877 Router VPN Tunneling

Rich549
Level 1
Hi, I'm trying to use one 877 router as an ADSL gateway, just supplying a WAN connection to a backend 877 router that needs to speak to my ISR back at HQ in order to form a VPN tunnel. Normally we have these directly connected but I need to have a separate guest network to allow guest access to the internet whilst keeping my segregate corporate VPN isolated. I've tried setting up NAT on the gateway, assigning a public IP to the internal IP of the backend router and then using vlan2 on FE0 on both routers to try and route between them and allow the ISR to talk to the backend 877 but it doesn't seem to be working. I can see matches on the gateway 877's firewall rules so it's trying but failing. Is what I'm trying even possible or is there a better solution for this using just one 877? Thanks, Rich
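An added sketch of the arrangement Rich describes (a gateway 877 handing a NATed public address to a backend 877 while a guest VLAN stays isolated). This is not the poster's attached configuration: every address, VLAN number and ACL name is an assumption, and 203.0.113.10 stands in for a second public address the ISP would have to route to the Dialer.

```ios
! Added example, not the poster's attached configuration. Assumptions:
! Dialer1 = ADSL/Internet (NAT outside), Vlan1 = transit link to the backend 877
! (NAT inside), Vlan10 = guest network. 203.0.113.10 is a second public address
! routed to this router by the ISP; 10.0.0.0/8 stands in for the corporate LANs.
!
interface Dialer1
 ip address negotiated
 ip access-group OUTSIDE-IN in
 ip nat outside
!
interface Vlan1
 description transit to backend 877 (corporate VPN router)
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
!
interface Vlan10
 description guest network, Internet only
 ip address 192.168.10.1 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
!
! Guests share the Dialer address (PAT); the backend router gets a 1:1 static NAT
! so the HQ ISR sees one stable peer address for the IPsec/VTI tunnel.
ip nat inside source list GUEST-NAT interface Dialer1 overload
ip nat inside source static 192.168.1.2 203.0.113.10
!
ip access-list standard GUEST-NAT
 permit 192.168.10.0 0.0.0.255
!
! Segregation: guests can reach the Internet but not the transit link, the backend
! router or anything behind it.
ip access-list extended GUEST-IN
 deny   ip any 192.168.1.0 0.0.0.3
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
! Inbound on Dialer1 the ACL is evaluated before NAT, so tunnel traffic from the
! HQ peer (198.51.100.1, assumed) must be permitted to the public address. If
! these lines are missing, the tunnel never forms and the denies are one way to
! see "matches" on the gateway firewall without any traffic getting through.
! Return traffic for the guests (ip inspect / CBAC) is left out of this sketch.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.10
 deny   ip any any log
```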
9 Replies

Hello,

 

have you set up a split tunnel access list ? Can you post the configuration of your routers (you have 2 877s and 1 ISR) ?

Rich

 

There is not quite enough detail here for us to understand the problem or to give you good advice. Can you clarify some things? Does the vpn terminate on the front (Internet facing) 877 or on the back (private) 877? What kind of vpn is it? (just IPSEC, GRE with IPSEC, VTI?) Can you verify if there is IP connectivity between the peer address of the ISR and the peer address of the 877? Can you post the crypto configuration of both routers?

 

HTH

 

Rick


Hi,

 

Configs are attached as requested.

 

There is IP connectivity over the internet between the two ISRs, one at each of our HQ sites and the gateway 877. We're using IPSEC with VTI.

 

Thanks,


Rich

Hi,

 

I didn't consider using split tunnel as won't that give all of my users local internet breakout?  Also, I need to keep all of the guest users completely segregated from my corporate users.

 

I've posted the configs below, these are for the two 877s.

 

Thanks,

 

Rich

Hello,

 

I cannot figure out your setup. None of your routers has any NAT enabled interfaces...? But there is a static NAT statement in your 'gateway' router ?

 

Can you post a brief schematic drawing so that we can see what is connected to what ?

Oh of course I miss that! I'll post updated configs and a schematic when I'm back in the office on Monday.

 

If it helps, Dialer1 on the gateway router would be NAT outside and VLAN1 would be NAT inside.

 

Sorry I'm not making more sense, I'm primarily a server guy :D

Rich

 

Thanks for the additional information. It is good to see the configs but since they seem to be incomplete it is hard to know what is really going on. And since you have used x.x.x.x for both tunnels for both source address and destination address it is hard to know what is going on - and is a bit odd since you left the public IPs in the isakmp key commands. So we can probably guess that these are the destination address. So what is the source address of each tunnel?

 

I see that both routers in the OSPF section have network statements for the subnets of both tunnels and for the local lan. And also do redistribute connected. I am a bit concerned that this will result in the tunnel source interface being advertised through the ospf to the remote peer which would seem that it might create problems with recursive routing.

 

On both routers would you post output of these commands

show ip ospf

show ip ospf interface

show ip ospf neighbor

show ip route

 

Also it would be helpful to see at least the crypto parts of the ISR routers.

 

HTH

 

Rick

 

[edit] Also I notice that neither of the routers has a configured default route. Are they learning a default route via ospf? or what?


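An added illustration of the recursive-routing risk Rick raises, written for the backend 877 with an IPsec VTI; it is not the poster's configuration. The addresses are assumptions: 192.168.1.0/30 is the link to the gateway router, 198.51.100.1 is the HQ ISR peer, 172.16.0.0/30 the tunnel subnet, 10.1.0.0/16 the local corporate LAN, and HQ-VTI an IPsec profile defined elsewhere.

```ios
! Added example, not the poster's config. See the lead-in for the assumed addresses.
!
! --- Risky: redistribute connected with no filter ---
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
 redistribute connected subnets
!
! The tunnel source subnet (192.168.1.0/30) is a connected route, so it is sent to
! HQ through the tunnel. If HQ does the same with its WAN subnet, this router
! learns a route to its own tunnel destination (198.51.100.1) via Tunnel0, and
! IOS shuts the tunnel down:
!   %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
!
! --- Safer: pin the peer to the physical path and filter what OSPF advertises ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Vlan1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HQ-VTI
!
! A /32 static route to the peer always beats anything learned over the tunnel, so
! the tunnel destination can never be reached through the tunnel itself. The
! default route answers Rick's question: it is static, not learned via OSPF.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 198.51.100.1 255.255.255.255 192.168.1.1
!
! Keep the WAN/transit subnet out of the connected routes handed to OSPF, so the
! same problem is not created on the HQ side.
ip prefix-list NO-WAN seq 5 deny 192.168.1.0/30
ip prefix-list NO-WAN seq 10 permit 0.0.0.0/0 le 32
!
route-map CONNECTED-TO-OSPF permit 10
 match ip address prefix-list NO-WAN
!
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
 redistribute connected subnets route-map CONNECTED-TO-OSPF
 passive-interface default
 no passive-interface Tunnel0
```

The `show ip route` output Rick asked for is the quickest check: the route to the peer address must point at the transit link, never at Tunnel0.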
That's what happens when you try to do multiple things at once in a busy office and don't concentrate on redacting critical details from a config! I can't really give the actual, unedited configs but I'll change them to make more sense once I'm back in the office next week.

Rich

 

I understand the need to protect sensitive information. But giving addresses as x.x.x.x makes it extremely challenging to try to understand what is going on. We need to be able to assess some things about the address, such as is the address the address of a local interface, or if there are access list entries is there an entry about this address, or if there is routing information does that information relate to that address, or do the references to the address in this config match to references in other configs (especially to be sure that the configs of both peers use the same addresses in complementary ways). One suggestion might be to post addresses changing the digits in one of the octets, so that the posted addresses do not point at you - and to state clearly in posting the config that the addresses have been altered.

 

HTH

 

Rick
