topic Re: Multiple vlans over IPSEC VPN Tunnel in Network Security

Multiple vlans over IPSEC VPN Tunnel

dlandriscinaclg — Fri, 21 Feb 2020 09:59:48 GMT

Hi , I have 2 Cisco 1811 routers with the advanced ip svc ios set on it. I currently have it running with everything communicating properly but I need to add another VLAN to each router and cant get it to recognize.. here is the set up

R1 Vlan1 is 10.10.10.0/24 network

R2 Vlan1 is 10.10.20.0/24 network

over IPSEC VPN Tunnel

I need to add a Vlan2 10.7.1.0/24 network on R1

and Vlan2 10.7.2.0/24 network on R2 and have them work over this tunnel.

I already created the VLAN's in the vlan data base and gave them addresses of 10.7.1.1 and 10.7.2.1 respectively. What else am I missing.. I am positive I configured the access lists wrong or something?

Please help!

Thank you

Domenick

Re: Multiple vlans over IPSEC VPN Tunnel

andrew.prince — Fri, 25 Apr 2008 09:55:39 GMT

Domenick,

Can you supply the configs please? with sensitive information removed of course!

Re: Multiple vlans over IPSEC VPN Tunnel

dlandriscinaclg — Fri, 25 Apr 2008 13:33:05 GMT

Absolutely.. here go thank you very much!

Re: Multiple vlans over IPSEC VPN Tunnel

andrew.prince — Fri, 25 Apr 2008 13:47:20 GMT

Do you only want the new VLAN's to talk to each other over the VPN or do you want VLAN 1 on both sites to be able to route also?

Re: Multiple vlans over IPSEC VPN Tunnel

dlandriscinaclg — Fri, 25 Apr 2008 15:53:31 GMT

yes I need both vlan1 and vlan2 to route over the vpn.

Re: Multiple vlans over IPSEC VPN Tunnel

andrew.prince — Sat, 26 Apr 2008 08:27:04 GMT

I would add:-

R1-AVEX>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

ip access-list extended SDM_2

remark SDM_ACL Category=4

remark IPSec Rule

permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

remark IPSec Rule

permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

ADD to the above ACL the below:-

permit 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255

permit 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255

access-list 101 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255

R2-57st>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

ip access-list extended SDM_2

remark SDM_ACL Category=4

remark IPSec Rule

permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

remark IPSec Rule

permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255

ADD to the above ACL the below:-

permit 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255

permit 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255

Re: Multiple vlans over IPSEC VPN Tunnel

dlandriscinaclg — Mon, 28 Apr 2008 19:28:02 GMT

I added all ACL's described but unfortunately I am unable to ping any host from the 10.10.10.0 network to the 10.7.2.0 network or back and forth.

Re: Multiple vlans over IPSEC VPN Tunnel

andrew.prince — Mon, 28 Apr 2008 21:13:45 GMT

are the ACL's being hit? Provide output of "show access-list"

Can you see the IPSEC SA with the new ACL's in them? Provide output of "sh crypto ipsec sa"

Re: Multiple vlans over IPSEC VPN Tunnel

dlandriscinaclg — Mon, 28 Apr 2008 22:49:02 GMT

Here is the output you requested.

Thank you!

Re: Multiple vlans over IPSEC VPN Tunnel

andrew.prince — Tue, 29 Apr 2008 07:33:44 GMT

The encryption domans are in the IPSE SA = Good. no packets encrypted or decrypted = Bad.

The ACL's for the "interesting traffic" are not being hit = bad, BUT I did notice you are performing some NAT with route maps.

Add "ip nat inside" to the vlan 2 interfaces on both sites.

Re: Multiple vlans over IPSEC VPN Tunnel

dlandriscinaclg — Tue, 29 Apr 2008 13:22:14 GMT

i added the ip nat inside and seems that there is some activity going on... i still cant ping a host on either network from either router.. but then again i cant ping any host from any router on opposite sides.. any insight into that?

i have attached the output of the show access-list command and the show crypto again

Re: Multiple vlans over IPSEC VPN Tunnel

andrew.prince — Tue, 29 Apr 2008 13:52:12 GMT

The acl's are being hit, you are no longer nat'ing the IP to IP internal. The crypto Sa looks OK - apart from some packet number mis-match.

What debugging have you done? Have you performed any trace routes? have you debuged the IP NAT? Have you debugged any ICMP - all these will give an idea on what could be the issue.

You may want to try clearing down the IPSEC VPN and let the routers form a new one, this sometimes helps.