Site to Site VPN ISSUE

dissai
Level 1

Hello Community

I was creating a site-to-site VPN, but it failed to come up for an unknown reason. I kindly ask for help.

I have two sites. One is Site-A and the second is Site-B.

At Site A I have NATed the host PC 10.1.1.10 to 200.1.1.25. When I tried to initiate ICMP from Site B 10.2.2.10 to 200.1.1.25, I'm getting host not reachable. See my attached running configuration for help.


*10.2.2.254 icmp_seq=1069 ttl=255 time=0.391 ms (ICMP type:3, code:1, Destination host unreachable)
*10.2.2.254 icmp_seq=1070 ttl=255 time=0.617 ms (ICMP type:3, code:1, Destination host unreachable)
*10.2.2.254 icmp_seq=1071 ttl=255 time=0.696 ms (ICMP type:3, code:1, Destination host unreachable)
*10.2.2.254 icmp_seq=1072 ttl=255 time=0.538 ms (ICMP type:3, code:1, Destination host unreachable)


Friend,
you need a Loopback and to enable NAT to make it work.
NAT before forwarding traffic via IPsec is not supported in IOS unless we use a Lo, where we direct the traffic to the Lo (NATing there) and then pass it through the tunnel.
MHM

Thanks for the response.
Kindly please assist by sharing a sample configuration as a guide on how to do it.
Thank you

Can I know the routers at both VPN tunnel heads?
Are they IOS or IOS XE?
MHM

See the attached configuration template that I was trying to simulate.


There is no attachment,
but I will make it simple for you:
LAN1-Router1-Internet-Router2-LAN2
Now we need to NAT LAN1 to another subnet before passing it through the IPsec VPN:
we config a Lo in R1
we config PBR that directs traffic from LAN1 to LAN2 to the Lo
we config the Lo with ip nat enable
we config the LAN1 interface with ip nat enable
we config the NATing

The traffic from LAN1 now goes to the Lo, then it is NATed, then it is forwarded through the tunnel.
MHM
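The loopback-plus-PBR arrangement MHM outlines, written out as an added Site-A configuration for illustration (not MHM's or the poster's own config). Loopback0's address, the route-map name and the VPN-HOST ACL name are assumed; the 10.1.1.10 to 200.1.1.25 translation, ACL 122 and the interface roles come from the configuration posted later in this thread.

```cisco
! Added example, not from the original post: Site A with NAT performed on a
! loopback (NVI / "ip nat enable" style) before the packet reaches the crypto map.
! Assumed: Loopback0 address, route-map name TO-LOOPBACK, ACL name VPN-HOST.
!
interface Loopback0
 description NAT hop for VPN-bound traffic
 ip address 192.0.2.1 255.255.255.255
 ip nat enable
!
interface GigabitEthernet1
 description OUTSIDE
 ip address 30.0.0.2 255.255.255.0
 ip nat enable
 crypto map VPN
!
interface GigabitEthernet2
 description INSIDE
 ip address 10.1.1.254 255.255.255.0
 ip nat enable
 ip policy route-map TO-LOOPBACK
!
! Only the host's traffic towards the remote LAN is steered to the loopback.
ip access-list extended VPN-HOST
 10 permit ip host 10.1.1.10 10.2.2.0 0.0.0.255
!
route-map TO-LOOPBACK permit 10
 match ip address VPN-HOST
 set interface Loopback0
!
! Domain-less (NVI) translations replace the "ip nat inside source" lines;
! every interface that takes part in NAT carries "ip nat enable" instead of
! "ip nat inside/outside", as the two NAT modes should not be mixed.
ip nat source static 10.1.1.10 200.1.1.25
ip nat source list 122 interface GigabitEthernet1 overload
!
! IOS translates inside-to-outside traffic before it is checked against the
! crypto map, so the crypto ACL must match the translated source. Site B's
! ACL 101 has to mirror it as the destination:
!   10 permit ip 10.2.2.0 0.0.0.255 host 200.1.1.25
ip access-list extended 101
 10 permit ip host 200.1.1.25 10.2.2.0 0.0.0.255
!
! Verification: "show ip nat nvi translations" should list 10.1.1.10 -> 200.1.1.25,
! and "show crypto ipsec sa" should show the encrypt/decrypt counters increasing.
```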

Hello MHM,

See my configuration, which I decided to share so that you can have more visibility to assist me.

SITE-A
-------------------------------------------------
!
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
crypto isakmp key eve address 40.0.0.2
!
!
crypto ipsec transform-set TS esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto map VPN 10 ipsec-isakmp
set peer 40.0.0.2
set transform-set TS
match address 101
!
!
!
!
!
!
!
!
interface GigabitEthernet1
description OUTSIDE
ip address 30.0.0.2 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
crypto map VPN
!
interface GigabitEthernet2
description INSIDE
ip address 10.1.1.254 255.255.255.0
ip nat inside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static 10.1.1.10 200.1.1.25 route-map nonat
ip nat inside source list 122 interface GigabitEthernet1 overload
!
!
ip access-list extended 101
10 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip access-list extended 122
10 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
20 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended 150
10 deny ip host 10.1.1.10 10.2.2.0 0.0.0.255
20 permit ip host 10.1.1.10 any
!
!
route-map nonat permit 10
match ip address 150
!
!
!


SITE-B
----------------------------------------------------------

!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
crypto isakmp key eve address 30.0.0.2
!
!
crypto ipsec transform-set TS esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto map VPN 10 ipsec-isakmp
set peer 30.0.0.2
set transform-set TS
match address 101
!
!
!
!
!
!
!
!
interface GigabitEthernet1
ip address 40.0.0.2 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
crypto map VPN
!
interface GigabitEthernet2
ip address 10.2.2.254 255.255.255.0
ip nat inside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 175 interface GigabitEthernet2 overload
!
!
ip access-list extended 101
10 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended 175
10 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
20 permit ip 10.2.2.0 0.0.0.255 any
!
!
!
!

ISP
------------------------------------------------------------------------------

!
!
!
interface GigabitEthernet1
ip address 30.0.0.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 40.0.0.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login


In the Site-A router, can you add
ip nat enable

under any Loopback interface?

MHM