Cisco 837 IPSEC Linksys WAG54g

Subject Author Date
Cisco 837 IPSEC Linksys WAG54g Systematic 07-11-2005
Posted by Systematic on July 11, 2005, 4:37 pm
Has anyone successfully managed to set up an IPSEC tunnel with a Cisco
router and Linksys WAG54g ?

As I have managed to establish an actual tunnel but nothing will route
between the networks. Can't ping machines at either end.

Any ideas ?




Posted by Uli Link on July 11, 2005, 5:51 pm
Systematic wrote:

> Has anyone successfully managed to set up an IPSEC tunnel with a Cisco
> router and Linksys WAG54g ?

Not a Linksys WAG54g, but Allnet 1294VPN and Netgear FVS318 and Safenet
Softremote IPsec client (and other Cisco IOS routers)
Don't have a 837, but a 836 instead ;-)

> As I have managed to establish an actual tunnel but nothing will route
> between the networks. Can't ping machines at either end.
> Any ideas ?

Yes. But there are many traps with FW, NAT, ACLs and the routing table.
Describe your setup a little closer.

--
Uli



Posted by Systematic on July 11, 2005, 5:04 pm
Well have a Cisco 837 at one end of connection on 192.168.0.0 with NAT
running on the internal range.

Other end has Linksys WAG54g 192.168.1.0 also with NAT.

I can see the tunnel establish under the connections screen on the Linksys
and also when debug on the Cisco router.

But when trying to ping either end just get no replies from either end.

Do you have an example of a configuration you have got working successfully?

Thanks
Matt

> Systematic wrote:
>
>> Has anyone successfully managed to set up an IPSEC tunnel with a Cisco
>> router and Linksys WAG54g ?
>
> Not a Linksys WAG54g, but Allnet 1294VPN and Netgear FVS318 and Safenet
> Softremote IPsec client (and other Cisco IOS routers)
> Don't have a 837, but a 836 instead ;-)
>
>> As I have managed to establish an actual tunnel but nothing will route
>> between the networks. Can't ping machines at either end.
>> Any ideas ?
>
> Yes. But there are many traps with FW, NAT, ACLs and the routing table.
> Describe your setup a little closer.
>
> --
> Uli
>




Posted by Uli Link on July 11, 2005, 6:41 pm
Systematic wrote:

> Well have a Cisco 837 at one end of connection on 192.168.0.0 with NAT
> running on the internal range.
>
> Other end has Linksys WAG54g 192.168.1.0 also with NAT.

So you have to exclude traffic from 192.168.0.0/24 to 192.168.1.0/24 from
being NATted.


> I can see the tunnel establish under the connections screen on the Linksys
> and also when debug on the Cisco router.

What do you mean by "see tunnel establish"?
You'll need one SA for the IKE and two SAs for the dataflow in each
direction.

> But when trying to ping either end just get no replies from either end.
>

When using ping from exec of the Cisco you'll need to specify
"ping tag 192.168.1.1 source Ethernet0"

> Do you have an example of a configuration you have got working successfully

The following works for me with dynamic IPs on both sides.
It is easier when you restrict by known WAN IP address, or at least a
range of addresses for the preshared key.
3DES-SHA1 with PFS/DH group 2

!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key YourPreSharedKey address 0.0.0.0 0.0.0.0 no-xauth
!
crypto isakmp identity hostname
!
crypto ipsec transform-set tfs-3des esp-3des esp-sha-hmac
!
crypto identity id-list-100
 description FQDN-OF-REMOTE-SITE
 fqdn yourremote-fqdn.domainname.dom
!
crypto map your_cmap_1 10 ipsec-isakmp
 description YOUR-IPSEC-TUNNEL
 set peer yourremote-fqdn.domainname.dom dynamic
 set security-association lifetime kilobytes 256000
 set security-association lifetime seconds 28800
 set transform-set tfs-3des
 set pfs group2
 set identity id-list-100
 match address 120
 reverse-route
!
interface Dialer 0
 crypto map your_cmap_1
!
ip nat inside source route-map NAT_ROUTEMAP interface Dialer0 overload
!
!
route-map NAT_ROUTEMAP permit 1
 match ip address 102
!
access-list 102 remark First exclude IPsec Tunnel from natting
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark Now the traffic being natted
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
!
access-list 120 remark Traffic matching will be protected
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!

If it won't work with the Linksys, try using MD5 instead of SHA1 and
perhaps turning off PFS. If you want AES instead of 3DES you'll need to
turn off hardware encryption.

--
Uli
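
Added example, not part of the thread or of the posted configuration: a small Python evaluator for access lists 102 and 120 above, showing why the deny entry in ACL 102 has to come before the permit. It assumes the IOS outbound order of NAT before the crypto map check; the function names and result labels are invented for illustration.

```python
import ipaddress

# Constructed input: the access-list lines copied from the configuration in the post above.
CONFIG = """\
access-list 102 remark First exclude IPsec Tunnel from natting
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, care_mask) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(tok)), ~wildcard & 0xFFFFFFFF

def parse_acls(text):
    """Return {acl_number: [(action, src, dst), ...]} for 'ip' entries, in order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            rest = t[4:]
            src, dst = _take_addr(rest), _take_addr(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def _hit(addr, spec):
    return (int(ipaddress.IPv4Address(addr)) & spec[1]) == (spec[0] & spec[1])

def acl_action(entries, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, s, d in entries:
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

def classify(acls, src, dst, nat_acl="102", crypto_acl="120"):
    """Outbound treatment of a packet: NAT is applied first, then the crypto map."""
    natted = acl_action(acls.get(nat_acl, []), src, dst) == "permit"
    wanted = acl_action(acls.get(crypto_acl, []), src, dst) == "permit"
    if wanted and natted:
        return "nat-breaks-tunnel"  # source rewritten, so ACL 120 no longer matches
    return "tunnel" if wanted else ("nat" if natted else "plain")
```

With the deny line removed from ACL 102, LAN-to-LAN traffic is classified as "nat-breaks-tunnel", which is the symptom described in the thread: SAs come up but no traffic passes.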


