cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8021
Views
0
Helpful
11
Replies

Multiple vlans over IPSEC VPN Tunnel

dlandriscinaclg
Level 1
Level 1

Hi , I have 2 Cisco 1811 routers with the advanced ip svc ios set on it. I currently have it running with everything communicating properly but I need to add another VLAN to each router and cant get it to recognize.. here is the set up

R1 Vlan1 is 10.10.10.0/24 network

R2 Vlan1 is 10.10.20.0/24 network

over IPSEC VPN Tunnel

I need to add a Vlan2 10.7.1.0/24 network on R1

and Vlan2 10.7.2.0/24 network on R2 and have them work over this tunnel.

I already created the VLAN's in the vlan data base and gave them addresses of 10.7.1.1 and 10.7.2.1 respectively. What else am I missing.. I am positive I configured the access lists wrong or something?

Please help!

Thank you

Domenick

11 Replies 11

andrew.prince
Level 10
Level 10

Domenick,

Can you supply the configs please? with sensitive information removed of course!

Absolutely.. here go thank you very much!

Do you only want the new VLAN's to talk to each other over the VPN or do you want VLAN 1 on both sites to be able to route also?

yes I need both vlan1 and vlan2 to route over the vpn.

I would add:-

R1-AVEX>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

!

ip access-list extended SDM_2

remark SDM_ACL Category=4

remark IPSec Rule

permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

remark IPSec Rule

permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

ADD to the above ACL the below:-

permit 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255

permit 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255

!

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255

access-list 101 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255

R2-57st>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

!

ip access-list extended SDM_2

remark SDM_ACL Category=4

remark IPSec Rule

permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

remark IPSec Rule

permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255

!

ADD to the above ACL the below:-

permit 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255

permit 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255

I added all ACL's described but unfortunately I am unable to ping any host from the 10.10.10.0 network to the 10.7.2.0 network or back and forth.

are the ACL's being hit? Provide output of "show access-list"

Can you see the IPSEC SA with the new ACL's in them? Provide output of "sh crypto ipsec sa"

Here is the output you requested.

Thank you!

The encryption domans are in the IPSE SA = Good. no packets encrypted or decrypted = Bad.

The ACL's for the "interesting traffic" are not being hit = bad, BUT I did notice you are performing some NAT with route maps.

Add "ip nat inside" to the vlan 2 interfaces on both sites.

i added the ip nat inside and seems that there is some activity going on... i still cant ping a host on either network from either router.. but then again i cant ping any host from any router on opposite sides.. any insight into that?

i have attached the output of the show access-list command and the show crypto again

The acl's are being hit, you are no longer nat'ing the IP to IP internal. The crypto Sa looks OK - apart from some packet number mis-match.

What debugging have you done? Have you performed any trace routes? have you debuged the IP NAT? Have you debugged any ICMP - all these will give an idea on what could be the issue.

You may want to try clearing down the IPSEC VPN and let the routers form a new one, this sometimes helps.

Review Cisco Networking for a $25 gift card