Forums » Up and Running » Virtual Private Networking » VPN - no ping

robineq

join:2009-04-20
Arlington, VA


1 edit
 VPN - no ping

Hi!

I have a problem with a VPN between 79.xxx (Cisco 861) and 95.xxx (Netgear FVS318). The connection is set up, but there is no ping to the local network.

Please help, or give suggestions.

CISCO 861:
Building configuration...
Current configuration : 7982 bytes
!
version 12.4
username xxx privilege 15 secret 5 $1$2jm/$McHxNl6f/uhr55FK1Bx2o/
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key 1xxxxxxxxxxxxxx address 212.xxx.102.xxx
crypto isakmp key ixxxxxxxxxxxxxx address 95.xxx.xxx.xxx
!
!
crypto ipsec transform-set gre esp-3des esp-sha-hmac
crypto ipsec transform-set serwis esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 212.xxx.100.xxx
set peer 212.xxx.102.xxx
set transform-set gre
set pfs group2
match address 112
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 95.xxx.xxx.xxx
set peer 95.xxx.xxx.xxx
set transform-set serwis
set pfs group2
match address 101
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.252
tunnel source FastEthernet4
tunnel destination 212.xxx.100.xxx
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 79.xxx.xxx.xxx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 79.xxx.xxx.xxx 15
ip route 79.xxx.xxx.xxx 255.255.255.248 FastEthernet4
ip route 192.168.2.0 255.255.255.0 Vlan1
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 192.168.1.2
ip route 192.168.4.0 255.255.255.0 192.168.1.2
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit gre host 79.xxx.xxx.xxx host 212.xxx.100.xxx
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 112 remark CCP_ACL Category=4
access-list 112 permit ip host 79.xxx.xxx.xxx host 212.xxx.100.xxx
access-list 112 permit icmp host 79.xxx.xxx.xxx host 212.xxx.100.xxx
access-list 112 permit icmp host 79.xxx.xxx.xxx host 192.168.4.0
access-list 112 permit icmp host 79.xxx.xxx.xxx host 192.168.3.0
access-list 112 permit ip host 79.xxx.xxx.xxx host 192.168.3.0
access-list 112 permit ip host 79.xxx.xxx.xxx host 192.168.4.0
no cdp run

route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map SDM_RMAP_1 permit 2
match ip address 101
!

NETGEAR FVS318:





logs:
[2009-04-20 06:43:38]**** AGGRESSIVE MODE COMPLETED ****
[2009-04-20 06:43:38][==== IKE PHASE 2(to 79.xxx.xxx.xxx) START (initiator) ====]
[2009-04-20 06:43:39]**** SENT OUT FIRST MESSAGE OF QUICK MODE ****
[2009-04-20 06:43:39]Initiator IPADDR=192.168.5.0,PORT=0
[2009-04-20 06:43:39]Responder IPADDR=192.168.2.0,PORT=0
[2009-04-20 06:43:39]**** RECEIVED SECOND MESSAGE OF QUICK MODE ****
[2009-04-20 06:43:39] PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2009-04-20 06:43:39] PAYLOADS: HASH
[2009-04-20 06:43:39]**** SENT OUT THIRD MESSAGE OF QUICK MODE ****
[2009-04-20 06:43:41]**** QUICK MODE COMPLETED ****
[2009-04-20 06:43:41][==== IKE PHASE 2 ESTABLISHED====]
[2009-04-20 07:42:33][==== IKE PHASE 2(from 79.xxx.xxx.xxx) START (responder) ====]
[2009-04-20 07:42:33]**** RECEIVED FIRST MESSAGE OF QUICK MODE ****
[2009-04-20 07:42:33] PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2009-04-20 07:42:33]**** FOUND IDs,EXTRACT ID INFO ****
[2009-04-20 07:42:33]Initiator IPADDR=192.168.2.0 MASK=255.255.255.0
[2009-04-20 07:42:33]Responder IPADDR=192.168.5.0 MASK=255.255.255.0
[2009-04-20 07:42:34]**** SENT OUT SECOND MESSAGE OF QUICK MODE ****
[2009-04-20 07:42:34]**** RECEIVED THIRD MESSAGE OF QUICK MODE ****
[2009-04-20 07:42:34] PAYLOADS: HASH
[2009-04-20 07:42:36]**** QUICK MODE COMPLETED ****
[2009-04-20 07:42:36][==== IKE PHASE 2 ESTABLISHED====]
[2009-04-20 07:42:42]DISCARDING RETRANSMITTED PACKET...
[2009-04-20 07:42:46]DISCARDING RETRANSMITTED PACKET...
[2009-04-20 07:42:52]DISCARDING RETRANSMITTED PACKET...
[2009-04-20 07:43:26]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-20 07:43:45] PAYLOADS: HASH,DEL

g3neration

join:2005-11-04
Brooklyn, NY

Your interesting traffic that should be going to the Netgear is defined by:

crypto map SDM_CMAP_1 2 ipsec-isakmp

Interesting traffic is being matched against access list 101. Access list 101 only has one network permitted which is 192.168.2.0 to 192.168.5.0. Is that the two networks you want? You might also want to allow traffic from 192.168.5.0 to 192.168.2.0.

robineq

join:2009-04-20
Arlington, VA

reply to robineq
Hi!

I have two VPNs on the Cisco 861.
Yes, I want one network permitted between 192.168.2.0 and 192.168.5.0 and vice versa... The VPNs are connecting.
I can ping my address 79.xxx.xxx.xxx from the Netgear, but not the local 192.168.2.0; also, I can't ping the address 95.xxx.xxx.xxx from the Cisco ...

g3neration

join:2005-11-04
Brooklyn, NY
reply to robineq
If the VPN is established, then right now it would seem like it's just the traffic that is permitted. So on the 861, I would also allow traffic by doing:

access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255

robineq

join:2009-04-20
Arlington, VA

1 edit
reply to robineq
Yes, the VPN is established, but adding this to the access list doesn't solve the problem.
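A check a practitioner would run next on the posted 861 config, as an added example that is not from any poster in this thread: on IOS, inside-to-outside NAT is applied before the crypto map, so if the NAT route-map (SDM_RMAP_1) translates 192.168.2.0/24 to 192.168.5.0/24 traffic, the packets no longer match crypto ACL 101 and never enter the tunnel even though IKE phase 2 is up. The script embeds a constructed excerpt of the posted lines and reports every crypto-ACL flow that the NAT route-map would translate first.

```python
# Added check: on IOS, inside-to-outside NAT runs before the crypto map is evaluated,
# so a NAT rule that matches a crypto ACL's flow translates it before it can be encrypted.
import ipaddress
import re

# Constructed excerpt of the 861 config posted above (only the lines this check reads).
CONFIG = """
crypto map SDM_CMAP_1 2 ipsec-isakmp
 match address 101
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 100
route-map SDM_RMAP_1 permit 2
 match ip address 101
"""

def _net(toks):
    """Consume one ACL address spec (any | host A | A WILDCARD); IOS shows 'A 0.0.0.0' as 'host A'."""
    t = toks.pop(0)
    if t in ("any", "host"):
        return ipaddress.ip_network("0.0.0.0/0" if t == "any" else toks.pop(0))
    return ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)  # wildcard == hostmask
def parse_acls(config):
    """ACL number -> ordered [(action, src, dst)] for the plain 'ip' entries."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny) ip (.+)$", config, re.M):
        toks = m.group(3).split()
        acls.setdefault(int(m.group(1)), []).append((m.group(2), _net(toks), _net(toks)))
    return acls
def nat_acls(config):
    """ACLs named by the permit clauses of the interface NAT route-map, in clause order."""
    name = re.search(r"^ip nat inside source route-map (\S+)", config, re.M).group(1)
    pat = rf"^route-map {name} permit \d+\n\s*match ip address (\d+)"
    return [int(n) for n in re.findall(pat, config, re.M)]

def nat_before_crypto(config):
    """(crypto_acl, src, dst, nat_acl) for each crypto-ACL flow NAT would translate first."""
    acls, hits = parse_acls(config), []
    for cacl in map(int, re.findall(r"^\s*match address (\d+)$", config, re.M)):
        for action, src, dst in acls.get(cacl, []):
            for nacl in (nat_acls(config) if action == "permit" else []):
                # first NAT ACL entry covering the flow decides: permit = translate, deny = exempt
                verdict = next((a for a, s, d in acls.get(nacl, [])
                                if src.subnet_of(s) and dst.subnet_of(d)), None)
                if verdict == "permit":
                    hits.append((cacl, str(src), str(dst), nacl))
                if verdict:
                    break
    return hits
```

On the excerpt, nat_before_crypto reports the 192.168.2.0/24 to 192.168.5.0/24 flow as caught by ACL 100's permit-any, which is the first thing to rule out when the SA is established but nothing crosses it. Inserting `deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255` ahead of that permit and dropping route-map clause 2 (an assumed fix, not one the thread reaches) makes it return an empty list.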
© 1999-2009 dslreports.com.