Question:
I am trying to connect my Cisco Catalyst 3560 office 2801 router with a static IP to my home 2851 router that has a dynamic IP address via a VPN. Currently I seem to have a VPN connection but no data crosses it. When I issue the command SHOW CRYPTO SESSION, here is what I get:

OFFICE 2801
Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 70.193.201.242 port 10327
  IKEv1 SA: local 40.197.68.9/4500 remote 70.193.211.19/10327 Active

HOME 2851
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 40.197.68.9 port 500
  IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 40.197.68.0/255.255.255.7
        Active SAs: 0, origin: crypto map
Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 40.197.68.9 port 4500
  IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active

Any idea why I am not able to get the IPSec part to work?
CONFIG FILES:

2801 OFFICE
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key VPNpassword address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-1 esp-3des esp-md5-hmac
!
crypto dynamic-map NCL-vpn 10
 set security-association lifetime seconds 86400
 set transform-set TS-1
 match address VPN1-FLA-TRAFFIC
!
crypto map VPN-FLA-MAP 10 ipsec-isakmp dynamic NCL-vpn
!
interface FastEthernet0/0
 ip address 40.197.68.9 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-FLA-MAP
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
no ip forward-protocol nd
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 40.197.68.10
ip route 192.168.2.0 255.255.255.0 192.168.10.5
!
ip access-list extended VPN1-FLA-TRAFFIC
 permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3
2851 HOME
! ---------- This is used for local SSH only ----------
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2516279958
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2516279958
 revocation-check none
 rsakeypair TP-self-signed-2516279958
!
!
crypto pki certificate chain TP-self-signed-2516279958
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
! ------------------ END LOCAL USE PKI --------------------------
! ------------------ For VPN use ------------------------
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key VPNpassword address 40.197.68.9
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
 set peer 40.197.68.9
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Router - C3524 Port Fa0/23 192.168.70.1
 ip address 192.168.70.2 255.255.255.252
 duplex auto
 speed auto
 crypto map vpn-to-hq
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248
Answer:
2801 OFFICE
 permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3
2851 HOME
 permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248
You should replace the bolded IP addresses with your LAN subnet IPs, as an IPSec tunnel is for LAN-to-LAN (Cisco 3560 switch) communication.
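As an added example (not part of the question or the answer above), the following Python check parses a pair of crypto ACLs of the kind shown in the post and reports the three things a practitioner looks for before touching the routers: a non-contiguous wildcard mask, two sides that are not mirror images of each other, and "interesting traffic" that covers a tunnel endpoint address instead of a LAN. Run on the ACLs as posted, it rejects the 0.0.0.248 wildcard (the home router's show crypto session output renders that wildcard as mask 255.255.255.7, which is what the check reproduces). 192.168.10.0/24 is the office LAN from the posted FastEthernet0/1 configuration; 192.168.50.0/24 is an assumed placeholder for the home LAN, which the post does not give. Function names and the audit layout are this example's own.

```python
import ipaddress
import re

# IOS extended ACL entry of the form a crypto map's "match address" uses:
#   permit ip <src> <src-wildcard> <dst> <dst-wildcard>
PERMIT_RE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.

    IOS accepts a non-contiguous wildcard, but the proxy identity it produces
    is not a subnet and will never match what the peer proposes, so reject it.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF            # the wildcard is the inverted netmask
    prefix = bin(mask).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if mask != contiguous:
        raise ValueError(
            f"wildcard {wildcard} is not contiguous "
            f"(IOS displays it as mask {ipaddress.IPv4Address(mask)})"
        )
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_crypto_acl(text):
    """Parse the 'permit ip' lines of an ACL into (src, dst) network pairs."""
    entries = []
    for line in text.splitlines():
        m = PERMIT_RE.match(line)
        if m:
            src = wildcard_to_network(m.group(1), m.group(2))
            dst = wildcard_to_network(m.group(3), m.group(4))
            entries.append((src, dst))
    return entries


def mirror_problems(local, remote):
    """Every local (src, dst) pair must exist on the remote side as (dst, src)."""
    remote_mirrored = {(d, s) for s, d in remote}
    return [(s, d) for s, d in local if (s, d) not in remote_mirrored]


def endpoint_problems(entries, endpoints):
    """Flag entries whose proxy IDs contain a tunnel endpoint address.

    That pattern usually means the ACL names the WAN/link subnets (as in the
    post) rather than the LANs behind the routers.
    """
    problems = []
    for ep in endpoints:
        ip = ipaddress.IPv4Address(ep)
        for s, d in entries:
            if ip in s or ip in d:
                problems.append((ep, s, d))
    return problems


def mirror_acl(name, entries):
    """Emit the ACL the other side needs: the same pairs with src and dst swapped."""
    lines = [f"ip access-list extended {name}"]
    for s, d in entries:
        lines.append(f" permit ip {d.network_address} {d.hostmask} "
                     f"{s.network_address} {s.hostmask}")
    return "\n".join(lines)


# Tunnel endpoints from the posted configs (Fa0/0 on the 2801, Gi0/0 on the 2851).
TUNNEL_ENDPOINTS = ["40.197.68.9", "192.168.70.2"]

# ACLs exactly as posted in the question.
OFFICE_ACL_POSTED = "permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3"
HOME_ACL_POSTED = "permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248"

# Same ACLs with only the wildcard made contiguous (constructed variant).
OFFICE_ACL_WC_ONLY = "permit ip 40.197.68.0 0.0.0.7 192.168.70.0 0.0.0.3"
HOME_ACL_WC_ONLY = "permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.7"

# ACLs following the answer: LAN subnets only. 192.168.10.0/24 is the office
# LAN from the post; 192.168.50.0/24 is an assumed placeholder for the home LAN.
OFFICE_ACL_FIXED = "permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255"
HOME_ACL_FIXED = "permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255"


def audit(office_acl, home_acl, endpoints=TUNNEL_ENDPOINTS):
    """Return human-readable findings; an empty list means the pair looks sane."""
    try:
        office = parse_crypto_acl(office_acl)
        home = parse_crypto_acl(home_acl)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    for s, d in mirror_problems(office, home):
        findings.append(f"office entry {s} -> {d} has no mirror on the home side")
    for ep, s, d in endpoint_problems(office + home, endpoints):
        findings.append(f"tunnel endpoint {ep} lies inside interesting traffic {s} -> {d}")
    return findings


if __name__ == "__main__":
    for label, pair in [("as posted", (OFFICE_ACL_POSTED, HOME_ACL_POSTED)),
                        ("wildcard only", (OFFICE_ACL_WC_ONLY, HOME_ACL_WC_ONLY)),
                        ("LAN subnets", (OFFICE_ACL_FIXED, HOME_ACL_FIXED))]:
        print(f"[{label}]")
        for finding in audit(*pair) or ["no findings"]:
            print("  " + finding)
    print(mirror_acl("VPN-TRAFFIC", parse_crypto_acl(OFFICE_ACL_FIXED)))
```

The "wildcard only" variant is there to show that fixing the mask alone is not enough: the entries still mirror each other, but the home router's own Gi0/0 address 192.168.70.2 falls inside the 192.168.70.0/30 proxy ID, so the check still reports it. Only the LAN-to-LAN pair passes, and mirror_acl prints the matching ACL for the other router so the two sides cannot drift apart.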