05-18-2022 04:02 AM
Hi,
I want to use a direct connection between two routers as the "first" way for the traffic, and as a fallback I want to route the traffic over the VPN.
The setup is / should use BFD for static routes.
But I am not able to route the traffic through the VPN. So where is my mistake?
R1:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxx address xxxxxxxxxxxxxxx
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer xxxxxxxxxxxxxxxxxxxxxxx
 set transform-set TS
 match address VPN-TRAFFIC
!
interface Loopback0
 ip address 179.31.4.49 255.255.255.240
!
interface Loopback1
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 description Uplink Richtfunkstrecke
 ip address 179.31.4.17 255.255.255.240
 negotiation auto
 bfd interval 500 min_rx 500 multiplier 5
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
 description Uplink Firewall
 ip address 179.31.4.2 255.255.255.240
 crypto map CMAP
!
interface Vlan2
 no ip address
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 100 interface Vlan1 overload
ip route static bfd GigabitEthernet0/0/0 179.31.4.18 group group1
ip route 0.0.0.0 0.0.0.0 179.31.4.1
ip route 10.0.1.1 255.255.255.255 GigabitEthernet0/0/0 179.31.4.18
ip route 10.1.1.1 255.255.255.255 GigabitEthernet0/0/0 179.31.4.18
ip route 10.32.1.0 255.255.255.0 179.31.4.1
ip route 10.32.10.0 255.255.254.0 179.31.4.1
ip route 10.32.22.0 255.255.255.0 179.31.4.1
ip route 10.112.80.0 255.255.255.0 Loopback0 179.31.4.65 20
ip route 179.23.12.0 255.255.255.0 179.31.4.1
ip route 179.31.4.32 255.255.255.240 GigabitEthernet0/0/0 179.31.4.18
ip route 192.168.50.0 255.255.255.0 179.31.4.1
ip ssh version 2
!
ip access-list extended VPN-TRAFFIC
 permit ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
 permit ip 179.31.4.0 0.0.0.15 179.31.4.64 0.0.0.15
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
access-list 100 permit ip 179.31.4.48 0.0.0.15 any
access-list 100 remark
R2:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address xxxxxxxxxxx
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer xxxxxxxxxxxxxxxx
 set transform-set TS
 match address VPN-TRAFFIC
!
interface Loopback0
 ip address 179.31.4.65 255.255.255.240
!
interface Loopback2
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address 179.31.4.18 255.255.255.240
 negotiation auto
 bfd interval 500 min_rx 500 multiplier 5
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
 ip address 179.31.4.34 255.255.255.240
 crypto map CMAP
!
interface Vlan2
 no ip address
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 100 interface Vlan1 overload
ip route static bfd GigabitEthernet0/0/0 179.31.4.17 group group1
ip route 0.0.0.0 0.0.0.0 179.31.4.33
ip route 10.0.0.1 255.255.255.255 GigabitEthernet0/0/0 179.31.4.17
ip route 10.32.1.0 255.255.255.0 Loopback0 179.31.4.49 20
ip route 10.32.10.0 255.255.254.0 GigabitEthernet0/0/0 179.31.4.17
ip route 10.32.22.0 255.255.255.0 GigabitEthernet0/0/0 179.31.4.17
ip route 10.112.80.0 255.255.255.0 179.31.4.33
ip route 179.23.12.0 255.255.255.0 GigabitEthernet0/0/0 179.31.4.17
ip route 179.31.4.0 255.255.255.240 GigabitEthernet0/0/0 179.31.4.17
ip route 192.168.50.0 255.255.255.0 GigabitEthernet0/0/0 179.31.4.17
!
ip access-list extended VPN-TRAFFIC
 permit ip 179.31.4.64 0.0.0.15 179.31.4.48 0.0.0.15
 permit ip 179.31.4.0 0.0.0.15 179.31.4.0 0.0.0.15
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 179.31.4.64 0.0.0.15 179.31.4.48 0.0.0.15
access-list 100 permit ip 179.31.4.64 0.0.0.15 any
access-list 100 remark
05-19-2022 03:17 AM
Hello,
at first glance, the NAT access lists do not look correct. Make sure you deny (on both sides) exactly what is allowed in the VPN access list. The NAT access lists should look like this:
R1
access-list 100 deny ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
access-list 100 deny ip 179.31.4.0 0.0.0.15 179.31.4.64 0.0.0.15
access-list 100 permit ip 179.31.4.48 0.0.0.15 any
R2
access-list 100 deny ip 179.31.4.64 0.0.0.15 179.31.4.48 0.0.0.15
access-list 100 deny ip 179.31.4.0 0.0.0.15 179.31.4.0 0.0.0.15
access-list 100 permit ip 179.31.4.64 0.0.0.15 any
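The rule in the reply above (every crypto-ACL permit needs a matching deny in the NAT ACL, on both sides) can be checked mechanically. The script below is an added example for this thread, not code from the original poster or from Cisco. It parses the VPN-TRAFFIC and access-list 100 entries copied from the two posted configs (embedded inline as constructed input), classifies each crypto-ACL flow by what the NAT ACL would do to it, and additionally applies the standard IPsec requirement that the two crypto ACLs be mirror images of each other, which the reply does not cover. Wildcard-to-prefix conversion, the "first matching entry wins" ACL model, and the `host`/`any` handling are this example's own simplifications of IOS behaviour.

```python
import ipaddress

# ACL text copied from the posted R1/R2 configs (constructed input for this example).
R1_VPN = """
permit ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
permit ip 179.31.4.0 0.0.0.15 179.31.4.64 0.0.0.15
"""
R1_NAT = """
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
access-list 100 permit ip 179.31.4.48 0.0.0.15 any
"""
R2_VPN = """
permit ip 179.31.4.64 0.0.0.15 179.31.4.48 0.0.0.15
permit ip 179.31.4.0 0.0.0.15 179.31.4.0 0.0.0.15
"""
R2_NAT = """
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 179.31.4.64 0.0.0.15 179.31.4.48 0.0.0.15
access-list 100 permit ip 179.31.4.64 0.0.0.15 any
"""


def _net(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)  # wildcard is the inverted netmask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] in ACL order; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:1] == ["access-list"]:
            toks = toks[2:]  # drop 'access-list <number>' from numbered-ACL syntax
        if not toks or toks[0] == "remark" or toks[1] != "ip":
            continue
        action, rest = toks[0], toks[2:]
        entries.append((action, _net(rest), _net(rest)))
    return entries


def classify_vpn_flows(vpn_acl, nat_acl):
    """Map each crypto-ACL permit (src, dst) to how the NAT ACL treats it.

    'exempt'     : a NAT deny matches first, so the flow is not translated.
    'translated' : a NAT permit matches first; the packet is NATed before the
                   crypto map sees it and no longer matches VPN-TRAFFIC.
    'unmatched'  : no NAT entry matches (implicit deny). Not translated today,
                   but an explicit deny, as the reply advises, stops a later,
                   broader permit from silently capturing the flow.
    """
    result = {}
    for action, src, dst in vpn_acl:
        if action != "permit":
            continue
        status = "unmatched"
        for nat_action, nsrc, ndst in nat_acl:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):  # first match wins
                status = "exempt" if nat_action == "deny" else "translated"
                break
        result[(str(src), str(dst))] = status
    return result


def mirror_mismatches(local_vpn, remote_vpn):
    """Crypto ACLs must be mirror images: each local permit src->dst needs a
    remote permit dst->src, otherwise the proxy identities do not agree."""
    remote = {(str(s), str(d)) for a, s, d in remote_vpn if a == "permit"}
    return [(str(s), str(d)) for a, s, d in local_vpn
            if a == "permit" and (str(d), str(s)) not in remote]


def check_router(vpn_text, nat_text, peer_vpn_text):
    """Run both checks for one router against its own NAT ACL and the peer's crypto ACL."""
    vpn, nat, peer = parse_acl(vpn_text), parse_acl(nat_text), parse_acl(peer_vpn_text)
    return {"nat": classify_vpn_flows(vpn, nat), "mirror": mirror_mismatches(vpn, peer)}


if __name__ == "__main__":
    for name, vpn, nat, peer in (("R1", R1_VPN, R1_NAT, R2_VPN), ("R2", R2_VPN, R2_NAT, R1_VPN)):
        print(name, check_router(vpn, nat, peer))
```

Run against the posted ACLs, the script reports that the first flow on each router is exempted from NAT and the second is only covered by the implicit deny (the explicit denies the reply adds close that), and it flags the second entry of each crypto ACL as lacking a mirror on the peer: R1 permits 179.31.4.0/28 to 179.31.4.64/28 while R2's second entry is 179.31.4.0/28 to 179.31.4.0/28 rather than the reverse.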
05-19-2022 05:54 AM
I think you should use a routing protocol for this and not try to do it all with static routes. The main reason for this is that if you lose connectivity over the direct G0/0 interface but the interface doesn't physically go down, you will not fail over to the VPN path. If you run a routing protocol and have a floating static (less preferred admin distance) to the VPN path, that will fail over even if G0/0 is up when the connectivity is lost.
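To make the failover argument above concrete, here is an added example (not the poster's config and not a statement about IOS internals) that simulates R1's route selection under the link states the reply describes. It uses two of R1's posted statics (10.0.1.1/32 and 179.31.4.32/28 via 179.31.4.18 over Gi0/0/0, plus the default route to 179.31.4.1) and adds one ASSUMED floating static for 10.0.1.1/32 with distance 20 toward 179.31.4.65, which the posted config does not contain. The model of "a static whose next hop is the BFD neighbour is withdrawn when the interface is down, or when it is BFD-tracked and the session is down" is this example's assumption; whether the `ip route static bfd ... group` form in the post actually gives that tracking is something to confirm on the router with `show bfd neighbors` and `show ip route` rather than with this script.

```python
import ipaddress
from dataclasses import dataclass

BFD_NEIGHBOUR = "179.31.4.18"  # R1: 'ip route static bfd GigabitEthernet0/0/0 179.31.4.18 group group1'
VPN_NEXT_HOP = "179.31.4.65"   # R2's Loopback0, the far end of the VPN path in the post


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int = 1  # administrative distance; a floating static uses a higher value


def r1_routes():
    """Relevant R1 statics from the post plus one ASSUMED floating static."""
    def R(prefix, nh, ad=1):
        return Route(ipaddress.ip_network(prefix), nh, ad)
    return [
        R("0.0.0.0/0", "179.31.4.1"),          # default route toward the firewall
        R("10.0.1.1/32", BFD_NEIGHBOUR),       # R2 loopback over the direct link
        R("179.31.4.32/28", BFD_NEIGHBOUR),    # R2's Vlan1 subnet over the direct link
        R("10.0.1.1/32", VPN_NEXT_HOP, 20),    # ASSUMED floating static via the VPN path (not in the post)
    ]


def best_route(routes, dst, interface_up, bfd_up, bfd_tracking):
    """Longest-prefix match, then lowest administrative distance.

    A static pointing at the BFD neighbour is withdrawn when the interface is
    down, or when the static is BFD-tracked and the BFD session is down.  With
    tracking off and the interface up, a dead link leaves the route in place.
    """
    addr = ipaddress.ip_address(dst)
    candidates = []
    for r in routes:
        if addr not in r.prefix:
            continue
        if r.next_hop == BFD_NEIGHBOUR:
            if not interface_up:
                continue
            if bfd_tracking and not bfd_up:
                continue
        candidates.append(r)
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def next_hop_for(routes, dst, interface_up, bfd_up, bfd_tracking):
    r = best_route(routes, dst, interface_up, bfd_up, bfd_tracking)
    return r.next_hop if r else None


def failover_table(routes, dst):
    """Next hop chosen for dst under the link states discussed in the reply."""
    return {
        "link ok": next_hop_for(routes, dst, True, True, True),
        "interface down": next_hop_for(routes, dst, False, False, True),
        "interface up, link dead, static BFD-tracked": next_hop_for(routes, dst, True, False, True),
        "interface up, link dead, static not tracked": next_hop_for(routes, dst, True, False, False),
    }


if __name__ == "__main__":
    for dst in ("10.0.1.1", "179.31.4.33"):
        print(dst)
        for state, nh in failover_table(r1_routes(), dst).items():
            print(f"  {state:45s} -> {nh}")
```

Two things the table shows: for 10.0.1.1 the assumed floating static takes over only when the primary is withdrawn, which happens when the interface goes down or when the static is BFD-tracked; with the interface up and no tracking, the dead link keeps winning and the traffic is black-holed, which is the case the reply warns about. For 179.31.4.33, which has no floating route, losing the primary falls through to the default route toward the firewall rather than to the VPN. Also, a route toward the VPN next hop only results in encrypted traffic if the source/destination pair is also permitted by VPN-TRAFFIC; on the posted R1 that ACL covers only sources 179.31.4.48/28 and 179.31.4.0/28 to 179.31.4.64/28.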