Hello
I am having a small problem with a router to PIX vpn. I hope someone can shed some light.
Here is a sketch of the network involved.
Server1 (192.168.20.111) -> PIX(192.168.50.1) -> Router1 <---> (192.168.200.200)Router2 <--- Server2(192.168.250.3)
Server1's IP is natted at the PIX to 192.168.50.10
Server2's IP is natted at Router2 to 192.210.210.4
The VPN peers are the PIX(192.168.50.1) and router2(192.168.200.200)
Here are the related PIX and router configs.
PIX:
access-list l2l extended permit ip 192.168.50.0 255.255.255.0 192.210.210.0 255.255.255.0
crypto ipsec transform-set encrypt_des esp-3des esp-md5-hmac
crypto map crypto1 1 match address l2l
crypto map crypto1 1 set peer 192.168.200.200
crypto map crypto1 1 set transform-set encrypt_des
crypto map crypto1 interface Partner
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal 1200
tunnel-group 192.168.200.200 type ipsec-l2l
tunnel-group 192.168.200.200 ipsec-attributes
pre-shared-key somekey
ROUTER:
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key somekey address 192.168.50.1
!
crypto ipsec transform-set encrypt_des esp-3des esp-md5-hmac
!
crypto map crypto1 local-address Loopback1
crypto map crypto1 20 ipsec-isakmp
set peer 192.168.50.1
set transform-set encrypt_des
match address 100
access-list 100 permit ip 192.210.210.0 0.0.0.255 192.168.50.0 0.0.0.255
interface loopback 1
ip address 192.168.200.200 255.255.255.0
crypto map crypto1
According to the PIX logs, PHASE 1 and PHASE 2 are completed successfully.
I tried to ping from server1 to server2. Here's what I get after the logs say phase 2 is completed.
Teardown local-host Partner:192.210.210.4 duration 0:00:02
Teardown ICMP connection for faddr 192.168.20.111/768 gaddr 192.210.210.4/0 laddr 192.210.210.4/0
Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.168.50.10, src_addr= 192.210.210.4, prot= ICMP
So what I understand from this is that the packets leaving server1 are getting encrypted but those returning are not.
I'm not sure what the problem is. I'm thinking it might have something to do with the loopback interface. It's a loopback
to the serial interface of router2 (which is connected to router 1 by frame relay).
Also is it ok to be using the natted IPs in the access-lists or should we be using the real server IPs?
If anyone can shed some light on this ..
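A small added checker (my own example, not something from the post or from Cisco) for the two questions the post raises: whether the PIX crypto ACL and the router crypto ACL are mirror images of each other, and whether the flow the PIX logged as "not an IPSEC packet" is even interesting traffic on the router side. It parses the two ACL lines and the log line exactly as they appear above, using the post-NAT addresses both ACLs already reference; the "finding" strings are this example's own interpretation of the combinations, not a diagnosis from the original thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Lines copied verbatim from the post: PIX crypto ACL, IOS crypto ACL, PIX log line.
PIX_ACE = "access-list l2l extended permit ip 192.168.50.0 255.255.255.0 192.210.210.0 255.255.255.0"
IOS_ACE = "access-list 100 permit ip 192.210.210.0 0.0.0.255 192.168.50.0 0.0.0.255"
PIX_LOG = "Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.168.50.10, src_addr= 192.210.210.4, prot= ICMP"


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit ip' entry of a crypto ACL: interesting traffic from src to dst."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)

    def mirror(self) -> "CryptoAce":
        # The far end's ACL must be this entry with src and dst swapped.
        return CryptoAce(self.dst, self.src)


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ipaddress accepts both a netmask after the slash (255.255.255.0, PIX style)
    # and a hostmask/wildcard (0.0.0.255, IOS style).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_ace(line: str) -> CryptoAce:
    """Parse a PIX 'access-list NAME extended permit ip A M B M' line or an
    IOS 'access-list N permit ip A W B W' line into a CryptoAce."""
    t = line.split()
    if "permit" not in t or "ip" not in t:
        raise ValueError(f"not a 'permit ip' entry: {line}")
    i = t.index("ip")
    return CryptoAce(_net(t[i + 1], t[i + 2]), _net(t[i + 3], t[i + 4]))


CLEARTEXT_RE = re.compile(
    r"Rec'd packet not an IPSEC packet\. \(ip\) dest_addr= (?P<dst>[\d.]+), "
    r"src_addr= (?P<src>[\d.]+), prot= (?P<proto>\w+)")


def parse_cleartext_log(line: str):
    """Return {'dst','src','proto'} for the PIX 'not an IPSEC packet' message, else None."""
    m = CLEARTEXT_RE.search(line)
    return m.groupdict() if m else None


def diagnose(pix_ace_line: str, ios_ace_line: str, log_line: str) -> dict:
    pix = parse_crypto_ace(pix_ace_line)
    ios = parse_crypto_ace(ios_ace_line)
    pkt = parse_cleartext_log(log_line)
    result = {
        "acls_mirrored": ios == pix.mirror(),
        "return_flow_in_ios_acl": None,
        "finding": "no cleartext-return log line found",
    }
    if pkt is None:
        return result
    # The PIX received this packet unencrypted: src is the far (router) side.
    result["return_flow_in_ios_acl"] = ios.matches(pkt["src"], pkt["dst"])
    if not result["acls_mirrored"]:
        result["finding"] = "crypto ACLs are not mirror images: fix the policy first"
    elif result["return_flow_in_ios_acl"]:
        result["finding"] = ("return flow matches the router's crypto ACL yet arrived in the clear: "
                             "the router's crypto map was not applied on the path this packet took")
    else:
        result["finding"] = "return flow is outside the router's crypto ACL: it will never be encrypted"
    return result


if __name__ == "__main__":
    for k, v in diagnose(PIX_ACE, IOS_ACE, PIX_LOG).items():
        print(f"{k}: {v}")
```

Run as-is it reports that the two ACLs do mirror each other and that 192.210.210.4 -> 192.168.50.10 is interesting traffic on the router, which narrows the problem to where the router applies its crypto map rather than to the policy or to the choice of NATed versus real addresses in the ACLs. Swapping in a deliberately mismatched ACL line shows the other branches.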