VPN - no ping in Virtual Private Networking

VPN - no ping in Virtual Private Networking http://www.dslreports.com/forum/r22264578 en Sun, 22 Nov 2009 18:47:34 EDT Sun, 22 Nov 2009 18:47:34 EDT Re: VPN - no ping http://www.dslreports.com/forum/remark,22317359 robineq : yes the VPN is established but add this to the access-list doesn't solve the problem]]> http://www.dslreports.com/forum/remark,22317359 Thu, 30 Apr 2009 04:22:13 EDT Re: VPN - no ping http://www.dslreports.com/forum/remark,22309756 g3neration : If the VPN is established then right now it would seem like its just the traffic that is permitted. So on the 861, I would also allow traffic by doing:

access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255]]> http://www.dslreports.com/forum/remark,22309756 Tue, 28 Apr 2009 18:50:51 EDT Re: VPN - no ping http://www.dslreports.com/forum/remark,22300959 robineq : Hi!

I have two vpn on the cisco 861
Yes, I want one network permitted between 192.168.2.0 to 192.168.5.0 and vice versa... The vpn are connecting.
I can ping from netgear my add 79.xxx.xxx.xxx but not local 192.168.2.0, also I can't ping from cisco add 95.xxx.xxx.xxx ... ]]> http://www.dslreports.com/forum/remark,22300959 Mon, 27 Apr 2009 02:28:49 EDT Re: VPN - no ping http://www.dslreports.com/forum/remark,22298719 g3neration : Your interesting traffic for that should be going to the Netgear is defined by:

crypto map SDM_CMAP_1 2 ipsec-isakmp

Interesting traffic is being matched against access list 101. Access list 101 only has one network permitted which is 192.168.2.0 to 192.168.5.0. Is that the two networks you want? You might also want to allow traffic from 192.168.5.0 to 192.168.2.0.]]> http://www.dslreports.com/forum/remark,22298719 Sun, 26 Apr 2009 15:38:06 EDT VPN - no ping http://www.dslreports.com/forum/remark,22264578 robineq : Hi!

I have a problem with VPN between 79.xxx (Cisco 861) and 95.xxx (Netgear FVS318) connection is set but there is no ping to local network.

Please help or suggestions.

CISCO 861:
Building configuration...
Current configuration : 7982 bytes
!
version 12.4
username xxx privilege 15 secret 5 $1$2jm/$McHxNl6f/uhr55FK1Bx2o/
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key 1xxxxxxxxxxxxxx address 212.xxx.102.xxx
crypto isakmp key ixxxxxxxxxxxxxx address 95.xxx.xxx.xxx
!
!
crypto ipsec transform-set gre esp-3des esp-sha-hmac
crypto ipsec transform-set serwis esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 212.xxx.100.xxx
set peer 212.xxx.102.xxx
set transform-set gre
set pfs group2
match address 112
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 95.xxx.xxx.xxx
set peer 95.xxx.xxx.xxx
set transform-set serwis
set pfs group2
match address 101
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.252
tunnel source FastEthernet4
tunnel destination 212.xxx.100.xxx
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 79.xxx.xxx.xxx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 79.xxx.xxx.xxx 15
ip route 79.xxx.xxx.xxx 255.255.255.248 FastEthernet4
ip route 192.168.2.0 255.255.255.0 Vlan1
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 192.168.1.2
ip route 192.168.4.0 255.255.255.0 192.168.1.2
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit gre host 79.xxx.xxx.xxx host 212.xxx.100.xxx
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 112 remark CCP_ACL Category=4
access-list 112 permit ip host 79.xxx.xxx.xxx host 212.xxx.100.xxx
access-list 112 permit icmp host 79.xxx.xxx.xxx host 212.xxx.100.xxx
access-list 112 permit icmp host 79.xxx.xxx.xxx host 192.168.4.0
access-list 112 permit icmp host 79.xxx.xxx.xxx host 192.168.3.0
access-list 112 permit ip host 79.xxx.xxx.xxx host 192.168.3.0
access-list 112 permit ip host 79.xxx.xxx.xxx host 192.168.4.0
no cdp run

route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map SDM_RMAP_1 permit 2
match ip address 101
!

NETGEAR FVS318:

log's:
[2009-04-20 06:43:38]**** AGGRESSIVE MODE COMPLETED ****
[2009-04-20 06:43:38][==== IKE PHASE 2(to 79.xxx.xxx.xxx) START (initiator) ====]
[2009-04-20 06:43:39]**** SENT OUT FIRST MESSAGE OF QUICK MODE ****
[2009-04-20 06:43:39]Initiator IPADDR=192.168.5.0,PORT=0
[2009-04-20 06:43:39]Responder IPADDR=192.168.2.0,PORT=0
[2009-04-20 06:43:39]**** RECEIVED SECOND MESSAGE OF QUICK MODE ****
[2009-04-20 06:43:39] PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2009-04-20 06:43:39] PAYLOADS: HASH
[2009-04-20 06:43:39]**** SENT OUT THIRD MESSAGE OF QUICK MODE ****
[2009-04-20 06:43:41]**** QUICK MODE COMPLETED ****
[2009-04-20 06:43:41][==== IKE PHASE 2 ESTABLISHED====]
[2009-04-20 07:42:33][==== IKE PHASE 2(from 79.xxx.xxx.xxx) START (responder) ====]
[2009-04-20 07:42:33]**** RECEIVED FIRST MESSAGE OF QUICK MODE ****
[2009-04-20 07:42:33] PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2009-04-20 07:42:33]**** FOUND IDs,EXTRACT ID INFO ****
[2009-04-20 07:42:33]Initiator IPADDR=192.168.2.0 MASK=255.255.255.0
[2009-04-20 07:42:33]Responder IPADDR=192.168.5.0 MASK=255.255.255.0
[2009-04-20 07:42:34]**** SENT OUT SECOND MESSAGE OF QUICK MODE ****
[2009-04-20 07:42:34]**** RECEIVED THIRD MESSAGE OF QUICK MODE ****
[2009-04-20 07:42:34] PAYLOADS: HASH
[2009-04-20 07:42:36]**** QUICK MODE COMPLETED ****
[2009-04-20 07:42:36][==== IKE PHASE 2 ESTABLISHED====]
[2009-04-20 07:42:42]DISCARDING RETRANSMITTED PACKET...
[2009-04-20 07:42:46]DISCARDING RETRANSMITTED PACKET...
[2009-04-20 07:42:52]DISCARDING RETRANSMITTED PACKET...
[2009-04-20 07:43:26]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-20 07:43:45] PAYLOADS: HASH,DEL]]> http://www.dslreports.com/forum/remark,22264578 Mon, 20 Apr 2009 03:07:21 EDT