09-26-2018 07:34 AM - edited 03-05-2019 10:56 AM
09-26-2018 08:24 AM
Hello,
have you set up a split tunnel access list? Can you post the configuration of your routers (you have 2 877s and 1 ISR)?
09-26-2018 02:37 PM
Rich
There is not quite enough detail here for us to understand the problem or to give you good advice. Can you clarify some things? Does the vpn terminate on the front (Internet facing) 877 or on the back (private) 877? What kind of vpn is it (just IPSEC, GRE with IPSEC, VTI)? Can you verify if there is IP connectivity between the peer address of the ISR and the peer address of the 877? Can you post the crypto configuration of both routers?
HTH
Rick
09-28-2018 08:34 AM - edited 09-28-2018 12:44 PM
Hi,
Configs are attached as requested.
There is IP connectivity over the internet between the two ISRs, one at each of our HQ sites and the gateway 877. We're using IPSEC with VTI.
Thanks,
Rich
09-28-2018 08:35 AM
Hi,
I didn't consider using split tunnel as won't that give all of my users local internet breakout? Also, I need to keep all of the guest users completely segregated from my corporate users.
I've posted the configs below; these are for the two 877s.
Thanks,
Rich
09-28-2018 08:51 AM
Hello,
I cannot figure out your setup. None of your routers has any NAT-enabled interfaces...? But there is a static NAT statement in your 'gateway' router?
Can you post a brief schematic drawing so that we can see what is connected to what?
09-28-2018 11:53 AM
Oh, of course, I missed that! I'll post updated configs and a schematic when I'm back in the office on Monday.
If it helps, Dialer1 on the gateway router would be NAT outside and VLAN1 would be NAT inside.
Sorry I'm not making more sense, I'm primarily a server guy :D
09-28-2018 12:09 PM - edited 09-28-2018 12:18 PM
Rich
Thanks for the additional information. It is good to see the configs but since they seem to be incomplete it is hard to know what is really going on. And since you have used x.x.x.x for both tunnels for both source address and destination address it is hard to know what is going on - and is a bit odd since you left the public IPs in the isakmp key commands. So we can probably guess that these are the destination address. So what is the source address of each tunnel?
I see that both routers in the OSPF section have network statements for the subnets of both tunnels and for the local lan. And they also do redistribute connected. I am a bit concerned that this will result in the tunnel source interface being advertised through the ospf to the remote peer, which would seem that it might create problems with recursive routing.
On both routers would you post output of these commands:
show ip ospf
show ip ospf interface
show ip ospf neighbor
show ip route
Also it would be helpful to see at least the crypto parts of the ISR routers.
HTH
Rick
[edit] Also I notice that neither of the routers has a configured default route. Are they learning a default route via OSPF, or what?
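The recursive-routing risk Rick raises above, shown as an added IOS configuration sketch (this is not Rick's config, not the poster's attached configs, and not Cisco documentation). It assumes Dialer1 is the tunnel source on the gateway router, Tunnel0 is the VTI, OSPF process 1, and addresses from the documentation ranges (192.0.2.0/24 for the LAN, 198.51.100.0/30 for the tunnel); the route-map name is made up. The same shape applies on the peer, since the ISR leaking its own WAN prefix into OSPF has the same effect in the other direction.

```cisco
! Added illustration only: assumed names and addresses, see lead-in.
!
! --- Problematic shape: "redistribute connected" also injects the Dialer1
! --- (tunnel source) prefix into OSPF, so the remote peer learns the path to
! --- this router's public address *through* Tunnel0, i.e. a route to the
! --- tunnel endpoint that itself depends on the tunnel being up.
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 network 198.51.100.0 0.0.0.3 area 0
 redistribute connected subnets
!
! --- Safer shape: filter the tunnel source interface out of redistribution
! --- and give the router an explicit default route so the peer address is
! --- always reached over the WAN, never over the tunnel.
route-map NO-TUNNEL-SOURCE deny 10
 match interface Dialer1
route-map NO-TUNNEL-SOURCE permit 20
!
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 network 198.51.100.0 0.0.0.3 area 0
 redistribute connected subnets route-map NO-TUNNEL-SOURCE
!
ip route 0.0.0.0 0.0.0.0 Dialer1
```

To check for the problem with the commands Rick asks for: `show ip route <peer public address>` should resolve via Dialer1 (or the default route), not via Tunnel0, and `show ip ospf interface` should not list the tunnel source interface. When the recursion does occur, IOS shuts the tunnel with a `%TUN-5-RECURDOWN` log message ("temporarily disabled due to recursive routing") and the tunnel flaps as the route alternates, which matches an intermittently failing VTI.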
09-29-2018 02:49 AM
09-29-2018 08:55 AM - edited 09-29-2018 08:55 AM
Rich
I understand the need to protect sensitive information. But giving addresses as x.x.x.x makes it extremely challenging to try to understand what is going on. We need to be able to assess some things about the address, such as is the address the address of a local interface, or if there are access list entries is there an entry about this address, or if there is routing information does that information relate to that address, or do the references to the address in this config match to references in other configs (especially to be sure that the configs of both peers use the same addresses in complementary ways). One suggestion might be to post addresses changing the digits in one of the octets, so that the posted addresses do not point at you - and to state clearly in posting the config that the addresses have been altered.
HTH
Rick