subnetted, 7 subnets
S 10.60.25.0 [1/0] via 10.60.11.3
C 10.60.11.0 is directly connected, FastEthernet1
S 10.60.111.0 [1/0] via 10.60.11.3
S 10.60.76.0 [1/0] via 10.60.11.3
S 10.60.74.0 [1/0] via 10.60.11.3
S 10.60.75.0 [1/0] via 10.60.11.3
S 10.60.190.0 [1/0] via 10.60.11.3
S* 0.0.0.0/0 [1/0] via 217.89.49.233
GermanyTSL#


There is no route here to send traffic to 172.16.0.0 255.255.0.0 (172.16.7.1/172.16.7.3),

so do I need to add the route

ip route 172.16.0.0 255.255.0.0 fastethernet 0
ip route 172.16.0.0 255.255.0.0 (Juniper Public IP)
ip route 172.16.0.0 255.255.0.0 (Juniper Private IP)
ip route 172.16.0.0 255.255.0.0 (VPN Tunnel Name)

or am I well off?



CCENT, CCNA
MCP, MCSA
Comptia: Network Essentials, Security +, A+
 
ip route x.x.x.x x.x.x.x (source) to your desired destination, not interface
 
---- ip route x.x.x.x x.x.x.x (source) to your desired destination, not interface ----

Which source... the public address of the opposite end?
Which doesn't make much sense.

Or the private address of the other end?

I tried the private address, which is the Juniper 172.16.7.3,

but this did not make a difference,

as I still could not ping in that direction.

This thing is a pain.



CCENT, CCNA
MCP, MCSA
Comptia: Network Essentials, Security +, A+
 
Does the Juniper firewall by default allow pings from the interface? In most cases firewalls won't allow that from the interface for security reasons. Check the Juniper.
 
---- also I have noticed I cannot ping from the 10.60.11.1 router to any other client or router on the 172.16 network, but from the 172.16 network I can ping 10.60.11.1 ----

Chances are, when you ping from the router you are not using the extended commands and specifying the inside address as the source of the pings. If you just specify "ping 172.16.7.3" it will be using the WAN IP as the source. Since this address is not defined as interesting traffic, it will not traverse the tunnel. I'm assuming that you are pinging from a host on 172.16 to 10.60.11.1 rather than from the gateway itself?

---- which source... the public address of the opposite end? ----

Honestly, in your situation I would look at implementing RIP with IPsec + GRE. It is really simple to set up and it will give you dynamic routing capabilities over your IPsec tunnel rather than needing to worry about your static routes. However, if you only want to use static routes, in this case I would specify the next hop as the exiting interface rather than the neighbor IP.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you for all your help.

This problem is not exactly stopping everything working, so I am going to wait until I travel to Germany and look into this further.

As half the system over there is IPCOP computers and the language is set to German, I will have my work cut out for me,

but I see it as the more experience the better at the moment.

Cheers again

CCENT, CCNA
MCP, MCSA
Comptia: Network Essentials, Security +, A+
 